
MSFVenom Payload list (2019)



If you want to get a quick view of all the payloads which are currently integrated with MSFVenom, then you are at the right place.

Below you will find a complete list of all the MSFVenom Payloads that are currently available.

To list out all options, type “msfvenom -h”.

  • -p, --payload Payload to use. Specify a '-' or stdin to use custom payloads
  • --payload-options List the payload's standard options
  • -l, --list [type] List a module type. Options are: payloads, encoders, nops, all
  • -n, --nopsled Prepend a nopsled of [length] size on to the payload
  • -f, --format Output format (use --help-formats for a list)
  • --help-formats List available formats
  • -e, --encoder The encoder to use
  • -a, --arch The architecture to use
  • --platform The platform of the payload
  • --help-platforms List available platforms
  • -s, --space The maximum size of the resulting payload
  • --encoder-space The maximum size of the encoded payload (defaults to the -s value)
  • -b, --bad-chars The list of characters to avoid, for example: '\x00\xff'
  • -i, --iterations The number of times to encode the payload
  • -c, --add-code Specify an additional win32 shellcode file to include
  • -x, --template Specify a custom executable file to use as a template
  • -k, --keep Preserve the template behavior and inject the payload as a new thread
  • -o, --out Save the payload
  • -v, --var-name Specify a custom variable name to use for certain output formats
  • --smallest Generate the smallest possible payload
  • -h, --help Show this message

To list out all payloads, type “msfvenom -l”.

MSFvenom Payload list

# Environment Payload name Description
1 AIX aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
2 AIX aix/ppc/shell_find_port Spawn a shell on an established connection
3 AIX aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
4 AIX aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
5 Android android/meterpreter/reverse_http Run a meterpreter server on Android. Tunnel communication over HTTP
6 Android android/meterpreter/reverse_https Run a meterpreter server on Android. Tunnel communication over HTTPS
7 Android android/meterpreter/reverse_tcp Run a meterpreter server on Android. Connect back stager
8 Android android/shell/reverse_http Spawn a piped command shell (sh). Tunnel communication over HTTP
9 Android android/shell/reverse_https Spawn a piped command shell (sh). Tunnel communication over HTTPS
10 Android android/shell/reverse_tcp Spawn a piped command shell (sh). Connect back stager
11 BSD bsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
12 BSD bsd/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
13 BSD bsd/x64/exec Execute an arbitrary command
14 BSD bsd/x64/shell_bind_ipv6_tcp Listen for a connection and spawn a command shell over IPv6
15 BSD bsd/x64/shell_bind_tcp Bind an arbitrary command to an arbitrary port
16 BSD bsd/x64/shell_bind_tcp_small Listen for a connection and spawn a command shell
17 BSD bsd/x64/shell_reverse_ipv6_tcp Connect back to attacker and spawn a command shell over IPv6
18 BSD bsd/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
19 BSD bsd/x64/shell_reverse_tcp_small Connect back to attacker and spawn a command shell
20 BSD bsd/x86/exec Execute an arbitrary command
21 BSD bsd/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
22 BSD bsd/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
23 BSD bsd/x86/shell/bind_ipv6_tcp Spawn a command shell (staged). Listen for a connection over IPv6
24 BSD bsd/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
25 BSD bsd/x86/shell/find_tag Spawn a command shell (staged). Use an established connection
26 BSD bsd/x86/shell/reverse_ipv6_tcp Spawn a command shell (staged). Connect back to the attacker over IPv6
27 BSD bsd/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
28 BSD bsd/x86/shell_bind_tcp Listen for a connection and spawn a command shell
29 BSD bsd/x86/shell_bind_tcp_ipv6 Listen for a connection and spawn a command shell over IPv6
30 BSD bsd/x86/shell_find_port Spawn a shell on an established connection
31 BSD bsd/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
32 BSD bsd/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
33 BSD bsd/x86/shell_reverse_tcp_ipv6 Connect back to attacker and spawn a command shell over IPv6
34 BSDI bsdi/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
35 BSDI bsdi/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
36 BSDI bsdi/x86/shell_bind_tcp Listen for a connection and spawn a command shell
37 BSDI bsdi/x86/shell_find_port Spawn a shell on an established connection
38 BSDI bsdi/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
39 CMD cmd/mainframe/generic_jcl Provide JCL which can be used to submit a job to JES2 on z/OS which will exit and return 0. This can be used as a template for other JCL based payloads
40 CMD cmd/mainframe/reverse_shell_jcl Provide JCL which creates a reverse shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically.
