[远控免杀]msf生成木马的信息储备

1.msfvenom的命令使用

Options:-p, --payload <payload> 指定需要使用的payload(攻击荷载)。如果需要使用自定义的payload，请使用&#039;-&#039;或者stdin指定-l, --list [module_type] 列出指定模块的所有可用资源. 模块类型包括: payloads, encoders, nops, all-n, --nopsled <length> 为payload预先指定一个NOP滑动长度-f, --format<format> 指定输出格式 (使用 --help-formats 来获取msf支持的输出格式列表)-e, --encoder [encoder] 指定需要使用的encoder（编码器）-a, --arch <architecture> 指定payload的目标架构--platform <platform>指定payload的目标平台-s, --space<length> 设定有效攻击荷载的最大长度-b, --bad-chars <list>设定规避字符集，比如: &#039;\x00\xff&#039;-i, --iterations <count> 指定payload的编码次数-c, --add-code <path>指定一个附加的win32 shellcode文件-x, --template <path>指定一个自定义的可执行文件作为模板-k, --keep 保护模板程序的动作，注入的payload作为一个新的进程运行--payload-options 列举payload的标准选项-o, --out <path>保存payload-v, --var-name <name> 指定一个自定义的变量，以确定输出格式--shellest 最小化生成payload-h, --help 查看帮助选项--help-formats查看msf支持的输出格式列表

2.可使用的payload

Framework Payloads (560 total) [--payload <value>]==================================================Name Description---- -----------aix/ppc/shell_bind_tcpListen for a connection and spawn a command shellaix/ppc/shell_find_port Spawn a shell on an established connectionaix/ppc/shell_interactSimply execve /bin/sh (for inetd programs)aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shellandroid/meterpreter/reverse_httpRun a meterpreter server in Android. Tunnel communication over HTTPandroid/meterpreter/reverse_https Run a meterpreter server in Android. Tunnel communication over HTTPSandroid/meterpreter/reverse_tcp Run a meterpreter server in Android. Connect back stagerandroid/meterpreter_reverse_httpConnect back to attacker and spawn a Meterpreter shellandroid/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shellandroid/meterpreter_reverse_tcp Connect back to the attacker and spawn a Meterpreter shellandroid/shell/reverse_httpSpawn a piped command shell (sh). Tunnel communication over HTTPandroid/shell/reverse_httpsSpawn a piped command shell (sh). Tunnel communication over HTTPSandroid/shell/reverse_tcp Spawn a piped command shell (sh). Connect back stagerapple_ios/aarch64/meterpreter_reverse_httpRun the Meterpreter / Mettle server payload (stageless)apple_ios/aarch64/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)apple_ios/aarch64/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)apple_ios/aarch64/shell_reverse_tcp Connect back to attacker and spawn a command shellapple_ios/armle/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)apple_ios/armle/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)apple_ios/armle/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)bsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shellbsd/sparc/shell_reverse_tcpConnect back to attacker and spawn a command shellbsd/vax/shell_reverse_tcp Connect back to attacker and spawn a command shellbsd/x64/execExecute an arbitrary commandbsd/x64/shell_bind_ipv6_tcpListen for a connection and spawn a command shell over IPv6bsd/x64/shell_bind_tcpBind an arbitrary command to an arbitrary portbsd/x64/shell_bind_tcp_small Listen for a connection and spawn a command shellbsd/x64/shell_reverse_ipv6_tcp Connect back to attacker and spawn a command shell over IPv6bsd/x64/shell_reverse_tcp Connect back to attacker and spawn a command shellbsd/x64/shell_reverse_tcp_small Connect back to attacker and spawn a command shellbsd/x86/execExecute an arbitrary commandbsd/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Servicebsd/x86/metsvc_reverse_tcpStub payload for interacting with a Meterpreter Servicebsd/x86/shell/bind_ipv6_tcpSpawn a command shell (staged). Listen for a connection over IPv6bsd/x86/shell/bind_tcpSpawn a command shell (staged). Listen for a connectionbsd/x86/shell/find_tagSpawn a command shell (staged). Use an established connectionbsd/x86/shell/reverse_ipv6_tcp Spawn a command shell (staged). Connect back to the attacker over IPv6bsd/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attackerbsd/x86/shell_bind_tcpListen for a connection and spawn a command shellbsd/x86/shell_bind_tcp_ipv6Listen for a connection and spawn a command shell over IPv6bsd/x86/shell_find_port Spawn a shell on an established connectionbsd/x86/shell_find_tagSpawn a shell on an established connection (proxy/nat safe)bsd/x86/shell_reverse_tcp Connect back to attacker and spawn a command shellbsd/x86/shell_reverse_tcp_ipv6 Connect back to attacker and spawn a command shell over IPv6bsdi/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connectionbsdi/x86/shell/reverse_tcpSpawn a command shell (staged). Connect back to the attackerbsdi/x86/shell_bind_tcp Listen for a connection and spawn a command shellbsdi/x86/shell_find_port Spawn a shell on an established connectionbsdi/x86/shell_reverse_tcpConnect back to attacker and spawn a command shellcmd/mainframe/apf_privesc_jcl (Elevate privileges for user. Adds SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using an unsecured/updateable APF authorized library (APFLIB) and updating the user's ACEE using this program/library. Note: This privesc only works with z/OS systems using RACF, no other ESM is supported.)cmd/mainframe/bind_shell_jcl Provide JCL which creates a bind shell This implmentation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.cmd/mainframe/generic_jcl Provide JCL which can be used to submit a job to JES2 on z/OS which will exit and return 0. This can be used as a template for other JCL based payloadscmd/mainframe/reverse_shell_jcl Provide JCL which creates a reverse shell This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.cmd/unix/bind_awkListen for a connection and spawn a command shell via GNU AWKcmd/unix/bind_busybox_telnetd Listen for a connection and spawn a command shell via BusyBox telnetdcmd/unix/bind_inetd Listen for a connection and spawn a command shell (persistent)cmd/unix/bind_jjsListen for a connection and spawn a command shell via jjscmd/unix/bind_luaListen for a connection and spawn a command shell via Luacmd/unix/bind_netcat Listen for a connection and spawn a command shell via netcatcmd/unix/bind_netcat_gapingListen for a connection and spawn a command shell via netcatcmd/unix/bind_netcat_gaping_ipv6Listen for a connection and spawn a command shell via netcatcmd/unix/bind_nodejs Continually listen for a connection and spawn