Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson on bypassing antivirus software covers using the msfvenom command. Participants receive step-by-step instructions on how to use the msfvenom command to run and analyze a payload to see if anything is flagged as malicious.

Video Transcription

00:04
All right. Now, let's look at bypassing antivirus.
00:08
So I started off the msfvenom command here.
00:12
You could be familiar with this part: the payload, LHOST, LPORT.
00:17
This -x may be new. This is going to tell it to embed inside of an executable.
00:23
/usr/share/windows-binaries/radmin.exe is just a Radmin program. In the windows-binaries folder we have,
00:32
as the name implies, some Windows binaries.
00:35
-k causes it to run the payload in a different thread, so we'll still be able to run the original program, so to the user it looks normal.
00:44
But we'll also be able to have the payload in the background
00:48
for my executable. And I just put it into radmin.exe.
00:57
who?
00:59
All right, naturally, we need a listener to catch it.
01:07
Well, that's setting up.
01:11
Gonna turn on real-time protection in Microsoft Security Essentials on Win 7.
01:19
This Will
01:22
you want some anti lars
01:25
PC status is now protected.
01:27
If it finds these files, it should delete them.
01:32
We're still loading. Done it. Before I turned on the video
01:36
you fire a faction.
01:44
So?
01:45
So you gotta let me serve it to myself. Now
01:49
go.
01:51
Copy Are don't you actually eating garden? You have B W
01:56
service. Happy to start.
02:12
What's up with you?
02:19
Don't think just because you have to feed could
02:23
no
02:23
Does this activity there?
02:38
We have enough to reserve.
02:45
See,
02:47
Mac?
02:50
Well, when you be excusable on the first play
02:54
wonder
02:57
but just shoot.
03:00
Do this.
03:01
Possibly
03:15
you two might get files onto it. And I don't want to do with our Show them until you fire show yet.
03:23
Really not sure. What's up?
03:25
This Web server? Let's see stuff.
03:38
Sure. This
03:40
cool
03:57
am I couldn't think of him. All right.
04:01
Cool.
04:26
You know, I worked. I don't know. What's up with My patch is over. I haven't done anything here. That's where you
04:43
on.
04:44
As it's being downloaded, basically Microsoft Security Essentials...
04:51
Go to our Downloads folder. It won't be there anymore.
04:56
Yeah,
05:00
partially. And ice
05:01
won't run anyway.
05:09
There is gone.
05:12
Never actually ran.
05:16
Well, let's go ahead and start up a listener
05:19
Use multi/handler.
05:27
That's weird.
05:31
TCP
05:38
LPORT
05:43
Got a listener, if we can ever make it run.
05:46
Another site that you might try. I don't want you to ever try this with anything that you put your hard work into making avoid antivirus, because the site actually shares their results with the antivirus vendors. If you do get something that bypasses antivirus and then you upload it to this site, you may find on their next test it doesn't work.
06:05
I did show it in my book and did point this out, but yet people still think it's a bad idea to show it to people in the first place. Well, I'll reiterate: don't upload your specially crafted payloads to the site. They will share it with the antivirus vendors. That's kind of the point.
06:24
They're there trying to make antivirus better,
06:27
which we in security would like, antivirus to be better. But as pen testers, it makes our lives easier if it doesn't catch our stuff. Certainly,
06:34
but since I haven't done anything to this radmin.exe to make it bypass antivirus, I can upload it, no problem. I won't lose my super-secret formula for making things avoid antivirus by scanning it with VirusTotal.
06:50
This will upload the file and run it through multiple antivirus vendors and see whether it flagged it as malicious. So this is my Meterpreter
06:59
reverse TCP payload that we really haven't done anything to, except embedded it in an executable. So we should expect that any antivirus worth its salt would find it,
07:23
which means there are certainly antiviruses out there that do nothing, as far as I can tell.
07:30
Come in there, Senator. Actually pretty good at finding known threats. Of course, they are relying on it being known threats. The fact that we're using Meterpreter
07:40
makes us easier to spot. It is a very common hack tool, both for malicious hackers and pen testers.
07:51
So Microsoft should be on here somewhere. So it did find it. So I would encourage you, if you're actually trying to get past your client's antivirus, instead of uploading it to something like this... once you've actually put
08:03
your hard work into trying to bypass antivirus, putting it up here is a really bad idea.
08:09
So, but, you know, just for, like, class exercises, you know, if you run through a lot of different techniques that are known, I still put it up here in class, but
08:20
I wouldn't do it with anything you did for research.
08:26
Only 26 out of 54 actually found it.
08:35
But in a year,
08:41
big ones probably did, like Microsoft, ClamAV, Kaspersky, McAfee,
08:48
Norton, Symantec, Sophos,
08:56
so probably anything that your client is likely to have did find it. We would have to try
09:03
a little bit harder. We could certainly go through lots of different trials and techniques of how to make this number go down. But
09:11
for the sake
09:13
of time
09:13
and space,
09:16
I was just gonna kill this for now.
09:22
I want to use a tool. I had you download it in the setup to be in your root directory:
09:28
Hyperion.exe.
09:31
So this is basically going to encrypt it
09:35
with AES encryption, and it's gonna throw away the keys.
09:41
And if you know anything about encryption, that might raise a red flag for you, because it's like, um,
09:48
encryption without keys; it shouldn't be able to decrypt on the other side, right? I mean, it's supposed to be,
09:56
the whole point of cryptography, or cryptanalysis rather, is to try and break these things. Well, obviously, it doesn't use a cryptographically secure standard. Its key space is much smaller, so it can brute-force its key on the other side in a reasonable amount of time.