41 CMD cmd/unix/bind_awk Listen for a connection and spawn a command shell via GNU AWK
42 CMD cmd/unix/bind_inetd Listen for a connection and spawn a command shell (persistent)
43 CMD cmd/unix/bind_lua Listen for a connection and spawn a command shell via Lua
44 CMD cmd/unix/bind_netcat Listen for a connection and spawn a command shell via netcat
45 CMD cmd/unix/bind_netcat_gaping Listen for a connection and spawn a command shell via netcat
46 CMD cmd/unix/bind_netcat_gaping_ipv6 Listen for a connection and spawn a command shell via netcat
47 CMD cmd/unix/bind_nodejs Continually listen for a connection and spawn a command shell via nodejs
48 CMD cmd/unix/bind_perl Listen for a connection and spawn a command shell via perl
49 CMD cmd/unix/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl
50 CMD cmd/unix/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
51 CMD cmd/unix/bind_ruby_ipv6 Continually listen for a connection and spawn a command shell via Ruby
52 CMD cmd/unix/bind_zsh Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn’t usually installed by default.
53 CMD cmd/unix/generic Executes the supplied command
54 CMD cmd/unix/interact Interacts with a shell on an established socket connection
55 CMD cmd/unix/reverse Creates an interactive shell through two inbound connections
56 CMD cmd/unix/reverse_awk Creates an interactive shell via GNU AWK
57 CMD cmd/unix/reverse_bash Creates an interactive shell via bash’s builtin /dev/tcp. This will not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
58 CMD cmd/unix/reverse_bash_telnet_ssl Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the ‘-z’ option included on some systems to encrypt using SSL.
59 CMD cmd/unix/reverse_lua Creates an interactive shell via Lua
60 CMD cmd/unix/reverse_netcat Creates an interactive shell via netcat
61 CMD cmd/unix/reverse_netcat_gaping Creates an interactive shell via netcat
62 CMD cmd/unix/reverse_nodejs Continually listen for a connection and spawn a command shell via nodejs
63 CMD cmd/unix/reverse_openssl Creates an interactive shell through two inbound connections
64 CMD cmd/unix/reverse_perl Creates an interactive shell via perl
65 CMD cmd/unix/reverse_perl_ssl Creates an interactive shell via perl, uses SSL
66 CMD cmd/unix/reverse_php_ssl Creates an interactive shell via php, uses SSL
67 CMD cmd/unix/reverse_python Connect back and create a command shell via Python
68 CMD cmd/unix/reverse_python_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design.
69 CMD cmd/unix/reverse_ruby Connect back and create a command shell via Ruby
70 CMD cmd/unix/reverse_ruby_ssl Connect back and create a command shell via Ruby, uses SSL
71 CMD cmd/unix/reverse_ssl_double_telnet Creates an interactive shell through two inbound connections, encrypts using SSL via “-z” option
72 CMD cmd/unix/reverse_zsh Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn’t usually installed by default.
73 CMD cmd/windows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
74 CMD cmd/windows/bind_lua Listen for a connection and spawn a command shell via Lua
75 CMD cmd/windows/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
76 CMD cmd/windows/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent)
77 CMD cmd/windows/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
78 CMD cmd/windows/download_eval_vbs Downloads a file from an HTTP(S) URL and executes it as a vbs script. Use it to stage a vbs encoded payload from a short command line.
79 CMD cmd/windows/download_exec_vbs Download an EXE from an HTTP(S) URL and execute it
80 CMD cmd/windows/generic Executes the supplied command
81 CMD cmd/windows/powershell_bind_tcp Interacts with a powershell session on an established socket connection
82 CMD cmd/windows/powershell_reverse_tcp Interacts with a powershell session on an established socket connection
83 CMD cmd/windows/reverse_lua Creates an interactive shell via Lua
84 CMD cmd/windows/reverse_perl Creates an interactive shell via perl
85 CMD cmd/windows/reverse_powershell Connect back and create a command shell via Powershell
86 CMD cmd/windows/reverse_ruby Connect back and create a command shell via Ruby
87 Firefox firefox/exec This module runs a shell command on the target OS without touching the disk. On Windows, this command will flash the command prompt momentarily. This can be avoided by setting WSCRIPT to true, which drops a jscript “launcher” to disk that hides the prompt.
