If you want to get a quick view of all the payloads which are currently integrated with MSFVenom, then you are at the right place.
Below you will find a complete list of all the MSFVenom Payloads that are currently available.
To list out all options, type “msfvenom -h”
- -p, –payload Payload to use. Specify a ‘-‘ or stdin to use custom payloads
- –payload-options List the payload’s standard options
- -l, –list [type] List a module type. Options are: payloads, encoders, nops, all
- -n, –nopsled Prepend a nopsled of [length] size on to the payload
- -f, –format Output format (use –help-formats for a list)
- –help-formats List available formats
- -e, –encoder The encoder to use
- -a, –arch The architecture to use
- –platform The platform of the payload
- –help-platforms List available platforms
- -s, –space The maximum size of the resulting payload
- –encoder-space The maximum size of the encoded payload (defaults to the -s value)
- -b, –bad-chars The list of characters to avoid example: ‘\x00\xff’
- -i, –iterations The number of times to encode the payload
- -c, –add-code Specify an additional win32 shellcode file to include
- -x, –template Specify a custom executable file to use as a template
- -k, –keep Preserve the template behavior and inject the payload as a new thread
- -o, –out Save the payload
- -v, –var-name Specify a custom variable name to use for certain output formats
- –smallest Generate the smallest possible payload
- -h, –help Show this message
To list out all payloads, type “msfvenom -l”
MSFvenom Payload list
| # | Environment | Payload name | Description |
| 1 | AIX | aix/ppc/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 2 | AIX | aix/ppc/shell_find_port | Spawn a shell on an established connection |
| 3 | AIX | aix/ppc/shell_interact | Simply execve /bin/sh (for inetd programs) |
| 4 | AIX | aix/ppc/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 5 | Android | android/meterpreter/reverse_http | Run a meterpreter server on Android. Tunnel communication overHTTP |
| 6 | Android | android/meterpreter/reverse_https | Run a meterpreter server on Android. Tunnel communication overHTTPS |
| 7 | Android | android/meterpreter/reverse_tcp | Run a meterpreter server on Android. Connect back stager |
| 8 | Android | android/shell/reverse_http | Spawn a piped command shell (sh). Tunnel communication over HTTP |
| 9 | Android | android/shell/reverse_https | Spawn a piped command shell (sh). Tunnel communication over HTTPS |
| 10 | Android | android/shell/reverse_tcp | Spawn a piped command shell (sh). Connect back stager |
| 11 | BSD | bsd/sparc/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 12 | BSD | bsd/sparc/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 13 | BSD | bsd/x64/exec | Execute an arbitrary command |
| 14 | BSD | bsd/x64/shell_bind_ipv6_tcp | Listen for a connection and spawn a command shell over IPv6 |
| 15 | BSD | bsd/x64/shell_bind_tcp | Bind an arbitrary command to an arbitrary port |
| 16 | BSD | bsd/x64/shell_bind_tcp_small | Listen for a connection and spawn a command shell |
| 17 | BSD | bsd/x64/shell_reverse_ipv6_tcp | Connect back to attacker and spawn a command shell over IPv6 |
| 18 | BSD | bsd/x64/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 19 | BSD | bsd/x64/shell_reverse_tcp_small | Connect back to attacker and spawn a command shell |
| 20 | BSD | bsd/x86/exec | Execute an arbitrary command |
| 21 | BSD | bsd/x86/metsvc_bind_tcp | Stub payload for interacting with a Meterpreter Service |
| 22 | BSD | bsd/x86/metsvc_reverse_tcp | Stub payload for interacting with a Meterpreter Service |
| 23 | BSD | bsd/x86/shell/bind_ipv6_tcp | Spawn a command shell (staged). Listen for a connection over IPv6 |
| 24 | BSD | bsd/x86/shell/bind_tcp | Spawn a command shell (staged). Listen for a connection |
| 25 | BSD | bsd/x86/shell/find_tag | Spawn a command shell (staged). Use an established connection |
| 26 | BSD | bsd/x86/shell/reverse_ipv6_tcp | Spawn a command shell (staged). Connect back to the attacker over IPv6 |
| 27 | BSD | bsd/x86/shell/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 28 | BSD | bsd/x86/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 29 | BSD | bsd/x86/shell_bind_tcp_ipv6 | Listen for a connection and spawn a command shell over IPv6 |
| 30 | BSD | bsd/x86/shell_find_port | Spawn a shell on an established connection |
| 31 | BSD | bsd/x86/shell_find_tag | Spawn a shell on an established connection (proxy/nat safe) |
| 32 | BSD | bsd/x86/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 33 | BSD | bsd/x86/shell_reverse_tcp_ipv6 | Connect back to attacker and spawn a command shell over IPv6 |
| 34 | BSDI | bsdi/x86/shell/bind_tcp | Spawn a command shell (staged). Listen for a connection |
| 35 | BSDI | bsdi/x86/shell/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 36 | BSDI | bsdi/x86/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 37 | BSDI | bsdi/x86/shell_find_port | Spawn a shell on an established connection |
| 38 | BSDI | bsdi/x86/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 39 | CMD | cmd/mainframe/generic_jcl | Provide JCL which can be used to submit a job to JES2 on z/OSwhich will exit and return 0. This can be used as a template for other JCL based payloads |
| 40 | CMD | cmd/mainframe/reverse_shell_jcl | Provide JCL which creates a reverse shell This implmentation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically. |
| 41 | CMD | cmd/unix/bind_awk | Listen for a connection and spawn a command shell via GNU AWK |
| 42 | CMD | cmd/unix/bind_inetd | Listen for a connection and spawn a command shell (persistent) |
| 43 | CMD | cmd/unix/bind_lua | Listen for a connection and spawn a command shell via Lua |
| 44 | CMD | cmd/unix/bind_netcat | Listen for a connection and spawn a command shell via netcat |
| 45 | CMD | cmd/unix/bind_netcat_gaping | Listen for a connection and spawn a command shell via netcat |
| 46 | CMD | cmd/unix/bind_netcat_gaping_ipv6 | Listen for a connection and spawn a command shell via netcat |
| 47 | CMD | cmd/unix/bind_nodejs | Continually listen for a connection and spawn a command shellvia nodejs |
| 48 | CMD | cmd/unix/bind_perl | Listen for a connection and spawn a command shell via perl |
| 49 | CMD | cmd/unix/bind_perl_ipv6 | Listen for a connection and spawn a command shell via perl |
| 50 | CMD | cmd/unix/bind_ruby | Continually listen for a connection and spawn a command shellvia Ruby |
| 51 | CMD | cmd/unix/bind_ruby_ipv6 | Continually listen for a connection and spawn a command shellvia Ruby |
| 52 | CMD | cmd/unix/bind_zsh | Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn’t usually installed by default. |
