Metasploit_Payloads_Encoders_Modules
```
localhost:~ yuanjizhao$ msfvenom -l encoders

Framework Encoders [--encoder <value>]
======================================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/brace                     low        Bash Brace Expansion Command Encoder
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Bourne ${IFS} Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    ruby/base64                   great      Ruby Base64 Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot              manual     BMP Polyglot
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/service                   manual     Register Service
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic               normal     Dynamic key XOR Encoder
```
```
localhost:~ yuanjizhao$ msfvenom -l platforms

Framework Platforms [--platform <value>]
========================================

    Name
    ----
    aix
    android
    apple_ios
    bsd
    bsdi
    cisco
    firefox
    freebsd
    hardware
    hpux
    irix
    java
    javascript
    juniper
    linux
    mainframe
    multi
    netbsd
    netware
    nodejs
    openbsd
    osx
    php
    python
    r
    ruby
    solaris
    unifi
    unix
    unknown
    windows
```
```
localhost:~ yuanjizhao$ msfvenom -l archs

Framework Architectures [--arch <value>]
========================================

    Name
    ----
    aarch64
    armbe
    armle
    cbea
    cbea64
    cmd
    dalvik
    firefox
    java
    mips
    mips64
    mips64le
    mipsbe
    mipsle
    nodejs
    php
    ppc
    ppc64
    ppc64le
    ppce500v2
    python
    r
    ruby
    sparc
    sparc64
    tty
    x64
    x86
    x86_64
    zarch
```
```
localhost:~ yuanjizhao$ msfvenom -l encrypt

Framework Encryption Formats [--encrypt <value>]
================================================

    Name
    ----
    aes256
    base64
    rc4
    xor
```
```
localhost:~ yuanjizhao$ msfvenom -l formats

Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    bash
    c
    csharp
    dw
    dword
    hex
    java
    js_be
    js_le
    num
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    sh
    vbapplication
    vbscript
```
```
localhost:~ yuanjizhao$ msfvenom -l nops

Framework NOPs (10 total)
=========================

    Name             Description
    ----             -----------
    aarch64/simple   Simple NOP generator
    armle/simple     Simple NOP generator
    mipsbe/better    Better NOP generator
    php/generic      Generates harmless padding for PHP scripts
    ppc/simple       Simple NOP generator
    sparc/random     SPARC NOP generator
    tty/generic      Generates harmless padding for TTY input
    x64/simple       An x64 single/multi byte NOP instruction generator.
    x86/opty2        Opty2 multi-byte NOP generator
    x86/single_byte  Single-byte NOP generator
```
```
localhost:~ yuanjizhao$ msfvenom
Error: No options
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /opt/metasploit-framework/bin/../embedded/framework/msfvenom [options] <var=val>
Example: /opt/metasploit-framework/bin/../embedded/framework/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list <type>             List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload <payload>       Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options            List --payload <value>'s standard, advanced and evasion options
    -f, --format <format>         Output format (use --list formats to list)
    -e, --encoder <encoder>       The encoder to use (use --list encoders to list)
        --sec-name <value>        The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                Generate the smallest possible payload using all available encoders
        --encrypt <value>         The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key <value>     A key to be used for --encrypt
        --encrypt-iv <value>      An initialization vector for --encrypt
    -a, --arch <arch>             The architecture to use for --payload and --encoders (use --list archs to list)
        --platform <platform>     The platform for --payload (use --list platforms to list)
    -o, --out <path>              Save the payload to a file
    -b, --bad-chars <list>        Characters to avoid example: '\x00\xff'
    -n, --nopsled <length>        Prepend a nopsled of [length] size on to the payload
        --pad-nops                Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space <length>          The maximum size of the resulting payload
        --encoder-space <length>  The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations <count>      The number of times to encode the payload
    -c, --add-code <path>         Specify an additional win32 shellcode file to include
    -x, --template <path>         Specify a custom executable file to use as a template
    -k, --keep                    Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name <value>        Specify a custom variable name to use for certain output formats
    -t, --timeout <second>        The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                    Show this message
```
```
localhost:~ yuanjizhao$ msfvenom -l payloads

Framework Payloads (546 total) [--payload <value>]
==================================================

    Name                                          Description
    ----                                          -----------
    aix/ppc/shell_bind_tcp                        Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                       Spawn a shell on an established connection
    aix/ppc/shell_interact                        Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp                     Connect back to attacker and spawn a command shell
    android/meterpreter/reverse_http              Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_https             Run a meterpreter server in Android. Tunnel communication over HTTPS
    android/meterpreter/reverse_tcp               Run a meterpreter server in Android. Connect back stager
    android/meterpreter_reverse_http              Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_https             Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_tcp               Connect back to the attacker and spawn a Meterpreter shell
    android/shell/reverse_http                    Spawn a piped command shell (sh). Tunnel communication over HTTP
    android/shell/reverse_https                   Spawn a piped command shell (sh). Tunnel communication over HTTPS
    android/shell/reverse_tcp                     Spawn a piped command shell (sh). Connect back stager
    apple_ios/aarch64/meterpreter_reverse_http    Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/aarch64/meterpreter_reverse_https   Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/aarch64/meterpreter_reverse_tcp     Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/aarch64/shell_reverse_tcp           Connect back to attacker and spawn a command shell
    apple_ios/armle/meterpreter_reverse_http      Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/armle/meterpreter_reverse_https     Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/armle/meterpreter_reverse_tcp       Run the Meterpreter / Mettle server payload (stageless)
    bsd/sparc/shell_bind_tcp                      Listen for a connection and spawn a command shell
    bsd/sparc/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
    bsd/vax/shell_reverse_tcp                     Connect back to attacker and spawn a command shell
    bsd/x64/exec                                  Execute an arbitrary command
    bsd/x64/shell_bind_ipv6_tcp                   Listen for a connection and spawn a command shell over IPv6
