January 20, 2018
How to Evade AV with OWASP-ZSC - Part 1
January 20, 2018
Once we have OWASP-ZSC downloaded to our Kali system, the next step is to install it.
Navigate to the directory of OWASP-ZSC.
root@kali: > cd OWASP-ZSC
Next, we need to execute the installer the script
root@kali:~/OWASP-ZSC# chmod 775 installer.pyroot@kali:# ./installer.py
Once the installer has run, you should see a screen like that above. Note that to uninstall OWASP-ZSC, you simply run ./uninstaller script. Also, once OWASP-ZSC has been installed, you need only type zsc to start this script.
Step - 3 The OWASP-ZSC Help
Before we get started with OWASP-ZSC, let's take a look at the help screen. That's ALWAYS a good idea when using a new application.
In the screen-shot above, you can see that OWASP-ZSC displays all the commands in its help screen. The key commands are the first six, but also note the back, clear, help, exit commands that useful when using OWASP-ZSC.
Step - 4 Generate Shellcode
Now, let's generate some shellcode. As we can see from from the help screen, we simply type "shellcode" and then "generate".
zsc> shellcodezsc/shellcode> generate
OWASP-ZSC uses the TAB key to show options for any command, so now we use the TAB to show the shellcode options.As you can see below, OWASP_ZSC has three OS shellcode options, linux_x86, osx_x86 and windows_x86. Since most of us are interested in Windows, let's type;zsc/shellcode/generate>windows_x86Now that we have selected the type of target OS platform to build a shellcode for, we can hit TAB to get more options.
OWASP-ZSC now displays the shellcode options it has for windows_x86. Note that we are not limited to these shellcodes. OWASP-ZSC will work on just about any shellcode, but these shellcodes are built-in by default.You can get a plethora of shellcodes to use at shell-storm.org among other places including exploit-db.com. OWASP-ZSC has an API connected to the www.shell-storm.org site that enables you to search and download directly from the hundreds of shellcode at that site shell-storm.orgLet's use the add_admin shellcode. This shellcode will--as the name implies-- add another admin user on the target system.zsc/shellcode/generate/windows_x86> add_adminOWASP-ZSC will now prompt us for the username and password we want to use for this admin account. Of course, I entered my name, "OTW" and password "hackers-arise".zsc/shellcode/generate/windows_x86/add_admin> username&&passwordshellcode. If you don't want to encode, type "none". Here, I chose to encode with random XOR (xor_random). The random encodes produce shellcode that is different each time making it more likely to be undetected by AV.zsc/shellcode/generate/windows_x86/add_admin/encode_type> xor_randomAfter I typed in my encoding type, OWASP-ZSC prompts me whether I want to output assembly code and whether I want to output my shellcode to the screen. I said "n" for the assembly and "y" to output the shellcode to my screen. Of course, neither is necessary.OWASP-ZSC now prompts us whether we want to output to .c file. I entered "y". It then prompts me for a file name. You can call your new shellcode any qualified file name, but I entered "mynewshellcode".When I create my new shellcode, it saves it by default in the OWASP=ZSC directory. Let's take a look. Note that "mynewshellcode" was saved at /root/OWASP-ZSC.Step - 6 ObfuscateThe process of obfuscation is an attempt to conceal the real purpose of the code. In this way, the forensic investigator or incident handler is less likely to understand the purpose of our shellcode.Next, we want to obfuscate that shellcode. Enter "obfuscate";zsc > obfuscateNow, to see the choices, hit the TAB key. It will display your obfuscation choices. These include;
I selected Perl. For more on Perl, see my series on Scripting for Hackers. This may not be the best choice for attacking Windows systems as the Perl interpreter is seldom on Windows systems, but I will use it nevertheless for demonstration purposes. On the other hand, it is unlikely that the AV has a signature for this shellcode in Perl, so that it will likely go undetected by Windows AV and be effective against those rare systems where the Perl interpreter is installed.
OWASP-ZSC now prompts you for the file name your want to obfuscate. Simply enter the full path to our new shellcode or any shellcode you have on your system. In my case, it is /root/OWASP-ZSC/mynewshellcode.
It then prompts you for the encoding you want to use and I selected simple_hex.
The final step is to test your new shellcode against AV software. If you know what software the target is using, simply test it against that one (check out my article on recon-ng to determine the AV the target is using). If not, you can test your new shellcode at VirusTotal to see how well it evades most commercial AV software.