Staged vs Non-Staged Payloads

Staged Payloads

  • Sends payload in stages

  • Can be less stable

  • Example: windows/meterpreter/reverse_tcp

Non-staged Payloads

  • Sends exploit shellcode all at once

  • Larger in size and will not always work

  • Example: windows/meterpreter_reverse_tcp

Payload Generation

Payload Transfer and Execution

  • Impacket - toolset built in Python that gives you a way to interact with network protocols directly.

    • psexec, smbclient, wmi, Kerberos, and the ability to stand up an SMB server

  • PayloadsAllTheThings - also has a lot of one-liners to help transfer files across hosts

  • SMB

  • Remote execution via MSF: many exploit modules in Metasploit include functionality that builds, stages, and executes the payload automatically

  • Other protocols: FTP, TFTP, HTTP/S

CMD.exe vs PS vs WSL

Use CMD when:

  • On older hosts that do not have PowerShell.

  • You only need simple interactions/access to the host.

  • You plan to use simple batch files, net commands or MS-DOS native tools.

  • PowerShell execution policies might restrict which scripts you can run and other actions on the host.

Use PowerShell when:

  • You are planning to utilize cmdlets or other custom-built scripts.

  • When you wish to interact with .NET objects instead of text output.

  • When being stealthy is of lesser concern.

  • If you are planning to interact with cloud-based services and hosts.

  • If your scripts set and use Aliases.

WSL

  • Allows the use of Python3 and Linux binaries to download and install payloads onto a Windows host via WSL.

  • Network requests or functions executed to or from the WSL instance are not inspected by the Windows Firewall and Windows Defender.
