Throughout the first three rooms of this module, every payload you used was delivered through an exploit launched from msfconsole. You selected a module, set RHOSTS and LHOST, typed exploit, and Metasploit handled the rest: packaging the payload, sending it to the target, and establishing the session.
But what happens when that workflow does not apply?
Consider a few scenarios from the Stratford Systems engagement. You have found a file upload vulnerability in a web application, but there is no Metasploit exploit module for it. You have SSH credentials to a Linux server and can transfer files, but you need a Meterpreter session rather than a basic shell. You need to embed a payload inside an existing Windows executable to deliver it through a phishing email. In each of these cases, you need a standalone payload file that you generate outside of an exploit module and deliver to the target through your own means.
That is what msfvenom does.
What Is Msfvenom?
Msfvenom is a command-line tool that generates payloads in a wide variety of formats for virtually any target platform. It is part of the Metasploit Framework but runs independently from msfconsole. You use it from a regular terminal prompt, not from the msf6 > prompt.
With msfvenom, you can:
- Generate standalone executables (.exe, .elf, .apk, .war) that deliver a Meterpreter session or command shell when executed on the target
- Produce raw shellcode in languages like C, Python, PowerShell, or C# for embedding in your own tools
- Create web shells (PHP, ASP, JSP) for upload through web application vulnerabilities
- Encode payloads to remove bad characters or transform their byte patterns
- Inject payloads into existing legitimate binaries to make them appear less suspicious
History: Two Tools Became One
Older versions of the Metasploit Framework split payload generation across two separate tools:
- msfpayload: Generated raw payload output
- msfencode: Encoded payload output to remove bad characters or attempt basic evasion
In 2015, both tools were merged into a single utility: msfvenom. If you encounter older tutorials referencing msfpayload or msfencode, those commands no longer exist. Everything they did is now handled by msfvenom.
Where Msfvenom Fits in the Workflow
The penetration testing workflow with msfvenom adds a manual delivery step that msfconsole exploits handle automatically:
1. Generate the payload with msfvenom (specifying target platform, payload type, format, and connection details)
2. Deliver the payload to the target (through file upload, SSH transfer, phishing, USB drop, or any other delivery mechanism)
3. Set up a handler in msfconsole using exploit/multi/handler to catch the incoming connection
4. Execute the payload on the target (or wait for the victim to execute it)
5. Interact with the resulting session
Steps 3 through 5 are identical to what happens when you run an exploit from msfconsole. The difference is that you are responsible for steps 1 and 2, rather than an exploit module handling them for you.
Prerequisites
This room builds on all three previous rooms in the module. You should be comfortable with:
Learning Objectives
By the end of this room, you will be able to:
- Use msfvenom to generate payloads for Windows, Linux, and web application targets
- Choose between staged and stageless payloads based on engagement requirements
- Select the appropriate output format for your delivery method
- Understand what encoding does (and does not do) for evasion
- Inject payloads into existing binaries
- Set up a multi/handler to catch reverse connections from standalone payloads
- Complete a full generate → deliver → catch → post-exploit workflow
