Msfvenom 学习笔记与总结

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Msfvenom 学习笔记与总结相关的知识,希望对你有一定的参考价值。

平台:android,可用Payload:

1  android/meterpreter/reverse_http                    Run a meterpreter server on Android. Tunnel communication over HTTP
2  android/meterpreter/reverse_https                   Run a meterpreter server on Android. Tunnel communication over HTTPS
3  android/meterpreter/reverse_tcp                     Run a meterpreter server on Android. Connect back stager
4  android/shell/reverse_http                          Spawn a piped command shell (sh). Tunnel communication over HTTP
5  android/shell/reverse_https                         Spawn a piped command shell (sh). Tunnel communication over HTTPS
6  android/shell/reverse_tcp                           Spawn a piped command shell (sh). Connect back stager

不常用的是最后三行的Payload ,用它只能得到一个sh的shell,不如meterpreter提供的后渗透模块强大,可能是有其他的用处吧..不解..

运行平台:Java,可用Payload:

1  java/jsp_shell_bind_tcp                             Listen for a connection and spawn a command shell
2  java/jsp_shell_reverse_tcp                          Connect back to attacker and spawn a command shell
3  java/meterpreter/bind_tcp                           Run a meterpreter server in Java. Listen for a connection
4  java/meterpreter/reverse_http                       Run a meterpreter server in Java. Tunnel communication over HTTP
5  java/meterpreter/reverse_https                      Run a meterpreter server in Java. Tunnel communication over HTTPS
6  java/meterpreter/reverse_tcp                        Run a meterpreter server in Java. Connect back stager
7  java/shell/bind_tcp                                 Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
8  java/shell/reverse_tcp                              Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
9  java/shell_reverse_tcp                              Connect back to attacker and spawn a command shell

明白怎么回事,说不出来,还是没明白透,先略过了

 

平台:Linux ,可用Payload:

