Choosing an exploit is a matter of finding the right match between Metasploit and the target machine's vulnerabilities; choosing a payload is based entirely on what you want to do with the target machine once you've successfully exploited it. Metasploit provides a number of payloads to perform various penetration-related tasks. Since the payloads are ultimately translated into shellcode (low-level machine instructions specific to a particular operating system and CPU), each payload is specific to a particular system configuration. As with exploits, payloads are organized into a hierarchy of operating systems and CPU types to make selecting the appropriate payload easier.
You can view the list of payloads supported by Metasploit by typing `show payloads` at the Metasploit console prompt. If you list the payloads before you select an exploit, you'll see all payloads known to Metasploit. If you select an exploit first, you see only the list of payloads supported by the particular exploit.
In general, Metasploit tries to make all payloads available to all exploits (the decoupling of vulnerabilities and payloads is one of the core purposes of Metasploit). However, depending on the nature of the particular vulnerability and target host, certain payloads may not be available. Which payloads are supported by which exploits can be an important factor to consider when choosing an exploit.
Here's an example of Metasploit filtering the list of payloads for a specific exploit:
```
msf > show payloads

Payloads
========

   Name                          Description
   ----                          -----------
   bsd/sparc/shell_bind_tcp      BSD Command Shell, Bind TCP Inline
   bsd/sparc/shell_reverse_tcp   BSD Command Shell, Reverse TCP Inline
   bsd/x86/exec                  BSD Execute Command
   [90 more payloads...]

msf > use osx/browser/safari_metadata_archive
msf exploit(safari_metadata_archive) > show payloads

Compatible payloads
===================

   Name                   Description
   ----                   -----------
   cmd/unix/bind_inetd    Unix Command Shell, Bind TCP (inetd)
   cmd/unix/bind_perl     Unix Command Shell, Bind TCP (via perl)
   cmd/unix/generic       Unix Command, Generic command execution
   cmd/unix/interact      Unix Command, Interact with established connection
   cmd/unix/reverse       Unix Command, Double reverse TCP connection (telnet)
   cmd/unix/reverse_bash  Unix Command, Double reverse TCP connection (/dev/tcp)
   cmd/unix/reverse_perl  Unix Command, Double reverse TCP connection (via perl)
```
To select a particular payload, use the `set PAYLOAD payloadname` command. Here's an example of selecting the windows/upexec/bind_tcp payload with the windows/smb/ms06_025_rras exploit:

```
msf exploit(ms06_025_rras) > set PAYLOAD windows/upexec/bind_tcp
PAYLOAD => windows/upexec/bind_tcp
```
Metasploit provides payloads for five operating systems (BSD, Linux, OS X, Solaris, and Windows) and three CPU architectures (x86, sparc, and ppc), but Windows/x86 is by far the most supported platform (this works out well, since the vast majority of Metasploit exploits are for Windows as well). The types of payloads and specific platforms the payloads support are listed in Table 7-1.
Table 7-1. Metasploit payloads by platform

| Payload type | Windows | Linux | OS X | BSD | Solaris | Unix |
|---|---|---|---|---|---|---|
| VNC injection | ✓ | | | | | |
| File execution | ✓ | | | | | |
| Interactive shell | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Meterpreter | ✓ | | | | | |
| Command execution | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| DLL injection | ✓ | | | | | |
| Add user | ✓ | ✓ | | | | |
As of version 3.0, Metasploit contains 93 different payloads. This may sound like a lot, but there are really only seven types of payloads. The large number of payloads is caused by small changes required in the actual shellcode in order to handle various use cases or target platforms. The seven "logical" payloads that Metasploit provides are described next.
**VNC injection.** Injects a VNC DLL into the target computer's memory and runs a temporary VNC server. By using this payload, you gain full access to the target's desktop, allowing you to move the mouse cursor and interact with Windows in a fully graphical fashion. Because most Windows functionality is exposed through the graphical interface, this is a much easier way to interact with the target computer than a command-line shell. Particularly if you come from a Unix background, trying to do anything productive with the Windows shell can be extremely frustrating.
When controlling the target with VNC, be careful not to give yourself away (assuming you're trying to remain covert). Any mouse movements you make and any applications you launch or interact with will be displayed on the target monitor. If you're careless and use VNC injection while the computer's owner is sitting in front of the monitor, your attack becomes extremely obvious.
**File execution.** Uploads a file to the target computer and executes it. Using this payload allows for very quick and efficient installation of backdoors or rootkits (see Chapter 12).
**Interactive shell.** Provides you with interactive (i.e., you type commands and see results in real time) shell access to the remote computer. For operating systems with powerful shells (BSD, Linux, OS X, Solaris), this is a very useful payload that lets you easily take full control of the target. Before Metasploit, almost all exploits provided shell access, which is where the term shellcode came from (i.e., code that provides a shell).
**Command execution.** Runs a single command on the target computer. As with the shell payload, this is more powerful on a Unix target than on a Windows target. This payload's benefit is that it doesn't require any user interaction (similar to the file execution payload) and so is ideal for automation. Using msfcli and the command `echo "patch me" | sendmail youremailaddress`, you could easily scan an entire network's worth of machines in bulk and receive email from any of the machines that were susceptible to attack.
**DLL injection.** Injects a custom DLL into the memory of the target process, allowing you to add your own code to the code you just exploited. This is very advanced functionality and is only used by the most experienced Metasploit users, who need highly customized behavior. This payload is used internally to provide the VNC injection and Meterpreter payloads.
**Add user.** Adds a new user to the system with a custom username and password. When used against a Windows target, it adds the user to the Administrators group, giving you full system access. When used against a Linux target, the user is added with UID 0, granting full superuser access.
**Meterpreter.** This payload, which is only available for Windows, provides a rich command-line environment for interaction with the target system. Meterpreter is covered in depth in The Meterpreter.
If you look at any of the payload types, you'll notice that each has a number of variants you can choose. For example, here are all the variants possible for a Windows shell:
```
msf > show payloads

Payloads
========

   Name                           Description
   ----                           -----------
   [other payloads...]
   windows/shell/bind_tcp         Windows Command Shell, Bind TCP Stager
   windows/shell/find_tag         Windows Command Shell, Find Tag Ordinal Stager
   windows/shell/reverse_http     Windows Command Shell, PassiveX Reverse HTTP...
   windows/shell/reverse_ord_tcp  Windows Command Shell, Reverse Ordinal TCP Stager
   windows/shell/reverse_tcp      Windows Command Shell, Reverse TCP Stager
   windows/shell_bind_tcp         Windows Command Shell, Bind TCP Inline
   windows/shell_reverse_tcp      Windows Command Shell, Reverse TCP Inline
```
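The naming scheme visible in this listing can be parsed mechanically: a platform, an optional CPU architecture, then either a stage/stager pair such as `windows/shell/bind_tcp` (a "Stager") or a single inline name such as `windows/shell_bind_tcp` (an "Inline"), with `bind`, `reverse` or `find` in the last component giving the connection type. The Python script below is an added example written for this page; it is not part of the original text and not Metasploit's own code. It embeds the Windows shell variants quoted above as a constructed sample of `show payloads` output and classifies each name into the platform/architecture/type hierarchy that Table 7-1 summarizes. The rules it applies (x86 is the default when no architecture component is present, two remaining components mean staged, `cmd/<platform>/...` names are command payloads, and the `TYPE_NAMES` mapping) are inferred from the console output on this page and are assumptions, not a Metasploit API.

```python
"""Parse Metasploit payload names into the platform/arch/type hierarchy.

Added example for this page, not from the original text or from Metasploit.
The sample listing is copied from the `show payloads` output quoted above;
the classification rules are inferred from that output and are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Architectures named on this page. The arch component is omitted for the
# default, x86 (compare `info windows/shell/find_tag`, which reports Arch: x86).
KNOWN_ARCHS = {"x86", "sparc", "ppc"}

# Path token -> one of the seven logical types in Table 7-1 (assumed mapping).
TYPE_NAMES = {
    "vncinject": "VNC injection",
    "upexec": "File execution",
    "shell": "Interactive shell",
    "meterpreter": "Meterpreter",
    "exec": "Command execution",
    "dllinject": "DLL injection",
    "adduser": "Add user",
}

# A payload line: a slash-separated lowercase name, then its description.
PAYLOAD_LINE = re.compile(r"^\s*([a-z0-9_]+(?:/[a-z0-9_]+)+)\s+(\S.*)$")

# Constructed sample, copied from the Windows shell variants listed above.
SAMPLE_OUTPUT = """\
Payloads
========

   Name                           Description
   ----                           -----------
   windows/shell/bind_tcp         Windows Command Shell, Bind TCP Stager
   windows/shell/find_tag         Windows Command Shell, Find Tag Ordinal Stager
   windows/shell/reverse_http     Windows Command Shell, PassiveX Reverse HTTP...
   windows/shell/reverse_ord_tcp  Windows Command Shell, Reverse Ordinal TCP Stager
   windows/shell/reverse_tcp      Windows Command Shell, Reverse TCP Stager
   windows/shell_bind_tcp         Windows Command Shell, Bind TCP Inline
   windows/shell_reverse_tcp      Windows Command Shell, Reverse TCP Inline
"""


@dataclass(frozen=True)
class Payload:
    name: str
    platform: str
    arch: str
    ptype: str        # logical type, e.g. "Interactive shell"
    staged: bool      # True for a stage/stager pair, False for an inline single
    connection: str   # "bind", "reverse", "find" or "none"


def parse_payload(name: str) -> Payload:
    parts = name.split("/")
    if parts[0] == "cmd":
        # Command payloads are written cmd/<platform>/<variant>, e.g. cmd/unix/reverse_perl.
        arch, platform, rest = "cmd", parts[1], parts[2:]
    elif len(parts) > 2 and parts[1] in KNOWN_ARCHS:
        platform, arch, rest = parts[0], parts[1], parts[2:]
    else:
        platform, arch, rest = parts[0], "x86", parts[1:]

    # Staged: stage and stager are separate components (windows/shell/bind_tcp).
    # Inline: one component carries both (windows/shell_bind_tcp, bsd/x86/exec).
    staged = len(rest) == 2
    type_token = rest[0] if staged else rest[0].split("_")[0]
    default_type = "Command execution" if arch == "cmd" else type_token
    ptype = TYPE_NAMES.get(type_token, default_type)

    variant = rest[-1]
    if "reverse" in variant:
        connection = "reverse"   # target connects out to the listener
    elif "bind" in variant:
        connection = "bind"      # target listens, the other side connects in
    elif "find" in variant:
        connection = "find"      # reuses the already-established connection
    else:
        connection = "none"      # e.g. exec, adduser, generic
    return Payload(name, platform, arch, ptype, staged, connection)


def parse_show_payloads(text: str) -> list:
    """Extract and classify every payload name in `show payloads` output."""
    return [parse_payload(m.group(1))
            for line in text.splitlines()
            if (m := PAYLOAD_LINE.match(line))]


def summarize(payloads) -> Counter:
    """Count payloads by (staged/inline, connection type)."""
    return Counter(("staged" if p.staged else "inline", p.connection) for p in payloads)


if __name__ == "__main__":
    found = parse_show_payloads(SAMPLE_OUTPUT)
    for p in found:
        print(f"{p.name:32} {p.platform}/{p.arch} {p.ptype}, "
              f"{'staged' if p.staged else 'inline'}, {p.connection}")
    print(summarize(found))
```

Run on the sample, the summary shows why seven "Windows shell" entries exist for one logical payload: five staged and two inline, split across reverse, bind and find-tag connection handling. The same parser applied to a full `show payloads` listing reproduces the platform rows of Table 7-1 and is a convenient way to inventory which connection shapes a given exploit's compatible payloads rely on.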
To find out the differences between the various payload variants, you can use the `info payloadname` command to get detailed information about a payload, including a brief description:
```
msf > info windows/shell/find_tag

       Name: Windows Command Shell, Find Tag Ordinal Stager
    Version: $Revision$, $Revision$
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 92

Provided by:
  spoonm <spoonm@gmail.com>
  skape <mmiller@hick.org>

Available options:

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  seh              yes       Exit technique: seh, thread, process

Advanced options:

  Name           : TAG
  Current Setting: v3dJ
  Description    : The four byte tag to signify the connection.

Description:
  Use an established connection, Spawn a piped command
  shell
```
In our example of the different "shell" payload variants, the primary difference between them is the type of network connection used to relay the shell commands. Depending on the network topology in place around the target computer, some payload variants may succeed where others fail.
Firewalls and NAT devices (see Chapter 13) typically prevent most (or all) incoming connections to the victim host, but usually allow all outbound connections. The reverse payload variants are specifically designed for this scenario: they cause the victim to create an outbound connection back to your host (or even a different host running a Metasploit listener).
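The defender's side of this point is checking what the network around a host actually permits: a reverse variant only works because the host can open an arbitrary outbound connection, and a bind variant only works because an arbitrary inbound connection is accepted. The script below is an added example written for this page (not from the original text or from Metasploit). It runs over a few constructed firewall log lines and flags the two connection shapes just described: an internal host connecting outbound to a port outside an egress allowlist, and an inbound connection accepted on a port the host is not known to serve. The log format, the addresses, the ports and the two policy tables are all assumptions made up for the example; the parser would need adapting to a real firewall's export.

```python
"""Review firewall logs for the connection shapes bind and reverse variants rely on.

Added example for this page, not from the original text or from Metasploit.
Everything below (log format, hosts, ports, policy) is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed log format: "<timestamp> <ALLOW|DENY> <IN|OUT> <src>:<sport> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<direction>IN|OUT)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Assumed policy: ports the site expects to use outbound, and the listening
# ports each internal host legitimately serves.
ALLOWED_EGRESS_PORTS = {53, 80, 443}
EXPECTED_SERVICES = {"10.0.0.20": {445, 3389}, "10.0.0.5": set()}

# Constructed sample: a normal HTTPS session, an outbound connection to an
# arbitrary high port, a normal SMB connection, an inbound connection to a
# port the host does not serve, and an inbound attempt the firewall dropped.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z ALLOW OUT 10.0.0.5:49210 203.0.113.9:443
2024-03-01T09:00:07Z ALLOW OUT 10.0.0.5:49211 198.51.100.7:4444
2024-03-01T09:00:09Z ALLOW IN  198.51.100.7:51000 10.0.0.20:445
2024-03-01T09:00:12Z ALLOW IN  198.51.100.7:51001 10.0.0.20:4444
2024-03-01T09:00:15Z DENY  IN  198.51.100.7:51002 10.0.0.5:4444
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    kind: str    # "reverse-style egress" or "bind-style ingress"
    host: str    # internal host involved
    peer: str    # external address on the other end
    port: int    # destination port of the flagged connection


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def analyze(log_text: str,
            allowed_egress=ALLOWED_EGRESS_PORTS,
            expected_services=EXPECTED_SERVICES) -> list:
    """Return a Finding for each allowed connection matching either shape."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m or m["action"] != "ALLOW":
            continue   # denied traffic was already stopped; nothing to flag
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if m["direction"] == "OUT" and is_internal(src) and not is_internal(dst):
            # Outbound to a port outside the egress allowlist: the shape a
            # reverse variant depends on when inbound connections are blocked.
            if dport not in allowed_egress:
                findings.append(Finding(m["ts"], "reverse-style egress", src, dst, dport))
        elif m["direction"] == "IN" and is_internal(dst):
            # Inbound accepted on a port the host is not known to serve: the
            # shape a bind variant depends on.
            if dport not in expected_services.get(dst, set()):
                findings.append(Finding(m["ts"], "bind-style ingress", dst, src, dport))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.kind}: host {f.host} port {f.port} peer {f.peer}")
```

On the sample, two lines are flagged: the outbound connection from 10.0.0.5 to port 4444 and the inbound connection to 10.0.0.20 on port 4444; the dropped inbound attempt is not a finding because the firewall already did its job. The practical reading of the result is the one the paragraph above implies: an "allow all outbound" rule leaves the reverse shape open, so egress filtering to a known port allowlist (the `allowed_egress` set here) closes what inbound filtering alone does not.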