| 53 | CMD | cmd/unix/generic | Executes the supplied command |
| 54 | CMD | cmd/unix/interact | Interacts with a shell on an established socket connection |
| 55 | CMD | cmd/unix/reverse | Creates an interactive shell through two inbound connections |
| 56 | CMD | cmd/unix/reverse_awk | Creates an interactive shell via GNU AWK |
| 57 | CMD | cmd/unix/reverse_bash | Creates an interactive shell via bash’s builtin /dev/tcp. Thiswill not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature. |
| 58 | CMD | cmd/unix/reverse_bash_telnet_ssl | Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the ‘-z’ option included on some systems to encrypt using SSL. |
| 59 | CMD | cmd/unix/reverse_lua | Creates an interactive shell via Lua |
| 60 | CMD | cmd/unix/reverse_netcat | Creates an interactive shell via netcat |
| 61 | CMD | cmd/unix/reverse_netcat_gaping | Creates an interactive shell via netcat |
| 62 | CMD | cmd/unix/reverse_nodejs | Continually listen for a connection and spawn a command shellvia nodejs |
| 63 | CMD | cmd/unix/reverse_openssl | Creates an interactive shell through two inbound connections |
| 64 | CMD | cmd/unix/reverse_perl | Creates an interactive shell via perl |
| 65 | CMD | cmd/unix/reverse_perl_ssl | Creates an interactive shell via perl, uses SSL |
| 66 | CMD | cmd/unix/reverse_php_ssl | Creates an interactive shell via php, uses SSL |
| 67 | CMD | cmd/unix/reverse_python | Connect back and create a command shell via Python |
| 68 | CMD | cmd/unix/reverse_python_ssl | Creates an interactive shell via python, uses SSL, encodes with base64 by design. |
| 69 | CMD | cmd/unix/reverse_ruby | Connect back and create a command shell via Ruby |
| 70 | CMD | cmd/unix/reverse_ruby_ssl | Connect back and create a command shell via Ruby, uses SSL |
| 71 | CMD | cmd/unix/reverse_ssl_double_telnet | Creates an interactive shell through two inbound connections,encrypts using SSL via “-z” option |
| 72 | CMD | cmd/unix/reverse_zsh | Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn’t usually installed by default. |
| 73 | CMD | cmd/windows/adduser | Create a new user and add them to local administration group.Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special) |
| 74 | CMD | cmd/windows/bind_lua | Listen for a connection and spawn a command shell via Lua |
| 75 | CMD | cmd/windows/bind_perl | Listen for a connection and spawn a command shell via perl (persistent) |
| 76 | CMD | cmd/windows/bind_perl_ipv6 | Listen for a connection and spawn a command shell via perl (persistent) |
| 77 | CMD | cmd/windows/bind_ruby | Continually listen for a connection and spawn a command shellvia Ruby |
| 78 | CMD | cmd/windows/download_eval_vbs | Downloads a file from an HTTP(S) URL and executes it as a vbsscript. Use it to stage a vbs encoded payload from a short command line. |
| 79 | CMD | cmd/windows/download_exec_vbs | Download an EXE from an HTTP(S) URL and execute it |
| 80 | CMD | cmd/windows/generic | Executes the supplied command |
| 81 | CMD | cmd/windows/powershell_bind_tcp | Interacts with a powershell session on an established socket connection |
| 82 | CMD | cmd/windows/powershell_reverse_tcp | Interacts with a powershell session on an established socket connection |
| 83 | CMD | cmd/windows/reverse_lua | Creates an interactive shell via Lua |
| 84 | CMD | cmd/windows/reverse_perl | Creates an interactive shell via perl |
| 85 | CMD | cmd/windows/reverse_powershell | Connect back and create a command shell via Powershell |
| 86 | CMD | cmd/windows/reverse_ruby | Connect back and create a command shell via Ruby |
| 87 | Firefox | firefox/exec | This module runs a shell command on the target OS withough touching the disk. On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript “launcher” to disk that hides the prompt. |
| 88 | Firefox | firefox/shell_bind_tcp | Creates an interactive shell via Javascript with access to Firefox’s XPCOM API |
| 89 | Firefox | firefox/shell_reverse_tcp | Creates an interactive shell via Javascript with access to Firefox’s XPCOM API |
| 90 | Generic | generic/custom | Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR. |
| 91 | Generic | generic/debug_trap | Generate a debug trap in the target process |
| 92 | Generic | generic/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 93 | Generic | generic/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 94 | Generic | generic/tight_loop | Generate a tight loop in the target process |
| 95 | JAVA | java/jsp_shell_bind_tcp | Listen for a connection and spawn a command shell |
| 96 | JAVA | java/jsp_shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 97 | JAVA | java/meterpreter/bind_tcp | Run a meterpreter server in Java. Listen for a connection |
| 98 | JAVA | java/meterpreter/reverse_http | Run a meterpreter server in Java. Tunnel communication over HTTP |
| 99 | JAVA | java/meterpreter/reverse_https | Run a meterpreter server in Java. Tunnel communication over HTTPS |
| 100 | JAVA | java/meterpreter/reverse_tcp | Run a meterpreter server in Java. Connect back stager |
| 101 | JAVA | java/shell/bind_tcp | Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection |
| 102 | JAVA | java/shell/reverse_tcp | Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager |
| 103 | JAVA | java/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 104 | Linux | linux/armbe/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 105 | Linux | linux/armle/adduser | Create a new user with UID 0 |
| 106 | Linux | linux/armle/exec | Execute an arbitrary command |
| 107 | Linux | linux/armle/mettle/bind_tcp | Inject the mettle server payload (staged). Listen for a connection |
| 108 | Linux | linux/armle/mettle/reverse_tcp | Inject the mettle server payload (staged). Connect back to theattacker |
| 109 | Linux | linux/armle/shell/bind_tcp | dup2 socket in r12, then execve. Listen for a connection |
| 110 | Linux | linux/armle/shell/reverse_tcp | dup2 socket in r12, then execve. Connect back to the attacker |
| 111 | Linux | linux/armle/shell_bind_tcp | Connect to target and spawn a command shell |
| 112 | Linux | linux/armle/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 113 | Linux | linux/mipsbe/exec | A very small shellcode for executing commands. This module issometimes helpful for testing purposes. |
| 114 | Linux | linux/mipsbe/mettle/reverse_tcp | Inject the mettle server payload (staged). Connect back to theattacker |
| 115 | Linux | linux/mipsbe/reboot | A very small shellcode for rebooting the system. This payloadis sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures. |