 1     linux/armle/adduser                                 Create a new user with UID 0
 2     linux/armle/exec                                    Execute an arbitrary command
 3     linux/armle/shell/bind_tcp                          dup2 socket in r12, then execve. Listen for a connection
 4     linux/armle/shell/reverse_tcp                       dup2 socket in r12, then execve. Connect back to the attacker
 5     linux/armle/shell_bind_tcp                          Connect to target and spawn a command shell
 6     linux/armle/shell_reverse_tcp                       Connect back to attacker and spawn a command shell
 7     linux/mipsbe/exec                                   A very small shellcode for executing commands. This module is sometimes helpful for testing purposes.
 8     linux/mipsbe/reboot                                 A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes or executing other payloads that rely on initial startup procedures.
 9     linux/mipsbe/shell/reverse_tcp                      Spawn a command shell (staged). Connect back to the attacker
10     linux/mipsbe/shell_bind_tcp                         Listen for a connection and spawn a command shell
11     linux/mipsbe/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
12     linux/mipsle/exec                                   A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space.
13     linux/mipsle/reboot                                 A very small shellcode for rebooting the system. This payload is sometimes helpful for testing purposes.
14     linux/mipsle/shell/reverse_tcp                      Spawn a command shell (staged). Connect back to the attacker
15     linux/mipsle/shell_bind_tcp                         Listen for a connection and spawn a command shell
16     linux/mipsle/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
17     linux/ppc/shell_bind_tcp                            Listen for a connection and spawn a command shell
18     linux/ppc/shell_find_port                           Spawn a shell on an established connection
19     linux/ppc/shell_reverse_tcp                         Connect back to attacker and spawn a command shell
20     linux/ppc64/shell_bind_tcp                          Listen for a connection and spawn a command shell
21     linux/ppc64/shell_find_port                         Spawn a shell on an established connection
22     linux/ppc64/shell_reverse_tcp                       Connect back to attacker and spawn a command shell
23     linux/x64/exec                                      Execute an arbitrary command
24     linux/x64/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection
25     linux/x64/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
26     linux/x64/shell_bind_tcp                            Listen for a connection and spawn a command shell
27     linux/x64/shell_bind_tcp_random_port                Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: ‘nmap -sS target -p-‘.
28     linux/x64/shell_find_port                           Spawn a shell on an established connection
29     linux/x64/shell_reverse_tcp                         Connect back to attacker and spawn a command shell
30     linux/x86/adduser                                   Create a new user with UID 0
31     linux/x86/chmod                                     Runs chmod on specified file with specified mode
32     linux/x86/exec                                      Execute an arbitrary command
33     linux/x86/meterpreter/bind_ipv6_tcp                 Inject the meterpreter server payload (staged). Listen for an IPv6 connection (Linux x86)
34     linux/x86/meterpreter/bind_ipv6_tcp_uuid            Inject the meterpreter server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
35     linux/x86/meterpreter/bind_nonx_tcp                 Inject the meterpreter server payload (staged). Listen for a connection
36     linux/x86/meterpreter/bind_tcp                      Inject the meterpreter server payload (staged). Listen for a connection (Linux x86)
37     linux/x86/meterpreter/bind_tcp_uuid                 Inject the meterpreter server payload (staged). Listen for a connection with UUID Support (Linux x86)
38     linux/x86/meterpreter/find_tag                      Inject the meterpreter server payload (staged). Use an established connection
39     linux/x86/meterpreter/reverse_ipv6_tcp              Inject the meterpreter server payload (staged). Connect back to attacker over IPv6
40     linux/x86/meterpreter/reverse_nonx_tcp              Inject the meterpreter server payload (staged). Connect back to the attacker
41     linux/x86/meterpreter/reverse_tcp                   Inject the meterpreter server payload (staged). Connect back to the attacker
42     linux/x86/meterpreter/reverse_tcp_uuid              Inject the meterpreter server payload (staged). Connect back to the attacker
43     linux/x86/metsvc_bind_tcp                           Stub payload for interacting with a Meterpreter Service
44     linux/x86/metsvc_reverse_tcp                        Stub payload for interacting with a Meterpreter Service
45     linux/x86/read_file                                 Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
46     linux/x86/shell/bind_ipv6_tcp                       Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)
47     linux/x86/shell/bind_ipv6_tcp_uuid                  Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
48     linux/x86/shell/bind_nonx_tcp                       Spawn a command shell (staged). Listen for a connection
49     linux/x86/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection (Linux x86)
50     linux/x86/shell/bind_tcp_uuid                       Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)
51     linux/x86/shell/find_tag                            Spawn a command shell (staged). Use an established connection
52     linux/x86/shell/reverse_ipv6_tcp                    Spawn a command shell (staged). Connect back to attacker over IPv6
53     linux/x86/shell/reverse_nonx_tcp                    Spawn a command shell (staged). Connect back to the attacker
54     linux/x86/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
55     linux/x86/shell/reverse_tcp_uuid                    Spawn a command shell (staged). Connect back to the attacker
56     linux/x86/shell_bind_ipv6_tcp                       Listen for a connection over IPv6 and spawn a command shell
57     linux/x86/shell_bind_tcp                            Listen for a connection and spawn a command shell
58     linux/x86/shell_bind_tcp_random_port                Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: ‘nmap -sS target -p-‘.
59     linux/x86/shell_find_port                           Spawn a shell on an established connection
60     linux/x86/shell_find_tag                            Spawn a shell on an established connection (proxy/nat safe)
61     linux/x86/shell_reverse_tcp                         Connect back to attacker and spawn a command shell
62     linux/x86/shell_reverse_tcp2                        Connect back to attacker and spawn a command shell

真他妈的多

 

平台:osx(mac电脑的系统吗:) ) ,可用payload:

