Payloads are the code that gets executed on the target machine after a successful exploit. Metasploit organizes payloads into types based on how they behave and how they are structured: singles, stagers, stages, and adapters.

Single Payloads

Single payloads are self-contained. They include all functionality in one binary that is delivered and executed immediately.

set payload cmd/unix/reverse

In msfconsole, you can identify them by their path:

payload/<platform>/<payload_name>

Example:

payload/windows/shell_reverse_tcp
  • No external components or networking stages
  • More stable in restrictive environments
  • Quick to deploy but limited in features

Staged Payloads (Stager + Stage)

Staged payloads are split into two parts:

  • A stager: connects back to the attacker and loads the next step
  • A stage: the full payload sent over the network after connection
set payload windows/meterpreter/reverse_tcp

In msfconsole, you can identify them by the presence of both a stage and stager in the path:

payload/<platform>/<stage>/<stager>

Example:

payload/windows/meterpreter/reverse_tcp
  • meterpreter is the stage (the main payload)
  • reverse_tcp is the stager (the delivery method)

This structure shows clearly that the payload is staged.

Adapter Payloads

Adapters are used to modify or extend behavior of payloads, like adding encryption or routing. They aren’t full payloads on their own but act as middleware.

In practice, adapters are not shown directly in most payload paths — they are set through advanced options or used by certain modules in development frameworks.

  • Helps with evasion or special routing
  • Not common in basic attacks
  • Useful in advanced or stealthy engagements

Payload Type Comparison Table

Payload TypePath Pattern ExampleBehavior Description
Singlepayload/windows/shell_reverse_tcpSelf-contained, no staging
Stagerspayload/windows/meterpreter/reverse_tcpSmall loader for a second-stage
Stages(Delivered via stager, not selected manually)Main payload like meterpreter
Adapters(Not in direct paths, applied via options)Modify or extend other payloads

Quick Path Distinction

Staged payload path:    windows/meterpreter/reverse_tcp
                        └────── Stage ──────┘ └── Stager ─┘
 
Single payload path:    windows/shell_reverse_tcp
                        └─────── One full payload ───────┘