1
00:00:00,750 --> 00:00:07,980
A payload is a piece of code that executes on a target system, and it helps us carry out some of the

2
00:00:07,980 --> 00:00:14,040
operations, such as connecting to the command line of the target after a successful exploitation.

3
00:00:14,980 --> 00:00:19,720
To basically understand what a payload does, let's consider a real-world example.

4
00:00:20,650 --> 00:00:25,830
So I want to show you an example that I heard before, which helps me understand it as well.

5
00:00:26,770 --> 00:00:32,170
Payloads are kind of like the explosive material that's in the head of a missile.

6
00:00:33,590 --> 00:00:39,710
When the missile hits the target, the explosive material causes the damage desired by the owner.

7
00:00:40,760 --> 00:00:46,220
Now the owner of the missile can change the explosive material, as well as the payload.

8
00:00:47,270 --> 00:00:52,320
So that's the way that the Metasploit framework works with payloads.

9
00:00:52,640 --> 00:00:56,300
It allows you to perform some operations on the target system.

10
00:00:57,560 --> 00:01:05,090
For example, reverse shell is a payload that creates a connection from the target machine back to you

11
00:01:05,330 --> 00:01:13,970
as a Windows command prompt, whereas a bind shell is a payload that binds a command prompt to a listening

12
00:01:13,970 --> 00:01:18,500
port on the target machine, which you can then connect to.

13
00:01:20,060 --> 00:01:26,180
This screenshot shows various categories of payload modules present in the Metasploit framework.

14
00:01:27,500 --> 00:01:31,880
So I'm going to go to the Metasploit directory to view payloads.

15
00:01:34,650 --> 00:01:36,780
I'm using Kali, to be clear.

16
00:01:38,260 --> 00:01:40,990
And here, under the payload folder,

17
00:01:42,030 --> 00:01:48,900
you're going to see three different kinds of folders, named singles, stagers and stages.

18
00:01:50,450 --> 00:01:52,340
These are the main payload types.

19
00:01:54,010 --> 00:02:01,930
Singles are the payloads that consist of the exploit and the required shellcode, which means they have

20
00:02:01,930 --> 00:02:05,970
everything that is required to exploit the vulnerability on the target.

21
00:02:07,880 --> 00:02:11,030
Naturally, the size of these payloads is pretty big.

22
00:02:12,240 --> 00:02:15,870
That's not going to be good if you want to be stealthy.

23
00:02:18,330 --> 00:02:23,250
So, for example, this one: meterpreter reverse TCP.

24
00:02:26,890 --> 00:02:32,460
And stagers. Just so you know, sometimes size really matters.

25
00:02:33,690 --> 00:02:38,220
OK, the stagers payload comes in handy in such a situation.

26
00:02:39,230 --> 00:02:41,480
So they don't have the exploit code.

27
00:02:42,690 --> 00:02:47,310
That means they're going to be smaller in size, and it's going to be in many other tests.

28
00:02:48,980 --> 00:02:54,640
Like this one: bind TCP and reverse TCP.

29
00:02:56,670 --> 00:03:05,310
And then finally, stages. After the stagers communicate with a target system, stages are then uploaded

30
00:03:05,310 --> 00:03:11,770
to the target system to do the actual actions desired by the penetration tester or attacker.

31
00:03:12,540 --> 00:03:17,550
And here you see the Meterpreter payload, which is the most used stages payload.

32
00:03:19,370 --> 00:03:24,980
And you'll use it in many exploits, but we're going to get to that in some of the later sections.

33
00:03:25,850 --> 00:03:26,270
All right.

34
00:03:26,270 --> 00:03:29,330
So that's enough theory, don't you think?

35
00:03:31,190 --> 00:03:32,900
So open up your terminal again.

36
00:03:34,420 --> 00:03:39,010
And just like before, when you used an auxiliary module, usage is the same.

37
00:03:40,280 --> 00:03:42,710
Use, and then the payload name.

38
00:03:43,630 --> 00:03:47,950
Use payload windows meterpreter

39
00:03:50,170 --> 00:03:52,000
bind TCP.

40
00:03:53,620 --> 00:04:01,960
Now, let me tell you an important point here: bind TCP payloads make the attacking machine directly

41
00:04:01,960 --> 00:04:03,280
connect to the target.

42
00:04:04,960 --> 00:04:07,780
So when you show the options of this module,

43
00:04:08,930 --> 00:04:12,650
there will be RHOST and RPORT variables.

44
00:04:13,900 --> 00:04:17,670
RHOST defines the address of the target machine.

45
00:04:18,560 --> 00:04:22,280
In this case, it is the IP address of Metasploitable 2.

46
00:04:23,540 --> 00:04:30,080
And LPORT is the port number on the attacking machine that the attacking machine will listen on.

47
00:04:30,960 --> 00:04:38,100
And then, on the other hand, there are reverse TCP connections. Shall I show you both ways?

48
00:04:39,860 --> 00:04:41,450
Use payload

49
00:04:42,460 --> 00:04:44,290
windows meterpreter

50
00:04:47,110 --> 00:04:49,150
reverse TCP.

51
00:04:50,520 --> 00:04:58,560
When you show the options, you will see the LHOST and LPORT variables, so in this case, LHOST

52
00:04:58,560 --> 00:05:03,780
is the IP address of the Kali that the target will connect back to.

53
00:05:04,800 --> 00:05:11,670
And LPORT is the port number on the Kali that will listen for incoming connections from the target.

54
00:05:12,820 --> 00:05:15,700
So I'm going to set RHOST as my IP address.

55
00:05:16,240 --> 00:05:19,060
Let me check my address on a new tab.

56
00:05:19,060 --> 00:05:19,990
Just want to be sure.

57
00:05:21,830 --> 00:05:24,960
OK, ten, ten, two, naught one.

58
00:05:24,980 --> 00:05:26,330
One is my IP.

59
00:05:30,670 --> 00:05:36,880
And I'll set RPORT to four four four five; then you can use run.

60
00:05:38,000 --> 00:05:42,890
Or generate, as a command to generate the shellcode of this payload.

61
00:05:44,460 --> 00:05:50,010
So this is the payload, and by scrolling down, you can view just how long it is.

62
00:05:51,170 --> 00:05:54,920
But see, now you can use it as an exploit code.

63
00:05:56,050 --> 00:06:00,250
But you're not going to work that way in this course. I'll tell you why coming up.