How do I deploy a payload through a hosted website?

malware

(Gentle Byte) #1

Hello house, I am new to this forum and I’ve learnt so many things from here.

I created a payload using the SEToolkit in Kali Linux and I wish to deploy it to my experimental computer on a different network. I also want to learn how to encode this payload and upload it to 00webhost.com so I can test with my Windows system and know if it can bypass my Avast AV.

To be specific, I want to learn how to deploy payloads to a network you’re not connected to.

How to make your payload bypass different AV.

How to port forward and get logs from the payload when I click on it from my Windows PC.

I am totally new to ethical hacking and would appreciate your response.

Thanks.


#2

First of all, welcome to 0x00sec, I’m glad you’re enjoying your stay so far.

Now, if you’re still completely new to ethical hacking I would suggest you go document yourself on a few preparatory topics such as port forwarding (and networking as a whole). It’s a very easy task that most of the time can be done by tweaking your router settings from its control panel, but there are alternatives. My suggestion is that if you’re struggling to do these steps you should come back to hacking in a little while, once you have the basics down, so you’ll understand much better what you’re doing, saving yourself a lot of frustration from not being able to solve a trivial issue like this.

Your questions are also kind of generic; a Google search could have given you a lot more practical examples to learn from. We can’t really tell you every AV evasion technique in one reply, or describe all the different ways you can deploy a payload remotely; you have to narrow it down to a few options and then we will know what to tell you exactly. As a general idea, the Veil Framework is pretty good when it comes to AV evasion so check it out, while for deploying, Metasploit is one of the most used programs for the job thanks to its huge array of modules. Read how these two useful frameworks work and how to use them, although the first part is much more important in order to understand what’s actually going on and why.

If you have more questions, ask away, but be a little more specific so we can be more helpful. And think about that little piece of advice: go back to the basics for a bit beforehand.


(Gentle Byte) #3

Thanks for sharing this information with me. I’m currently attending an ethical hacking class here but the instructor seems to only teach how to create different kinds of payloads and evasion with shikata ga nai. My problem now is that I want to learn how to deploy the said payloads remotely using my Windows system as a practical example.

Secondly, I would like to host the payload on a web server so I can listen or get feedback of user information through the database created.

Thanks


#4

Deploying a payload may require different techniques based on the approach you want to take. Each engagement is going to be different in at least one way, so it’s not easy to tell you “do this”. The exploitation phase, the one where the deploying actually takes place, comes only after careful planning in which you choose one or more possible attack vectors: a typical example is resorting to social engineering by sending an email that contains a malicious .doc file, which will download your payload on the target machine thanks to an obfuscated macro that will grant you an initial foothold in the target network. Sometimes you could do that, or other times you discover there is a vulnerable service installed on the target that lets you get a shell easily thanks to a pre-made Metasploit module. You never know what attack vector you’ll be using until you enumerate your targets and study a plan; there are way too many possibilities. The more you study and experiment, the more new sophisticated and interesting methods you will discover.

> Secondly, I would like to host the payload on a web server so I can listen or get feedback of user information through the database created

Then you’ll need an Advanced Persistent Threat kind of malware, the popular APTs. That kind of functionality is also common with botnets, but not with the usual piece of malware you’ll be generating with msfvenom, for example. You can get yourself an offshore VPS or hosting plan if you wish to use it ethically, while black hats tend to use compromised servers for this kind of business, but I assume you don’t fall into that category if you’re taking an ethical hacking class.