88 Firefox firefox/shell_bind_tcp Creates an interactive shell via Javascript with access to Firefox’s XPCOM API
89 Firefox firefox/shell_reverse_tcp Creates an interactive shell via Javascript with access to Firefox’s XPCOM API
90 Generic generic/custom Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.
91 Generic generic/debug_trap Generate a debug trap in the target process
92 Generic generic/shell_bind_tcp Listen for a connection and spawn a command shell
93 Generic generic/shell_reverse_tcp Connect back to attacker and spawn a command shell
94 Generic generic/tight_loop Generate a tight loop in the target process
95 JAVA java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
96 JAVA java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
97 JAVA java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection
98 JAVA java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP
99 JAVA java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS
100 JAVA java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager
101 JAVA java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
102 JAVA java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
103 JAVA java/shell_reverse_tcp Connect back to attacker and spawn a command shell
104 Linux linux/armbe/shell_bind_tcp Listen for a connection and spawn a command shell
105 Linux linux/armle/adduser Create a new user with UID 0
106 Linux linux/armle/exec Execute an arbitrary command
107 Linux linux/armle/mettle/bind_tcp Inject the mettle server payload (staged). Listen for a connection
108 Linux linux/armle/mettle/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker
109 Linux linux/armle/shell/bind_tcp dup2 socket in r12, then execve. Listen for a connection
110 Linux linux/armle/shell/reverse_tcp dup2 socket in r12, then execve. Connect back to the attacker
111 Linux linux/armle/shell_bind_tcp Connect to target and spawn a command shell
112 Linux linux/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
113 Linux linux/mipsbe/exec A very small shellcode for executing commands. This module is sometimes helpful for testing purposes.
114 Linux linux/mipsbe/mettle/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker
115 Linux linux/mipsbe/reboot A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures.
116 Linux linux/mipsbe/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
117 Linux linux/mipsbe/shell_bind_tcp Listen for a connection and spawn a command shell
118 Linux linux/mipsbe/shell_reverse_tcp Connect back to attacker and spawn a command shell
119 Linux linux/mipsle/exec A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space.
120 Linux linux/mipsle/mettle/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker
121 Linux linux/mipsle/reboot A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes.
122 Linux linux/mipsle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
123 Linux linux/mipsle/shell_bind_tcp Listen for a connection and spawn a command shell
124 Linux linux/mipsle/shell_reverse_tcp Connect back to attacker and spawn a command shell
125 Linux linux/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
126 Linux linux/ppc/shell_find_port Spawn a shell on an established connection
127 Linux linux/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
128 Linux linux/ppc64/shell_bind_tcp Listen for a connection and spawn a command shell
129 Linux linux/ppc64/shell_find_port Spawn a shell on an established connection
130 Linux linux/ppc64/shell_reverse_tcp Connect back to attacker and spawn a command shell
131 Linux linux/x64/exec Execute an arbitrary command
132 Linux linux/x64/mettle/bind_tcp Inject the mettle server payload (staged). Listen for a connection
133 Linux linux/x64/mettle/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker
134 Linux linux/x64/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
135 Linux linux/x64/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
136 Linux linux/x64/shell_bind_tcp Listen for a connection and spawn a command shell
137 Linux linux/x64/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
138 Linux linux/x64/shell_find_port Spawn a shell on an established connection
139 Linux linux/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
140 Linux linux/x86/adduser Create a new user with UID 0
141 Linux linux/x86/chmod Runs chmod on specified file with specified mode
142 Linux linux/x86/exec Execute an arbitrary command
143 Linux linux/x86/meterpreter/bind_ipv6_tcp Inject the meterpreter server payload (staged). Listen for an IPv6 connection (Linux x86)
144 Linux linux/x86/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
145 Linux linux/x86/meterpreter/bind_nonx_tcp Inject the meterpreter server payload (staged). Listen for a connection
146 Linux linux/x86/meterpreter/bind_tcp Inject the meterpreter server payload (staged). Listen for a connection (Linux x86)
147 Linux linux/x86/meterpreter/bind_tcp_uuid Inject the meterpreter server payload (staged). Listen for a connection with UUID Support (Linux x86)
148 Linux linux/x86/meterpreter/find_tag Inject the meterpreter server payload (staged). Use an established connection
149 Linux linux/x86/meterpreter/reverse_ipv6_tcp Inject the meterpreter server payload (staged). Connect back to attacker over IPv6
150 Linux linux/x86/meterpreter/reverse_nonx_tcp Inject the meterpreter server payload (staged). Connect back to the attacker
151 Linux linux/x86/meterpreter/reverse_tcp Inject the meterpreter server payload (staged). Connect back to the attacker
152 Linux linux/x86/meterpreter/reverse_tcp_uuid Inject the meterpreter server payload (staged). Connect back to the attacker
153 Linux linux/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
154 Linux linux/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
155 Linux linux/x86/mettle/bind_ipv6_tcp Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)
156 Linux linux/x86/mettle/bind_ipv6_tcp_uuid Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
157 Linux linux/x86/mettle/bind_nonx_tcp Inject the mettle server payload (staged). Listen for a connection
158 Linux linux/x86/mettle/bind_tcp Inject the mettle server payload (staged). Listen for a connection (Linux x86)
159 Linux linux/x86/mettle/bind_tcp_uuid Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86)
160 Linux linux/x86/mettle/find_tag Inject the mettle server payload (staged). Use an established connection
161 Linux linux/x86/mettle/reverse_ipv6_tcp Inject the mettle server payload (staged). Connect back to attacker over IPv6
162 Linux linux/x86/mettle/reverse_nonx_tcp Inject the mettle server payload (staged). Connect back to the attacker
163 Linux linux/x86/mettle/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker
164 Linux linux/x86/mettle/reverse_tcp_uuid Inject the mettle server payload (staged). Connect back to the attacker
165 Linux linux/x86/read_file Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
166 Linux linux/x86/shell/bind_ipv6_tcp Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)
167 Linux linux/x86/shell/bind_ipv6_tcp_uuid Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
168 Linux linux/x86/shell/bind_nonx_tcp Spawn a command shell (staged). Listen for a connection
169 Linux linux/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection (Linux x86)
170 Linux linux/x86/shell/bind_tcp_uuid Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)
171 Linux linux/x86/shell/find_tag Spawn a command shell (staged). Use an established connection
172 Linux linux/x86/shell/reverse_ipv6_tcp Spawn a command shell (staged). Connect back to attacker over IPv6
173 Linux linux/x86/shell/reverse_nonx_tcp Spawn a command shell (staged). Connect back to the attacker
174 Linux linux/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
175 Linux linux/x86/shell/reverse_tcp_uuid Spawn a command shell (staged). Connect back to the attacker
176 Linux linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell
177 Linux linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell
178 Linux linux/x86/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
179 Linux linux/x86/shell_find_port Spawn a shell on an established connection
180 Linux linux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
181 Linux linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
182 Mainframe mainframe/shell_reverse_tcp Listen for a connection and spawn a command shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically.