 1     osx/armle/execute/bind_tcp                          Spawn a command shell (staged). Listen for a connection
 2     osx/armle/execute/reverse_tcp                       Spawn a command shell (staged). Connect back to the attacker
 3     osx/armle/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection
 4     osx/armle/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
 5     osx/armle/shell_bind_tcp                            Listen for a connection and spawn a command shell
 6     osx/armle/shell_reverse_tcp                         Connect back to attacker and spawn a command shell
 7     osx/armle/vibrate                                   Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller <cmiller[at]securityevaluators.com>.
 8     osx/ppc/shell/bind_tcp                              Spawn a command shell (staged). Listen for a connection
 9     osx/ppc/shell/find_tag                              Spawn a command shell (staged). Use an established connection
10     osx/ppc/shell/reverse_tcp                           Spawn a command shell (staged). Connect back to the attacker
11     osx/ppc/shell_bind_tcp                              Listen for a connection and spawn a command shell
12     osx/ppc/shell_reverse_tcp                           Connect back to attacker and spawn a command shell
13     osx/x64/dupandexecve/bind_tcp                       dup2 socket in edi, then execve. Listen, read length, read buffer, execute
14     osx/x64/dupandexecve/reverse_tcp                    dup2 socket in edi, then execve. Connect, read length, read buffer, execute
15     osx/x64/exec                                        Execute an arbitrary command
16     osx/x64/say                                         Say an arbitrary string outloud using Mac OS X text2speech
17     osx/x64/shell_bind_tcp                              Bind an arbitrary command to an arbitrary port
18     osx/x64/shell_find_tag                              Spawn a shell on an established connection (proxy/nat safe)
19     osx/x64/shell_reverse_tcp                           Connect back to attacker and spawn a command shell
20     osx/x86/bundleinject/bind_tcp                       Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute
21     osx/x86/bundleinject/reverse_tcp                    Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute
22     osx/x86/exec                                        Execute an arbitrary command
23     osx/x86/isight/bind_tcp                             Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute
24     osx/x86/isight/reverse_tcp                          Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute
25     osx/x86/shell_bind_tcp                              Listen for a connection and spawn a command shell
26     osx/x86/shell_find_port                             Spawn a shell on an established connection
27     osx/x86/shell_reverse_tcp                           Connect back to attacker and spawn a command shell
28     osx/x86/vforkshell/bind_tcp                         Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute
29     osx/x86/vforkshell/reverse_tcp                      Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, execute
30     osx/x86/vforkshell_bind_tcp                         Listen for a connection, vfork if necessary, and spawn a command shell
31     osx/x86/vforkshell_reverse_tcp                      Connect back to attacker, vfork if necessary, and spawn a command shell

挺想用用这个payload做实验呢,就是找不到mac电脑~~~

 

运行环境:python,php,ruby, 可用Payload:

 1     php/bind_perl                                       Listen for a connection and spawn a command shell via perl (persistent)
 2     php/bind_perl_ipv6                                  Listen for a connection and spawn a command shell via perl (persistent) over IPv6
 3     php/bind_php                                        Listen for a connection and spawn a command shell via php
 4     php/bind_php_ipv6                                   Listen for a connection and spawn a command shell via php (IPv6)
 5     php/download_exec                                   Download an EXE from an HTTP URL and execute it
 6     php/exec                                            Execute a single system command
 7     php/meterpreter/bind_tcp                            Run a meterpreter server in PHP. Listen for a connection
 8     php/meterpreter/bind_tcp_ipv6                       Run a meterpreter server in PHP. Listen for a connection over IPv6
 9     php/meterpreter/bind_tcp_ipv6_uuid                  Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support
10     php/meterpreter/bind_tcp_uuid                       Run a meterpreter server in PHP. Listen for a connection with UUID Support
11     php/meterpreter/reverse_tcp                         Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
12     php/meterpreter/reverse_tcp_uuid                    Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions
13     php/meterpreter_reverse_tcp                         Connect back to attacker and spawn a Meterpreter server (PHP)
14     php/reverse_perl                                    Creates an interactive shell via perl
15     php/reverse_php                                     Reverse PHP connect back shell with checks for disabled functions
16     php/shell_findsock                                  Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.
17     python/meterpreter/bind_tcp                         Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection
18     python/meterpreter/bind_tcp_uuid                    Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Listen for a connection with UUID Support
19     python/meterpreter/reverse_http                     Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP
20     python/meterpreter/reverse_https                    Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Tunnel communication over HTTP using SSL
21     python/meterpreter/reverse_tcp                      Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker
22     python/meterpreter/reverse_tcp_uuid                 Run a meterpreter server in Python (2.5-2.7 & 3.1-3.5). Connect back to the attacker with UUID Support
23     python/meterpreter_bind_tcp                         Connect to the victim and spawn a Meterpreter shell
24     python/meterpreter_reverse_http                     Connect back to the attacker and spawn a Meterpreter shell
25     python/meterpreter_reverse_https                    Connect back to the attacker and spawn a Meterpreter shell
26     python/meterpreter_reverse_tcp                      Connect back to the attacker and spawn a Meterpreter shell
27     python/shell_reverse_tcp                            Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3
28     python/shell_reverse_tcp_ssl                        Creates an interactive shell via python, uses SSL, encodes with base64 by design.
29     ruby/shell_bind_tcp                                 Continually listen for a connection and spawn a command shell via Ruby
30     ruby/shell_bind_tcp_ipv6                            Continually listen for a connection and spawn a command shell via Ruby
31     ruby/shell_reverse_tcp                              Connect back and create a command shell via Ruby
32     ruby/shell_reverse_tcp_ssl                          Connect back and create a command shell via Ruby, uses SSL