    bsd/x64/shell_bind_tcp                        Bind an arbitrary command to an arbitrary port
    bsd/x64/shell_bind_tcp_small                  Listen for a connection and spawn a command shell
    bsd/x64/shell_reverse_ipv6_tcp                Connect back to attacker and spawn a command shell over IPv6
    bsd/x64/shell_reverse_tcp                     Connect back to attacker and spawn a command shell
    bsd/x64/shell_reverse_tcp_small               Connect back to attacker and spawn a command shell
    bsd/x86/exec                                  Execute an arbitrary command
    bsd/x86/metsvc_bind_tcp                       Stub payload for interacting with a Meterpreter Service
    bsd/x86/metsvc_reverse_tcp                    Stub payload for interacting with a Meterpreter Service
    bsd/x86/shell/bind_ipv6_tcp                   Spawn a command shell (staged). Listen for a connection over IPv6
    bsd/x86/shell/bind_tcp                        Spawn a command shell (staged). Listen for a connection
    bsd/x86/shell/find_tag                        Spawn a command shell (staged). Use an established connection
    bsd/x86/shell/reverse_ipv6_tcp                Spawn a command shell (staged). Connect back to the attacker over IPv6
    bsd/x86/shell/reverse_tcp                     Spawn a command shell (staged). Connect back to the attacker
    bsd/x86/shell_bind_tcp                        Listen for a connection and spawn a command shell
    bsd/x86/shell_bind_tcp_ipv6                   Listen for a connection and spawn a command shell over IPv6
    bsd/x86/shell_find_port                       Spawn a shell on an established connection
    bsd/x86/shell_find_tag                        Spawn a shell on an established connection (proxy/nat safe)
    bsd/x86/shell_reverse_tcp                     Connect back to attacker and spawn a command shell
    bsd/x86/shell_reverse_tcp_ipv6                Connect back to attacker and spawn a command shell over IPv6
    bsdi/x86/shell/bind_tcp                       Spawn a command shell (staged). Listen for a connection
    bsdi/x86/shell/reverse_tcp                    Spawn a command shell (staged). Connect back to the attacker
    bsdi/x86/shell_bind_tcp                       Listen for a connection and spawn a command shell
    bsdi/x86/shell_find_port                      Spawn a shell on an established connection
    bsdi/x86/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
    cmd/mainframe/apf_privesc_jcl                 (Elevate privileges for user. Adds SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using an unsecured/updateable APF authorized library (APFLIB) and updating the user's ACEE using this program/library. Note: This privesc only works with z/OS systems using RACF, no other ESM is supported.)
    cmd/mainframe/bind_shell_jcl                  Provide JCL which creates a bind shell This implmentation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.
    cmd/mainframe/generic_jcl                     Provide JCL which can be used to submit a job to JES2 on z/OS which will exit and return 0. This can be used as a template for other JCL based payloads
    cmd/mainframe/reverse_shell_jcl               Provide JCL which creates a reverse shell This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.
    cmd/unix/bind_awk                             Listen for a connection and spawn a command shell via GNU AWK
    cmd/unix/bind_busybox_telnetd                 Listen for a connection and spawn a command shell via BusyBox telnetd
    cmd/unix/bind_inetd                           Listen for a connection and spawn a command shell (persistent)
    cmd/unix/bind_lua                             Listen for a connection and spawn a command shell via Lua
    cmd/unix/bind_netcat                          Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_netcat_gaping                   Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_netcat_gaping_ipv6              Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_nodejs                          Continually listen for a connection and spawn a command shell via nodejs
    cmd/unix/bind_perl                            Listen for a connection and spawn a command shell via perl
    cmd/unix/bind_perl_ipv6                       Listen for a connection and spawn a command shell via perl
    cmd/unix/bind_r                               Continually listen for a connection and spawn a command shell via R
    cmd/unix/bind_ruby                            Continually listen for a connection and spawn a command shell via Ruby
    cmd/unix/bind_ruby_ipv6                       Continually listen for a connection and spawn a command shell via Ruby
    cmd/unix/bind_socat_udp                       Creates an interactive shell via socat
    cmd/unix/bind_stub                            Listen for a connection and spawn a command shell (stub only, no payload)
    cmd/unix/bind_zsh                             Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default.
    cmd/unix/generic                              Executes the supplied command
    cmd/unix/interact                             Interacts with a shell on an established socket connection
    cmd/unix/reverse                              Creates an interactive shell through two inbound connections
    cmd/unix/reverse_awk                          Creates an interactive shell via GNU AWK
    cmd/unix/reverse_bash                         Creates an interactive shell via bash's builtin /dev/tcp. This will not work on circa 2009 and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
    cmd/unix/reverse_bash_telnet_ssl              Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the '-z' option included on some systems to encrypt using SSL.
    cmd/unix/reverse_ksh                          Connect back and create a command shell via Ksh. Note: Although Ksh is often available, please be aware it isn't usually installed by default.
    cmd/unix/reverse_lua                          Creates an interactive shell via Lua
    cmd/unix/reverse_ncat_ssl                     Creates an interactive shell via ncat, utilizing ssl mode
    cmd/unix/reverse_netcat                       Creates an interactive shell via netcat
    cmd/unix/reverse_netcat_gaping                Creates an interactive shell via netcat
    cmd/unix/reverse_nodejs                       Continually listen for a connection and spawn a command shell via nodejs
    cmd/unix/reverse_openssl                      Creates an interactive shell through two inbound connections
    cmd/unix/reverse_perl                         Creates an interactive shell via perl
    cmd/unix/reverse_perl_ssl                     Creates an interactive shell via perl, uses SSL
    cmd/unix/reverse_php_ssl                      Creates an interactive shell via php, uses SSL
    cmd/unix/reverse_python                       Connect back and create a command shell via Python
    cmd/unix/reverse_python_ssl                   Creates an interactive shell via python, uses SSL, encodes with base64 by design.
    cmd/unix/reverse_r                            Connect back and create a command shell via R
    cmd/unix/reverse_ruby                         Connect back and create a command shell via Ruby
    cmd/unix/reverse_ruby_ssl                     Connect back and create a command shell via Ruby, uses SSL
    cmd/unix/reverse_socat_udp                    Creates an interactive shell via socat
    cmd/unix/reverse_ssl_double_telnet            Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option
    cmd/unix/reverse_stub                         Creates an interactive shell through an inbound connection (stub only, no payload)
    cmd/unix/reverse_zsh                          Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default.