a command shell via nodejscmd/unix/bind_perl Listen for a connection and spawn a command shell via perlcmd/unix/bind_perl_ipv6 Listen for a connection and spawn a command shell via perlcmd/unix/bind_r Continually listen for a connection and spawn a command shell via Rcmd/unix/bind_ruby Continually listen for a connection and spawn a command shell via Rubycmd/unix/bind_ruby_ipv6 Continually listen for a connection and spawn a command shell via Rubycmd/unix/bind_socat_udp Creates an interactive shell via socatcmd/unix/bind_stub Listen for a connection and spawn a command shell (stub only, no payload)cmd/unix/bind_zshListen for a connection and spawn a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default.cmd/unix/genericExecutes the supplied commandcmd/unix/interactInteracts with a shell on an established socket connectioncmd/unix/pingback_bindAccept a connection, send a UUID, then exitcmd/unix/pingback_reverse Creates a socket, send a UUID, then exitcmd/unix/reverseCreates an interactive shell through two inbound connectionscmd/unix/reverse_awk Creates an interactive shell via GNU AWKcmd/unix/reverse_bash Creates an interactive shell via bash's builtin /dev/tcp. This will not work on circa and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.cmd/unix/reverse_bash_telnet_sslCreates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the '-z' option included on some systems to encrypt using SSL.cmd/unix/reverse_bash_udp Creates an interactive shell via bash's builtin /dev/udp. This will not work on circa and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/udp feature.cmd/unix/reverse_jjs Connect back and create a command shell via jjscmd/unix/reverse_ksh Connect back and create a command shell via Ksh. Note: Although Ksh is often available, please be aware it isn't usually installed by default.cmd/unix/reverse_lua Creates an interactive shell via Luacmd/unix/reverse_ncat_ssl Creates an interactive shell via ncat, utilizing ssl modecmd/unix/reverse_netcat Creates an interactive shell via netcatcmd/unix/reverse_netcat_gaping Creates an interactive shell via netcatcmd/unix/reverse_nodejs Continually listen for a connection and spawn a command shell via nodejscmd/unix/reverse_openssl Creates an interactive shell through two inbound connectionscmd/unix/reverse_perl Creates an interactive shell via perlcmd/unix/reverse_perl_ssl Creates an interactive shell via perl, uses SSLcmd/unix/reverse_php_ssl Creates an interactive shell via php, uses SSLcmd/unix/reverse_python Connect back and create a command shell via Pythoncmd/unix/reverse_python_sslCreates an interactive shell via python, uses SSL, encodes with base64 by design.cmd/unix/reverse_r Connect back and create a command shell via Rcmd/unix/reverse_ruby Connect back and create a command shell via Rubycmd/unix/reverse_ruby_ssl Connect back and create a command shell via Ruby, uses SSLcmd/unix/reverse_socat_udpCreates an interactive shell via socatcmd/unix/reverse_ssh Connect back and create a command shell via SSHcmd/unix/reverse_ssl_double_telnet Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" optioncmd/unix/reverse_stub Creates an interactive shell through an inbound connection (stub only, no payload)cmd/unix/reverse_tclshCreates an interactive shell via Tclshcmd/unix/reverse_zsh Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default.cmd/windows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)cmd/windows/bind_lua Listen for a connection and spawn a command shell via Luacmd/windows/bind_perl Listen for a connection and spawn a command shell via perl (persistent)cmd/windows/bind_perl_ipv6Listen for a connection and spawn a command shell via perl (persistent)cmd/windows/bind_ruby Continually listen for a connection and spawn a command shell via Rubycmd/windows/download_eval_vbs Downloads a file from an HTTP(S) URL and executes it as a vbs script. Use it to stage a vbs encoded payload from a short command line.cmd/windows/download_exec_vbs Download an EXE from an HTTP(S) URL and execute itcmd/windows/generic Executes the supplied commandcmd/windows/powershell_bind_tcp Interacts with a powershell session on an established socket connectioncmd/windows/powershell_reverse_tcp Interacts with a powershell session on an established socket connectioncmd/windows/reverse_lua Creates an interactive shell via Luacmd/windows/reverse_perl Creates an interactive shell via perlcmd/windows/reverse_powershell Connect back and create a command shell via Powershellcmd/windows/reverse_ruby Connect back and create a command shell via Rubyfirefox/execThis module runs a shell command on the target OS without touching the disk. On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript "launcher" to disk that hides the prompt.firefox/shell_bind_tcpCreates an interactive shell via Javascript with access to Firefox's XPCOM APIfirefox/shell_reverse_tcp Creates an interactive shell via Javascript with access to Firefox's XPCOM APIgeneric/custom Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.generic/debug_trap Generate a debug trap in the target processgeneric/shell_bind_tcpListen for a connection and spawn a command shellgeneric/shell_reverse_tcp Connect back to attacker and spawn a command shellgeneric/tight_loop Generate a tight loop in the target processjava/jsp_shell_bind_tcp Listen for a connection and spawn a command shelljava/jsp_shell_reverse_tcpConnect back to attacker and spawn a command shelljava/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connectionjava/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTPjava/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPSjava/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stagerjava/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connectionjava/shell/reverse_tcpSpawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stagerjava/shell_reverse_tcpConnect back to attacker and spawn a command shelllinux/aarch64/meterpreter/reverse_tcpInject the mettle server payload (staged). Connect back to the attackerlinux/aarch64/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)linux/aarch64/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/aarch64/meterpreter_reverse_tcpRun the Meterpreter / Mettle server payload (stageless)linux/aarch64/shell/reverse_tcp