183 Netware netware/shell/reverse_tcp Connect to the NetWare console (staged). Connect back to the attacker
184 NodeJS nodejs/shell_bind_tcp Creates an interactive shell via nodejs
185 NodeJS nodejs/shell_reverse_tcp Creates an interactive shell via nodejs
186 NodeJS nodejs/shell_reverse_tcp_ssl Creates an interactive shell via nodejs, uses SSL
187 OSX osx/armle/execute/bind_tcp Spawn a command shell (staged). Listen for a connection
188 OSX osx/armle/execute/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
189 OSX osx/armle/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
190 OSX osx/armle/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
191 OSX osx/armle/shell_bind_tcp Listen for a connection and spawn a command shell
192 OSX osx/armle/shell_reverse_tcp Connect back to attacker and spawn a command shell
193 OSX osx/armle/vibrate Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller <cmiller[at]securityevaluators.com>.
194 OSX osx/ppc/shell/bind_tcp Spawn a command shell (staged). Listen for a connection
195 OSX osx/ppc/shell/find_tag Spawn a command shell (staged). Use an established connection
196 OSX osx/ppc/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker
197 OSX osx/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
198 OSX osx/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
199 OSX osx/x64/dupandexecve/bind_tcp dup2 socket in edi, then execve. Listen, read length, read buffer, execute
200 OSX osx/x64/dupandexecve/reverse_tcp dup2 socket in edi, then execve. Connect, read length, read buffer, execute
201 OSX osx/x64/exec Execute an arbitrary command
202 OSX osx/x64/say Say an arbitrary string out loud using Mac OS X text2speech
203 OSX osx/x64/shell_bind_tcp Bind an arbitrary command to an arbitrary port
204 OSX osx/x64/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
205 OSX osx/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell
206 OSX osx/x86/bundleinject/bind_tcp Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute
207 OSX osx/x86/bundleinject/reverse_tcp Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute
208 OSX osx/x86/exec Execute an arbitrary command
209 OSX osx/x86/isight/bind_tcp Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute
210 OSX osx/x86/isight/reverse_tcp Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute
211 OSX osx/x86/shell_bind_tcp Listen for a connection and spawn a command shell
212 OSX osx/x86/shell_find_port Spawn a shell on an established connection
213 OSX osx/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
214 OSX osx/x86/vforkshell/bind_tcp Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute
215 OSX osx/x86/vforkshell/reverse_tcp Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, execute
216 OSX osx/x86/vforkshell_bind_tcp Listen for a connection, vfork if necessary, and spawn a command shell
217 OSX osx/x86/vforkshell_reverse_tcp Connect back to attacker, vfork if necessary, and spawn a command shell
218 PHP php/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
219 PHP php/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent) over IPv6
220 PHP php/bind_php Listen for a connection and spawn a command shell via php
221 PHP php/bind_php_ipv6 Listen for a connection and spawn a command shell via php (IPv6)
222 PHP php/download_exec Download an EXE from an HTTP URL and execute it
223 PHP php/exec Execute a single system command
224 PHP php/meterpreter/bind_tcp Run a meterpreter server in PHP. Listen for a connection
225 PHP php/meterpreter/bind_tcp_ipv6 Run a meterpreter server in PHP. Listen for a connection over IPv6
226 PHP php/meterpreter/bind_tcp_ipv6_uuid Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support
227 PHP php/meterpreter/bind_tcp_uuid Run a meterpreter server in PHP. Listen for a connection with UUID Support
228 PHP php/meterpreter/reverse_tcp Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
229 PHP php/meterpreter/reverse_tcp_uuid Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
230 PHP php/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter server (PHP)
231 PHP php/reverse_perl Creates an interactive shell via perl
232 PHP php/reverse_php Reverse PHP connect back shell with checks for disabled functions
233 PHP php/shell_findsock Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.
234 Python python/meterpreter/bind_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection
235 Python python/meterpreter/bind_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection with UUID Support