    cmd/windows/adduser                           Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
    cmd/windows/bind_lua                          Listen for a connection and spawn a command shell via Lua
    cmd/windows/bind_perl                         Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_perl_ipv6                    Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_ruby                         Continually listen for a connection and spawn a command shell via Ruby
    cmd/windows/download_eval_vbs                 Downloads a file from an HTTP(S) URL and executes it as a vbs script. Use it to stage a vbs encoded payload from a short command line.
    cmd/windows/download_exec_vbs                 Download an EXE from an HTTP(S) URL and execute it
    cmd/windows/generic                           Executes the supplied command
    cmd/windows/powershell_bind_tcp               Interacts with a powershell session on an established socket connection
    cmd/windows/powershell_reverse_tcp            Interacts with a powershell session on an established socket connection
    cmd/windows/reverse_lua                       Creates an interactive shell via Lua
    cmd/windows/reverse_perl                      Creates an interactive shell via perl
    cmd/windows/reverse_powershell                Connect back and create a command shell via Powershell
    cmd/windows/reverse_ruby                      Connect back and create a command shell via Ruby
    firefox/exec                                  This module runs a shell command on the target OS without touching the disk. On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript "launcher" to disk that hides the prompt.
    firefox/shell_bind_tcp                        Creates an interactive shell via Javascript with access to Firefox's XPCOM API
    firefox/shell_reverse_tcp                     Creates an interactive shell via Javascript with access to Firefox's XPCOM API
    generic/custom                                Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.
    generic/debug_trap                            Generate a debug trap in the target process
    generic/shell_bind_tcp                        Listen for a connection and spawn a command shell
    generic/shell_reverse_tcp                     Connect back to attacker and spawn a command shell
    generic/tight_loop                            Generate a tight loop in the target process
    java/jsp_shell_bind_tcp                       Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp                    Connect back to attacker and spawn a command shell
    java/meterpreter/bind_tcp                     Run a meterpreter server in Java. Listen for a connection
    java/meterpreter/reverse_http                 Run a meterpreter server in Java. Tunnel communication over HTTP
    java/meterpreter/reverse_https                Run a meterpreter server in Java. Tunnel communication over HTTPS
    java/meterpreter/reverse_tcp                  Run a meterpreter server in Java. Connect back stager
    java/shell/bind_tcp                           Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
    java/shell/reverse_tcp                        Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
    java/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    linux/aarch64/meterpreter/reverse_tcp         Inject the mettle server payload (staged). Connect back to the attacker
    linux/aarch64/meterpreter_reverse_http        Run the Meterpreter / Mettle server payload (stageless)
    linux/aarch64/meterpreter_reverse_https       Run the Meterpreter / Mettle server payload (stageless)
    linux/aarch64/meterpreter_reverse_tcp         Run the Meterpreter / Mettle server payload (stageless)
    linux/aarch64/shell/reverse_tcp               dup2 socket in x12, then execve. Connect back to the attacker
    linux/aarch64/shell_reverse_tcp               Connect back to attacker and spawn a command shell
    linux/armbe/meterpreter_reverse_http          Run the Meterpreter / Mettle server payload (stageless)
    linux/armbe/meterpreter_reverse_https         Run the Meterpreter / Mettle server payload (stageless)
    linux/armbe/meterpreter_reverse_tcp           Run the Meterpreter / Mettle server payload (stageless)
    linux/armbe/shell_bind_tcp                    Listen for a connection and spawn a command shell
    linux/armle/adduser                           Create a new user with UID 0
    linux/armle/exec                              Execute an arbitrary command
    linux/armle/meterpreter/bind_tcp              Inject the mettle server payload (staged). Listen for a connection
    linux/armle/meterpreter/reverse_tcp           Inject the mettle server payload (staged). Connect back to the attacker
    linux/armle/meterpreter_reverse_http          Run the Meterpreter / Mettle server payload (stageless)
    linux/armle/meterpreter_reverse_https         Run the Meterpreter / Mettle server payload (stageless)
    linux/armle/meterpreter_reverse_tcp           Run the Meterpreter / Mettle server payload (stageless)
    linux/armle/shell/bind_tcp                    dup2 socket in r12, then execve. Listen for a connection
    linux/armle/shell/reverse_tcp                 dup2 socket in r12, then execve. Connect back to the attacker
    linux/armle/shell_bind_tcp                    Connect to target and spawn a command shell
    linux/armle/shell_reverse_tcp                 Connect back to attacker and spawn a command shell
    linux/mips64/meterpreter_reverse_http         Run the Meterpreter / Mettle server payload (stageless)
    linux/mips64/meterpreter_reverse_https        Run the Meterpreter / Mettle server payload (stageless)
    linux/mips64/meterpreter_reverse_tcp          Run the Meterpreter / Mettle server payload (stageless)
    linux/mipsbe/exec                             A very small shellcode for executing commands. This module is sometimes helpful for testing purposes.
    linux/mipsbe/meterpreter/reverse_tcp          Inject the mettle server payload (staged). Connect back to the attacker
    linux/mipsbe/meterpreter_reverse_http         Run the Meterpreter / Mettle server payload (stageless)
    linux/mipsbe/meterpreter_reverse_https        Run the Meterpreter / Mettle server payload (stageless)
    linux/mipsbe/meterpreter_reverse_tcp          Run the Meterpreter / Mettle server payload (stageless)
    linux/mipsbe/reboot                           A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures.
    linux/mipsbe/shell/reverse_tcp                Spawn a command shell (staged). Connect back to the attacker
    linux/mipsbe/shell_bind_tcp                   Listen for a connection and spawn a command shell
    linux/mipsbe/shell_reverse_tcp                Connect back to attacker and spawn a command shell
    linux/mipsle/exec                             A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space.