dup2 socket in x12, then execve. Connect back to the attackerlinux/aarch64/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/armbe/meterpreter_reverse_httpRun the Meterpreter / Mettle server payload (stageless)linux/armbe/meterpreter_reverse_httpsRun the Meterpreter / Mettle server payload (stageless)linux/armbe/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)linux/armbe/shell_bind_tcpListen for a connection and spawn a command shelllinux/armle/adduser Create a new user with UID 0linux/armle/execExecute an arbitrary commandlinux/armle/meterpreter/bind_tcpInject the mettle server payload (staged). Listen for a connectionlinux/armle/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect back to the attackerlinux/armle/meterpreter_reverse_httpRun the Meterpreter / Mettle server payload (stageless)linux/armle/meterpreter_reverse_httpsRun the Meterpreter / Mettle server payload (stageless)linux/armle/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)linux/armle/shell/bind_tcpdup2 socket in r12, then execve. Listen for a connectionlinux/armle/shell/reverse_tcp dup2 socket in r12, then execve. Connect back to the attackerlinux/armle/shell_bind_tcpConnect to target and spawn a command shelllinux/armle/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/mips64/meterpreter_reverse_httpRun the Meterpreter / Mettle server payload (stageless)linux/mips64/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/mips64/meterpreter_reverse_tcpRun the Meterpreter / Mettle server payload (stageless)linux/mipsbe/execA very small shellcode for executing commands. This module is sometimes helpful for testing purposes.linux/mipsbe/meterpreter/reverse_tcpInject the mettle server payload (staged). Connect back to the attackerlinux/mipsbe/meterpreter_reverse_httpRun the Meterpreter / Mettle server payload (stageless)linux/mipsbe/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/mipsbe/meterpreter_reverse_tcpRun the Meterpreter / Mettle server payload (stageless)linux/mipsbe/reboot A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures.linux/mipsbe/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attackerlinux/mipsbe/shell_bind_tcpListen for a connection and spawn a command shelllinux/mipsbe/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/mipsle/execA very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space.linux/mipsle/meterpreter/reverse_tcpInject the mettle server payload (staged). Connect back to the attackerlinux/mipsle/meterpreter_reverse_httpRun the Meterpreter / Mettle server payload (stageless)linux/mipsle/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/mipsle/meterpreter_reverse_tcpRun the Meterpreter / Mettle server payload (stageless)linux/mipsle/reboot A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes.linux/mipsle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attackerlinux/mipsle/shell_bind_tcpListen for a connection and spawn a command shelllinux/mipsle/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/ppc/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)linux/ppc/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/ppc/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)linux/ppc/shell_bind_tcp Listen for a connection and spawn a command shelllinux/ppc/shell_find_port Spawn a shell on an established connectionlinux/ppc/shell_reverse_tcpConnect back to attacker and spawn a command shelllinux/ppc64/shell_bind_tcpListen for a connection and spawn a command shelllinux/ppc64/shell_find_portSpawn a shell on an established connectionlinux/ppc64/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/ppc64le/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)linux/ppc64le/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/ppc64le/meterpreter_reverse_tcpRun the Meterpreter / Mettle server payload (stageless)linux/ppce500v2/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)linux/ppce500v2/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/ppce500v2/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)linux/x64/exec Execute an arbitrary commandlinux/x64/meterpreter/bind_tcp Inject the mettle server payload (staged). Listen for a connectionlinux/x64/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect back to the attackerlinux/x64/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)linux/x64/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/x64/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)linux/x64/pingback_bind_tcpAccept a connection from attacker and report UUID (Linux x64)linux/x64/pingback_reverse_tcp Connect back to attacker and report UUID (Linux x64)linux/x64/shell/bind_tcp Spawn a command shell (staged). Listen for a connectionlinux/x64/shell/reverse_tcpSpawn a command shell (staged). Connect back to the attackerlinux/x64/shell_bind_ipv6_tcp Listen for an IPv6 connection and spawn a command shelllinux/x64/shell_bind_tcp Listen for a connection and spawn a command shelllinux/x64/shell_bind_tcp_random_portListen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.linux/x64/shell_find_port Spawn a shell on an established connectionlinux/x64/shell_reverse_ipv6_tcpConnect back to attacker and spawn a command shell over IPv6linux/x64/shell_reverse_tcpConnect back to attacker and spawn a command shelllinux/x86/adduserCreate a new user with UID 0linux/x86/chmod Runs chmod on specified file with specified modelinux/x86/exec Execute an arbitrary commandlinux/x86/meterpreter/bind_ipv6_tcp Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)linux/x86/meterpreter/bind_ipv6_tcp_uuid Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)linux/x86/meterpreter/bind_nonx_tcp Inject the mettle server payload (staged). Listen for a connectionlinux/x86/meterpreter/bind_tcp Inject the mettle server payload (staged). Listen for a connection (Linux x86)linux/x86/meterpreter/bind_tcp_uuid Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86)linux/x86/meterpreter/find_tag Inject the mettle server payload (staged). Use an established connectionlinux/x86/meterpreter/reverse_ipv6_tcp Inject the mettle server payload (staged). Connect back to attacker over IPv6linux/x86/meterpreter/reverse_nonx_tcp Inject the mettle server payload (staged). Connect back to the