| 116 | Linux | linux/mipsbe/shell/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 117 | Linux | linux/mipsbe/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 118 | Linux | linux/mipsbe/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 119 | Linux | linux/mipsle/exec | A very small shellcode for executing commands. This module issometimes helpful for testing purposes as well as on targets with extremely limited buffer space. |
| 120 | Linux | linux/mipsle/mettle/reverse_tcp | Inject the mettle server payload (staged). Connect back to theattacker |
| 121 | Linux | linux/mipsle/reboot | A very small shellcode for rebooting the system. This payloadis sometimes helpful for testing purposes. |
| 122 | Linux | linux/mipsle/shell/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 123 | Linux | linux/mipsle/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 124 | Linux | linux/mipsle/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 125 | Linux | linux/ppc/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 126 | Linux | linux/ppc/shell_find_port | Spawn a shell on an established connection |
| 127 | Linux | linux/ppc/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 128 | Linux | linux/ppc64/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 129 | Linux | linux/ppc64/shell_find_port | Spawn a shell on an established connection |
| 130 | Linux | linux/ppc64/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 131 | Linux | linux/x64/exec | Execute an arbitrary command |
| 132 | Linux | linux/x64/mettle/bind_tcp | Inject the mettle server payload (staged). Listen for a connection |
| 133 | Linux | linux/x64/mettle/reverse_tcp | Inject the mettle server payload (staged). Connect back to theattacker |
| 134 | Linux | linux/x64/shell/bind_tcp | Spawn a command shell (staged). Listen for a connection |
| 135 | Linux | linux/x64/shell/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 136 | Linux | linux/x64/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 137 | Linux | linux/x64/shell_bind_tcp_random_port | Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: ‘nmap -sS target -p-‘. |
| 138 | Linux | linux/x64/shell_find_port | Spawn a shell on an established connection |
| 139 | Linux | linux/x64/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 140 | Linux | linux/x86/adduser | Create a new user with UID 0 |
| 141 | Linux | linux/x86/chmod | Runs chmod on specified file with specified mode |
| 142 | Linux | linux/x86/exec | Execute an arbitrary command |
| 143 | Linux | linux/x86/meterpreter/bind_ipv6_tcp | Inject the meterpreter server payload (staged). Listen for anIPv6 connection (Linux x86) |
| 144 | Linux | linux/x86/meterpreter/bind_ipv6_tcp_uuid | Inject the meterpreter server payload (staged). Listen for anIPv6 connection with UUID Support (Linux x86) |
| 145 | Linux | linux/x86/meterpreter/bind_nonx_tcp | Inject the meterpreter server payload (staged). Listen for a connection |
| 146 | Linux | linux/x86/meterpreter/bind_tcp | Inject the meterpreter server payload (staged). Listen for a connection (Linux x86) |
| 147 | Linux | linux/x86/meterpreter/bind_tcp_uuid | Inject the meterpreter server payload (staged). Listen for a connection with UUID Support (Linux x86) |
| 148 | Linux | linux/x86/meterpreter/find_tag | Inject the meterpreter server payload (staged). Use an established connection |
| 149 | Linux | linux/x86/meterpreter/reverse_ipv6_tcp | Inject the meterpreter server payload (staged). Connect back to attacker over IPv6 |
| 150 | Linux | linux/x86/meterpreter/reverse_nonx_tcp | Inject the meterpreter server payload (staged). Connect back to the attacker |
| 151 | Linux | linux/x86/meterpreter/reverse_tcp | Inject the meterpreter server payload (staged). Connect back to the attacker |
| 152 | Linux | linux/x86/meterpreter/reverse_tcp_uuid | Inject the meterpreter server payload (staged). Connect back to the attacker |
| 153 | Linux | linux/x86/metsvc_bind_tcp | Stub payload for interacting with a Meterpreter Service |
| 154 | Linux | linux/x86/metsvc_reverse_tcp | Stub payload for interacting with a Meterpreter Service |
| 155 | Linux | linux/x86/mettle/bind_ipv6_tcp | Inject the mettle server payload (staged). Listen for an IPv6connection (Linux x86) |
| 156 | Linux | linux/x86/mettle/bind_ipv6_tcp_uuid | Inject the mettle server payload (staged). Listen for an IPv6connection with UUID Support (Linux x86) |
| 157 | Linux | linux/x86/mettle/bind_nonx_tcp | Inject the mettle server payload (staged). Listen for a connection |
| 158 | Linux | linux/x86/mettle/bind_tcp | Inject the mettle server payload (staged). Listen for a connection (Linux x86) |
| 159 | Linux | linux/x86/mettle/bind_tcp_uuid | Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86) |
| 160 | Linux | linux/x86/mettle/find_tag | Inject the mettle server payload (staged). Use an establishedconnection |
| 161 | Linux | linux/x86/mettle/reverse_ipv6_tcp | Inject the mettle server payload (staged). Connect back to attacker over IPv6 |
| 162 | Linux | linux/x86/mettle/reverse_nonx_tcp | Inject the mettle server payload (staged). Connect back to theattacker |
| 163 | Linux | linux/x86/mettle/reverse_tcp | Inject the mettle server payload (staged). Connect back to theattacker |
| 164 | Linux | linux/x86/mettle/reverse_tcp_uuid | Inject the mettle server payload (staged). Connect back to theattacker |
| 165 | Linux | linux/x86/read_file | Read up to 4096 bytes from the local file system and write itback out to the specified file descriptor |
| 166 | Linux | linux/x86/shell/bind_ipv6_tcp | Spawn a command shell (staged). Listen for an IPv6 connection(Linux x86) |
| 167 | Linux | linux/x86/shell/bind_ipv6_tcp_uuid | Spawn a command shell (staged). Listen for an IPv6 connectionwith UUID Support (Linux x86) |
| 168 | Linux | linux/x86/shell/bind_nonx_tcp | Spawn a command shell (staged). Listen for a connection |
| 169 | Linux | linux/x86/shell/bind_tcp | Spawn a command shell (staged). Listen for a connection (Linuxx86) |
| 170 | Linux | linux/x86/shell/bind_tcp_uuid | Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86) |
| 171 | Linux | linux/x86/shell/find_tag | Spawn a command shell (staged). Use an established connection |
| 172 | Linux | linux/x86/shell/reverse_ipv6_tcp | Spawn a command shell (staged). Connect back to attacker overIPv6 |
| 173 | Linux | linux/x86/shell/reverse_nonx_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 174 | Linux | linux/x86/shell/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 175 | Linux | linux/x86/shell/reverse_tcp_uuid | Spawn a command shell (staged). Connect back to the attacker |
