Speed up MSF Payload Generation with mkvenom.sh

The popular Metasploit Framework includes a payload generation tool called msfvenom. This is generally used to create backdoor scripts or binaries which are used when taking control of a target computer. During penetration tests, CTFs and exams (like OSCP) one can spend a lot of time typing out msfvenom commands and waiting for them to complete.

Today I am releasing mkvenom.sh: a Bash script which generates a selection of common Metasploit Framework msfvenom payloads for a specified target machine. The idea is to kick this off in the background while performing initial scanning/enumeration of a target to speed up your penetration testing workflow (see also: ptboot.sh). It’s a slow script and it’s imprecise, but in some circumstances it can be a good time-saving tool.

Screenshot of mkvenom.sh running.

Features

This Linux Bash script will create commonly used Metasploit Framework payloads such as reverse meterpreter shells, bind shells etc., including 32-bit/64-bit and staged/inline variants.

It will produce a directory called payloads which contains a library of ready-to-use payload files built using the local and remote TCP/IP parameters specified via the command line:

Screenshot of directory structure produced by mkvenom.sh.

Requirements

The only requirements are the presence of Metasploit Framework 4.16+ and the Bash shell. The script is intended for use in a Linux environment and was developed and tested using Kali Linux 2018.1.

Usage

Clone or download the mkvenom.sh file from this repository into your Linux environment. You might want to consider placing it in ~/bin or /usr/local/bin so that it can be executed regardless of the shell’s current working directory.

A directory called payloads will be created in the current working directory when the script runs.

The command line usage syntax is:

Usage: mkvenom.sh <target-ip> <target-port> <local-ip> <local-port> [os]
<target-ip> - Remote target's IP address.
<target-port> - Remote target's port (e.g. for bind shells).
<local-ip> - Local IP address (e.g. for reverse shell connections).
<local-port> - Local port (e.g. a MSF multi/handler's listening port).
[os] - Restrict payload generation to one operating system (optional).
Valid values: linux, windows, osx, bsd or solaris.

For example, if the local penetration tester’s system has an IP address of 192.168.10.200 and a remote Linux target system has an IP address of 10.20.20.1:

/usr/local/bin/mkvenom.sh 10.20.20.1 4444 192.168.10.200 443 linux

In the above example, payloads which bind to an address on the target would use port 4444 whilst payloads which make reverse connections back to the local machine would use port 443.
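As an added example (not code from the mkvenom repository), the following POSIX shell functions validate the five command-line parameters described above before anything is generated, rejecting malformed IP addresses, out-of-range ports and unknown OS names; the function names are assumed.

```shell
#!/bin/sh
# Added example: argument validation for a mkvenom.sh-style front end.
# Function names (is_ipv4, is_port, is_os, validate_args) are assumed.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dot
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                            # split into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a TCP port in 1-65535.
is_port() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is empty or one of the OS names accepted by the usage text.
is_os() {
  case "$1" in
    ""|linux|windows|osx|bsd|solaris) return 0 ;;
    *) return 1 ;;
  esac
}

# validate_args <target-ip> <target-port> <local-ip> <local-port> [os]
# Reports the first problem on stderr and returns 1; returns 0 when all are valid.
validate_args() {
  [ $# -ge 4 ] && [ $# -le 5 ] || { echo "usage: mkvenom.sh <target-ip> <target-port> <local-ip> <local-port> [os]" >&2; return 1; }
  is_ipv4 "$1" || { echo "invalid target IP: $1" >&2; return 1; }
  is_port "$2" || { echo "invalid target port: $2" >&2; return 1; }
  is_ipv4 "$3" || { echo "invalid local IP: $3" >&2; return 1; }
  is_port "$4" || { echo "invalid local port: $4" >&2; return 1; }
  is_os "${5:-}" || { echo "invalid os: $5 (linux, windows, osx, bsd or solaris)" >&2; return 1; }
  return 0
}

# When run directly with arguments, check them and report the result.
if [ $# -gt 0 ]; then
  validate_args "$@" && echo "arguments OK"
fi
```

Sourcing these functions at the top of a wrapper script lets it fail fast on a typo such as a swapped IP and port instead of spending minutes producing unusable files.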

Running this tool early in the target enumeration phase means suitable MSF payloads will be ready and waiting for use when the time comes.

More Information

I have released this script under the MIT licence. It can be downloaded from the mkvenom GitHub repository.
