DOTE

Chain And Rate


Thursday, December 6, 2012

Why Should You Care about Metasploit?

Metasploit is a very robust tool with a great deal of functionality. The biggest benefit of Metasploit is that it is open source, so users can extend it any way they want. This means a security tester in a large company with many custom-written applications can develop their own exploits and payloads to target those internal applications. Adding new payloads is not just beneficial to internal testing, however. If a researcher develops a new type of attack, a custom payload helps make the most of that attack, and a framework that supports adding payloads quickly has the obvious advantages of code reuse and fast development. Plus, some of the new payloads and added functionality are not necessarily for exploits at all. They could serve a different kind of useful security testing, such as Voice over IP, scanning networks for particular problems, or even wireless testing.

Types of Payloads
The days when "payload" referred only to the specific code that executes a desired task are over. Metasploit supports a variety of new functionality beyond simple exploitation. Payloads can be designed to be used independently, or they can be the second stage of an exploit. There are two basic types: exploit payloads and auxiliary payloads. The exploit payloads reside in the modules/payloads directory under the Metasploit home. This is the arbitrary code run after an exploit gains the ability to execute code. It does everything from adding a user to returning a shell, and will even get you a graphical login via the VNC shellcode. Most of this code is written using hardware-specific assembly opcodes. Versions of exploit payloads exist for IBM PowerPC, Sun SPARC, and Intel x86 hardware. Aside from the different hardware versions, payloads are normally operating-system-specific, with examples including Linux, OS X, Windows, and different flavors of BSD. Auxiliary payloads are not necessarily used with an exploit and contain functionality like port scanning and other snippets of code that do not fit precisely into any other area. These payloads can be developed quickly, without a lot of specialized knowledge, to perform single tasks that may be useful but are not exploits. Examples of auxiliary payloads include modules that only perform a denial of service, fuzzers for protocols like 802.11, and various other reconnaissance tools.
A variety of reasons exist to add new payloads to Metasploit, and they all begin at the design phase. This is true whether you want to add a payload for a new platform or a module to perform a task that is not currently in Metasploit. The first step is to make sure the functionality to be added is not already part of the project, since there is no sense in duplicating an existing effort. This can be accomplished by getting familiar with the modules/auxiliary and modules/payloads directories. The show payloads and show auxiliary commands issued from the msfconsole tool will reveal what already exists.

Adding New Exploit Payloads
People who do not spend a lot of time developing attack code often believe that exploits are monolithic pieces of code. An exploit, often just a snippet of code, gives an attacker a chance to capitalize on a software flaw. Most exploits break down into two distinct parts:
  1. Code to take advantage of the flaw, and
  2. Code that carries out an attacker’s plan.
The second piece of code is the shellcode, or exploit payload. Metasploit initially gained popularity through its collection of high-quality, reliable exploit payloads, and exploit writers regularly make Metasploit shellcode part of any proof of concept. In addition to easy-to-use shellcode, the Metasploit project also researches and releases new and interesting shellcode, like the VNC connect shellcode contributed by Matt Miller. Metasploit's design allows painless addition of new shellcode, and, most attractively, extending existing shellcode is just as easy. The term shellcode often brings to mind long strings of hex representing machine code that is injected into a process or application to subvert its flow of execution. Developing shellcode used to be as time-consuming as developing the exploit itself: writing it from scratch requires knowledge of assembly and of the low-level workings of an operating system. Metasploit gave novice exploit writers the ability to cut and paste payload functionality, and this ease is partly responsible for the shrinking gap between a vulnerability announcement and a proof of concept becoming available. Although this section covers adding new exploit payloads, it is not an introduction to shellcode development; numerous references exist for that. Instead it covers how to add new shellcode to the framework or extend shellcode that is already there.
Example of a Metasploit Payload
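To show how a single exploit payload module is laid out, and how the framework fills its option slots (LHOST, LPORT) into the raw bytes before an exploit delivers it, here is an added, stand-alone Ruby mimic; it is not Metasploit's own code and not from the original post. The class name, the 16-byte NOP placeholder and the slot offsets are constructed assumptions; the 'Offsets' table shape and the 'ADDR'/'n' encoding tags follow the framework's convention.

```ruby
# Stand-alone mimic of a Metasploit single payload module: raw bytes plus an
# 'Offsets' table, and a generate step that patches LHOST/LPORT into the slots.
# Constructed illustration, not framework code; the bytes are NOPs, not shellcode.
require 'ipaddr'

class SinglePayloadMimic
  attr_reader :info

  def initialize(info)
    @info = info
  end

  # Copy the raw bytes and overwrite each declared slot with the packed
  # option value, as the framework's variable substitution does.
  def generate(opts)
    raw = info['Payload']['Payload'].dup.b
    info['Payload']['Offsets'].each do |key, (offset, type)|
      value  = opts.fetch(key) { raise ArgumentError, "missing option #{key}" }
      packed = pack_value(value, type)
      if offset + packed.bytesize > raw.bytesize
        raise ArgumentError, "#{key} slot overruns the payload"
      end
      raw[offset, packed.bytesize] = packed
    end
    raw
  end

  private
  # Encoding tags as used by the framework's Offsets table:
  # 'ADDR' = IPv4 in network byte order, 'n' = 16-bit big-endian.
  def pack_value(value, type)
    case type
    when 'ADDR' then IPAddr.new(value).hton
    when 'n'    then [Integer(value)].pack('n')
    else raise ArgumentError, "unknown offset type #{type}"
    end
  end
end

# Constructed module definition: 16 NOP bytes with an address and a port slot.
EXAMPLE_PAYLOAD = SinglePayloadMimic.new(
  'Name'     => 'Example reverse connect (placeholder bytes)',
  'Platform' => 'linux',
  'Arch'     => 'x86',
  'Payload'  => {
    'Offsets' => { 'LHOST' => [4, 'ADDR'], 'LPORT' => [10, 'n'] },
    'Payload' => "\x90" * 16
  }
)
```

Calling `EXAMPLE_PAYLOAD.generate('LHOST' => '10.0.0.5', 'LPORT' => 4444)` returns the 16 bytes with the packed address at offset 4 and the big-endian port at offset 10, which is the same patched-bytes view a detection engineer sees when comparing a captured payload against the module's template.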
Examining Current Payloads
Metasploit ships a wide variety of payloads. Included in the Framework are payloads covering multiple versions of Windows, Linux, and OS X, to name a few. Payloads can also target multiple architectures, like x86 and PPC. Executing the "show payloads" command from msfconsole will give an exhaustive list.
Output of "show payloads" command