4. Payload Delivery

Course Description

This module will look at how payloads are delivered, and some of the methods that are used to exfiltrate information. The simulation covers an example of how a simple pivot network exploit works. 

  • Payload Delivery Methods  
  • Exfiltration  
  • Pivot Networks 

Intended Audience  

Although perceived as an IT issue, cyber security is, in fact, a subject relevant to all business units. Cyber Primer is aimed at anyone with an interest in cyber security, whether they are looking to pursue a career as a penetration tester, or just want to get a feel for the world of cyber security.  


There are no prerequisites for this course; however, participants are expected to have a basic understanding of computers and the internet.


We welcome all feedback and suggestions - please contact us at to let us know what you think.


Crafting a payload is one thing, but delivering it is another thing altogether. Unfortunately, the attacker has a much easier job than the defenders do. Defenders must identify all of the ways that the system can be accessed, then limit and control that access in such a way as to only allow legitimate use of the system. In this module, you'll cover three common vectors of delivery, and how payloads are uploaded to targets. Following this video, you'll be shown how to deliver a payload in simulation videos. Delivery of a payload can occur in all manner of ways. Traditionally, security was focused on preventing malicious executables from being downloaded, or transferred from media like USB or CD. Now, information security professionals must consider every input of a computer as a potential vulnerability. For example, a keyboard can be used to deliver payloads that cannot be scanned by antivirus. Network interfaces, which can be hardware like an ethernet input, or software based like an API, can be used to deliver malicious payloads. Network interfaces can be used in line with regular downloads; however, they can also be used to undermine encrypted connections to uncover usernames and passwords. Even the monitor video cable can be targeted to view the contents of the screen by demodulating the video signals remotely. Defenders must identify all of these different vectors, and prevent a breach occurring by securing them. For those inputs that cannot be secured, we must ensure robust logging takes place that will allow us to detect when that input is being abused. The defenders have a much harder task than their adversaries in this regard, unfortunately, due to the huge range of inputs that both machines and the applications running on them accept and process. Let's now take a look at some of the interfaces that are vulnerable to attack.
As the risks of different forms of interface devices have grown, these devices are routinely blocked by user access controls, such as Windows' Active Directory Group Policy, which restricts what users can and can't do on a network. However, not all forms of interfaced devices can be restricted. If a device connects as a network interface, or human interface device, the system cannot scan the device for malware. Network interfaces are also able to abuse the way that operating systems automatically negotiate connections, allowing a compromised USB or connected ethernet device to become a proxy server for all requests that leave the machine. USB can be abused in a whole host of ways. USB attack platforms can declare themselves as new network interfaces, which allow an attacker to compromise web browsers that are left open on locked machines. Connecting this way also allows exfiltration of data out of band, meaning you won't see your information assets leave the company if the compromised USB device contains its own means of exfiltrating data, via 4G or Wi-Fi as an example. USB attack platforms can also declare themselves as HID devices to quickly type out the payload and execute it. If your machine trusts your input through the keyboard, then it will also trust the input from an HID attack. These forms of attack are known as BadUSB. The company Hak5 produces a USB device called the Rubber Ducky that disguises itself as a keyboard interface, and infiltrates a system in a few minutes. Networks remain one of the largest and easiest attack surfaces to compromise within an organization. Services that are listening for an incoming connection may be exploited from a great distance, using a buffer overflow or online password attack. It is possible to fingerprint these attacks, and block them before they reach the target. For outgoing connections, however, this becomes more difficult.
Due to the use of TCP/IP, DNS, and the Address Resolution Protocol, ARP, on almost all networks, we can get in between a secure connection, and undermine encryption like Transport Layer Security, TLS, to reveal sensitive data, passwords, and online activity. Being able to undermine the network at layer two of the TCP/IP suite through ARP allows an attacker to compromise all higher protocols, including TLS, even where HTTP Strict Transport Security, HSTS, attempts to enforce it. An attacker can compromise the network by abusing network layer protocols, such as ARP, and convince all of the devices in the LAN that their gateway, the place they send their outbound requests from the LAN, now has a new layer two address. The attacker can then route all of the traffic back to their machine. Once the traffic moves through the machine, the threat actor can undermine encryption, such as TLS, and intercept any credentials that may be passed, say, to the internal HR team. This could include secure banking pages, email and so on. They can also compromise the integrity of any downloaded files. This allows the attacker to inject, in real time, payloads into any executables that are downloaded. If a vulnerability in the outgoing protocols is found, all data entering and leaving the victim machine can be intercepted. A threat actor can now intercept, and infect, any executable file that is downloaded. Now that you've understood how a network could be made vulnerable to attack, let's look at how payloads can actually be delivered to target machines. There are multiple ways to gain access to deliver an attack. You'll now see what client side, man-in-the-middle, MITM, and pivot exploration methods are, to name a few. You'll see how these methods can be used in tandem to first compromise a device, and then a network. Let's first look at man-in-the-middle attacks.
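The gateway ARP poisoning described above can be spotted from the defender's side by watching ARP replies for IP-to-MAC bindings that change, and for one MAC answering on behalf of several hosts. The following Python script is an added example, not part of the course; the ARP replies and addresses in it are constructed sample data, and 192.168.1.1 being the gateway is an assumption.

```python
"""Detect ARP poisoning of the gateway from a stream of ARP replies.

Added example, not from the course. The replies and addresses below
are constructed sample data; 192.168.1.1 is assumed to be the gateway.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway address (constructed)

# Constructed sample of ARP "is-at" replies as (sender_ip, sender_mac).
# Replies 4-6 show a second MAC claiming the gateway and then a workstation.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP, different MAC
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now also claims .20
    ("192.168.1.1", "de:ad:be:ef:00:99"),
]


def detect_arp_spoof(replies, gateway_ip, trusted=None):
    """Return alerts for IP->MAC binding changes and for one MAC claiming
    several IPs. `trusted` may seed known-good bindings (e.g. from DHCP
    leases); otherwise the first MAC seen for an IP is taken as baseline."""
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    claimed = defaultdict(set)   # mac -> set of IPs it has answered for
    reported = set()             # dedupe: alert once per (ip, mac) or mac
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        claimed[mac].add(ip)
        if ip not in bindings:
            bindings[ip] = mac
        elif bindings[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"type": "binding_change",
                           "severity": "HIGH" if ip == gateway_ip else "MEDIUM",
                           "ip": ip, "expected": bindings[ip], "seen": mac})
        if len(claimed[mac]) > 1 and ("multi", mac) not in reported:
            reported.add(("multi", mac))
            alerts.append({"type": "mac_claims_multiple_ips", "severity": "HIGH",
                           "mac": mac, "ips": sorted(claimed[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print(alert)
```

A MAC that legitimately answers for several IPs (a router with secondary addresses, a virtualisation host) will also trigger the second check, so seed `trusted` from your inventory or DHCP leases before relying on it.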
Sometimes, a machine will have been secured to the point of leaving no ports exposed. However, that machine will, at some point, need to request and process some information from somewhere. Let's say we're the attacker, the man-in-the-middle. If we can have the target request some information from us, then we can deliver an exploit, and usually circumvent any kind of firewall, as the request originated from the trusted zone of the network. This is why it is known as a man-in-the-middle attack, or MITM. The threat actor is intercepting communications, and changing them. There are multiple ways that client side attacks work. Put simply, a client side attack is when the client, a trusted OS, website or application, is compromised, giving the attacker access to a network. In this attack, an attacker will look at how they can compromise a machine without any services listening on TCP ports. To do this, an attacker must leverage a vulnerability in the client side software. There are multiple ways to do this. A user can be manipulated to open a compromised document that launches a malicious payload. The attacker could also target the victim's web browser. The advantage of compromising the web browser is that if the attacker can get close enough to the victim, there need not be any user interaction. This is the case with a PDF exploit, where the victim opens a legitimate looking PDF document that is loaded with malware that infects the target device. Furthermore, we can eliminate the need for user interaction altogether by combining some of the techniques from our MITM attacks. By poisoning ARP and spoofing DNS, we can have the browser request the malicious payload from us once the victim requests access to a web page. Once an attacker has compromised a machine, and traversed an organization's perimeter defenses, they can then begin exploring the rest of the network. The compromised machine can now be used as a kind of proxy server.
It can deliver attacks to other machines inside the target network. The new machines may also be able to see attached networks that were not previously visible. Using these machines, access to a chain of compromised machines is available. Moving from one machine to another like this is called pivoting. It can be used to exfiltrate information assets through this chain of compromised machines right out the front door. A similar method was used by a group of teenagers who hacked the Xbox 360 developer network. The teenagers managed to move between different games' developers, and stole millions in assets covertly for several years. In this video, you've looked at the risks of interfaces, including human interface devices, and network interfaces, and three forms of payload delivery, including man-in-the-middle attacks, client side attacks and pivot exploration. You'll now have the opportunity to attempt the delivery of a payload. Watch the simulation videos, and then have a go yourself.

About the Author

Originating from a systems administration/network architecture career, he spent a solid part of his career building networks for educational institutes. With security being a mainstay of his implementations, he grew a strong passion for everything cyber orientated, especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco Global Cybersecurity Scholarship, a CCNA Cyber Ops holder, and was elected for the CCNP Cyber Ops program.