 

重点来了 Windows:

  1  windows/adduser                                     Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
  2     windows/dllinject/bind_hidden_ipknock_tcp           Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
  3     windows/dllinject/bind_hidden_tcp                   Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
  4     windows/dllinject/bind_ipv6_tcp                     Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)
  5     windows/dllinject/bind_ipv6_tcp_uuid                Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)
  6     windows/dllinject/bind_nonx_tcp                     Inject a DLL via a reflective loader. Listen for a connection (No NX)
  7     windows/dllinject/bind_tcp                          Inject a DLL via a reflective loader. Listen for a connection (Windows x86)
  8     windows/dllinject/bind_tcp_rc4                      Inject a DLL via a reflective loader. Listen for a connection
  9     windows/dllinject/bind_tcp_uuid                     Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)
 10     windows/dllinject/find_tag                          Inject a DLL via a reflective loader. Use an established connection
 11     windows/dllinject/reverse_hop_http                  Inject a DLL via a reflective loader. Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
 12     windows/dllinject/reverse_http                      Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)
 13     windows/dllinject/reverse_http_proxy_pstore         Inject a DLL via a reflective loader. Tunnel communication over HTTP
 14     windows/dllinject/reverse_ipv6_tcp                  Inject a DLL via a reflective loader. Connect back to the attacker over IPv6
 15     windows/dllinject/reverse_nonx_tcp                  Inject a DLL via a reflective loader. Connect back to the attacker (No NX)
 16     windows/dllinject/reverse_ord_tcp                   Inject a DLL via a reflective loader. Connect back to the attacker
 17     windows/dllinject/reverse_tcp                       Inject a DLL via a reflective loader. Connect back to the attacker
 18     windows/dllinject/reverse_tcp_allports              Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
 19     windows/dllinject/reverse_tcp_dns                   Inject a DLL via a reflective loader. Connect back to the attacker
 20     windows/dllinject/reverse_tcp_rc4                   Inject a DLL via a reflective loader. Connect back to the attacker
 21     windows/dllinject/reverse_tcp_rc4_dns               Inject a DLL via a reflective loader. Connect back to the attacker
 22     windows/dllinject/reverse_tcp_uuid                  Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support
 23     windows/dllinject/reverse_winhttp                   Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)
 24     windows/dns_txt_query_exec                          Performs a TXT query against a series of DNS record(s) and executes the returned payload
 25     windows/download_exec                               Download an EXE from an HTTP(S)/FTP URL and execute it
 26     windows/exec                                        Execute an arbitrary command
 27     windows/format_all_drives                           This payload formats all mounted disks in Windows (aka ShellcodeOfDeath). After formatting, this payload sets the volume label to the string specified in the VOLUMELABEL option. If the code is unable to access a drive for any reason, it skips the drive and proceeds to the next volume.
 28     windows/loadlibrary                                 Load an arbitrary library path
 29     windows/messagebox                                  Spawns a dialog via MessageBox using a customizable title, text & icon
 30     windows/meterpreter/bind_hidden_ipknock_tcp         Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
 31     windows/meterpreter/bind_hidden_tcp                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
 32     windows/meterpreter/bind_ipv6_tcp                   Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection (Windows x86)
 33     windows/meterpreter/bind_ipv6_tcp_uuid              Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
 34     windows/meterpreter/bind_nonx_tcp                   Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (No NX)
 35     windows/meterpreter/bind_tcp                        Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection (Windows x86)
 36     windows/meterpreter/bind_tcp_rc4                    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection
 37     windows/meterpreter/bind_tcp_uuid                   Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Listen for a connection with UUID Support (Windows x86)