| 176 | Linux | linux/x86/shell_bind_ipv6_tcp | Listen for a connection over IPv6 and spawn a command shell |
| 177 | Linux | linux/x86/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 178 | Linux | linux/x86/shell_bind_tcp_random_port | Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: ‘nmap -sS target -p-‘. |
| 179 | Linux | linux/x86/shell_find_port | Spawn a shell on an established connection |
| 180 | Linux | linux/x86/shell_find_tag | Spawn a shell on an established connection (proxy/nat safe) |
| 181 | Linux | linux/x86/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 182 | Mainframe | mainframe/shell_reverse_tcp | Listen for a connection and spawn a command shell. This implmentation does not include ebcdic character translation, so a client with translation capabilities is required. MSF handles this automatically. |
| 183 | Netware | netware/shell/reverse_tcp | Connect to the NetWare console (staged). Connect back to the attacker |
| 184 | NodeJS | nodejs/shell_bind_tcp | Creates an interactive shell via nodejs |
| 185 | NodeJS | nodejs/shell_reverse_tcp | Creates an interactive shell via nodejs |
| 186 | NodeJS | nodejs/shell_reverse_tcp_ssl | Creates an interactive shell via nodejs, uses SSL |
| 187 | OSX | osx/armle/execute/bind_tcp | Spawn a command shell (staged). Listen for a connection |
| 188 | OSX | osx/armle/execute/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 189 | OSX | osx/armle/shell/bind_tcp | Spawn a command shell (staged). Listen for a connection |
| 190 | OSX | osx/armle/shell/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 191 | OSX | osx/armle/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 192 | OSX | osx/armle/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 193 | OSX | osx/armle/vibrate | Causes the iPhone to vibrate, only works when the AudioToolkitlibrary has been loaded. Based on work by Charlie Miller <cmiller[at]securityevaluators.com>. |
| 194 | OSX | osx/ppc/shell/bind_tcp | Spawn a command shell (staged). Listen for a connection |
| 195 | OSX | osx/ppc/shell/find_tag | Spawn a command shell (staged). Use an established connection |
| 196 | OSX | osx/ppc/shell/reverse_tcp | Spawn a command shell (staged). Connect back to the attacker |
| 197 | OSX | osx/ppc/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 198 | OSX | osx/ppc/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 199 | OSX | osx/x64/dupandexecve/bind_tcp | dup2 socket in edi, then execve. Listen, read length, read buffer, execute |
| 200 | OSX | osx/x64/dupandexecve/reverse_tcp | dup2 socket in edi, then execve. Connect, read length, read buffer, execute |
| 201 | OSX | osx/x64/exec | Execute an arbitrary command |
| 202 | OSX | osx/x64/say | Say an arbitrary string outloud using Mac OS X text2speech |
| 203 | OSX | osx/x64/shell_bind_tcp | Bind an arbitrary command to an arbitrary port |
| 204 | OSX | osx/x64/shell_find_tag | Spawn a shell on an established connection (proxy/nat safe) |
| 205 | OSX | osx/x64/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 206 | OSX | osx/x86/bundleinject/bind_tcp | Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute |
| 207 | OSX | osx/x86/bundleinject/reverse_tcp | Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute |
| 208 | OSX | osx/x86/exec | Execute an arbitrary command |
| 209 | OSX | osx/x86/isight/bind_tcp | Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute |
| 210 | OSX | osx/x86/isight/reverse_tcp | Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute |
| 211 | OSX | osx/x86/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 212 | OSX | osx/x86/shell_find_port | Spawn a shell on an established connection |
| 213 | OSX | osx/x86/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 214 | OSX | osx/x86/vforkshell/bind_tcp | Call vfork() if necessary and spawn a command shell (staged).Listen, read length, read buffer, execute |
| 215 | OSX | osx/x86/vforkshell/reverse_tcp | Call vfork() if necessary and spawn a command shell (staged).Connect, read length, read buffer, execute |
| 216 | OSX | osx/x86/vforkshell_bind_tcp | Listen for a connection, vfork if necessary, and spawn a command shell |
| 217 | OSX | osx/x86/vforkshell_reverse_tcp | Connect back to attacker, vfork if necessary, and spawn a command shell |
| 218 | PHP | php/bind_perl | Listen for a connection and spawn a command shell via perl (persistent) |
| 219 | PHP | php/bind_perl_ipv6 | Listen for a connection and spawn a command shell via perl (persistent) over IPv6 |
| 220 | PHP | php/bind_php | Listen for a connection and spawn a command shell via php |
| 221 | PHP | php/bind_php_ipv6 | Listen for a connection and spawn a command shell via php (IPv6) |
| 222 | PHP | php/download_exec | Download an EXE from an HTTP URL and execute it |
| 223 | PHP | php/exec | Execute a single system command |
| 224 | PHP | php/meterpreter/bind_tcp | Run a meterpreter server in PHP. Listen for a connection |
| 225 | PHP | php/meterpreter/bind_tcp_ipv6 | Run a meterpreter server in PHP. Listen for a connection overIPv6 |
| 226 | PHP | php/meterpreter/bind_tcp_ipv6_uuid | Run a meterpreter server in PHP. Listen for a connection overIPv6 with UUID Support |
| 227 | PHP | php/meterpreter/bind_tcp_uuid | Run a meterpreter server in PHP. Listen for a connection withUUID Support |
| 228 | PHP | php/meterpreter/reverse_tcp | Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions |
| 229 | PHP | php/meterpreter/reverse_tcp_uuid | Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions |
| 230 | PHP | php/meterpreter_reverse_tcp | Connect back to attacker and spawn a Meterpreter server (PHP) |
| 231 | PHP | php/reverse_perl | Creates an interactive shell via perl |
| 232 | PHP | php/reverse_php | Reverse PHP connect back shell with checks for disabled functions |
| 233 | PHP | php/shell_findsock | Spawn a shell on the established connection to the webserver.Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes. |
| 234 | Python | python/meterpreter/bind_tcp | Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listenfor a connection |
| 235 | Python | python/meterpreter/bind_tcp_uuid | Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listenfor a connection with UUID Support |
| 236 | Python | python/meterpreter/reverse_http | Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnelcommunication over HTTP |
| 237 | Python | python/meterpreter/reverse_https | Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnelcommunication over HTTP using SSL |
| 238 | Python | python/meterpreter/reverse_tcp | Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker |
| 239 | Python | python/meterpreter/reverse_tcp_uuid | Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker with UUID Support |
| 240 | Python | python/meterpreter_bind_tcp | Connect to the victim and spawn a Meterpreter shell |
| 241 | Python | python/meterpreter_reverse_http | Connect back to the attacker and spawn a Meterpreter shell |
| 242 | Python | python/meterpreter_reverse_https | Connect back to the attacker and spawn a Meterpreter shell |
| 243 | Python | python/meterpreter_reverse_tcp | Connect back to the attacker and spawn a Meterpreter shell |
| 244 | Python | python/shell_reverse_tcp | Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3 |
| 245 | Python | python/shell_reverse_tcp_ssl | Creates an interactive shell via python, uses SSL, encodes with base64 by design. |
| 246 | Ruby | ruby/shell_bind_tcp | Continually listen for a connection and spawn a command shellvia Ruby |
| 247 | Ruby | ruby/shell_bind_tcp_ipv6 | Continually listen for a connection and spawn a command shellvia Ruby |
| 248 | Ruby | ruby/shell_reverse_tcp | Connect back and create a command shell via Ruby |
| 249 | Ruby | ruby/shell_reverse_tcp_ssl | Connect back and create a command shell via Ruby, uses SSL |
| 250 | Solaris | solaris/sparc/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 251 | Solaris | solaris/sparc/shell_find_port | Spawn a shell on an established connection |
| 252 | Solaris | solaris/sparc/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 253 | Solaris | solaris/x86/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 254 | Solaris | solaris/x86/shell_find_port | Spawn a shell on an established connection |
| 255 | Solaris | solaris/x86/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 256 | TTY | tty/unix/interact | Interacts with a TTY on an established socket connection |
| 257 | Windows | windows/adduser | Create a new user and add them to local administration group.Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special) |
| 258 | Windows | windows/dllinject/bind_hidden_ipknock_tcp | Inject a DLL via a reflective loader. Listen for a connection.First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode |
| 259 | Windows | windows/dllinject/bind_hidden_tcp | Inject a DLL via a reflective loader. Listen for a connectionfrom a hidden port and spawn a command shell to the allowed host. |
| 260 | Windows | windows/dllinject/bind_ipv6_tcp | Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86) |
| 261 | Windows | windows/dllinject/bind_ipv6_tcp_uuid | Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86) |
| 262 | Windows | windows/dllinject/bind_nonx_tcp | Inject a DLL via a reflective loader. Listen for a connection(No NX) |
| 263 | Windows | windows/dllinject/bind_tcp | Inject a DLL via a reflective loader. Listen for a connection(Windows x86) |
| 264 | Windows | windows/dllinject/bind_tcp_rc4 | Inject a DLL via a reflective loader. Listen for a connection |
| 265 | Windows | windows/dllinject/bind_tcp_uuid | Inject a DLL via a reflective loader. Listen for a connectionwith UUID Support (Windows x86) |
| 266 | Windows | windows/dllinject/find_tag | Inject a DLL via a reflective loader. Use an established connection |
| 267 | Windows | windows/dllinject/reverse_hop_http | Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. |
| 268 | Windows | windows/dllinject/reverse_http | Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet) |
| 269 | Windows | windows/dllinject/reverse_http_proxy_pstore | Inject a DLL via a reflective loader. Tunnel communication over HTTP |
| 270 | Windows | windows/dllinject/reverse_ipv6_tcp | Inject a DLL via a reflective loader. Connect back to the attacker over IPv6 |
| 271 | Windows | windows/dllinject/reverse_nonx_tcp | Inject a DLL via a reflective loader. Connect back to the attacker (No NX) |
| 272 | Windows | windows/dllinject/reverse_ord_tcp | Inject a DLL via a reflective loader. Connect back to the attacker |
| 273 | Windows | windows/dllinject/reverse_tcp | Inject a DLL via a reflective loader. Connect back to the attacker |
| 274 | Windows | windows/dllinject/reverse_tcp_allports | Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly) |
| 275 | Windows | windows/dllinject/reverse_tcp_dns | Inject a DLL via a reflective loader. Connect back to the attacker |
| 276 | Windows | windows/dllinject/reverse_tcp_rc4 | Inject a DLL via a reflective loader. Connect back to the attacker |
| 277 | Windows | windows/dllinject/reverse_tcp_rc4_dns | Inject a DLL via a reflective loader. Connect back to the attacker |
| 278 | Windows | windows/dllinject/reverse_tcp_uuid | Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support |
| 279 | Windows | windows/dllinject/reverse_winhttp | Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp) |
| 280 | Windows | windows/dns_txt_query_exec | Performs a TXT query against a series of DNS record(s) and executes the returned payload |
| 281 | Windows | windows/download_exec | Download an EXE from an HTTP(S)/FTP URL and execute it |
| 282 | Windows | windows/exec | Execute an arbitrary command |
| 283 | Windows | windows/format_all_drives | This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume. |
| 284 | Windows | windows/loadlibrary | Load an arbitrary library path |
| 285 | Windows | windows/messagebox | Spawns a dialog via MessageBox using a customizable title, text & icon |
| 286 | Windows | windows/meterpreter/bind_hidden_ipknock_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode |
| 287 | Windows | windows/meterpreter/bind_hidden_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. |
| 288 | Windows | windows/meterpreter/bind_ipv6_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86) |
| 289 | Windows | windows/meterpreter/bind_ipv6_tcp_uuid | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86) |
| 290 | Windows | windows/meterpreter/bind_nonx_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX) |
| 291 | Windows | windows/meterpreter/bind_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86) |
| 292 | Windows | windows/meterpreter/bind_tcp_rc4 | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection |
| 293 | Windows | windows/meterpreter/bind_tcp_uuid | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86) |
| 294 | Windows | windows/meterpreter/find_tag | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connection |
| 295 | Windows | windows/meterpreter/reverse_hop_http | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. |
| 296 | Windows | windows/meterpreter/reverse_http | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet) |
| 297 | Windows | windows/meterpreter/reverse_http_proxy_pstore | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP |
| 298 | Windows | windows/meterpreter/reverse_https | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet) |
| 299 | Windows | windows/meterpreter/reverse_https_proxy | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support |
| 300 | Windows | windows/meterpreter/reverse_ipv6_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker over IPv6 |
| 301 | Windows | windows/meterpreter/reverse_nonx_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX) |
| 302 | Windows | windows/meterpreter/reverse_ord_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker |
| 303 | Windows | windows/meterpreter/reverse_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker |
| 304 | Windows | windows/meterpreter/reverse_tcp_allports | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) |
| 305 | Windows | windows/meterpreter/reverse_tcp_dns | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker |
| 306 | Windows | windows/meterpreter/reverse_tcp_rc4 | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker |
| 307 | Windows | windows/meterpreter/reverse_tcp_rc4_dns | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker |
| 308 | Windows | windows/meterpreter/reverse_tcp_uuid | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support |
| 309 | Windows | windows/meterpreter/reverse_winhttp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp) |
| 310 | Windows | windows/meterpreter/reverse_winhttps | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows winhttp) |
| 311 | Windows | windows/meterpreter_bind_tcp | Connect to victim and spawn a Meterpreter shell |
| 312 | Windows | windows/meterpreter_reverse_http | Connect back to attacker and spawn a Meterpreter shell |
| 313 | Windows | windows/meterpreter_reverse_https | Connect back to attacker and spawn a Meterpreter shell |
| 314 | Windows | windows/meterpreter_reverse_ipv6_tcp | Connect back to attacker and spawn a Meterpreter shell |
| 315 | Windows | windows/meterpreter_reverse_tcp | Connect back to attacker and spawn a Meterpreter shell |
| 316 | Windows | windows/metsvc_bind_tcp | Stub payload for interacting with a Meterpreter Service |
| 317 | Windows | windows/metsvc_reverse_tcp | Stub payload for interacting with a Meterpreter Service |
| 318 | Windows | windows/patchupdllinject/bind_hidden_ipknock_tcp | Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode |
| 319 | Windows | windows/patchupdllinject/bind_hidden_tcp | Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host. |
| 320 | Windows | windows/patchupdllinject/bind_ipv6_tcp | Inject a custom DLL into the exploited process. Listen for anIPv6 connection (Windows x86) |
| 321 | Windows | windows/patchupdllinject/bind_ipv6_tcp_uuid | Inject a custom DLL into the exploited process. Listen for anIPv6 connection with UUID Support (Windows x86) |
| 322 | Windows | windows/patchupdllinject/bind_nonx_tcp | Inject a custom DLL into the exploited process. Listen for a connection (No NX) |
| 323 | Windows | windows/patchupdllinject/bind_tcp | Inject a custom DLL into the exploited process. Listen for a connection (Windows x86) |
| 324 | Windows | windows/patchupdllinject/bind_tcp_rc4 | Inject a custom DLL into the exploited process. Listen for a connection |
| 325 | Windows | windows/patchupdllinject/bind_tcp_uuid | Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86) |
| 326 | Windows | windows/patchupdllinject/find_tag | Inject a custom DLL into the exploited process. Use an established connection |
| 327 | Windows | windows/patchupdllinject/reverse_ipv6_tcp | Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6 |
| 328 | Windows | windows/patchupdllinject/reverse_nonx_tcp | Inject a custom DLL into the exploited process. Connect back to the attacker (No NX) |
| 329 | Windows | windows/patchupdllinject/reverse_ord_tcp | Inject a custom DLL into the exploited process. Connect back to the attacker |
| 330 | Windows | windows/patchupdllinject/reverse_tcp | Inject a custom DLL into the exploited process. Connect back to the attacker |
| 331 | Windows | windows/patchupdllinject/reverse_tcp_allports | Inject a custom DLL into the exploited process. Try to connectback to the attacker, on all possible ports (1-65535, slowly) |
| 332 | Windows | windows/patchupdllinject/reverse_tcp_dns | Inject a custom DLL into the exploited process. Connect back to the attacker |
| 333 | Windows | windows/patchupdllinject/reverse_tcp_rc4 | Inject a custom DLL into the exploited process. Connect back to the attacker |
| 334 | Windows | windows/patchupdllinject/reverse_tcp_rc4_dns | Inject a custom DLL into the exploited process. Connect back to the attacker |
| 335 | Windows | windows/patchupdllinject/reverse_tcp_uuid | Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support |
| 336 | Windows | windows/patchupmeterpreter/bind_hidden_ipknock_tc | Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode |
| 337 | Windows | windows/patchupmeterpreter/bind_hidden_tcp | Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. |
| 338 | Windows | windows/patchupmeterpreter/bind_ipv6_tcp | Inject the meterpreter server DLL (staged). Listen for an IPv6connection (Windows x86) |
| 339 | Windows | windows/patchupmeterpreter/bind_ipv6_tcp_uuid | Inject the meterpreter server DLL (staged). Listen for an IPv6connection with UUID Support (Windows x86) |
| 340 | Windows | windows/patchupmeterpreter/bind_nonx_tcp | Inject the meterpreter server DLL (staged). Listen for a connection (No NX) |
| 341 | Windows | windows/patchupmeterpreter/bind_tcp | Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86) |
| 342 | Windows | windows/patchupmeterpreter/bind_tcp_rc4 | Inject the meterpreter server DLL (staged). Listen for a connection |
| 343 | Windows | windows/patchupmeterpreter/bind_tcp_uuid | Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86) |
| 344 | Windows | windows/patchupmeterpreter/find_tag | Inject the meterpreter server DLL (staged). Use an establishedconnection |
| 345 | Windows | windows/patchupmeterpreter/reverse_ipv6_tcp | Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6 |
| 346 | Windows | windows/patchupmeterpreter/reverse_nonx_tcp | Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX) |
| 347 | Windows | windows/patchupmeterpreter/reverse_ord_tcp | Inject the meterpreter server DLL (staged). Connect back to the attacker |
| 348 | Windows | windows/patchupmeterpreter/reverse_tcp | Inject the meterpreter server DLL (staged). Connect back to the attacker |
| 349 | Windows | windows/patchupmeterpreter/reverse_tcp_allports | Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) |