    linux/mipsle/meterpreter/reverse_tcp          Inject the mettle server payload (staged). Connect back to the attacker
    linux/mipsle/meterpreter_reverse_http         Run the Meterpreter / Mettle server payload (stageless)
    linux/mipsle/meterpreter_reverse_https        Run the Meterpreter / Mettle server payload (stageless)
    linux/mipsle/meterpreter_reverse_tcp          Run the Meterpreter / Mettle server payload (stageless)
    linux/mipsle/reboot                           A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes.
    linux/mipsle/shell/reverse_tcp                Spawn a command shell (staged). Connect back to the attacker
    linux/mipsle/shell_bind_tcp                   Listen for a connection and spawn a command shell
    linux/mipsle/shell_reverse_tcp                Connect back to attacker and spawn a command shell
    linux/ppc/meterpreter_reverse_http            Run the Meterpreter / Mettle server payload (stageless)
    linux/ppc/meterpreter_reverse_https           Run the Meterpreter / Mettle server payload (stageless)
    linux/ppc/meterpreter_reverse_tcp             Run the Meterpreter / Mettle server payload (stageless)
    linux/ppc/shell_bind_tcp                      Listen for a connection and spawn a command shell
    linux/ppc/shell_find_port                     Spawn a shell on an established connection
    linux/ppc/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
    linux/ppc64/shell_bind_tcp                    Listen for a connection and spawn a command shell
    linux/ppc64/shell_find_port                   Spawn a shell on an established connection
    linux/ppc64/shell_reverse_tcp                 Connect back to attacker and spawn a command shell
    linux/ppc64le/meterpreter_reverse_http        Run the Meterpreter / Mettle server payload (stageless)
    linux/ppc64le/meterpreter_reverse_https       Run the Meterpreter / Mettle server payload (stageless)
    linux/ppc64le/meterpreter_reverse_tcp         Run the Meterpreter / Mettle server payload (stageless)
    linux/ppce500v2/meterpreter_reverse_http      Run the Meterpreter / Mettle server payload (stageless)
    linux/ppce500v2/meterpreter_reverse_https     Run the Meterpreter / Mettle server payload (stageless)
    linux/ppce500v2/meterpreter_reverse_tcp       Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/exec                                Execute an arbitrary command
    linux/x64/meterpreter/bind_tcp                Inject the mettle server payload (staged). Listen for a connection
    linux/x64/meterpreter/reverse_tcp             Inject the mettle server payload (staged). Connect back to the attacker
    linux/x64/meterpreter_reverse_http            Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/meterpreter_reverse_https           Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/meterpreter_reverse_tcp             Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/shell/bind_tcp                      Spawn a command shell (staged). Listen for a connection
    linux/x64/shell/reverse_tcp                   Spawn a command shell (staged). Connect back to the attacker
    linux/x64/shell_bind_ipv6_tcp                 Listen for an IPv6 connection and spawn a command shell
    linux/x64/shell_bind_tcp                      Listen for a connection and spawn a command shell
    linux/x64/shell_bind_tcp_random_port          Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
    linux/x64/shell_find_port                     Spawn a shell on an established connection
    linux/x64/shell_reverse_ipv6_tcp              Connect back to attacker and spawn a command shell over IPv6
    linux/x64/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
    linux/x86/adduser                             Create a new user with UID 0
    linux/x86/chmod                               Runs chmod on specified file with specified mode
    linux/x86/exec                                Execute an arbitrary command
    linux/x86/meterpreter/bind_ipv6_tcp           Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)
    linux/x86/meterpreter/bind_ipv6_tcp_uuid      Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
    linux/x86/meterpreter/bind_nonx_tcp           Inject the mettle server payload (staged). Listen for a connection
    linux/x86/meterpreter/bind_tcp                Inject the mettle server payload (staged). Listen for a connection (Linux x86)
    linux/x86/meterpreter/bind_tcp_uuid           Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86)
    linux/x86/meterpreter/find_tag                Inject the mettle server payload (staged). Use an established connection
    linux/x86/meterpreter/reverse_ipv6_tcp        Inject the mettle server payload (staged). Connect back to attacker over IPv6
    linux/x86/meterpreter/reverse_nonx_tcp        Inject the mettle server payload (staged). Connect back to the attacker
    linux/x86/meterpreter/reverse_tcp             Inject the mettle server payload (staged). Connect back to the attacker
    linux/x86/meterpreter/reverse_tcp_uuid        Inject the mettle server payload (staged). Connect back to the attacker
    linux/x86/meterpreter_reverse_http            Run the Meterpreter / Mettle server payload (stageless)
    linux/x86/meterpreter_reverse_https           Run the Meterpreter / Mettle server payload (stageless)
    linux/x86/meterpreter_reverse_tcp             Run the Meterpreter / Mettle server payload (stageless)
    linux/x86/metsvc_bind_tcp                     Stub payload for interacting with a Meterpreter Service
    linux/x86/metsvc_reverse_tcp                  Stub payload for interacting with a Meterpreter Service
    linux/x86/read_file                           Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
    linux/x86/shell/bind_ipv6_tcp                 Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)
    linux/x86/shell/bind_ipv6_tcp_uuid            Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
    linux/x86/shell/bind_nonx_tcp                 Spawn a command shell (staged). Listen for a connection
    linux/x86/shell/bind_tcp                      Spawn a command shell (staged). Listen for a connection (Linux x86)
    linux/x86/shell/bind_tcp_uuid                 Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)
    linux/x86/shell/find_tag                      Spawn a command shell (staged). Use an established connection
    linux/x86/shell/reverse_ipv6_tcp              Spawn a command shell (staged). Connect back to attacker over IPv6
    linux/x86/shell/reverse_nonx_tcp              Spawn a command shell (staged). Connect back to the attacker
    linux/x86/shell/reverse_tcp                   Spawn a command shell (staged). Connect back to the attacker
    linux/x86/shell/reverse_tcp_uuid              Spawn a command shell (staged). Connect back to the attacker
    linux/x86/shell_bind_ipv6_tcp                 Listen for a connection over IPv6 and spawn a command shell
    linux/x86/shell_bind_tcp                      Listen for a connection and spawn a command shell
    linux/x86/shell_bind_tcp_random_port          Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
    linux/x86/shell_find_port                     Spawn a shell on an established connection
    linux/x86/shell_find_tag                      Spawn a shell on an established connection (proxy/nat safe)
    linux/x86/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
    linux/x86/shell_reverse_tcp_ipv6              Connect back to attacker and spawn a command shell over IPv6
    linux/zarch/meterpreter_reverse_http          Run the Meterpreter / Mettle server payload (stageless)
    linux/zarch/meterpreter_reverse_https         Run the Meterpreter / Mettle server payload (stageless)
    linux/zarch/meterpreter_reverse_tcp           Run the Meterpreter / Mettle server payload (stageless)
    mainframe/shell_reverse_tcp                   Listen for a connection and spawn a command shell. This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.