 38     windows/meterpreter/find_tag                        Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Use an established connection
 39     windows/meterpreter/reverse_hop_http                Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload data/hop/hop.php to the PHP server you wish to use as a hop.
 40     windows/meterpreter/reverse_http                    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows wininet)
 41     windows/meterpreter/reverse_http_proxy_pstore       Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP
 42     windows/meterpreter/reverse_https                   Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows wininet)
 43     windows/meterpreter/reverse_https_proxy             Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP using SSL with custom proxy support
 44     windows/meterpreter/reverse_ipv6_tcp                Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker over IPv6
 45     windows/meterpreter/reverse_nonx_tcp                Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker (No NX)
 46     windows/meterpreter/reverse_ord_tcp                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
 47     windows/meterpreter/reverse_tcp                     Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
 48     windows/meterpreter/reverse_tcp_allports            Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
 49     windows/meterpreter/reverse_tcp_dns                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
 50     windows/meterpreter/reverse_tcp_rc4                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
 51     windows/meterpreter/reverse_tcp_rc4_dns             Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker
 52     windows/meterpreter/reverse_tcp_uuid                Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Connect back to the attacker with UUID Support
 53     windows/meterpreter/reverse_winhttp                 Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTP (Windows winhttp)
 54     windows/meterpreter/reverse_winhttps                Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Tunnel communication over HTTPS (Windows winhttp)
 55     windows/meterpreter_bind_tcp                        Connect to victim and spawn a Meterpreter shell
 56     windows/meterpreter_reverse_http                    Connect back to attacker and spawn a Meterpreter shell
 57     windows/meterpreter_reverse_https                   Connect back to attacker and spawn a Meterpreter shell
 58     windows/meterpreter_reverse_ipv6_tcp                Connect back to attacker and spawn a Meterpreter shell
 59     windows/meterpreter_reverse_tcp                     Connect back to attacker and spawn a Meterpreter shell
 60     windows/metsvc_bind_tcp                             Stub payload for interacting with a Meterpreter Service
 61     windows/metsvc_reverse_tcp                          Stub payload for interacting with a Meterpreter Service
 62     windows/patchupdllinject/bind_hidden_ipknock_tcp    Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
 63     windows/patchupdllinject/bind_hidden_tcp            Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host.
 64     windows/patchupdllinject/bind_ipv6_tcp              Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86)
 65     windows/patchupdllinject/bind_ipv6_tcp_uuid         Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)
 66     windows/patchupdllinject/bind_nonx_tcp              Inject a custom DLL into the exploited process. Listen for a connection (No NX)
 67     windows/patchupdllinject/bind_tcp                   Inject a custom DLL into the exploited process. Listen for a connection (Windows x86)
 68     windows/patchupdllinject/bind_tcp_rc4               Inject a custom DLL into the exploited process. Listen for a connection
 69     windows/patchupdllinject/bind_tcp_uuid              Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86)
 70     windows/patchupdllinject/find_tag                   Inject a custom DLL into the exploited process. Use an established connection
 71     windows/patchupdllinject/reverse_ipv6_tcp           Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6
 72     windows/patchupdllinject/reverse_nonx_tcp           Inject a custom DLL into the exploited process. Connect back to the attacker (No NX)
 73     windows/patchupdllinject/reverse_ord_tcp            Inject a custom DLL into the exploited process. Connect back to the attacker
 74     windows/patchupdllinject/reverse_tcp                Inject a custom DLL into the exploited process. Connect back to the attacker
 75     windows/patchupdllinject/reverse_tcp_allports       Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly)