236 Python python/meterpreter/reverse_http Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP
237 Python python/meterpreter/reverse_https Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP using SSL
238 Python python/meterpreter/reverse_tcp Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker
239 Python python/meterpreter/reverse_tcp_uuid Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker with UUID Support
240 Python python/meterpreter_bind_tcp Connect to the victim and spawn a Meterpreter shell
241 Python python/meterpreter_reverse_http Connect back to the attacker and spawn a Meterpreter shell
242 Python python/meterpreter_reverse_https Connect back to the attacker and spawn a Meterpreter shell
243 Python python/meterpreter_reverse_tcp Connect back to the attacker and spawn a Meterpreter shell
244 Python python/shell_reverse_tcp Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3
245 Python python/shell_reverse_tcp_ssl Creates an interactive shell via python, uses SSL, encodes with base64 by design.
246 Ruby ruby/shell_bind_tcp Continually listen for a connection and spawn a command shell via Ruby
247 Ruby ruby/shell_bind_tcp_ipv6 Continually listen for a connection and spawn a command shell via Ruby
248 Ruby ruby/shell_reverse_tcp Connect back and create a command shell via Ruby
249 Ruby ruby/shell_reverse_tcp_ssl Connect back and create a command shell via Ruby, uses SSL
250 Solaris solaris/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
251 Solaris solaris/sparc/shell_find_port Spawn a shell on an established connection
252 Solaris solaris/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
253 Solaris solaris/x86/shell_bind_tcp Listen for a connection and spawn a command shell
254 Solaris solaris/x86/shell_find_port Spawn a shell on an established connection
255 Solaris solaris/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
256 TTY tty/unix/interact Interacts with a TTY on an established socket connection
257 Windows windows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
258 Windows windows/dllinject/bind_hidden_ipknock_tcp Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
259 Windows windows/dllinject/bind_hidden_tcp Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
260 Windows windows/dllinject/bind_ipv6_tcp Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)
261 Windows windows/dllinject/bind_ipv6_tcp_uuid Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)
262 Windows windows/dllinject/bind_nonx_tcp Inject a DLL via a reflective loader. Listen for a connection (No NX)
263 Windows windows/dllinject/bind_tcp Inject a DLL via a reflective loader. Listen for a connection (Windows x86)
264 Windows windows/dllinject/bind_tcp_rc4 Inject a DLL via a reflective loader. Listen for a connection
265 Windows windows/dllinject/bind_tcp_uuid Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)
266 Windows windows/dllinject/find_tag Inject a DLL via a reflective loader. Use an established connection
267 Windows windows/dllinject/reverse_hop_http Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
268 Windows windows/dllinject/reverse_http Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)
269 Windows windows/dllinject/reverse_http_proxy_pstore Inject a DLL via a reflective loader. Tunnel communication over HTTP
270 Windows windows/dllinject/reverse_ipv6_tcp Inject a DLL via a reflective loader. Connect back to the attacker over IPv6
271 Windows windows/dllinject/reverse_nonx_tcp Inject a DLL via a reflective loader. Connect back to the attacker (No NX)
272 Windows windows/dllinject/reverse_ord_tcp Inject a DLL via a reflective loader. Connect back to the attacker
273 Windows windows/dllinject/reverse_tcp Inject a DLL via a reflective loader. Connect back to the attacker
274 Windows windows/dllinject/reverse_tcp_allports Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
275 Windows windows/dllinject/reverse_tcp_dns Inject a DLL via a reflective loader. Connect back to the attacker
276 Windows windows/dllinject/reverse_tcp_rc4 Inject a DLL via a reflective loader. Connect back to the attacker
277 Windows windows/dllinject/reverse_tcp_rc4_dns Inject a DLL via a reflective loader. Connect back to the attacker
278 Windows windows/dllinject/reverse_tcp_uuid Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support
279 Windows windows/dllinject/reverse_winhttp Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)
280 Windows windows/dns_txt_query_exec Performs a TXT query against a series of DNS record(s) and executes the returned payload