    multi/meterpreter/reverse_http                Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTP
    multi/meterpreter/reverse_https               Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTPS
    netware/shell/reverse_tcp                     Connect to the NetWare console (staged). Connect back to the attacker
    nodejs/shell_bind_tcp                         Creates an interactive shell via nodejs
    nodejs/shell_reverse_tcp                      Creates an interactive shell via nodejs
    nodejs/shell_reverse_tcp_ssl                  Creates an interactive shell via nodejs, uses SSL
    osx/armle/execute/bind_tcp                    Spawn a command shell (staged). Listen for a connection
    osx/armle/execute/reverse_tcp                 Spawn a command shell (staged). Connect back to the attacker
    osx/armle/shell/bind_tcp                      Spawn a command shell (staged). Listen for a connection
    osx/armle/shell/reverse_tcp                   Spawn a command shell (staged). Connect back to the attacker
    osx/armle/shell_bind_tcp                      Listen for a connection and spawn a command shell
    osx/armle/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
    osx/armle/vibrate                             Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller <cmiller[at]securityevaluators.com>.
    osx/ppc/shell/bind_tcp                        Spawn a command shell (staged). Listen for a connection
    osx/ppc/shell/find_tag                        Spawn a command shell (staged). Use an established connection
    osx/ppc/shell/reverse_tcp                     Spawn a command shell (staged). Connect back to the attacker
    osx/ppc/shell_bind_tcp                        Listen for a connection and spawn a command shell
    osx/ppc/shell_reverse_tcp                     Connect back to attacker and spawn a command shell
    osx/x64/dupandexecve/bind_tcp                 dup2 socket in edi, then execve. Listen, read length, read buffer, execute
    osx/x64/dupandexecve/reverse_tcp              dup2 socket in edi, then execve. Connect, read length, read buffer, execute
    osx/x64/exec                                  Execute an arbitrary command
    osx/x64/meterpreter/bind_tcp                  Inject the mettle server payload (staged). Listen, read length, read buffer, execute
    osx/x64/meterpreter/reverse_tcp               Inject the mettle server payload (staged). Connect, read length, read buffer, execute
    osx/x64/meterpreter_reverse_http              Run the Meterpreter / Mettle server payload (stageless)
    osx/x64/meterpreter_reverse_https             Run the Meterpreter / Mettle server payload (stageless)
    osx/x64/meterpreter_reverse_tcp               Run the Meterpreter / Mettle server payload (stageless)
    osx/x64/say                                   Say an arbitrary string outloud using Mac OS X text2speech
    osx/x64/shell_bind_tcp                        Bind an arbitrary command to an arbitrary port
    osx/x64/shell_find_tag                        Spawn a shell on an established connection (proxy/nat safe)
    osx/x64/shell_reverse_tcp                     Connect back to attacker and spawn a command shell
    osx/x86/bundleinject/bind_tcp                 Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute
    osx/x86/bundleinject/reverse_tcp              Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute
    osx/x86/exec                                  Execute an arbitrary command
    osx/x86/isight/bind_tcp                       Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute
    osx/x86/isight/reverse_tcp                    Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute
    osx/x86/shell_bind_tcp                        Listen for a connection and spawn a command shell
    osx/x86/shell_find_port                       Spawn a shell on an established connection
    osx/x86/shell_reverse_tcp                     Connect back to attacker and spawn a command shell
    osx/x86/vforkshell/bind_tcp                   Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute
    osx/x86/vforkshell/reverse_tcp                Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, execute
    osx/x86/vforkshell_bind_tcp                   Listen for a connection, vfork if necessary, and spawn a command shell
    osx/x86/vforkshell_reverse_tcp                Connect back to attacker, vfork if necessary, and spawn a command shell
    php/bind_perl                                 Listen for a connection and spawn a command shell via perl (persistent)
    php/bind_perl_ipv6                            Listen for a connection and spawn a command shell via perl (persistent) over IPv6
    php/bind_php                                  Listen for a connection and spawn a command shell via php
    php/bind_php_ipv6                             Listen for a connection and spawn a command shell via php (IPv6)
    php/download_exec                             Download an EXE from an HTTP URL and execute it
    php/exec                                      Execute a single system command
    php/meterpreter/bind_tcp                      Run a meterpreter server in PHP. Listen for a connection
    php/meterpreter/bind_tcp_ipv6                 Run a meterpreter server in PHP. Listen for a connection over IPv6
    php/meterpreter/bind_tcp_ipv6_uuid            Run a meterpreter server in PHP.
```
Listen for a connection over IPv6 with UUID Support 295 php/meterpreter/bind_tcp_uuid Run a meterpreter server in PHP. Listen for a connection with UUID Support 296 php/meterpreter/reverse_tcp Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions 297 php/meterpreter/reverse_tcp_uuid Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions 298 php/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter server (PHP) 299 php/reverse_perl Creates an interactive shell via perl 300 php/reverse_php Reverse PHP connect back shell with checks for disabled functions 301 php/shell_findsock Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes. 302 python/meterpreter/bind_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection 303 python/meterpreter/bind_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection with UUID Support 304 python/meterpreter/reverse_http Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP 305 python/meterpreter/reverse_https Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP using SSL 306 python/meterpreter/reverse_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker 307 python/meterpreter/reverse_tcp_ssl Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). 
