Lesson 107 : Generating Payloads Video Lecture | Ethical Hacking using Kali Linux (in English) - Software Development

welcome to the next tutorial of ethical
hacking and penetration testing we are
kali linux so in the police tutorial i
taught you about the different types of
payloads and but i to me but i mentioned
one thing that there is one more thing
that is a reflective DLL injection so
reflected oil injection is a technique
whereby a stage payload is injected into
a compromised host process and it is
running in memory it's never touching
the host hard drive the VNC and the
meterpreter payloads they both make use
of the reflective DLL injection we can
read more about them from Steven fever
that is the creator of reflective real
injection method so I won't be getting
much into that in deep because I would
have now how to word and start as to how
we are going to actually generate a
payload for Metasploit so now that we
have an understanding of what payload is
payload types and when to use them and
how to use them let's generate some
payloads so then letting a payload is
not that difficult in Metasploit and
unless you know exactly what you are
doing
so during expert development you will
most certainly need to generate a shell
code to use in your exploit in
Metasploit payloads can be generated
from within the MSF console so when you
use a certain payload meter spread adds
the generate pry and reload commands
generate will be the primary focus of
this section in learning how to use
Metasploit so we'll just go ahead and
use the payload so I'll just type okay
I'll just get back into my Callie that's
type use and I'll just type the payload
and I'll use the Windows one so I'll
just type windows and abusing the shelf
and tcp that i showed you previously and
just make sure that these bind option is
this is the underscore and there are no
hyphens over here i'll hit enter it has
selected the windows shell bind tcp
where shell over here is the stage
whereas the pine tcp is the stage oh
sorry the pine tcp is the stage whereas
the shell is the stator so now over here
i'll just go and type help to see what
all things you do we have so you can see
we can go I can go ahead and use these
commands to communicate with the host
yep connect and all of these things we
have these database back-end commands
such as credentials which I would be
teaching you in the next tutorial and
finally we have the payload command to
check generate pry and reload so now I
would be going around using the generate
one so I'll just since we need to
generate a payload so I'll just type
generate space hyphen H so to generate
shell code without any options simply
execute the generate command but over
here I'm actually trying to show you
exactly how we could actually generate a
payload with some other understanding so
it would be forced encoding to go to
hide it from the antivirus or the AV we
have the list of characters to avoid so
that the identifies does not warrant
detectors name of the encoder module the
output file and if it just couldn't type
generate it will just turn generate as
simple without unencoded payload so just
type it in right and as you can see this
is how the payload looks like you may or
you may not be able to understand
exactly how it is because this is just
the script to go to a vault or get you
can say as get false permission from
windows to go down and access something
from them the real thing starts over
from here over here that's how it looks
like so after that of course the odds of
generating shellcode like this without
any sort of tweaking are rather rather
low more often than not bad characters
and specific types of encoders will be
depending upon the targeted machine so
this sample payload over here it
contains an almost universal bad
character that is Danelle byte which is
/x 0 0 so if you look properly into this
you will surely go ahead and find this
/x 0 0 these stuff and that's how the
antivirus goes ahead and finds a finds
the us in the actual culprit that is our
virus or the trojan or whatever you want
to call over here I'll be calling it
payload so granted some exploits may use
or it may allow them to use it but not
many let's generate the same shellcode
only this time we will instruct the
Metasploit to remove this unwanted byte
so to accomplish this i will issue the
generate command followed by the
p-switch with accompanying bytes we wish
to be disallowed during the generation
process so as you can see i have this
specific term over here which i will be
using
to go to avoid the list of characters
such as type generate - be space and
I'll type in inverted commas /x 0 0 and
I'll hit enter
so as you can see this time there is no
/x 0 0 and it's quite a good encoded
Paylor where is the last time you can
see after the 82 we have / x 0 0 whereas
over here I don't have that you can go
and search the whole file you won't even
find anything over there so looking at
the shell code it's easy to see compared
