
Metasploit payload question


caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jan 24, 2013 8:23 am

Metasploit payload question

Hi,

Can someone tell me what is the difference between these two Metasploit payloads:

1) windows/shell/bind_tcp
Listen for a connection, Spawn a piped command shell (staged)

2) windows/shell_bind_tcp
Listen for a connection and spawn a command shell

They both have the same basic options:

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST                      no        The target address


Basically, what does "spawn a piped shell (staged)" mean compared to "spawn a command shell"?

Thanks in advance
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Jan 24, 2013 8:43 am

Re: Metasploit payload question

A staged payload uses a stager to instruct the exploit on how to shovel the payload to the victim over the network connection. Non-staged payloads are fully self-contained. The advantage to staged payloads is that they can fit into very small sections of memory, but they're not always as reliable.

You can read more here:
http://www.room362.com/blog/2011/6/26/metasploit-payloads-explained-part-1.html
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jan 24, 2013 10:33 am

Re: Metasploit payload question

Great article, thanks!

One thing that isn't immediately obvious is another marker of staged vs. singles:

osx/ppc/shell/reverse_tcp

osx/ppc/shell_reverse_tcp

The difference between these two payloads isn't obvious other than the fact that one has an underscore '_' instead of a forward slash '/'. The one with the underscore means it's a single while the other is staged.

I already knew about staged, stagers and singles, but I didn't know about the / and the _. I also figured out what "piped" meant.

Thanks again ziggy_567
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
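The slash-versus-underscore rule from the post above, written up as a small Python parser. This is added example code, not part of the thread and not Metasploit's own code; the handler list is an assumed subset of stager names, and it is only meant to show how the naming convention tells a staged payload apart from a single.

```python
from dataclasses import dataclass

# Assumed subset of stager/handler names seen in Metasploit payload paths;
# extend as needed. Longer names go first so suffix matching is unambiguous.
KNOWN_HANDLERS = ("reverse_https", "reverse_http", "reverse_tcp", "bind_tcp")


@dataclass
class PayloadName:
    platform: str   # e.g. "windows" or "osx/ppc" (platform plus optional arch)
    stage: str      # e.g. "shell", "meterpreter"
    handler: str    # e.g. "bind_tcp", "reverse_tcp"
    staged: bool    # True when stage and stager are separate path components


def parse_payload_name(name: str) -> PayloadName:
    """Classify a Metasploit payload path as staged or single.

    Staged:  stage and stager are separate components, e.g. windows/shell/bind_tcp
    Single:  the final component joins them with '_', e.g. windows/shell_bind_tcp
    """
    parts = name.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    last = parts[-1]
    # Staged: last component is a bare handler name, the one before it is the stage.
    if last in KNOWN_HANDLERS and len(parts) >= 3:
        return PayloadName("/".join(parts[:-2]), parts[-2], last, staged=True)
    # Single: last component is "<stage>_<handler>".
    for handler in KNOWN_HANDLERS:
        suffix = "_" + handler
        if last.endswith(suffix) and len(last) > len(suffix):
            stage = last[: -len(suffix)]
            return PayloadName("/".join(parts[:-1]), stage, handler, staged=False)
    raise ValueError(f"unrecognised payload naming: {name!r}")


def describe(name: str) -> str:
    p = parse_payload_name(name)
    kind = "staged (stager fetches the stage)" if p.staged else "single (self-contained)"
    return f"{name}: platform={p.platform} stage={p.stage} handler={p.handler} -> {kind}"


if __name__ == "__main__":
    # The four payload names discussed in this thread.
    for n in ("windows/shell/bind_tcp", "windows/shell_bind_tcp",
              "osx/ppc/shell/reverse_tcp", "osx/ppc/shell_reverse_tcp"):
        print(describe(n))
```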

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu Jan 24, 2013 11:00 am

Re: Metasploit payload question

I guess I should read your posts more carefully! I didn't pick up on the "piped" part of the question!  ;D
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