attackerlinux/x86/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect back to the attackerlinux/x86/meterpreter/reverse_tcp_uuid Inject the mettle server payload (staged). Connect back to the attackerlinux/x86/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)linux/x86/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)linux/x86/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)linux/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Servicelinux/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Servicelinux/x86/read_file Read up to 4096 bytes from the local file system and write it back out to the specified file descriptorlinux/x86/shell/bind_ipv6_tcp Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)linux/x86/shell/bind_ipv6_tcp_uuid Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)linux/x86/shell/bind_nonx_tcp Spawn a command shell (staged). Listen for a connectionlinux/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection (Linux x86)linux/x86/shell/bind_tcp_uuid Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)linux/x86/shell/find_tag Spawn a command shell (staged). Use an established connectionlinux/x86/shell/reverse_ipv6_tcpSpawn a command shell (staged). Connect back to attacker over IPv6linux/x86/shell/reverse_nonx_tcpSpawn a command shell (staged). Connect back to the attackerlinux/x86/shell/reverse_tcpSpawn a command shell (staged). Connect back to the attackerlinux/x86/shell/reverse_tcp_uuidSpawn a command shell (staged). Connect back to the attackerlinux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shelllinux/x86/shell_bind_tcp Listen for a connection and spawn a command shelllinux/x86/shell_bind_tcp_random_portListen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.linux/x86/shell_find_port Spawn a shell on an established connectionlinux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)linux/x86/shell_reverse_tcpConnect back to attacker and spawn a command shelllinux/x86/shell_reverse_tcp_ipv6Connect back to attacker and spawn a command shell over IPv6linux/zarch/meterpreter_reverse_httpRun the Meterpreter / Mettle server payload (stageless)linux/zarch/meterpreter_reverse_httpsRun the Meterpreter / Mettle server payload (stageless)linux/zarch/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)mainframe/shell_reverse_tcpListen for a connection and spawn a command shell. This implementation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically.multi/meterpreter/reverse_http Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTPmulti/meterpreter/reverse_https Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTPSnetware/shell/reverse_tcp Connect to the NetWare console (staged). Connect back to the attackernodejs/shell_bind_tcp Creates an interactive shell via nodejsnodejs/shell_reverse_tcp Creates an interactive shell via nodejsnodejs/shell_reverse_tcp_ssl Creates an interactive shell via nodejs, uses SSLosx/armle/execute/bind_tcpSpawn a command shell (staged). Listen for a connectionosx/armle/execute/reverse_tcp Spawn a command shell (staged). Connect back to the attackerosx/armle/shell/bind_tcp Spawn a command shell (staged). Listen for a connectionosx/armle/shell/reverse_tcpSpawn a command shell (staged). Connect back to the attackerosx/armle/shell_bind_tcp Listen for a connection and spawn a command shellosx/armle/shell_reverse_tcpConnect back to attacker and spawn a command shellosx/armle/vibrateCauses the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller <cmiller[at]>.osx/ppc/shell/bind_tcpSpawn a command shell (staged). Listen for a connectionosx/ppc/shell/find_tagSpawn a command shell (staged). Use an established connectionosx/ppc/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attackerosx/ppc/shell_bind_tcpListen for a connection and spawn a command shellosx/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shellosx/x64/dupandexecve/bind_tcp dup2 socket in edi, then execve. Listen, read length, read buffer, executeosx/x64/dupandexecve/reverse_tcpdup2 socket in edi, then execve. Connect, read length, read buffer, executeosx/x64/execExecute an arbitrary commandosx/x64/meterpreter/bind_tcp Inject the mettle server payload (staged). Listen, read length, read buffer, executeosx/x64/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect, read length, read buffer, executeosx/x64/meterpreter_reverse_httpRun the Meterpreter / Mettle server payload (stageless)osx/x64/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)osx/x64/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)osx/x64/say Say an arbitrary string outloud using Mac OS X text2speechosx/x64/shell_bind_tcpBind an arbitrary command to an arbitrary portosx/x64/shell_find_tagSpawn a shell on an established connection (proxy/nat safe)osx/x64/shell_reverse_tcp Connect back to attacker and spawn a command shellosx/x86/bundleinject/bind_tcp Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, executeosx/x86/bundleinject/reverse_tcpInject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, executeosx/x86/execExecute an arbitrary commandosx/x86/isight/bind_tcp Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, executeosx/x86/isight/reverse_tcpInject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, executeosx/x86/shell_bind_tcpListen for a connection and spawn a command shellosx/x86/shell_find_port Spawn a shell on an established connectionosx/x86/shell_reverse_tcp Connect back to attacker and spawn a command shellosx/x86/vforkshell/bind_tcpCall vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, executeosx/x86/vforkshell/reverse_tcp Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, executeosx/x86/vforkshell_bind_tcpListen for a connection, vfork if necessary, and spawn a command shellosx/x86/vforkshell_reverse_tcp Connect back to attacker, vfork if necessary, and spawn a command shellphp/bind_perl Listen for a connection and spawn a command shell via perl (persistent)php/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent) over IPv6php/bind_phpListen for a connection and spawn a command shell via phpphp/bind_php_ipv6Listen for a connection and spawn a command shell via php (IPv6)php/download_execDownload an EXE from an HTTP URL and execute itphp/exec Execute a single system commandphp/meterpreter/bind_tcp