Reverse Python connect back stager using SSL 308 python/meterpreter/reverse_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker with UUID Support 309 python/meterpreter_bind_tcp Connect to the victim and spawn a Meterpreter shell 310 python/meterpreter_reverse_http Connect back to the attacker and spawn a Meterpreter shell 311 python/meterpreter_reverse_https Connect back to the attacker and spawn a Meterpreter shell 312 python/meterpreter_reverse_tcp Connect back to the attacker and spawn a Meterpreter shell 313 python/shell_bind_tcp Creates an interactive shell via python, encodes with base64 by design 314 python/shell_reverse_tcp Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3 315 python/shell_reverse_tcp_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design. 316 python/shell_reverse_udp Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3 317 r/shell_bind_tcp Continually listen for a connection and spawn a command shell via R 318 r/shell_reverse_tcp Connect back and create a command shell via R 319 ruby/shell_bind_tcp Continually listen for a connection and spawn a command shell via Ruby 320 ruby/shell_bind_tcp_ipv6 Continually listen for a connection and spawn a command shell via Ruby 321 ruby/shell_reverse_tcp Connect back and create a command shell via Ruby 322 ruby/shell_reverse_tcp_ssl Connect back and create a command shell via Ruby, uses SSL 323 solaris/sparc/shell_bind_tcp Listen for a connection and spawn a command shell 324 solaris/sparc/shell_find_port Spawn a shell on an established connection 325 solaris/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell 326 solaris/x86/shell_bind_tcp Listen for a connection and spawn a command shell 327 solaris/x86/shell_find_port Spawn a shell on an established connection 328 solaris/x86/shell_reverse_tcp Connect back 
to attacker and spawn a command shell 329 tty/unix/interact Interacts with a TTY on an established socket connection 330 windows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special) 331 windows/dllinject/bind_hidden_ipknock_tcp Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 332 windows/dllinject/bind_hidden_tcp Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host. 333 windows/dllinject/bind_ipv6_tcp Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86) 334 windows/dllinject/bind_ipv6_tcp_uuid Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86) 335 windows/dllinject/bind_named_pipe Inject a DLL via a reflective loader. Listen for a pipe connection (Windows x86) 336 windows/dllinject/bind_nonx_tcp Inject a DLL via a reflective loader. Listen for a connection (No NX) 337 windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection (Windows x86) 338 windows/dllinject/bind_tcp_rc4 Inject a DLL via a reflective loader. Listen for a connection 339 windows/dllinject/bind_tcp_uuid Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86) 340 windows/dllinject/find_tag Inject a DLL via a reflective loader. Use an established connection 341 windows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. 
Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. 342 windows/dllinject/reverse_http Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet) 343 windows/dllinject/reverse_http_proxy_pstore Inject a DLL via a reflective loader. Tunnel communication over HTTP 344 windows/dllinject/reverse_ipv6_tcp Inject a DLL via a reflective loader. Connect back to the attacker over IPv6 345 windows/dllinject/reverse_nonx_tcp Inject a DLL via a reflective loader. Connect back to the attacker (No NX) 346 windows/dllinject/reverse_ord_tcp Inject a DLL via a reflective loader. Connect back to the attacker 347 windows/dllinject/reverse_tcp Inject a DLL via a reflective loader. Connect back to the attacker 348 windows/dllinject/reverse_tcp_allports Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly) 349 windows/dllinject/reverse_tcp_dns Inject a DLL via a reflective loader. Connect back to the attacker 350 windows/dllinject/reverse_tcp_rc4 Inject a DLL via a reflective loader. Connect back to the attacker 351 windows/dllinject/reverse_tcp_rc4_dns Inject a DLL via a reflective loader. Connect back to the attacker 352 windows/dllinject/reverse_tcp_uuid Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support 353 windows/dllinject/reverse_udp Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support 354 windows/dllinject/reverse_winhttp Inject a DLL via a reflective loader. 
Tunnel communication over HTTP (Windows winhttp) 355 windows/dns_txt_query_exec Performs a TXT query against a series of DNS record(s) and executes the returned payload 356 windows/download_exec Download an EXE from an HTTP(S)/FTP URL and execute it 357 windows/exec Execute an arbitrary command 358 windows/format_all_drives This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume. 359 windows/loadlibrary Load an arbitrary library path 360 windows/messagebox Spawns a dialog via MessageBox using a customizable title, text & icon 361 windows/meterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 362 windows/meterpreter/bind_hidden_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 363 windows/meterpreter/bind_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86) 364 windows/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 365 windows/meterpreter/bind_named_pipe Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Listen for a pipe connection (Windows x86) 366 windows/meterpreter/bind_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX) 367 windows/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86) 368 windows/meterpreter/bind_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection 369 windows/meterpreter/bind_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86) 370 windows/meterpreter/find_tag Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connection 371 windows/meterpreter/reverse_hop_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. 372 windows/meterpreter/reverse_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet) 373 windows/meterpreter/reverse_http_proxy_pstore Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP 374 windows/meterpreter/reverse_https Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet) 375 windows/meterpreter/reverse_https_proxy Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support 376 windows/meterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Connect back to the attacker over IPv6 377 windows/meterpreter/reverse_named_pipe Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker via a named pipe pivot 378 windows/meterpreter/reverse_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX) 379 windows/meterpreter/reverse_ord_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 380 windows/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 381 windows/meterpreter/reverse_tcp_allports Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) 382 windows/meterpreter/reverse_tcp_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 383 windows/meterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 384 windows/meterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker 385 windows/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support 386 windows/meterpreter/reverse_udp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support 387 windows/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp) 388 windows/meterpreter/reverse_winhttps Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Tunnel communication over HTTPS (Windows winhttp) 389 windows/meterpreter_bind_named_pipe Connect to victim and spawn a Meterpreter shell 390 windows/meterpreter_bind_tcp Connect to victim and spawn a Meterpreter shell 391 windows/meterpreter_reverse_http Connect back to attacker and spawn a Meterpreter shell 392 windows/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shell 393 windows/meterpreter_reverse_ipv6_tcp Connect back to attacker and spawn a Meterpreter shell 394 windows/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell 395 windows/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service 396 windows/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service 397 windows/patchupdllinject/bind_hidden_ipknock_tcp Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 398 windows/patchupdllinject/bind_hidden_tcp Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host. 399 windows/patchupdllinject/bind_ipv6_tcp Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86) 400 windows/patchupdllinject/bind_ipv6_tcp_uuid Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86) 401 windows/patchupdllinject/bind_named_pipe Inject a custom DLL into the exploited process. Listen for a pipe connection (Windows x86) 402 windows/patchupdllinject/bind_nonx_tcp Inject a custom DLL into the exploited process. Listen for a connection (No NX) 403 windows/patchupdllinject/bind_tcp Inject a custom DLL into the exploited process. 
