
Metasploit Basics


To see which options the utility takes, enter msfpayload -h at the command line, as shown here:

root@bt:/# msfpayload -h

As with msfcli, if you find yourself stuck on the required options for a payload module, append the letter O on the command line for a list of required and optional variables, like so:

root@bt:/# msfpayload windows/shell_reverse_tcp O

We will dive much deeper into msfpayload as we explore exploit development in later chapters.

MSFencode

The shellcode generated by msfpayload is fully functional, but it contains several null characters that, when interpreted by many programs, signify the end of a string, and this will cause the code to terminate before completion. In other words, those \x00s and \xffs can break your payload!

In addition, shellcode traversing a network in cleartext is likely to be picked up by intrusion detection systems (IDSs) and antivirus software. To address this problem, Metasploit's developers offer msfencode, which helps you to avoid bad characters and evade antivirus and IDSs by encoding the original payload in a way that does not include "bad" characters. Enter msfencode -h to see a list of msfencode options.

Metasploit contains a number of different encoders for specific situations. Some will be useful when you can use only alphanumeric characters as part of a payload, as is the case with many file format exploits or other applications that accept only printable characters as input, while others are great general-purpose encoders that do well in every situation.

When in doubt, though, you really can't go wrong with the x86/shikata_ga_nai encoder, the only encoder with the rank of Excellent, a measure of the reliability and stability of a module. In the context of an encoder, an Excellent ranking implies that it is one of the most versatile encoders and can accommodate a greater degree of fine-tuning than other encoders. To see the list of encoders available, append -l to msfencode as shown next. The encoders are ranked in order of reliability.

root@bt:~# msfencode -l
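The two ideas in the passages above, that certain bytes such as \x00 and \xff break a payload, and that an encoder rewrites the bytes so none of the bad ones remain, are easy to see on a raw byte string. The following is an added example written for this page; it is not code from the Metasploit project. It scans a buffer for a bad-character list, checks whether a buffer satisfies an alphanumeric-only constraint, and shows the principle behind the simplest encoders by searching for a single-byte XOR key under which no output byte is bad. SAMPLE is a constructed byte string used purely as test input, not shellcode, and the function names are my own.

```python
"""Bad-character checks on a raw payload buffer (added example, not Metasploit code)."""

# The two bytes the text calls out as breaking payloads.
BAD_CHARS_DEFAULT = b"\x00\xff"

# Constructed sample buffer, NOT real shellcode: a handful of arbitrary bytes
# with a null and an 0xff placed inside so the scanner has something to find.
SAMPLE = b"\x31\xc0\x00\x50\x68\xff\x2f\x73\x68"


def find_bad_chars(payload: bytes, badchars: bytes = BAD_CHARS_DEFAULT) -> list:
    """Return (offset, byte) pairs for every occurrence of a bad byte.

    An empty list means the buffer is clean with respect to `badchars`.
    """
    bad = set(badchars)
    return [(offset, value) for offset, value in enumerate(payload) if value in bad]


def is_alphanumeric_only(payload: bytes) -> bool:
    """True when every byte is an ASCII letter or digit (the constraint the
    alphanumeric encoders exist to satisfy). Empty input is rejected."""
    return len(payload) > 0 and payload.isalnum()


def xor_encode(payload: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. Applying it twice restores the input,
    which is why a decoder only needs the key to recover the original bytes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ key for b in payload)


def single_byte_xor_keys(payload: bytes, badchars: bytes = BAD_CHARS_DEFAULT) -> list:
    """All keys 1..255 whose XOR output contains no bad byte.

    Key 0 is skipped because it leaves the buffer unchanged. An empty result is
    the failure mode to watch for: no single-byte key works for this buffer and
    bad-character set, which is when a more flexible encoder is needed.
    """
    bad = set(badchars)
    return [k for k in range(1, 256) if all((b ^ k) not in bad for b in payload)]


if __name__ == "__main__":
    hits = find_bad_chars(SAMPLE)
    print("bad bytes in SAMPLE:", [(off, hex(val)) for off, val in hits])
    keys = single_byte_xor_keys(SAMPLE)
    print(f"{len(keys)} single-byte XOR keys avoid the bad characters")
    encoded = xor_encode(SAMPLE, keys[0])
    print("encoded with key", hex(keys[0]), "-> bad bytes:", find_bad_chars(encoded))
```

The XOR search is only the principle: a real encoder must also prepend a decoder stub that undoes the transform at run time, and that stub is itself a fixed, recognizable pattern, which is why encoding alone is not a reliable way past signature-based antivirus or IDS inspection. Note the edge case in the last function: a buffer that contains every byte value has no single-byte XOR key at all, because some byte always XORs to zero.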

Nasm Shell

The nasm_shell.rb utility can be handy when you're trying to make sense of assembly code, especially if, during exploit development, you need to identify the opcodes (the assembly instructions) for a given assembly command.