281 Windows windows/download_exec Download an EXE from an HTTP(S)/FTP URL and execute it
282 Windows windows/exec Execute an arbitrary command
283 Windows windows/format_all_drives This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume.
284 Windows windows/loadlibrary Load an arbitrary library path
285 Windows windows/messagebox Spawns a dialog via MessageBox using a customizable title, text & icon
286 Windows windows/meterpreter/bind_hidden_ipknock_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
287 Windows windows/meterpreter/bind_hidden_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
288 Windows windows/meterpreter/bind_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86)
289 Windows windows/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
290 Windows windows/meterpreter/bind_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX)
291 Windows windows/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)
292 Windows windows/meterpreter/bind_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection
293 Windows windows/meterpreter/bind_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86)
294 Windows windows/meterpreter/find_tag Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connection
295 Windows windows/meterpreter/reverse_hop_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
296 Windows windows/meterpreter/reverse_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet)
297 Windows windows/meterpreter/reverse_http_proxy_pstore Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP
298 Windows windows/meterpreter/reverse_https Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet)
299 Windows windows/meterpreter/reverse_https_proxy Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support
300 Windows windows/meterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker over IPv6
301 Windows windows/meterpreter/reverse_nonx_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX)
302 Windows windows/meterpreter/reverse_ord_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
303 Windows windows/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
304 Windows windows/meterpreter/reverse_tcp_allports Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
305 Windows windows/meterpreter/reverse_tcp_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
306 Windows windows/meterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
307 Windows windows/meterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
308 Windows windows/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support
309 Windows windows/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp)
310 Windows windows/meterpreter/reverse_winhttps Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows winhttp)
311 Windows windows/meterpreter_bind_tcp Connect to victim and spawn a Meterpreter shell
312 Windows windows/meterpreter_reverse_http Connect back to attacker and spawn a Meterpreter shell
313 Windows windows/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shell
314 Windows windows/meterpreter_reverse_ipv6_tcp Connect back to attacker and spawn a Meterpreter shell
315 Windows windows/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell
316 Windows windows/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service
317 Windows windows/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service
318 Windows windows/patchupdllinject/bind_hidden_ipknock_tcp Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
319 Windows windows/patchupdllinject/bind_hidden_tcp Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
320 Windows windows/patchupdllinject/bind_ipv6_tcp Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86)
321 Windows windows/patchupdllinject/bind_ipv6_tcp_uuid Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)
322 Windows windows/patchupdllinject/bind_nonx_tcp Inject a custom DLL into the exploited process. Listen for a connection (No NX)
323 Windows windows/patchupdllinject/bind_tcp Inject a custom DLL into the exploited process. Listen for a connection (Windows x86)
324 Windows windows/patchupdllinject/bind_tcp_rc4 Inject a custom DLL into the exploited process. Listen for a connection
325 Windows windows/patchupdllinject/bind_tcp_uuid Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86)
326 Windows windows/patchupdllinject/find_tag Inject a custom DLL into the exploited process. Use an established connection
327 Windows windows/patchupdllinject/reverse_ipv6_tcp Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6
328 Windows windows/patchupdllinject/reverse_nonx_tcp Inject a custom DLL into the exploited process. Connect back to the attacker (No NX)
329 Windows windows/patchupdllinject/reverse_ord_tcp Inject a custom DLL into the exploited process. Connect back to the attacker
330 Windows windows/patchupdllinject/reverse_tcp Inject a custom DLL into the exploited process. Connect back to the attacker
331 Windows windows/patchupdllinject/reverse_tcp_allports Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
332 Windows windows/patchupdllinject/reverse_tcp_dns Inject a custom DLL into the exploited process. Connect back to the attacker
333 Windows windows/patchupdllinject/reverse_tcp_rc4 Inject a custom DLL into the exploited process. Connect back to the attacker
334 Windows windows/patchupdllinject/reverse_tcp_rc4_dns Inject a custom DLL into the exploited process. Connect back to the attacker
335 Windows windows/patchupdllinject/reverse_tcp_uuid Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support
336 Windows windows/patchupmeterpreter/bind_hidden_ipknock_tc Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
337 Windows windows/patchupmeterpreter/bind_hidden_tcp Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
338 Windows windows/patchupmeterpreter/bind_ipv6_tcp Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86)
339 Windows windows/patchupmeterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
340 Windows windows/patchupmeterpreter/bind_nonx_tcp Inject the meterpreter server DLL (staged). Listen for a connection (No NX)
