All right. Now let's look at bypassing antivirus.
So I started off with the msfvenom command here.
You should be familiar with this part: the payload, LHOST, LPORT.
This -x, maybe new to you, is going to tell it to embed inside of an executable.
I'll use /usr/share/windows-binaries/radmin.exe, which is just a Radmin program. In the windows-binaries folder we have,
as the name implies, some Windows binaries.
-k causes it to run the payload in a different thread, so we'll still be able to run the original program, so to the user it looks normal,
but we'll also be able to have the payload running in the background
for my executable. And I just output it to radmin.exe.
All right, naturally we need a listener to catch it.
While that's setting up,
I'm gonna turn on real-time protection in Microsoft Security Essentials on Windows 7,
if you want some antivirus.
PC status is now protected.
If it finds these files, it should delete them.
It's still loading. I had done it before I turned on the video.
So let me serve it to myself now.
Copy radmin.exe into /var/www.
service apache2 start.
Don't think just because you have to feed could
Does this activity there?
We have enough to reserve.
Well, when you be excusable on the first play
you two might get files onto it. And I don't want to do with our Show them until you fire show yet.
Really not sure what's up with this web server. Let's see.
All right.
Now it worked. I don't know what's up with my Apache server. I haven't done anything here.
It's being downloaded. Basically, Microsoft Security Essentials,
if we go to our Downloads folder, it won't be there anymore.
Well, let's go ahead and start up a listener.
Got a listener, if we can ever make it run.
Another site that you might try. I don't want you to ever try this with anything that you put your hard work into making avoid antivirus, because sites like this actually share their results with the antivirus vendors. If you do get something that bypasses antivirus and then you upload it to this site, you may find on their next test it doesn't work.
I did show it in my book and did point this out, but yet people still think it's a bad idea to show it to people in the first place. Well, I'll reiterate: don't upload your specially crafted payloads to the site; they will share it with the antivirus vendors. That's kind of the point.
They're there trying to make antivirus better,
which we in security would like antivirus to be better. But as pen testers, it makes our lives easier if it doesn't catch our stuff, certainly,
but since I haven't done anything to this radmin.exe to make it bypass antivirus, I can upload it, no problem. I won't lose my super secret formula for making things avoid antivirus by scanning it with VirusTotal.
This will upload the file and run it through multiple antivirus vendors and see whether they flag it as malicious. So this is just my Meterpreter
reverse TCP payload that we really haven't done anything to, except embed it in an executable. So we should expect that any antivirus worth its salt would find it,
which, I mean, there are certainly antiviruses out there that do nothing, as far as I can tell.
The common ones are actually pretty good at finding known threats. Of course, they are relying on it being known threats. The fact that we're using Meterpreter
makes us easier to spot. It is a very common hack tool, both for malicious hackers and pen testers.
So Microsoft should be on here somewhere. So it did find it. So I would encourage you, if you're actually trying to get past your client's antivirus, not to upload it to something like this. Once you've actually put
your hard work into trying to bypass antivirus, putting it up here is a really bad idea.
But, you know, just for class exercises, if you run through a lot of different techniques that are known, I still put it up here in class, but
I wouldn't do it with anything you did for research.
Only 26 out of 54 actually found it.
The big ones probably did, like Microsoft, ClamAV, Kaspersky, McAfee,
Norton, Symantec, Sophos.
So probably anything that your client is likely to have did find it. We would have to try
a little bit harder. We could certainly go through lots of different trials and techniques of how to make this number go down. But
let's just kill this for now.
I want to use a tool. I had you download it in the setup to be in your root directory.
So this is basically going to encrypt it
with AES encryption, and it's gonna throw away the keys.
And if you know anything about encryption, that might raise a red flag for you, because it's like, um,
encryption without keys; it shouldn't be able to decrypt on the other side, right? I mean, it's supposed to be
the whole point of cryptography, or cryptanalysis rather, is to try and break these things. Well, obviously it doesn't use a cryptographically secure standard. Its key space is much smaller, so it can brute-force its key on the other side in a reasonable amount of time.
All right, so what I actually have to do is go into the Hyperion directory; that's where it looks for things.
