Understand and Use Staged vs Stageless Payloads in Metasploit


Introduction

In the world of penetration testing with the Metasploit Framework, a payload is the code that runs on the target system after a vulnerability has been successfully exploited. Understanding the different types of payloads is crucial for a successful engagement. The two primary categories of payloads are "staged" and "stageless."

A staged payload is sent in two parts: a small initial "stager" and a larger, final "stage." The stager's job is to establish a connection back to the attacker's machine and then download the rest of the payload. A stageless payload, on the other hand, is a single, self-contained package that includes all the necessary code to execute on the target.

In this lab, you will get hands-on experience with both types. You will use the Metasploit console to select each payload type, observe their key differences, particularly in size, and learn about the pros and cons of using each one.

Select an exploit and a staged payload like windows/meterpreter/reverse_tcp

In this step, you will launch the Metasploit Framework console and select a generic exploit handler. Then, you will configure it to use a common staged payload. We use the exploit/multi/handler module because it's a universal listener, perfect for demonstrating payloads without needing a specific vulnerable target.

First, open your terminal and start the Metasploit console. We'll use the -q (quiet) flag to skip the startup banner.

msfconsole -q

Once you see the Metasploit prompt (msf6 >), you need to select the exploit handler.

use exploit/multi/handler

Next, let's set the payload. A staged payload's name is typically formatted as platform/stage/stager. For example, windows/meterpreter/reverse_tcp means the platform is Windows, the final payload (stage) is Meterpreter, and the initial connection method (stager) is a reverse TCP connection back to the handler.

Set the staged payload with the following command:

set payload windows/meterpreter/reverse_tcp

You will see a confirmation message payload => windows/meterpreter/reverse_tcp. To be sure, you can view the current configuration.

show options

You will see the payload listed in the options. We don't need to set LHOST or LPORT because we are not actually running the exploit; we are just examining the payload's properties.

msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Observe the small size of the staged payload

In this step, you will use the info command to inspect the details of the staged payload you selected. The most important detail to notice is its size.

While still in the Metasploit console with the windows/meterpreter/reverse_tcp payload selected, type the info command:

info

Metasploit will display detailed information about the payload, including its name, platform, architecture, and size. Scroll through the output and find the "Total size" line.

msf6 exploit(multi/handler) > info

       Name: Windows Meterpreter, Reverse TCP Stager
     Module: payload/windows/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 354
       Rank: Normal

Provided by:
  skape <stephen_fewer@harmonysecurity.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Description:
  Connect back to the attacker and spawn a Meterpreter server (staged).
  Listen for a connection from the stager and send the second stage.

Notice that the Total size is very small (e.g., 354 bytes). This is the key characteristic of a staged payload. This small piece of code, the stager, is designed only to connect back to your machine and download the much larger Meterpreter stage. This small size makes it ideal for fitting into tight memory constraints of certain exploits.

Select the same exploit and a stageless payload like windows/meterpreter_reverse_tcp

Now, let's switch to a stageless payload to see the difference. A stageless payload's name is typically formatted as platform/payload_type, using an underscore _ instead of a second slash /. This naming convention helps you quickly identify them.

In the same msfconsole session, use the set payload command again, but this time for the stageless version: windows/meterpreter_reverse_tcp.

set payload windows/meterpreter_reverse_tcp

You will see the confirmation payload => windows/meterpreter_reverse_tcp. Notice the underscore in the name. This single payload contains the full Meterpreter server and the connection logic all in one package.

Let's check the options again to confirm the change.

show options

The output will now reflect the newly selected stageless payload.

msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

...

You have now successfully switched from a staged to a stageless payload.

Observe the larger size of the stageless payload

In this step, you will inspect the stageless payload you just selected and compare its size to the staged payload from Step 2.

Just as before, use the info command to get details about the current payload.

info

Examine the output and locate the "Total size" line.

msf6 exploit(multi/handler) > info

       Name: Windows Meterpreter, Reverse TCP Inline
     Module: payload/windows/meterpreter_reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 999335
       Rank: Normal

Provided by:
  skape <stephen_fewer@harmonysecurity.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Description:
  Connect back to the attacker and spawn a Meterpreter server (inline).
  This payload is a single executable and does not need to download a
  second stage.

As you can see, the Total size is dramatically larger (e.g., 999335 bytes or nearly 1 MB) compared to the staged payload's size of a few hundred bytes. This is because the stageless payload contains the entire Meterpreter functionality. It doesn't need to download anything else after execution.
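The two things this lab has you check by hand, the naming rule (platform/stage/stager versus platform/stage_stager, from Steps 1 and 3) and the "Total size" line in the info output (Steps 2 and 4), are easy to automate when you are cataloguing many payloads. The script below is an added example written for this page; it is not part of the lab and not Metasploit code. It parses payload names with the lab's naming rule, extracts the size and kind from the info output (the two sample outputs embedded below are copied from the lab's own console output above), and cross-checks that the name-based classification agrees with what Metasploit reports. The ARCH_TOKENS list and the extra payload names used in comments are illustrative assumptions; names outside the platform[/arch]/... layout are rejected rather than guessed.

```python
"""Classify Metasploit payload names and compare stager vs. inline sizes.

Added example for this lab (not lab code, not Metasploit code). The two
`info` samples are copied from the lab's console output; ARCH_TOKENS is an
illustrative assumption rather than Metasploit's authoritative list.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sub-platform tokens that may follow the platform component in a payload
# name (windows/x64/..., linux/x86/...). Assumption: illustrative only.
ARCH_TOKENS = {"x86", "x64", "aarch64", "armle", "armbe", "mipsbe", "mipsle", "ppc", "ppc64"}


@dataclass(frozen=True)
class PayloadName:
    platform: str          # "windows" or "windows/x64"
    stage: str             # "meterpreter"
    stager: Optional[str]  # "reverse_tcp"; None when the name has no transport part
    staged: bool           # True for platform/stage/stager, False for platform/stage_stager


def parse_payload_name(name: str) -> PayloadName:
    """Apply the lab's naming rule: a second slash means staged,
    an underscore in a single trailing component means stageless."""
    parts = name.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload name: {name!r}")
    platform, rest = parts[0], parts[1:]
    if rest[0] in ARCH_TOKENS:              # fold an arch component into the platform
        platform, rest = f"{platform}/{rest[0]}", rest[1:]
    if len(rest) == 2:                      # platform/stage/stager
        return PayloadName(platform, rest[0], rest[1], staged=True)
    if len(rest) == 1:                      # platform/stage_stager or platform/single
        stage, sep, stager = rest[0].partition("_")
        return PayloadName(platform, stage, stager if sep else None, staged=False)
    # Other layouts (for example the cmd/unix/* family) are not covered by this
    # heuristic; rely on the Name line of `info` for those instead of guessing.
    raise ValueError(f"unrecognised payload layout: {name!r}")


# Copied from the lab's `info` output for the two payloads (header portion).
STAGED_INFO = """
       Name: Windows Meterpreter, Reverse TCP Stager
     Module: payload/windows/meterpreter/reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 354
       Rank: Normal
"""

STAGELESS_INFO = """
       Name: Windows Meterpreter, Reverse TCP Inline
     Module: payload/windows/meterpreter_reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 999335
       Rank: Normal
"""

_INFO_FIELDS = {
    "name": re.compile(r"^\s*Name:\s*(.+?)\s*$", re.M),
    "module": re.compile(r"^\s*Module:\s*(\S+)", re.M),
    "arch": re.compile(r"^\s*Arch:\s*(\S+)", re.M),
    "total_size": re.compile(r"^\s*Total size:\s*(\d+)", re.M),
}


def parse_info(info_text: str) -> dict:
    """Extract the fields the lab looks at from msfconsole `info` output."""
    out = {}
    for key, rx in _INFO_FIELDS.items():
        m = rx.search(info_text)
        if not m:
            raise ValueError(f"missing {key!r} in info output")
        out[key] = int(m.group(1)) if key == "total_size" else m.group(1)
    # Metasploit names stagers "... Stager" and single payloads "... Inline".
    if "Stager" in out["name"]:
        out["kind"] = "staged"
    elif "Inline" in out["name"]:
        out["kind"] = "stageless"
    else:
        out["kind"] = "unknown"
    return out


def compare_sizes(staged_text: str, stageless_text: str) -> dict:
    """Compare two `info` outputs and confirm the name rule matches Metasploit's own label."""
    a, b = parse_info(staged_text), parse_info(stageless_text)
    name_a = parse_payload_name(a["module"].removeprefix("payload/"))
    name_b = parse_payload_name(b["module"].removeprefix("payload/"))
    return {
        "staged_bytes": a["total_size"],
        "stageless_bytes": b["total_size"],
        "ratio": b["total_size"] / a["total_size"],
        "consistent": name_a.staged and a["kind"] == "staged"
                      and not name_b.staged and b["kind"] == "stageless",
    }


if __name__ == "__main__":
    result = compare_sizes(STAGED_INFO, STAGELESS_INFO)
    print(f"stager: {result['staged_bytes']} bytes, inline: {result['stageless_bytes']} bytes, "
          f"inline is {result['ratio']:.0f}x larger, labels consistent: {result['consistent']}")
```

For the lab's two payloads the script reports 354 bytes against 999335 bytes, roughly a 2823x difference, and confirms that the slash/underscore rule and Metasploit's own "Stager"/"Inline" labels agree. To check more payloads, paste each one's info output in place of the constants.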

Now that you've seen the primary difference, you can exit the Metasploit console.

exit

Discuss the pros and cons of each payload type

In this final step, we will summarize the advantages and disadvantages of both staged and stageless payloads. Understanding these trade-offs is key to choosing the right tool for a specific scenario. There are no commands to run in this step; it is for conceptual understanding.

Staged Payloads (e.g., windows/meterpreter/reverse_tcp)

Pros:

  • Small Size: The initial stager is very small. This is a significant advantage when the exploit has a very limited buffer size or memory space for the payload.
  • Stealth (Initial Stage): The small stager might be less likely to be flagged by simple signature-based antivirus solutions compared to a large, feature-rich payload.

Cons:

  • Multiple Connections: They require a second connection to download the main stage. This creates more network traffic and provides another opportunity for firewalls, Intrusion Detection Systems (IDS), or network administrators to detect and block the attack.
  • Less Stable: The connection can be fragile. If the connection drops while the second stage is being downloaded, the exploit will fail.
  • Callback Issues: The target machine must be able to reach the attacker's machine over the network to download the stage, which can be a problem in highly restricted networks.

Stageless Payloads (e.g., windows/meterpreter_reverse_tcp)

Pros:

  • Reliability & Stability: Because everything is in one package, the payload is more self-contained and stable. It only needs to establish one connection, and once it's running, it doesn't depend on downloading more components.
  • Works in Restricted Environments: Once the payload is delivered to the target, it can execute without needing to download anything else, which is useful if the target has limited or no outbound internet access.

Cons:

  • Large Size: Their large size is their biggest drawback. They may not fit into the memory space allowed by many exploits, making them unusable in those cases.
  • Easier to Detect: A large, single executable is often easier for antivirus and security solutions to analyze and flag as malicious based on its size and signatures.

In summary, you should choose a staged payload when dealing with exploits that have size constraints. Choose a stageless payload when reliability is paramount and the exploit method can handle a larger payload size.

Summary

In this lab, you have explored the fundamental difference between staged and stageless payloads within the Metasploit Framework.

You started by launching msfconsole and selecting a staged payload, windows/meterpreter/reverse_tcp. You observed its very small size, which is designed to be a lightweight stager. Then, you switched to its stageless counterpart, windows/meterpreter_reverse_tcp, and noted its significantly larger size, as it contains the entire payload in a single package.

Finally, you reviewed the pros and cons of each type, learning that the choice between them involves a trade-off between size, stealth, and reliability. Staged payloads are small but require a second connection, while stageless payloads are large but more stable and self-contained. This knowledge is essential for making effective decisions during penetration testing engagements.