Stager Modules

Maxime Landon edited this page Mar 5, 2020 · 7 revisions

Because Wiregost integrates all payloads from Sliver, it also integrates Sliver's stager payloads and their listeners.

Types of Stager Modules

Available in Wiregost:

  • stager/reverse_tcp - Stager served through TCP
  • stager/reverse_http - Stager served through HTTP
  • stager/reverse_https - Stager served through HTTPS

Setup & Staging Process

The staging process in Wiregost is as follows:

Stage

  1. With a multi/single/reverse payload module, an implant is generated in shellcode/shared_library format.
  2. A listener is started, ready to accept connections from the implant.

Stager

  1. A multi/stager/reverse module is loaded.
  2. A stager is generated with the MSFvenom utility, with an lhost/lport address and a protocol (tcp/http/https).
  3. A staging listener, holding the implant generated in 1) in the form of bytes, is started and listens for incoming connections.

Execution

  1. The stager code is executed on a target, and connects back to the staging listener.
  2. The staging listener sends its implant as bytes.
  3. The stager executes these bytes, thus instantiating a new Ghost implant.
  4. This new implant connects back to its listener started in 2).

Example

Below is an example of the previously described process:

1,2) Generate an implant in shared_library format, and start its associated listener:

  • We set the listener's options, and run it
  • We set the Format to shared_library and the Domains to the callback domain (the same as the listener's), then 'run' to compile the implant

[Screenshot: http-dll-stage]

3) A TCP stager module is loaded, and we check its options:

  • We set the staging listener LHost:LPort, and set it as a persistent listener
  • We give it the newly generated implant (notice the completion, which only proposes implants that are in the correct format)

[Screenshot: tcp-stager-module1]

4) We start this listener:

[Screenshot: tcp-stager-listener]

5) A stager is generated (using the msfvenom program and the module's options), and we save the output to a file:

  • We set the Arch, LHost and LPort the stager calls back to
  • We give it the Stage config of our shared_library implant, so that it knows which code to handle.
  • We save it as metasploitable3_stager.bin, and use this transform code in a script.

[Screenshot: generate-tcp-stager]

6,7) We execute the stager script on the target, but we won't see the staging listener serving its payload...

8,9) The stager executes the bytes it just received, and thus instantiates a new implant session, which connects back to its listener started in 1):

[Screenshot: tcp-stage-server]