Listen for a connection (Windows x86) 404 windows/patchupdllinject/bind_tcp_rc4 Inject a custom DLL into the exploited process. Listen for a connection 405 windows/patchupdllinject/bind_tcp_uuid Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86) 406 windows/patchupdllinject/find_tag Inject a custom DLL into the exploited process. Use an established connection 407 windows/patchupdllinject/reverse_ipv6_tcp Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6 408 windows/patchupdllinject/reverse_nonx_tcp Inject a custom DLL into the exploited process. Connect back to the attacker (No NX) 409 windows/patchupdllinject/reverse_ord_tcp Inject a custom DLL into the exploited process. Connect back to the attacker 410 windows/patchupdllinject/reverse_tcp Inject a custom DLL into the exploited process. Connect back to the attacker 411 windows/patchupdllinject/reverse_tcp_allports Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly) 412 windows/patchupdllinject/reverse_tcp_dns Inject a custom DLL into the exploited process. Connect back to the attacker 413 windows/patchupdllinject/reverse_tcp_rc4 Inject a custom DLL into the exploited process. Connect back to the attacker 414 windows/patchupdllinject/reverse_tcp_rc4_dns Inject a custom DLL into the exploited process. Connect back to the attacker 415 windows/patchupdllinject/reverse_tcp_uuid Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support 416 windows/patchupdllinject/reverse_udp Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support 417 windows/patchupmeterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. 
This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 418 windows/patchupmeterpreter/bind_hidden_tcp Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 419 windows/patchupmeterpreter/bind_ipv6_tcp Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86) 420 windows/patchupmeterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 421 windows/patchupmeterpreter/bind_named_pipe Inject the meterpreter server DLL (staged). Listen for a pipe connection (Windows x86) 422 windows/patchupmeterpreter/bind_nonx_tcp Inject the meterpreter server DLL (staged). Listen for a connection (No NX) 423 windows/patchupmeterpreter/bind_tcp Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86) 424 windows/patchupmeterpreter/bind_tcp_rc4 Inject the meterpreter server DLL (staged). Listen for a connection 425 windows/patchupmeterpreter/bind_tcp_uuid Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86) 426 windows/patchupmeterpreter/find_tag Inject the meterpreter server DLL (staged). Use an established connection 427 windows/patchupmeterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6 428 windows/patchupmeterpreter/reverse_nonx_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX) 429 windows/patchupmeterpreter/reverse_ord_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker 430 windows/patchupmeterpreter/reverse_tcp Inject the meterpreter server DLL (staged). 
Connect back to the attacker 431 windows/patchupmeterpreter/reverse_tcp_allports Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) 432 windows/patchupmeterpreter/reverse_tcp_dns Inject the meterpreter server DLL (staged). Connect back to the attacker 433 windows/patchupmeterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL (staged). Connect back to the attacker 434 windows/patchupmeterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL (staged). Connect back to the attacker 435 windows/patchupmeterpreter/reverse_tcp_uuid Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support 436 windows/patchupmeterpreter/reverse_udp Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support 437 windows/powershell_bind_tcp Listen for a connection and spawn an interactive powershell session 438 windows/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell session 439 windows/shell/bind_hidden_ipknock_tcp Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 440 windows/shell/bind_hidden_tcp Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 441 windows/shell/bind_ipv6_tcp Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86) 442 windows/shell/bind_ipv6_tcp_uuid Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 443 windows/shell/bind_named_pipe Spawn a piped command shell (staged). 
Listen for a pipe connection (Windows x86) 444 windows/shell/bind_nonx_tcp Spawn a piped command shell (staged). Listen for a connection (No NX) 445 windows/shell/bind_tcp Spawn a piped command shell (staged). Listen for a connection (Windows x86) 446 windows/shell/bind_tcp_rc4 Spawn a piped command shell (staged). Listen for a connection 447 windows/shell/bind_tcp_uuid Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86) 448 windows/shell/find_tag Spawn a piped command shell (staged). Use an established connection 449 windows/shell/reverse_ipv6_tcp Spawn a piped command shell (staged). Connect back to the attacker over IPv6 450 windows/shell/reverse_nonx_tcp Spawn a piped command shell (staged). Connect back to the attacker (No NX) 451 windows/shell/reverse_ord_tcp Spawn a piped command shell (staged). Connect back to the attacker 452 windows/shell/reverse_tcp Spawn a piped command shell (staged). Connect back to the attacker 453 windows/shell/reverse_tcp_allports Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) 454 windows/shell/reverse_tcp_dns Spawn a piped command shell (staged). Connect back to the attacker 455 windows/shell/reverse_tcp_rc4 Spawn a piped command shell (staged). Connect back to the attacker 456 windows/shell/reverse_tcp_rc4_dns Spawn a piped command shell (staged). Connect back to the attacker 457 windows/shell/reverse_tcp_uuid Spawn a piped command shell (staged). Connect back to the attacker with UUID Support 458 windows/shell/reverse_udp Spawn a piped command shell (staged). Connect back to the attacker with UUID Support 459 windows/shell_bind_tcp Listen for a connection and spawn a command shell 460 windows/shell_bind_tcp_xpfw Disable the Windows ICF, then listen for a connection and spawn a command shell 461 windows/shell_hidden_bind_tcp Listen for a connection from certain IP and spawn a command shell. 