to the previously generated by an shell
the null bytes have been successfully
removed thus giving us another bite
free payload so we also see other
significant differences as well do TD
our change V enforced during generation
1 difference is the shell quotes total
bite size in our previous iteration this
size was 341 bytes this new shell code
however is 21 bytes 27 bytes so that's
quite much of a difference that created
with with the help of null payload null
by its payload size just good and
generate this and this is normal one
with the 341 bytes then if I go and type
this this is the normal one with our 27
bytes it's quite good so yeah so doing
the generational parts original intent
or usefulness in code it needed to be
replaced or encoded in order to ensure
once in memory our pine shell remains
functional and it is not thrown out or
by the antivirus another significant
change is added to the use of encoder by
default meter spread will select the
best encoder to accomplish the task in
hand
the encoders responsible for removing
unwanted characters amongst other things
entered when it was used with the - be
switch like I used I'll discuss the
encoders in great detail later on
so while specifying bad characters the
framework will use the best encoder for
the job and the best tool over here easy
into 32 bit that
x86 / Jakarta deny that and you might
wonder that if I have heard about that
before not sure exactly how where we
have seen it let's select social
engineering and I'll just
let's go and use some random stuff and
these two and over here as you can see
we have the sheikah tag and I so this is
where we have heard it previously so
yeah came back to a point the in 286 e
cotton and guy encoder it was used only
when the null by it was restricted
during the code generation so if I add a
few more bad characters a different
encoder may be used may complete the
same task so let's add several more
bytes to the list and see what happens
so I'll just type generate B slash and
I'll over here I'll just would and
change some of the things such as /x 4 4
/x 6 7
/x 6 6 /x let's say we also use some
characters and slash X 0 1 / x e0 slash
X 44 slash X 67 and what else let's say
X a 1 let's say for example X a 2 /x a 3
/ x 75 / x 4 be perfect so we'll be
using this and we will use our different
end coders let's see what happens
all of these unwanted bites were removed
perfect but the size over here is 350
White's whereas over here it was 355 and
over here it was 328 so what is the
difference so we see a different encoder
was used in order to successfully remove
our unwanted bytes Shikata and I was
probably incapable of coding our payload
using our restricted byte list and F and
s T E and V mu on the other hand was
able to accomplish the same thing and as
you can see we have the FNS te n if we
move which had encoded at this so having
the ability to generate shell code
without user certain characters this is
one of the greatest features offered by
this framework this doesn't mean it's
limitless if too many restricted bytes
are given no encoder may be set up for
the task at which the Metasploit will
display something such as the payload
generation has failed let's go ahead and
try something like that I use the same
code with a bit of modification
44 67 66 xf ax 0 1 x EO 67 until 4 x b
and let me just put and change this a
bit i'll use x FF / x 0 a slash let's
say x 0 b / x 0 1 let's say / yeah x 0 1
after that let's say x CC / 6 e / x 1 e
and then we have / x - e we have let's
just lash X 26 and let's see what
happens right now
as you can see no encoders before
encoder deeper first successfully so
it's like removing too many letters from
the alphabet and asking someone to write
a full sentence sometimes it just can't
be done and if you have seen that in
movies that they genders couldn't type
something and hack into something that's
how exactly this is it does not work in
reality at least not you have to just
sit inside in front of the computer and
wait for something to happen that's not
going to happen you have to actually try
for that to happen
so using an encoder during a pelo
generation is not that difficult but at
the same time it's not that easy as well
so as mentioned previously the framework
will choose the best encoder possible
when generating our payload however
there are times when one needs to use a
specific type regardless of what
Metasploit things imagine an exploit
that will successfully execute provide
execute a command whether it contains
only non alphanumeric characters the
Shekhar onegai encoder would not be
appropriate in this case as it uses
pretty much every characters available
to encode so looking at the encoder list
I'll go ahead and show you something
different but that would be it for this
tutorial and in the next shooter be
going ahead and starting week and ending
this payload tutorial by showing you how
we could actually go and use some
different encoders to read or bandshell
payloads