 76     windows/patchupdllinject/reverse_tcp_dns            Inject a custom DLL into the exploited process. Connect back to the attacker
 77     windows/patchupdllinject/reverse_tcp_rc4            Inject a custom DLL into the exploited process. Connect back to the attacker
 78     windows/patchupdllinject/reverse_tcp_rc4_dns        Inject a custom DLL into the exploited process. Connect back to the attacker
 79     windows/patchupdllinject/reverse_tcp_uuid           Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support
 80     windows/patchupmeterpreter/bind_hidden_ipknock_tcp  Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
 81     windows/patchupmeterpreter/bind_hidden_tcp          Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
 82     windows/patchupmeterpreter/bind_ipv6_tcp            Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86)
 83     windows/patchupmeterpreter/bind_ipv6_tcp_uuid       Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
 84     windows/patchupmeterpreter/bind_nonx_tcp            Inject the meterpreter server DLL (staged). Listen for a connection (No NX)
 85     windows/patchupmeterpreter/bind_tcp                 Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86)
 86     windows/patchupmeterpreter/bind_tcp_rc4             Inject the meterpreter server DLL (staged). Listen for a connection
 87     windows/patchupmeterpreter/bind_tcp_uuid            Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86)
 88     windows/patchupmeterpreter/find_tag                 Inject the meterpreter server DLL (staged). Use an established connection
 89     windows/patchupmeterpreter/reverse_ipv6_tcp         Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6
 90     windows/patchupmeterpreter/reverse_nonx_tcp         Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX)
 91     windows/patchupmeterpreter/reverse_ord_tcp          Inject the meterpreter server DLL (staged). Connect back to the attacker
 92     windows/patchupmeterpreter/reverse_tcp              Inject the meterpreter server DLL (staged). Connect back to the attacker
 93     windows/patchupmeterpreter/reverse_tcp_allports     Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
 94     windows/patchupmeterpreter/reverse_tcp_dns          Inject the meterpreter server DLL (staged). Connect back to the attacker
 95     windows/patchupmeterpreter/reverse_tcp_rc4          Inject the meterpreter server DLL (staged). Connect back to the attacker
 96     windows/patchupmeterpreter/reverse_tcp_rc4_dns      Inject the meterpreter server DLL (staged). Connect back to the attacker
 97     windows/patchupmeterpreter/reverse_tcp_uuid         Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support
 98     windows/powershell_bind_tcp                         Listen for a connection and spawn an interactive powershell session
 99     windows/powershell_reverse_tcp                      Listen for a connection and spawn an interactive powershell session
100     windows/shell/bind_hidden_ipknock_tcp               Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
101     windows/shell/bind_hidden_tcp                       Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
102     windows/shell/bind_ipv6_tcp                         Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86)
103     windows/shell/bind_ipv6_tcp_uuid                    Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
104     windows/shell/bind_nonx_tcp                         Spawn a piped command shell (staged). Listen for a connection (No NX)
105     windows/shell/bind_tcp                              Spawn a piped command shell (staged). Listen for a connection (Windows x86)
106     windows/shell/bind_tcp_rc4                          Spawn a piped command shell (staged). Listen for a connection
107     windows/shell/bind_tcp_uuid                         Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86)
108     windows/shell/find_tag                              Spawn a piped command shell (staged). Use an established connection
109     windows/shell/reverse_ipv6_tcp                      Spawn a piped command shell (staged). Connect back to the attacker over IPv6
110     windows/shell/reverse_nonx_tcp                      Spawn a piped command shell (staged). Connect back to the attacker (No NX)
111     windows/shell/reverse_ord_tcp                       Spawn a piped command shell (staged). Connect back to the attacker
112     windows/shell/reverse_tcp                           Spawn a piped command shell (staged). Connect back to the attacker
113     windows/shell/reverse_tcp_allports                  Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
114     windows/shell/reverse_tcp_dns                       Spawn a piped command shell (staged). Connect back to the attacker
115     windows/shell/reverse_tcp_rc4                       Spawn a piped command shell (staged). Connect back to the attacker
116     windows/shell/reverse_tcp_rc4_dns                   Spawn a piped command shell (staged). Connect back to the attacker
117     windows/shell/reverse_tcp_uuid                      Spawn a piped command shell (staged). Connect back to the attacker with UUID Support
118     windows/shell_bind_tcp                              Listen for a connection and spawn a command shell
119     windows/shell_bind_tcp_xpfw                         Disable the Windows ICF, then listen for a connection and spawn a command shell
120     windows/shell_hidden_bind_tcp                       Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not comming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the shellcode.
121     windows/shell_reverse_tcp                           Connect back to attacker and spawn a command shell
122     windows/speak_pwned                                 Causes the target to say "You Got Pwned" via the Windows Speech API
123     windows/upexec/bind_hidden_ipknock_tcp              Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
124     windows/upexec/bind_hidden_tcp                      Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
125     windows/upexec/bind_ipv6_tcp                        Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)
126     windows/upexec/bind_ipv6_tcp_uuid                   Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
127     windows/upexec/bind_nonx_tcp                        Uploads an executable and runs it (staged). Listen for a connection (No NX)
128     windows/upexec/bind_tcp                             Uploads an executable and runs it (staged). Listen for a connection (Windows x86)
129     windows/upexec/bind_tcp_rc4                         Uploads an executable and runs it (staged). Listen for a connection
130     windows/upexec/bind_tcp_uuid                        Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)
131     windows/upexec/find_tag                             Uploads an executable and runs it (staged). Use an established connection
132     windows/upexec/reverse_ipv6_tcp                     Uploads an executable and runs it (staged). Connect back to the attacker over IPv6
133     windows/upexec/reverse_nonx_tcp                     Uploads an executable and runs it (staged). Connect back to the attacker (No NX)
134     windows/upexec/reverse_ord_tcp                      Uploads an executable and runs it (staged). Connect back to the attacker
135     windows/upexec/reverse_tcp                          Uploads an executable and runs it (staged). Connect back to the attacker
136     windows/upexec/reverse_tcp_allports                 Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)
137     windows/upexec/reverse_tcp_dns                      Uploads an executable and runs it (staged). Connect back to the attacker
138     windows/upexec/reverse_tcp_rc4                      Uploads an executable and runs it (staged). Connect back to the attacker
139     windows/upexec/reverse_tcp_rc4_dns                  Uploads an executable and runs it (staged). Connect back to the attacker
140     windows/upexec/reverse_tcp_uuid                     Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support
141     windows/vncinject/bind_hidden_ipknock_tcp           Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode
142     windows/vncinject/bind_hidden_tcp                   Inject a VNC Dll via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.
143     windows/vncinject/bind_ipv6_tcp                     Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86)
144     windows/vncinject/bind_ipv6_tcp_uuid                Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection with UUID Support (Windows x86)
145     windows/vncinject/bind_nonx_tcp                     Inject a VNC Dll via a reflective loader (staged). Listen for a connection (No NX)
146     windows/vncinject/bind_tcp                          Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)
147     windows/vncinject/bind_tcp_rc4                      Inject a VNC Dll via a reflective loader (staged). Listen for a connection
148     windows/vncinject/bind_tcp_uuid                     Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86)
149     windows/vncinject/find_tag                          Inject a VNC Dll via a reflective loader (staged). Use an established connection
150     window

以上是关于Msfvenom 学习笔记与总结的主要内容,如果未能解决你的问题,请参考以下文章

Msfvenom学习总结

[原创]java WEB学习笔记61:Struts2学习之路--通用标签 property,uri,param,set,push,if-else,itertor,sort,date,a标签等(代码片段

学习笔记:python3,代码片段(2017)

Mybatis 学习笔记总结

Hadoop学习笔记:WordCount程序的实现与总结

数据结构学习笔记(栈队列)整理与总结