| 350 | Windows | windows/patchupmeterpreter/reverse_tcp_dns | Inject the meterpreter server DLL (staged). Connect back to the attacker |
| 351 | Windows | windows/patchupmeterpreter/reverse_tcp_rc4 | Inject the meterpreter server DLL (staged). Connect back to the attacker |
| 352 | Windows | windows/patchupmeterpreter/reverse_tcp_rc4_dns | Inject the meterpreter server DLL (staged). Connect back to the attacker |
| 353 | Windows | windows/patchupmeterpreter/reverse_tcp_uuid | Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support |
| 354 | Windows | windows/powershell_bind_tcp | Listen for a connection and spawn an interactive powershell session |
| 355 | Windows | windows/powershell_reverse_tcp | Listen for a connection and spawn an interactive powershell session |
| 356 | Windows | windows/shell/bind_hidden_ipknock_tcp | Spawn a piped command shell (staged). Listen for a connection.First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode |
| 357 | Windows | windows/shell/bind_hidden_tcp | Spawn a piped command shell (staged). Listen for a connectionfrom a hidden port and spawn a command shell to the allowed host. |
| 358 | Windows | windows/shell/bind_ipv6_tcp | Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86) |
| 359 | Windows | windows/shell/bind_ipv6_tcp_uuid | Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86) |
| 360 | Windows | windows/shell/bind_nonx_tcp | Spawn a piped command shell (staged). Listen for a connection(No NX) |
| 361 | Windows | windows/shell/bind_tcp | Spawn a piped command shell (staged). Listen for a connection(Windows x86) |
| 362 | Windows | windows/shell/bind_tcp_rc4 | Spawn a piped command shell (staged). Listen for a connection |
| 363 | Windows | windows/shell/bind_tcp_uuid | Spawn a piped command shell (staged). Listen for a connectionwith UUID Support (Windows x86) |
| 364 | Windows | windows/shell/find_tag | Spawn a piped command shell (staged). Use an established connection |
| 365 | Windows | windows/shell/reverse_ipv6_tcp | Spawn a piped command shell (staged). Connect back to the attacker over IPv6 |
| 366 | Windows | windows/shell/reverse_nonx_tcp | Spawn a piped command shell (staged). Connect back to the attacker (No NX) |
| 367 | Windows | windows/shell/reverse_ord_tcp | Spawn a piped command shell (staged). Connect back to the attacker |
| 368 | Windows | windows/shell/reverse_tcp | Spawn a piped command shell (staged). Connect back to the attacker |
| 369 | Windows | windows/shell/reverse_tcp_allports | Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) |
| 370 | Windows | windows/shell/reverse_tcp_dns | Spawn a piped command shell (staged). Connect back to the attacker |
| 371 | Windows | windows/shell/reverse_tcp_rc4 | Spawn a piped command shell (staged). Connect back to the attacker |
| 372 | Windows | windows/shell/reverse_tcp_rc4_dns | Spawn a piped command shell (staged). Connect back to the attacker |
| 373 | Windows | windows/shell/reverse_tcp_uuid | Spawn a piped command shell (staged). Connect back to the attacker with UUID Support |
| 374 | Windows | windows/shell_bind_tcp | Listen for a connection and spawn a command shell |
| 375 | Windows | windows/shell_bind_tcp_xpfw | Disable the Windows ICF, then listen for a connection and spawn a command shell |
| 376 | Windows | windows/shell_hidden_bind_tcp | Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not comming from the IP defined in AHOST. This way the port will appear as “closed” helping us to hide the shellcode. |
| 377 | Windows | windows/shell_reverse_tcp | Connect back to attacker and spawn a command shell |
| 378 | Windows | windows/speak_pwned | Causes the target to say “You Got Pwned” via the Windows Speech API |
| 379 | Windows | windows/upexec/bind_hidden_ipknock_tcp | Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode |
| 380 | Windows | windows/upexec/bind_hidden_tcp | Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host. |
| 381 | Windows | windows/upexec/bind_ipv6_tcp | Uploads an executable and runs it (staged). Listen for an IPv6connection (Windows x86) |
| 382 | Windows | windows/upexec/bind_ipv6_tcp_uuid | Uploads an executable and runs it (staged). Listen for an IPv6connection with UUID Support (Windows x86) |
| 383 | Windows | windows/upexec/bind_nonx_tcp | Uploads an executable and runs it (staged). Listen for a connection (No NX) |
| 384 | Windows | windows/upexec/bind_tcp | Uploads an executable and runs it (staged). Listen for a connection (Windows x86) |
| 385 | Windows | windows/upexec/bind_tcp_rc4 | Uploads an executable and runs it (staged). Listen for a connection |
| 386 | Windows | windows/upexec/bind_tcp_uuid | Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86) |
| 387 | Windows | windows/upexec/find_tag | Uploads an executable and runs it (staged). Use an establishedconnection |
| 388 | Windows | windows/upexec/reverse_ipv6_tcp | Uploads an executable and runs it (staged). Connect back to the attacker over IPv6 |
| 389 | Windows | windows/upexec/reverse_nonx_tcp | Uploads an executable and runs it (staged). Connect back to the attacker (No NX) |
| 390 | Windows | windows/upexec/reverse_ord_tcp | Uploads an executable and runs it (staged). Connect back to the attacker |
| 391 | Windows | windows/upexec/reverse_tcp | Uploads an executable and runs it (staged). Connect back to the attacker |
| 392 | Windows | windows/upexec/reverse_tcp_allports | Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) |
| 393 | Windows | windows/upexec/reverse_tcp_dns | Uploads an executable and runs it (staged). Connect back to the attacker |
| 394 | Windows | windows/upexec/reverse_tcp_rc4 | Uploads an executable and runs it (staged). Connect back to the attacker |
| 395 | Windows | windows/upexec/reverse_tcp_rc4_dns | Uploads an executable and runs it (staged). Connect back to the attacker |
| 396 | Windows | windows/upexec/reverse_tcp_uuid | Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support |
| 397 | Windows | windows/vncinject/bind_hidden_ipknock_tcp | Inject a VNC Dll via a reflective loader (staged). Listen fora connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode |
| 398 | Windows | windows/vncinject/bind_hidden_tcp | Inject a VNC Dll via a reflective loader (staged). Listen fora connection from a hidden port and spawn a command shell to the allowed host. |
| 399 | Windows | windows/vncinject/bind_ipv6_tcp | Inject a VNC Dll via a reflective loader (staged). Listen foran IPv6 connection (Windows x86) |
| 400 | Windows | windows/vncinject/bind_ipv6_tcp_uuid | Inject a VNC Dll via a reflective loader (staged). Listen foran IPv6 connection with UUID Support (Windows x86) |
