Metasploit Basics
To see which options the utility takes, enter msfpayload -h at the command line, as shown here:

root@bt:/# msfpayload -h

As with msfcli, if you find yourself stuck on the required options for a payload module, append the letter O on the command line for a list of required and optional variables, like so:

root@bt:/# msfpayload windows/shell_reverse_tcp O

We will dive much deeper into msfpayload as we explore exploit development in later chapters.
MSFencode
The shellcode generated by msfpayload is fully functional, but it contains several null characters that, when interpreted by many programs, signify the end of a string, and this will cause the code to terminate before completion. In other words, those \x00s and \xffs can break your payload!

In addition, shellcode traversing a network in cleartext is likely to be picked up by intrusion detection systems (IDSs) and antivirus software. To address this problem, Metasploit’s developers offer msfencode, which helps you to avoid bad characters and evade antivirus and IDSs by encoding the original payload in a way that does not include “bad” characters. Enter msfencode -h to see a list of msfencode options.
Metasploit contains a number of different encoders for specific situations. Some will be useful when you can use only alphanumeric characters as part of a payload, as is the case with many file format exploits or other applications that accept only printable characters as input, while others are great general purpose encoders that do well in every situation.

When in doubt, though, you really can’t go wrong with the x86/shikata_ga_nai encoder, the only encoder with the rank of Excellent, a measure of the reliability and stability of a module. In the context of an encoder, an Excellent ranking implies that it is one of the most versatile encoders and can accommodate a greater degree of fine-tuning than other encoders. To see the list of encoders available, append -l to msfencode as shown next. The payloads are ranked in order of reliability.

root@bt:~# msfencode -l
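The bad-character problem described above is easy to check for yourself before and after encoding. The following script is an added example, not code from the book or from the Metasploit project: it parses the "\xNN" C-style buffer msfpayload can print, reports the offsets of any \x00 or \xff bytes, and shows with a toy single-byte XOR why an encoder can map a buffer away from those bytes. The sample buffer is constructed for illustration and is not real shellcode.

```python
import re

# Bad characters the text calls out: NUL (string terminator) and 0xff.
BAD_CHARS = b"\x00\xff"

# Constructed sample in the "\xNN" C-style form msfpayload prints for its C output.
# Not real shellcode: arbitrary bytes chosen so that both bad characters occur.
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] =
"\xfc\xe8\x00\x00\x00\x00\x60\x89\xe5"
"\x31\xc0\x64\x8b\x50\x30\xff\x8b";
'''


def parse_c_shellcode(text: str) -> bytes:
    """Turn the \\xNN escapes of a C-style shellcode buffer into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_bad_chars(shellcode: bytes, bad: bytes = BAD_CHARS) -> dict:
    """Map each bad byte present in the buffer to the offsets where it occurs."""
    hits = {}
    for off, b in enumerate(shellcode):
        if b in bad:
            hits.setdefault(b, []).append(off)
    return hits


def pick_xor_key(shellcode: bytes, bad: bytes = BAD_CHARS):
    """Illustrate why encoding helps: find a single-byte XOR key that maps every
    byte of the buffer away from the bad set. Toy only; msfencode's encoders
    (such as shikata_ga_nai) are far more elaborate than a fixed one-byte XOR."""
    for key in range(1, 256):
        if key in bad:
            continue  # the key itself would have to appear in a decoder stub
        encoded = bytes(b ^ key for b in shellcode)
        if not find_bad_chars(encoded, bad):
            return key, encoded
    return None, None


if __name__ == "__main__":
    raw = parse_c_shellcode(SAMPLE_C_OUTPUT)
    for byte, offsets in find_bad_chars(raw).items():
        print(f"bad char 0x{byte:02x} at offsets {offsets}")
    key, enc = pick_xor_key(raw)
    print(f"XOR key 0x{key:02x} yields a buffer with no bad characters")
    assert bytes(b ^ key for b in enc) == raw  # decoding restores the original
```

Run the same check on the output of msfencode to confirm that the encoded buffer really is free of the characters you needed to avoid.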
Nasm Shell
The nasm_shell.rb utility can be handy when you’re trying to make sense of assembly code, especially if, during exploit development, you need to identify the opcodes (the assembly instructions) for a given assembly command.