Run a meterpreter server in PHP. Listen for a connectionphp/meterpreter/bind_tcp_ipv6 Run a meterpreter server in PHP. Listen for a connection over IPv6php/meterpreter/bind_tcp_ipv6_uuid Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Supportphp/meterpreter/bind_tcp_uuid Run a meterpreter server in PHP. Listen for a connection with UUID Supportphp/meterpreter/reverse_tcpRun a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functionsphp/meterpreter/reverse_tcp_uuidRun a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functionsphp/meterpreter_reverse_tcpConnect back to attacker and spawn a Meterpreter server (PHP)php/reverse_perlCreates an interactive shell via perlphp/reverse_php Reverse PHP connect back shell with checks for disabled functionsphp/shell_findsock Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.python/meterpreter/bind_tcpRun a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connectionpython/meterpreter/bind_tcp_uuidRun a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Listen for a connection with UUID Supportpython/meterpreter/reverse_http Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTPpython/meterpreter/reverse_httpsRun a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Tunnel communication over HTTP using SSLpython/meterpreter/reverse_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attackerpython/meterpreter/reverse_tcp_ssl Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Reverse Python connect back stager using SSLpython/meterpreter/reverse_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.6). Connect back to the attacker with UUID Supportpython/meterpreter_bind_tcpConnect to the victim and spawn a Meterpreter shellpython/meterpreter_reverse_http Connect back to the attacker and spawn a Meterpreter shellpython/meterpreter_reverse_httpsConnect back to the attacker and spawn a Meterpreter shellpython/meterpreter_reverse_tcp Connect back to the attacker and spawn a Meterpreter shellpython/pingback_bind_tcp Listens for a connection from the attacker, sends a UUID, then terminatespython/pingback_reverse_tcpConnects back to the attacker, sends a UUID, then terminatespython/shell_bind_tcp Creates an interactive shell via python, encodes with base64 by designpython/shell_reverse_tcp Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3python/shell_reverse_tcp_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design.python/shell_reverse_udp Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3r/shell_bind_tcpContinually listen for a connection and spawn a command shell via Rr/shell_reverse_tcp Connect back and create a command shell via Rruby/pingback_bind_tcpListens for a connection from the attacker, sends a UUID, then terminatesruby/pingback_reverse_tcp Connect back to the attacker, sends a UUID, then terminatesruby/shell_bind_tcp Continually listen for a connection and spawn a command shell via Rubyruby/shell_bind_tcp_ipv6 Continually listen for a connection and spawn a command shell via Rubyruby/shell_reverse_tcpConnect back and create a command shell via Rubyruby/shell_reverse_tcp_sslConnect back and create a command shell via Ruby, uses SSLsolaris/sparc/shell_bind_tcp Listen for a connection and spawn a command shellsolaris/sparc/shell_find_port Spawn a shell on an established connectionsolaris/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shellsolaris/x86/shell_bind_tcpListen for a connection and spawn a command shellsolaris/x86/shell_find_portSpawn a shell on an established connectionsolaris/x86/shell_reverse_tcp Connect back to attacker and spawn a command shelltty/unix/interactInteracts with a TTY on an established socket connectionwindows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)windows/dllinject/bind_hidden_ipknock_tcp Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcodewindows/dllinject/bind_hidden_tcp Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.windows/dllinject/bind_ipv6_tcp Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)windows/dllinject/bind_ipv6_tcp_uuidInject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)windows/dllinject/bind_named_pipe Inject a DLL via a reflective loader. Listen for a pipe connection (Windows x86)windows/dllinject/bind_nonx_tcp Inject a DLL via a reflective loader. Listen for a connection (No NX)windows/dllinject/bind_tcpInject a DLL via a reflective loader. Listen for a connection (Windows x86)windows/dllinject/bind_tcp_rc4 Inject a DLL via a reflective loader. Listen for a connectionwindows/dllinject/bind_tcp_uuid Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)windows/dllinject/find_tagInject a DLL via a reflective loader. Use an established connectionwindows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.windows/dllinject/reverse_http Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)windows/dllinject/reverse_http_proxy_pstore Inject a DLL via a reflective loader. Tunnel communication over HTTPwindows/dllinject/reverse_ipv6_tcp Inject a DLL via a reflective loader. Connect back to the attacker over IPv6windows/dllinject/reverse_nonx_tcp Inject a DLL via a reflective loader. Connect back to the attacker (No NX)windows/dllinject/reverse_ord_tcp Inject a DLL via a reflective loader. Connect back to the attackerwindows/dllinject/reverse_tcp Inject a DLL via a reflective loader. Connect back to the attackerwindows/dllinject/reverse_tcp_allports Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)windows/dllinject/reverse_tcp_dns Inject a DLL via a reflective loader. Connect back to the attackerwindows/dllinject/reverse_tcp_rc4 Inject a DLL via a reflective loader. Connect back to the attackerwindows/dllinject/reverse_tcp_rc4_dnsInject a DLL via a reflective loader. Connect back to the attackerwindows/dllinject/reverse_tcp_uuid Inject a DLL via a reflective loader. Connect back to the attacker with UUID Supportwindows/dllinject/reverse_winhttp Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)windows/dns_txt_query_execPerforms a TXT query against a series of DNS record(s) and executes the returned payloadwindows/download_exec Download an EXE from an HTTP(S)/FTP URL and execute itwindows/execExecute an arbitrary commandwindows/format_all_drives This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume.windows/loadlibrary Load an arbitrary library pathwindows/messagebox Spawns a dialog via MessageBox using a customizable title, text & iconwindows/meterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcodewindows/meterpreter/bind_hidden_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.windows/meterpreter/bind_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86)windows/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86)windows/meterpreter/bind_named_pipe Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a pipe connection (Windows x86)windows/meterpreter/bind_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX)windows/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)windows/meterpreter/bind_tcp_rc4Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connectionwindows/meterpreter/bind_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86)windows/meterpreter/find_tag Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connectionwindows/meterpreter/reverse_hop_httpInject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.windows/meterpreter/reverse_httpInject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet)windows/meterpreter/reverse_http_proxy_pstore Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPwindows/meterpreter/reverse_https Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet)windows/meterpreter/reverse_https_proxy Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy supportwindows/meterpreter/reverse_ipv6_tcpInject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker over IPv6windows/meterpreter/reverse_named_pipe Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker via a named pipe pivotwindows/meterpreter/reverse_nonx_tcpInject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX)windows/meterpreter/reverse_ord_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attackerwindows/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attackerwindows/meterpreter/reverse_tcp_allports Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)windows/meterpreter/reverse_tcp_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attackerwindows/meterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attackerwindows/meterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attackerwindows/meterpreter/reverse_tcp_uuidInject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Supportwindows/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp)windows/meterpreter/reverse_winhttpsInject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows winhttp)windows/meterpreter_bind_named_pipe Connect to victim and spawn a Meterpreter shellwindows/meterpreter_bind_tcp Connect to victim and spawn a Meterpreter shellwindows/meterpreter_reverse_httpConnect back to attacker and spawn a Meterpreter shellwindows/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shellwindows/meterpreter_reverse_ipv6_tcpConnect back to attacker and spawn a Meterpreter shellwindows/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shellwindows/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Servicewindows/metsvc_reverse_tcpStub payload for interacting with a Meterpreter Servicewindows/patchupdllinject/bind_hidden_ipknock_tcp Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcodewindows/patchupdllinject/bind_hidden_tcp Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host.windows/patchupdllinject/bind_ipv6_tcp Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86)windows/patchupdllinject/bind_ipv6_tcp_uuid Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)windows/patchupdllinject/bind_named_pipe Inject a custom DLL into the exploited process. Listen for a pipe connection (Windows x86)windows/patchupdllinject/bind_nonx_tcp Inject a custom DLL into the exploited process. Listen for a connection (No NX)windows/patchupdllinject/bind_tcp Inject a custom DLL into the exploited process. Listen for a connection (Windows x86)windows/patchupdllinject/bind_tcp_rc4Inject a custom DLL into the exploited process. Listen for a connectionwindows/patchupdllinject/bind_tcp_uuid Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86)windows/patchupdllinject/find_tag Inject a custom DLL into the exploited process. Use an established connectionwindows/patchupdllinject/reverse_ipv6_tcp Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6windows/patchupdllinject/reverse_nonx_tcp Inject a custom DLL into the exploited process. Connect back to the attacker (No NX)windows/patchupdllinject/reverse_ord_tcp Inject a custom DLL into the exploited process. Connect back to the attackerwindows/patchupdllinject/reverse_tcpInject a custom DLL into the exploited process. Connect back to the attackerwindows/patchupdllinject/reverse_tcp_allports Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly)windows/patchupdllinject/reverse_tcp_dns Inject a custom DLL into the exploited process. Connect back to the attackerwindows/patchupdllinject/reverse_tcp_rc4 Inject a custom DLL into the exploited process. Connect back to the attackerwindows/patchupdllinject/reverse_tcp_rc4_dns Inject a custom DLL into the exploited process. Connect back to the attackerwindows/patchupdllinject/reverse_tcp_uuid Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Supportwindows/patchupmeterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcodewindows/patchupmeterpreter/bind_hidden_tcpInject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.windows/patchupmeterpreter/bind_ipv6_tcp Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86)windows/patchupmeterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86)windows/patchupmeterpreter/bind_named_pipeInject the meterpreter server DLL (staged). Listen for a pipe connection (Windows x86)windows/patchupmeterpreter/bind_nonx_tcp Inject the meterpreter server DLL (staged). Listen for a connection (No NX)windows/patchupmeterpreter/bind_tcp Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86)windows/patchupmeterpreter/bind_tcp_rc4 Inject the meterpreter server DLL (staged). Listen for a connectionwindows/patchupmeterpreter/bind_tcp_uuid Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86)windows/patchupmeterpreter/find_tag Inject the meterpreter server DLL (staged). Use an established