| 401 | Windows | windows/vncinject/bind_nonx_tcp | Inject a VNC Dll via a reflective loader (staged). Listen fora connection (No NX) |
| 402 | Windows | windows/vncinject/bind_tcp | Inject a VNC Dll via a reflective loader (staged). Listen fora connection (Windows x86) |
| 403 | Windows | windows/vncinject/bind_tcp_rc4 | Inject a VNC Dll via a reflective loader (staged). Listen fora connection |
| 404 | Windows | windows/vncinject/bind_tcp_uuid | Inject a VNC Dll via a reflective loader (staged). Listen fora connection with UUID Support (Windows x86) |
| 405 | Windows | windows/vncinject/find_tag | Inject a VNC Dll via a reflective loader (staged). Use an established connection |
| 406 | Windows | windows/vncinject/reverse_hop_http | Inject a VNC Dll via a reflective loader (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop. |
| 407 | Windows | windows/vncinject/reverse_http | Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet) |
| 408 | Windows | windows/vncinject/reverse_http_proxy_pstore | Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP |
| 409 | Windows | windows/vncinject/reverse_ipv6_tcp | Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker over IPv6 |
| 410 | Windows | windows/vncinject/reverse_nonx_tcp | Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX) |
| 411 | Windows | windows/vncinject/reverse_ord_tcp | Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker |
| 412 | Windows | windows/vncinject/reverse_tcp | Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker |
| 413 | Windows | windows/vncinject/reverse_tcp_allports | Inject a VNC Dll via a reflective loader (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly) |
| 414 | Windows | windows/vncinject/reverse_tcp_dns | Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker |
| 415 | Windows | windows/vncinject/reverse_tcp_rc4 | Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker |
| 416 | Windows | windows/vncinject/reverse_tcp_rc4_dns | Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker |
| 417 | Windows | windows/vncinject/reverse_tcp_uuid | Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support |
| 418 | Windows | windows/vncinject/reverse_winhttp | Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp) |
| 419 | Windows | windows/x64/exec | Execute an arbitrary command (Windows x64) |
| 420 | Windows | windows/x64/loadlibrary | Load an arbitrary x64 library path |
| 421 | Windows | windows/x64/meterpreter/bind_ipv6_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64) |
| 422 | Windows | windows/x64/meterpreter/bind_ipv6_tcp_uuid | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64) |
| 423 | Windows | windows/x64/meterpreter/bind_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64) |
| 424 | Windows | windows/x64/meterpreter/bind_tcp_uuid | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection with UUID Support (Windows x64) |
| 425 | Windows | windows/x64/meterpreter/reverse_http | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet) |
| 426 | Windows | windows/x64/meterpreter/reverse_https | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet) |
| 427 | Windows | windows/x64/meterpreter/reverse_tcp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64) |
| 428 | Windows | windows/x64/meterpreter/reverse_tcp_uuid | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64) |
| 429 | Windows | windows/x64/meterpreter/reverse_winhttp | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp) |
| 430 | Windows | windows/x64/meterpreter/reverse_winhttps | Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 winhttp) |
| 431 | Windows | windows/x64/meterpreter_bind_tcp | Connect to victim and spawn a Meterpreter shell |
| 432 | Windows | windows/x64/meterpreter_reverse_http | Connect back to attacker and spawn a Meterpreter shell |
| 433 | Windows | windows/x64/meterpreter_reverse_https | Connect back to attacker and spawn a Meterpreter shell |
| 434 | Windows | windows/x64/meterpreter_reverse_ipv6_tcp | Connect back to attacker and spawn a Meterpreter shell |
| 435 | Windows | windows/x64/meterpreter_reverse_tcp | Connect back to attacker and spawn a Meterpreter shell |
| 436 | Windows | windows/x64/powershell_bind_tcp | Listen for a connection and spawn an interactive powershell session |
| 437 | Windows | windows/x64/powershell_reverse_tcp | Listen for a connection and spawn an interactive powershell session |
| 438 | Windows | windows/x64/shell/bind_ipv6_tcp | Spawn a piped command shell (Windows x64) (staged). Listen foran IPv6 connection (Windows x64) |
| 439 | Windows | windows/x64/shell/bind_ipv6_tcp_uuid | Spawn a piped command shell (Windows x64) (staged). Listen foran IPv6 connection with UUID Support (Windows x64) |
| 440 | Windows | windows/x64/shell/bind_tcp | Spawn a piped command shell (Windows x64) (staged). Listen fora connection (Windows x64) |
| 441 | Windows | windows/x64/shell/bind_tcp_uuid | Spawn a piped command shell (Windows x64) (staged). Listen fora connection with UUID Support (Windows x64) |
| 442 | Windows | windows/x64/shell/reverse_tcp | Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64) |
| 443 | Windows | windows/x64/shell/reverse_tcp_uuid | Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64) |
| 444 | Windows | windows/x64/shell_bind_tcp | Listen for a connection and spawn a command shell (Windows x64) |
| 445 | Windows | windows/x64/shell_reverse_tcp | Connect back to attacker and spawn a command shell (Windows x64) |
| 446 | Windows | windows/x64/vncinject/bind_ipv6_tcp | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection (Windows x64) |
| 447 | Windows | windows/x64/vncinject/bind_ipv6_tcp_uuid | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64) |
| 448 | Windows | windows/x64/vncinject/bind_tcp | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64) |
| 449 | Windows | windows/x64/vncinject/bind_tcp_uuid | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64) |
| 450 | Windows | windows/x64/vncinject/reverse_http | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet) |
| 451 | Windows | windows/x64/vncinject/reverse_https | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet) |
| 452 | Windows | windows/x64/vncinject/reverse_tcp | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64) |
| 453 | Windows | windows/x64/vncinject/reverse_tcp_uuid | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64) |
| 454 | Windows | windows/x64/vncinject/reverse_winhttp | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp) |
| 455 | Windows | windows/x64/vncinject/reverse_winhttps | Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp) |