341 Windows windows/patchupmeterpreter/bind_tcp Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86)
342 Windows windows/patchupmeterpreter/bind_tcp_rc4 Inject the meterpreter server DLL (staged). Listen for a connection
343 Windows windows/patchupmeterpreter/bind_tcp_uuid Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86)
344 Windows windows/patchupmeterpreter/find_tag Inject the meterpreter server DLL (staged). Use an established connection
345 Windows windows/patchupmeterpreter/reverse_ipv6_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6
346 Windows windows/patchupmeterpreter/reverse_nonx_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX)
347 Windows windows/patchupmeterpreter/reverse_ord_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker
348 Windows windows/patchupmeterpreter/reverse_tcp Inject the meterpreter server DLL (staged). Connect back to the attacker
349 Windows windows/patchupmeterpreter/reverse_tcp_allports Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
350 Windows windows/patchupmeterpreter/reverse_tcp_dns Inject the meterpreter server DLL (staged). Connect back to the attacker
351 Windows windows/patchupmeterpreter/reverse_tcp_rc4 Inject the meterpreter server DLL (staged). Connect back to the attacker
352 Windows windows/patchupmeterpreter/reverse_tcp_rc4_dns Inject the meterpreter server DLL (staged). Connect back to the attacker
353 Windows windows/patchupmeterpreter/reverse_tcp_uuid Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support
354 Windows windows/powershell_bind_tcp Listen for a connection and spawn an interactive powershell session
355 Windows windows/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell session
356 Windows windows/shell/bind_hidden_ipknock_tcp Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
357 Windows windows/shell/bind_hidden_tcp Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
358 Windows windows/shell/bind_ipv6_tcp Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86)
359 Windows windows/shell/bind_ipv6_tcp_uuid Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
360 Windows windows/shell/bind_nonx_tcp Spawn a piped command shell (staged). Listen for a connection (No NX)
361 Windows windows/shell/bind_tcp Spawn a piped command shell (staged). Listen for a connection (Windows x86)
362 Windows windows/shell/bind_tcp_rc4 Spawn a piped command shell (staged). Listen for a connection
363 Windows windows/shell/bind_tcp_uuid Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86)
364 Windows windows/shell/find_tag Spawn a piped command shell (staged). Use an established connection
365 Windows windows/shell/reverse_ipv6_tcp Spawn a piped command shell (staged). Connect back to the attacker over IPv6
366 Windows windows/shell/reverse_nonx_tcp Spawn a piped command shell (staged). Connect back to the attacker (No NX)
367 Windows windows/shell/reverse_ord_tcp Spawn a piped command shell (staged). Connect back to the attacker
368 Windows windows/shell/reverse_tcp Spawn a piped command shell (staged). Connect back to the attacker
369 Windows windows/shell/reverse_tcp_allports Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
370 Windows windows/shell/reverse_tcp_dns Spawn a piped command shell (staged). Connect back to the attacker
371 Windows windows/shell/reverse_tcp_rc4 Spawn a piped command shell (staged). Connect back to the attacker
372 Windows windows/shell/reverse_tcp_rc4_dns Spawn a piped command shell (staged). Connect back to the attacker
373 Windows windows/shell/reverse_tcp_uuid Spawn a piped command shell (staged). Connect back to the attacker with UUID Support
374 Windows windows/shell_bind_tcp Listen for a connection and spawn a command shell
375 Windows windows/shell_bind_tcp_xpfw Disable the Windows ICF, then listen for a connection and spawn a command shell
376 Windows windows/shell_hidden_bind_tcp Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connection is not coming from the IP defined in AHOST. This way the port will appear as “closed” helping us to hide the shellcode.
377 Windows windows/shell_reverse_tcp Connect back to attacker and spawn a command shell
378 Windows windows/speak_pwned Causes the target to say “You Got Pwned” via the Windows Speech API
379 Windows windows/upexec/bind_hidden_ipknock_tcp Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
380 Windows windows/upexec/bind_hidden_tcp Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
381 Windows windows/upexec/bind_ipv6_tcp Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)
382 Windows windows/upexec/bind_ipv6_tcp_uuid Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
383 Windows windows/upexec/bind_nonx_tcp Uploads an executable and runs it (staged). Listen for a connection (No NX)
384 Windows windows/upexec/bind_tcp Uploads an executable and runs it (staged). Listen for a connection (Windows x86)
385 Windows windows/upexec/bind_tcp_rc4 Uploads an executable and runs it (staged). Listen for a connection
386 Windows windows/upexec/bind_tcp_uuid Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)
387 Windows windows/upexec/find_tag Uploads an executable and runs it (staged). Use an established connection
388 Windows windows/upexec/reverse_ipv6_tcp Uploads an executable and runs it (staged). Connect back to the attacker over IPv6
389 Windows windows/upexec/reverse_nonx_tcp Uploads an executable and runs it (staged). Connect back to the attacker (No NX)
390 Windows windows/upexec/reverse_ord_tcp Uploads an executable and runs it (staged). Connect back to the attacker
391 Windows windows/upexec/reverse_tcp Uploads an executable and runs it (staged). Connect back to the attacker
392 Windows windows/upexec/reverse_tcp_allports Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
393 Windows windows/upexec/reverse_tcp_dns Uploads an executable and runs it (staged). Connect back to the attacker
394 Windows windows/upexec/reverse_tcp_rc4 Uploads an executable and runs it (staged). Connect back to the attacker
395 Windows windows/upexec/reverse_tcp_rc4_dns Uploads an executable and runs it (staged). Connect back to the attacker