10:13
All right, so what I actually have to do is actually go into the Hyperion directory. That's where, like, this,
10:20
you know, Elden stuffer
10:20
was just meant to be run on Windows. But we can use the tool Wine to run our Windows programs. So run
10:28
Hyperion.exe
10:31
on
10:33
radmin.exe
10:37
and we'll call it bypass
10:39
Hyperion
10:41
dot exe.
10:46
one is being up there.
10:54
All right, so now that one has updated, it ran. My Wine needed to be updated
11:01
in there.
11:01
So then we should have
11:03
bypass
11:05
Hyperion.exe. We'll copy that. I'll just do my £5 directory from here.
11:13
We'll restart my Python server and see if my bypasshyperion.exe actually can get past antivirus. Last time I checked, it could, actually, on tests. I used things a little bit. The rumba mess. Another toolset is Veil-Evasion that you can use.
11:28
It hooks up directly to Metasploit, though,
11:33
so I have had some trouble with it in classes, because it's expecting, like, the latest version of Metasploit, which we may not necessarily have on a class image, and then getting them lined up. This
11:43
can be kind of annoying, but it has a lot of avoiding-antivirus things in it as well.
11:50
And then, I mean, the best way to do this sort of thing is not to use Meterpreter at all, but to build something custom that uses the Windows APIs, like callbacks and things. When these are making a
12:03
reverse connection to another system, it is not a malicious thing to do; practically all of your programs do that at some point or another.
12:13
So,
12:16
we'll name it
12:20
bypasshyperion.exe.
12:30
so file.
12:31
There's yet
12:33
like it's still getting through. I just know the day is gonna come when Microsoft Security Essentials finds my Hyperion and I have to change the class exercise.
12:45
Run it.
12:52
Where's my radmin? And I'm seeing radmin did at least get a shell. No, we didn't get a shell. Other...
13:01
Well, it didn't get hit by antivirus
13:05
that
13:16
Never underestimate my ability to screw up in msfvenom.
13:26
What's the command I used?
13:31
Executable.
13:33
Okay. Uh, yeah. So radmin.exe,
13:37
about this. Just to prove that it works.
13:41
I've been having some problems with it myself, with msfvenom, for probably the past
13:46
6 to 9 months,
13:50
with the shellcode that it generates not working. Though it seemed to work pretty well when I
13:56
recorded the
13:58
videos for exploit development. But it could be something wrong with the executable template, or I need to update, because I haven't updated it since the build for this image when I started the class. So let's just do
14:11
windows/meterpreter/
14:15
reverse_tcp not embedded in the executable.
14:20
We know this part works because we tried it already.
14:24
Chords
14:30
for much, you see?
14:33
Well, Im interpreter, your tea.
14:39
We've already got our handler for it.
14:48
This is probably picked up by even more things on VirusTotal, since it's not even embedded in the executable.
14:54
All right, so
15:01
we want
15:05
that. Our Hyperion command again?
15:11
Oh, there it goes.
15:13
That was slow.
15:16
So it does take a minute, though. That was more than a minute
15:20
to run
15:22
because it has to
15:24
go and brute-force the encryption key. I've never seen it take that long, and just
15:31
I didn't put
15:33
uh, too much RAM. I think it has two gigs, which should be sufficient. I don't know why it took so long. I've never seen it take that long. But it usually is about a minute.
15:43
What
15:46
it did give us the Meterpreter session. It was working. Wasn't something with msfvenom, um,
15:52
So, like I said, I have,
15:52
okay, and I had problems with msfvenom. Metasploit is a tool that's
15:58
maintained by a lot of hard-working individuals, but with something this big
16:03
you can only expect occasionally things will break.
16:07
So in general, I don't have too many problems with Metasploit at all. They do a really good job of keeping it working. But occasionally something does break.
16:14
That's why I like to stick to a particular image for classes, and I just switched the image for this class. That's causing all of our problems. But I think we've done pretty well, all in all,
16:23
so
16:25
what I was doing here is just gonna create another one. But the one we had worked just fine. It just took a little bit longer than I expected. It's usually a little bit faster
16:33
at cracking the key than that,
16:37
because my VMs are overworked. The VMs aren't fond of going through this course.
16:42
So we have
16:45
no hashdump privileges. But that's something we're gonna fix in the next section.
16:49
Operation failed on our hashdump. Why can we not get our hashdump?
16:57
We are a local administrator.
17:02
I'm actually not a domain admin, but I'm a local administrator on the system.
17:10
Thank you. Show.
17:12
Yeah.
17:22
Uh,
17:22
actually, I'm not even a local admin,
17:27
but I was. Well,
17:30
you could log back on as
17:33
regular self.
17:33
But even if I was local admin, it still would have not worked. So
17:40
we'll see that in post-exploitation, how we can fix it.
17:44
There is a little bit of extra security on our Windows 7 machine, and there's not on our Windows XP or any of our other legacy systems. So it's still worth knowing stuff on legacy systems. It's probably about
17:55
85, even 90% of internal pen tests that I do, there are some legacy systems lying around, so it is, I think, definitely worth knowing all the techniques on them. It's unlikely that you're gonna get rid of all of them, particularly in, like, the manufacturing trades;
18:11
they have them, like, embedded in Windows 2000 Embedded. And so it would cost a $1,000,000 to replace the actual device that's running it. So it's not just some server somewhere,
18:22
and, you know, I see a lot of XP still.
18:26
I think they've upgraded the main workstations to seven. But there's always something that was written that won't work on the newer versions of my *** or something like that.
18:34
So there's usually at least a couple lying around. They're typically the things that people have forgotten about patching, so you could get the easy wins on those,
18:45
and, as we'll learn in our next section, turn those into
18:48
possible domain-level compromise.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor