currently I'm preparing for OSCP and right know I'm working on reverse shells. Using msfconsole it's not problem to get a meterpreter-session, however meterpreter is not allowed during the exam so I want to go the "manual" way.

With msfvenom I create a payload for my victim windows 7 machine, I open a netcat listener on the correct port, download and execute the malicous exe file from the victim machine, and a connection will be established. But, when I type a command, the connection closes. In the screenshot you see what I'm talking about:

enter image description here

What am I doing wrong? As I said, using the exact same msfvenom command (just with windows/meterpreter/reverse_tcp instead of windows/shell/reverse_tcp) and msfconsole's multihandler everything works fine. So problems with the clients port (firewall rules for example) can be eliminated. Maybe I use a wrong payload...?

  • 273
  • 1
  • 2
  • 7

1 Answers1


TLDR: to catch it with a netcat listener you need to use windows/shell_reverse_tcp, not windows/shell/reverse_tcp. Otherwise you need to use the multihandler.

Take a look at these two payloads from msfvenom:

Windows Command Shell, Reverse TCP Stager
Spawn a piped command shell (staged). Connect back to the attacker
Total size: 283


Windows Command Shell, Reverse TCP Inline
Connect back to attacker and spawn a command shell
Total size: 324

Notice how the first one is smaller, but it also says that it is staged. This means that it can be smaller because rather than cram all the necessary code into the payload itself, it just contains the bare minimum needed to connect back to a compatible listener and receive the rest of the code. This is done by msfconsole's multihandler, but not by netcat.

If you don't want to bother with spinning up a multihandler, you can use the stageless version, though it is slightly larger. Just make sure to pay attention when listing payloads to whether or not something is described as staged. You could also just filter staged payloads out of your initial listing: eg msfvenom --list-payloads | grep -v stage[rd]

  • 123,438
  • 55
  • 284
  • 319
Yaakov Saxon
  • 158
  • 6
  • 1
    You sir made my day. It's working! You not just provided a working answer (which may I would have found out by myself via try and error), but you also explained why it's working respectively why my solution did not work. Thank you! – Alex Nov 16 '18 at 14:46
  • You're very welcome! – Yaakov Saxon Nov 16 '18 at 15:04
  • One little character ( _ ) such a huge difference... Thank you very much man. – DimiDak Mar 27 '21 at 02:55