It was just meant to be run on Windows, but we can use the tool Wine to run our Windows programs. So run it,
and I always call it bypass.
Wine is being updated there.
All right, so now that Wine has updated, it ran. My Wine needed to be updated.
So then we should have
bypasshyperion.exe. I'll copy that. I'll just do it into my /var/www directory from here.
I'll restart my Python server and see if my bypasshyperion.exe actually can get past antivirus. Last time I checked, it could, actually. Another tool set is Veil-Evasion that you can use.
It hooks up directly to Metasploit, though,
so I have had some trouble with it in class, because it's expecting like the latest version of Metasploit, which we may not necessarily have on a class image, and then getting them lined up
can be kind of annoying. But it has a lot of avoiding-antivirus things in it as well.
And then, I mean, the best way to do this sort of thing is not to use Meterpreter at all: to build something custom that uses the Windows APIs, like callbacks and things. Making a
reverse connection to another system is not a malicious thing to do; practically all of your programs do that at some point or another.
bypasshyperion.exe.
Looks like it's still getting through. I just know the day is gonna come when Microsoft Security Essentials finds my Hyperion and I have to change the class exercise.
Radmin, I'm seeing Radmin. Did it at least get a shell? No, we didn't get a shell either.
Well, it didn't get hit by antivirus.
Never underestimate my ability to screw up in msfvenom.
What's the command I used?
Okay. Uh, yeah.
Just to prove that it works.
I've been having some problems with msfvenom myself,
with the shellcode that it generates not working, though it seemed to work pretty well in my
videos for exploit development. But it could be something wrong with the executable template, or I need to update, because I haven't updated it since the build for this image when I started the class. So let's just do it.
windows/meterpreter/reverse_tcp,
not embedded in the executable.
We know this part works because we tried it already.
We've already got our handler for it.
This is probably picked up by even more things on VirusTotal, since it's not even embedded in the executable.
Then our Hyperion command again.
So it does take a minute, though. That was more than a minute
to get it to brute-force the encryption key. I've never seen it take that long, and just,
uh, how much RAM? I think it has two gigs, which should be sufficient. I don't know why it took so long. I've never seen it take that long, but it usually is about a minute.
It did give us the Meterpreter session. It was working. It wasn't something with msfvenom, um,
So, like I said, I have,
okay, and I had problems with msfvenom. Metasploit is a tool that's
maintained by a lot of hardworking individuals, but with something this big
you can only expect that occasionally things will break.
So in general I don't have too many problems with Metasploit at all. They do a really good job of keeping it working, but occasionally something does break.
That's why I like to stick to a particular image for classes, and I just switched the image for this class. That's causing all of our problems. But I think we've done pretty well, all in all.
What I was doing here is just gonna create another one, but the one we had worked just fine. It just took a little bit longer than I expected. It's usually a little bit faster
at cracking the key than that,
because my VMs are overworked from going through this course.
No hashdump privileges. But that's something we're gonna fix in the next section.
Operation failed on our hashdump. Why can we not get our hashdump?
We are a local administrator.
I'm actually not a domain admin, but we're a local administrator on the system.
Actually, I'm not even a local admin.
I could log back on as one.
But even if I was local admin, it still would have not worked. So
we'll see that in post-exploitation, how we can fix it.
There is a little bit of extra security on our Windows 7 machine, and there's not in our Windows XP or any of our other legacy systems. So it's still worth knowing stuff on legacy systems. In probably about
85, even 90% of internal pen tests that I do, there are some legacy systems lying around, so it is, I think, definitely worth knowing all the techniques on them. It's unlikely that you're gonna get rid of all of them, particularly in like the manufacturing trades;
they have them, like embedded in Windows 2000, embedded in it. And so it would cost a $1,000,000 to replace the actual device that's running it. So it's not just some server somewhere,
and, you know, I see a lot of XP still.
I think they've upgraded the main workstations to 7, but there's always something that was written that won't work on the newer versions of Windows or something like that.
So there's usually at least a couple lying around, and they're typically the things that people have forgotten about patching, so you could get the easy wins on those
and, as we'll learn in our next section, turn those into
possible domain-level compromise.