The shellcode will reply with a RST packet if the connections is not coming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode. 462 windows/shell_reverse_tcp Connect back to attacker and spawn a command shell 463 windows/speak_pwned Causes the target to say "You Got Pwned" via the Windows Speech API 464 windows/upexec/bind_hidden_ipknock_tcp Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode 465 windows/upexec/bind_hidden_tcp Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. 466 windows/upexec/bind_ipv6_tcp Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86) 467 windows/upexec/bind_ipv6_tcp_uuid Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86) 468 windows/upexec/bind_named_pipe Uploads an executable and runs it (staged). Listen for a pipe connection (Windows x86) 469 windows/upexec/bind_nonx_tcp Uploads an executable and runs it (staged). Listen for a connection (No NX) 470 windows/upexec/bind_tcp Uploads an executable and runs it (staged). Listen for a connection (Windows x86) 471 windows/upexec/bind_tcp_rc4 Uploads an executable and runs it (staged). Listen for a connection 472 windows/upexec/bind_tcp_uuid Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86) 473 windows/upexec/find_tag Uploads an executable and runs it (staged). Use an established connection 474 windows/upexec/reverse_ipv6_tcp Uploads an executable and runs it (staged). 
Connect back to the attacker over IPv6
windows/upexec/reverse_nonx_tcp  Uploads an executable and runs it (staged). Connect back to the attacker (No NX)
windows/upexec/reverse_ord_tcp  Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp  Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_allports  Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/upexec/reverse_tcp_dns  Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_rc4  Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_rc4_dns  Uploads an executable and runs it (staged). Connect back to the attacker
windows/upexec/reverse_tcp_uuid  Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support
windows/upexec/reverse_udp  Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support
windows/vncinject/bind_hidden_ipknock_tcp  Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
windows/vncinject/bind_hidden_tcp  Inject a VNC Dll via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
windows/vncinject/bind_ipv6_tcp  Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86)
windows/vncinject/bind_ipv6_tcp_uuid  Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
windows/vncinject/bind_named_pipe  Inject a VNC Dll via a reflective loader (staged). Listen for a pipe connection (Windows x86)
windows/vncinject/bind_nonx_tcp  Inject a VNC Dll via a reflective loader (staged). Listen for a connection (No NX)
windows/vncinject/bind_tcp  Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)
windows/vncinject/bind_tcp_rc4  Inject a VNC Dll via a reflective loader (staged). Listen for a connection
windows/vncinject/bind_tcp_uuid  Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86)
windows/vncinject/find_tag  Inject a VNC Dll via a reflective loader (staged). Use an established connection
windows/vncinject/reverse_hop_http  Inject a VNC Dll via a reflective loader (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
windows/vncinject/reverse_http  Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet)
windows/vncinject/reverse_http_proxy_pstore  Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP
windows/vncinject/reverse_ipv6_tcp  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker over IPv6
windows/vncinject/reverse_nonx_tcp  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX)
windows/vncinject/reverse_ord_tcp  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp_allports  Inject a VNC Dll via a reflective loader (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
windows/vncinject/reverse_tcp_dns  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp_rc4  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp_rc4_dns  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
windows/vncinject/reverse_tcp_uuid  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support
windows/vncinject/reverse_udp  Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support
windows/vncinject/reverse_winhttp  Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp)
windows/x64/exec  Execute an arbitrary command (Windows x64)
windows/x64/loadlibrary  Load an arbitrary x64 library path
windows/x64/messagebox  Spawn a dialog via MessageBox using a customizable title, text & icon
windows/x64/meterpreter/bind_ipv6_tcp  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64)
windows/x64/meterpreter/bind_ipv6_tcp_uuid  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64)
windows/x64/meterpreter/bind_named_pipe  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a pipe connection (Windows x64)
windows/x64/meterpreter/bind_tcp  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64)
windows/x64/meterpreter/bind_tcp_uuid  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection with UUID Support (Windows x64)
windows/x64/meterpreter/reverse_http  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/meterpreter/reverse_https  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/meterpreter/reverse_named_pipe  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker via a named pipe pivot
windows/x64/meterpreter/reverse_tcp  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)
windows/x64/meterpreter/reverse_tcp_rc4  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker
windows/x64/meterpreter/reverse_tcp_uuid  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64)
windows/x64/meterpreter/reverse_winhttp  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp)
windows/x64/meterpreter/reverse_winhttps  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 winhttp)
windows/x64/meterpreter_bind_named_pipe  Connect to victim and spawn a Meterpreter shell
windows/x64/meterpreter_bind_tcp  Connect to victim and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_http  Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_https  Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_ipv6_tcp  Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_tcp  Connect back to attacker and spawn a Meterpreter shell
windows/x64/powershell_bind_tcp  Listen for a connection and spawn an interactive powershell session
windows/x64/powershell_reverse_tcp  Listen for a connection and spawn an interactive powershell session
windows/x64/shell/bind_ipv6_tcp  Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)
windows/x64/shell/bind_ipv6_tcp_uuid  Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)
windows/x64/shell/bind_named_pipe  Spawn a piped command shell (Windows x64) (staged). Listen for a pipe connection (Windows x64)
windows/x64/shell/bind_tcp  Spawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64)
windows/x64/shell/bind_tcp_uuid  Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)
windows/x64/shell/reverse_tcp  Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64)
windows/x64/shell/reverse_tcp_rc4  Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker
windows/x64/shell/reverse_tcp_uuid  Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)
windows/x64/shell_bind_tcp  Listen for a connection and spawn a command shell (Windows x64)
windows/x64/shell_reverse_tcp  Connect back to attacker and spawn a command shell (Windows x64)
windows/x64/vncinject/bind_ipv6_tcp  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)
windows/x64/vncinject/bind_ipv6_tcp_uuid  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)
windows/x64/vncinject/bind_named_pipe  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a pipe connection (Windows x64)
windows/x64/vncinject/bind_tcp  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64)
windows/x64/vncinject/bind_tcp_uuid  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)
windows/x64/vncinject/reverse_http  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/vncinject/reverse_https  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/vncinject/reverse_tcp  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64)
windows/x64/vncinject/reverse_tcp_rc4  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker
windows/x64/vncinject/reverse_tcp_uuid  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)
windows/x64/vncinject/reverse_winhttp  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp)
windows/x64/vncinject/reverse_winhttps  Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)