Payloads

A payload is the code that an exploit delivers to the target system or application in order to perform an action of our choice. Payloads are divided into three main types: singles, stagers, and stages. These are defined as follows:

  • Singles: These payloads are self-contained and are usually used to perform simple tasks, such as opening notepad.exe, adding a user, and so on.
  • Stagers: These set up a connection between the attacker's and the victim's systems, over which the stage is then downloaded to the victim's machine.
  • Stages: These are the payload components delivered by a stager; they provide the actual features and, because they are not embedded in the exploit, are not subject to its size limit. Meterpreter is an example of a stage.

In addition to these, the following payload types are distinguished:

  • Inline (non-staged): This is a single exploit containing the full shellcode to perform a specific task.
  • Stager: This works along with stage payloads to perform a specific task. The stager establishes a communication channel between the attacker and the victim and sends a stage payload to execute on the remote host.
  • Meterpreter: This operates through DLL injection, runs entirely in memory, and leaves no traces on the hard disk.
  • PassiveX: This uses an ActiveX control to create a hidden instance of Internet Explorer, through which it communicates with the attacker via HTTP requests and responses.
  • NoNX: This is used to bypass DEP (Data Execution Prevention).
  • Ord: These are extremely small payloads that work on all versions of Windows. However, they are unstable and rely on ws2_32.dll already being loaded in the exploited process.
  • IPv6: This is built to work on IPv6 hosts.
  • Reflective DLL injection: This technique, created by Stephen Fewer, injects a stage payload into a compromised host process entirely in memory, never touching the host's hard drive.

To view a complete list of payloads, we can use the show payloads command:

From the preceding command, we can see that there are payloads of every kind for all platforms. The most commonly used of these is meterpreter/reverse_tcp.

However, in a red-team activity, this payload is not recommended. We will read more about this in further chapters.
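The staged/inline distinction above can be read directly off the names that show payloads prints: Metasploit writes a staged payload as platform/stage/stager (windows/meterpreter/reverse_tcp) and an inline one with an underscore joining stage and transport (windows/meterpreter_reverse_tcp). The following classifier is an added example, not code from the book or from Metasploit; the listing it parses is constructed, and the set of stager names is an assumption covering only the common transports.

```python
"""Classify Metasploit payload names into singles (inline) and staged payloads
using the naming convention: platform/stage/stager is staged,
platform/stage_transport or platform/task is a single. Added example."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout 'show payloads' prints (name, rank, description).
SAMPLE_LISTING = """
windows/meterpreter/reverse_tcp          normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter_reverse_tcp          normal  Windows Meterpreter Shell, Reverse TCP Inline
windows/shell/reverse_tcp                normal  Windows Command Shell, Reverse TCP Stager
windows/shell_reverse_tcp                normal  Windows Command Shell, Reverse TCP Inline
windows/adduser                          normal  Windows Execute net user /ADD
windows/x64/meterpreter/reverse_https    normal  Windows x64 Meterpreter, Reverse HTTPS Stager
"""

# Assumption: the common stager/transport names; extend as needed.
STAGERS = {"reverse_tcp", "bind_tcp", "reverse_http", "reverse_https"}


@dataclass
class Payload:
    name: str
    kind: str                 # "staged" (stager + downloaded stage) or "single" (inline)
    stage: str                # the stage or task component, e.g. "meterpreter", "adduser"
    transport: Optional[str]  # stager name, or None for a task-only single


def classify(name: str) -> Payload:
    """Apply the naming convention to one payload path."""
    parts = name.split("/")
    last = parts[-1]
    if len(parts) >= 3 and last in STAGERS:      # platform/.../stage/stager
        return Payload(name, "staged", parts[-2], last)
    for stager in STAGERS:                       # platform/stage_transport (inline)
        if last.endswith("_" + stager):
            return Payload(name, "single", last[: -len(stager) - 1], stager)
    return Payload(name, "single", last, None)   # task-only single, e.g. adduser


def parse_listing(text: str) -> List[Payload]:
    """Pick the payload name (first column) out of each listing line and classify it."""
    payloads = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and "/" in fields[0]:
            payloads.append(classify(fields[0]))
    return payloads


def summarize(payloads: List[Payload]) -> dict:
    """Count how many staged and inline payloads a listing contains."""
    counts = {"staged": 0, "single": 0}
    for p in payloads:
        counts[p.kind] += 1
    return counts
```

Running parse_listing over real show payloads output shows at a glance which entries carry their full shellcode inline and which depend on a stager fetching the stage after the initial connection.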