connectionwindows/patchupmeterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6windows/patchupmeterpreter/reverse_nonx_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX)windows/patchupmeterpreter/reverse_ord_tcpInject the meterpreter server DLL (staged). Connect back to the attackerwindows/patchupmeterpreter/reverse_tcp Inject the meterpreter server DLL (staged). Connect back to the attackerwindows/patchupmeterpreter/reverse_tcp_allportsInject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)windows/patchupmeterpreter/reverse_tcp_dnsInject the meterpreter server DLL (staged). Connect back to the attackerwindows/patchupmeterpreter/reverse_tcp_rc4Inject the meterpreter server DLL (staged). Connect back to the attackerwindows/patchupmeterpreter/reverse_tcp_rc4_dnsInject the meterpreter server DLL (staged). Connect back to the attackerwindows/patchupmeterpreter/reverse_tcp_uuid Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Supportwindows/pingback_bind_tcp Open a socket and report UUID when a connection is received (Windows x86)windows/pingback_reverse_tcp Connect back to attacker and report UUID (Windows x86)windows/powershell_bind_tcpListen for a connection and spawn an interactive powershell sessionwindows/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell sessionwindows/shell/bind_hidden_ipknock_tcpSpawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcodewindows/shell/bind_hidden_tcp Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.windows/shell/bind_ipv6_tcpSpawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86)windows/shell/bind_ipv6_tcp_uuidSpawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)windows/shell/bind_named_pipe Spawn a piped command shell (staged). Listen for a pipe connection (Windows x86)windows/shell/bind_nonx_tcpSpawn a piped command shell (staged). Listen for a connection (No NX)windows/shell/bind_tcpSpawn a piped command shell (staged). Listen for a connection (Windows x86)windows/shell/bind_tcp_rc4Spawn a piped command shell (staged). Listen for a connectionwindows/shell/bind_tcp_uuidSpawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86)windows/shell/find_tagSpawn a piped command shell (staged). Use an established connectionwindows/shell/reverse_ipv6_tcp Spawn a piped command shell (staged). Connect back to the attacker over IPv6windows/shell/reverse_nonx_tcp Spawn a piped command shell (staged). Connect back to the attacker (No NX)windows/shell/reverse_ord_tcp Spawn a piped command shell (staged). Connect back to the attackerwindows/shell/reverse_tcp Spawn a piped command shell (staged). Connect back to the attackerwindows/shell/reverse_tcp_allports Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)windows/shell/reverse_tcp_dns Spawn a piped command shell (staged). Connect back to the attackerwindows/shell/reverse_tcp_rc4 Spawn a piped command shell (staged). Connect back to the attackerwindows/shell/reverse_tcp_rc4_dns Spawn a piped command shell (staged). Connect back to the attackerwindows/shell/reverse_tcp_uuid Spawn a piped command shell (staged). Connect back to the attacker with UUID Supportwindows/shell/reverse_udp Spawn a piped command shell (staged). Connect back to the attacker with UUID Supportwindows/shell_bind_tcpListen for a connection and spawn a command shellwindows/shell_bind_tcp_xpfwDisable the Windows ICF, then listen for a connection and spawn a command shellwindows/shell_hidden_bind_tcp Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not coming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode.windows/shell_reverse_tcp Connect back to attacker and spawn a command shellwindows/speak_pwned Causes the target to say "You Got Pwned" via the Windows Speech APIwindows/upexec/bind_hidden_ipknock_tcp Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcodewindows/upexec/bind_hidden_tcp Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.windows/upexec/bind_ipv6_tcp Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)windows/upexec/bind_ipv6_tcp_uuid Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86)windows/upexec/bind_named_pipe Uploads an executable and runs it (staged). Listen for a pipe connection (Windows x86)windows/upexec/bind_nonx_tcp Uploads an executable and runs it (staged). Listen for a connection (No NX)windows/upexec/bind_tcp Uploads an executable and runs it (staged). Listen for a connection (Windows x86)windows/upexec/bind_tcp_rc4Uploads an executable and runs it (staged). Listen for a connectionwindows/upexec/bind_tcp_uuid Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)windows/upexec/find_tag Uploads an executable and runs it (staged). Use an established connectionwindows/upexec/reverse_ipv6_tcp Uploads an executable and runs it (staged). Connect back to the attacker over IPv6windows/upexec/reverse_nonx_tcp Uploads an executable and runs it (staged). Connect back to the attacker (No NX)windows/upexec/reverse_ord_tcp Uploads an executable and runs it (staged). Connect back to the attackerwindows/upexec/reverse_tcpUploads an executable and runs it (staged). Connect back to the attackerwindows/upexec/reverse_tcp_allports Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)windows/upexec/reverse_tcp_dns Uploads an executable and runs it (staged). Connect back to the attackerwindows/upexec/reverse_tcp_rc4 Uploads an executable and runs it (staged). Connect back to the attackerwindows/upexec/reverse_tcp_rc4_dns Uploads an executable and runs it (staged). Connect back to the attackerwindows/upexec/reverse_tcp_uuid Uploads an executable and runs it (staged). Connect back to the attacker with UUID Supportwindows/upexec/reverse_udpUploads an executable and runs it (staged). Connect back to the attacker with UUID Supportwindows/vncinject/bind_hidden_ipknock_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcodewindows/vncinject/bind_hidden_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.windows/vncinject/bind_ipv6_tcp Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86)windows/vncinject/bind_ipv6_tcp_uuidInject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection with UUID Support (Windows x86)windows/vncinject/bind_named_pipe Inject a VNC Dll via a reflective loader (staged). Listen for a pipe connection (Windows x86)windows/vncinject/bind_nonx_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection (No NX)windows/vncinject/bind_tcpInject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)windows/vncinject/bind_tcp_rc4 Inject a VNC Dll via a reflective loader (staged). Listen for a connectionwindows/vncinject/bind_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86)windows/vncinject/find_tagInject a VNC Dll via a reflective loader (staged). Use an established connectionwindows/vncinject/reverse_hop_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.windows/vncinject/reverse_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet)windows/vncinject/reverse_http_proxy_pstore Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTPwindows/vncinject/reverse_ipv6_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker over IPv6windows/vncinject/reverse_nonx_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX)windows/vncinject/reverse_ord_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attackerwindows/vncinject/reverse_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attackerwindows/vncinject/reverse_tcp_allports Inject a VNC Dll via a reflective loader (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)windows/vncinject/reverse_tcp_dns Inject a VNC Dll via a reflective loader (staged). Connect back to the attackerwindows/vncinject/reverse_tcp_rc4 Inject a VNC Dll via a reflective loader (staged). Connect back to the attackerwindows/vncinject/reverse_tcp_rc4_dnsInject a VNC Dll via a reflective loader (staged). Connect back to the attackerwindows/vncinject/reverse_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Supportwindows/vncinject/reverse_winhttp Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp)windows/x64/execExecute an arbitrary command (Windows x64)windows/x64/loadlibrary Load an arbitrary x64 library pathwindows/x64/messageboxSpawn a dialog via MessageBox using a customizable title, text & iconwindows/x64/meterpreter/bind_ipv6_tcpInject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64)windows/x64/meterpreter/bind_ipv6_tcp_uuidInject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64)windows/x64/meterpreter/bind_named_pipe Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a pipe connection (Windows x64)windows/x64/meterpreter/bind_tcpInject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64)windows/x64/meterpreter/bind_tcp_rc4Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attackerwindows/x64/meterpreter/bind_tcp_uuidInject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection with UUID Support (Windows x64)windows/x64/meterpreter/reverse_httpInject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)windows/x64/meterpreter/reverse_httpsInject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)windows/x64/meterpreter/reverse_named_pipeInject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker via a named pipe pivotwindows/x64/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)windows/x64/meterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attackerwindows/x64/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64)windows/x64/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp)windows/x64/meterpreter/reverse_winhttps Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 winhttp)windows/x64/meterpreter_bind_named_pipe Connect to victim and spawn a Meterpreter shellwindows/x64/meterpreter_bind_tcpConnect to victim and spawn a Meterpreter shellwindows/x64/meterpreter_reverse_httpConnect back to attacker and spawn a Meterpreter shellwindows/x64/meterpreter_reverse_httpsConnect back to attacker and spawn a Meterpreter shellwindows/x64/meterpreter_reverse_ipv6_tcp Connect back to attacker and spawn a Meterpreter shellwindows/x64/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shellwindows/x64/pingback_reverse_tcpConnect back to attacker and report UUID (Windows x64)windows/x64/powershell_bind_tcp Listen for a connection and spawn an interactive powershell sessionwindows/x64/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell sessionwindows/x64/shell/bind_ipv6_tcp Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)windows/x64/shell/bind_ipv6_tcp_uuidSpawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)windows/x64/shell/bind_named_pipe Spawn a piped command shell (Windows x64) (staged). Listen for a pipe connection (Windows x64)windows/x64/shell/bind_tcpSpawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64)windows/x64/shell/bind_tcp_rc4 Spawn a piped command shell (Windows x64) (staged). Connect back to the attackerwindows/x64/shell/bind_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)windows/x64/shell/reverse_tcp Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64)windows/x64/shell/reverse_tcp_rc4 Spawn a piped command shell (Windows x64) (staged). Connect back to the attackerwindows/x64/shell/reverse_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)windows/x64/shell_bind_tcpListen for a connection and spawn a command shell (Windows x64)windows/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell (Windows x64)windows/x64/vncinject/bind_ipv6_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)windows/x64/vncinject/bind_ipv6_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)windows/x64/vncinject/bind_named_pipeInject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a pipe connection (Windows x64)windows/x64/vncinject/bind_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64)windows/x64/vncinject/bind_tcp_rc4 Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attackerwindows/x64/vncinject/bind_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)windows/x64/vncinject/reverse_http Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)windows/x64/vncinject/reverse_https Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)windows/x64/vncinject/reverse_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64)windows/x64/vncinject/reverse_tcp_rc4Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attackerwindows/x64/vncinject/reverse_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)windows/x64/vncinject/reverse_winhttpInject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp)windows/x64/vncinject/reverse_winhttps Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)

3.可编码方式

base64aes256rc4xor