396 Windows windows/upexec/reverse_tcp_uuid Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support
397 Windows windows/vncinject/bind_hidden_ipknock_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as “closed,” thus helping to hide the shellcode
398 Windows windows/vncinject/bind_hidden_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
399 Windows windows/vncinject/bind_ipv6_tcp Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86)
400 Windows windows/vncinject/bind_ipv6_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
401 Windows windows/vncinject/bind_nonx_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection (No NX)
402 Windows windows/vncinject/bind_tcp Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)
403 Windows windows/vncinject/bind_tcp_rc4 Inject a VNC Dll via a reflective loader (staged). Listen for a connection
404 Windows windows/vncinject/bind_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86)
405 Windows windows/vncinject/find_tag Inject a VNC Dll via a reflective loader (staged). Use an established connection
406 Windows windows/vncinject/reverse_hop_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
407 Windows windows/vncinject/reverse_http Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet)
408 Windows windows/vncinject/reverse_http_proxy_pstore Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP
409 Windows windows/vncinject/reverse_ipv6_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker over IPv6
410 Windows windows/vncinject/reverse_nonx_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX)
411 Windows windows/vncinject/reverse_ord_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
412 Windows windows/vncinject/reverse_tcp Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
413 Windows windows/vncinject/reverse_tcp_allports Inject a VNC Dll via a reflective loader (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
414 Windows windows/vncinject/reverse_tcp_dns Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
415 Windows windows/vncinject/reverse_tcp_rc4 Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
416 Windows windows/vncinject/reverse_tcp_rc4_dns Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker
417 Windows windows/vncinject/reverse_tcp_uuid Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support
418 Windows windows/vncinject/reverse_winhttp Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp)
419 Windows windows/x64/exec Execute an arbitrary command (Windows x64)
420 Windows windows/x64/loadlibrary Load an arbitrary x64 library path
421 Windows windows/x64/meterpreter/bind_ipv6_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64)
422 Windows windows/x64/meterpreter/bind_ipv6_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64)
423 Windows windows/x64/meterpreter/bind_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64)
424 Windows windows/x64/meterpreter/bind_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection with UUID Support (Windows x64)
425 Windows windows/x64/meterpreter/reverse_http Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
426 Windows windows/x64/meterpreter/reverse_https Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
427 Windows windows/x64/meterpreter/reverse_tcp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)
428 Windows windows/x64/meterpreter/reverse_tcp_uuid Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64)
429 Windows windows/x64/meterpreter/reverse_winhttp Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp)
430 Windows windows/x64/meterpreter/reverse_winhttps Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 winhttp)
431 Windows windows/x64/meterpreter_bind_tcp Connect to victim and spawn a Meterpreter shell
432 Windows windows/x64/meterpreter_reverse_http Connect back to attacker and spawn a Meterpreter shell
433 Windows windows/x64/meterpreter_reverse_https Connect back to attacker and spawn a Meterpreter shell
434 Windows windows/x64/meterpreter_reverse_ipv6_tcp Connect back to attacker and spawn a Meterpreter shell
435 Windows windows/x64/meterpreter_reverse_tcp Connect back to attacker and spawn a Meterpreter shell
436 Windows windows/x64/powershell_bind_tcp Listen for a connection and spawn an interactive powershell session
437 Windows windows/x64/powershell_reverse_tcp Listen for a connection and spawn an interactive powershell session
438 Windows windows/x64/shell/bind_ipv6_tcp Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)
439 Windows windows/x64/shell/bind_ipv6_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)
440 Windows windows/x64/shell/bind_tcp Spawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64)
441 Windows windows/x64/shell/bind_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)
442 Windows windows/x64/shell/reverse_tcp Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64)
443 Windows windows/x64/shell/reverse_tcp_uuid Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)
444 Windows windows/x64/shell_bind_tcp Listen for a connection and spawn a command shell (Windows x64)
445 Windows windows/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell (Windows x64)
446 Windows windows/x64/vncinject/bind_ipv6_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)
447 Windows windows/x64/vncinject/bind_ipv6_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)
448 Windows windows/x64/vncinject/bind_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64)
449 Windows windows/x64/vncinject/bind_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)
450 Windows windows/x64/vncinject/reverse_http Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)
451 Windows windows/x64/vncinject/reverse_https Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)
452 Windows windows/x64/vncinject/reverse_tcp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64)
453 Windows windows/x64/vncinject/reverse_tcp_uuid Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)
454 Windows windows/x64/vncinject/reverse_winhttp Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp)
455 Windows windows/x64/vncinject/reverse_winhttps Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)

