Sunday 19 April 2015

Quickly evading AV – simple and basic

Hi all,

So I have been reading “The Hacker Playbook” found here and was on the topic of evading AV. I was also looking at my OSCP course guide as I am starting the labs again soon and was on AV, so I thought why not test it out instead of just knowing the theory!

The Hacker Playbook goes through using PowerSploit and executing a command which can download scripts from there and run them in memory; one example is using a keylogger and having it execute in memory. Pretty sweet.

PyInstaller and all sorts of techniques were explained; most of you would be aware of the veil-framework. So I thought I would try to inject a payload into an executable via msfvenom and see if AV would pick it up; if so, I would try to see if I could evade AV.

 

Testing AV evasion

My setup is simple: a Kali box and a Windows VM with free AV installed, nothing enterprise size.

So I decided to follow this tutorial from Insecurety (note the 2012 date). It is old, but with security being behind in certain areas and what not it was worth giving it a shot.

The idea of injecting into a payload is explained in the post quite clearly as “By backdooring a legitimate executable, we can effectively hide our “evil” code amongst a pile of “good” code, and backdoor it in an undetectable manner. This means antivirus software will have a hard time finding our backdoor – or at least that is what we hope.”

The key points being: hiding the malicious code amongst good code; the only problem is that the malicious code does not interrupt the execution of the program, so it can easily be detected. It would be like trying to hide a ‘B’ in front of or behind a line of ‘A’s. The 3 B’s being malicious code to launch a reverse shell for example.

 

  • Example: AAAAAAAAAA
  • Example of not interrupting the execution: BBBAAAAAA
  • Example 2: AAABAAAAAAABAAAAABAA

 

The example of not interrupting the execution shows the B’s stand out like a sore thumb, so an AV would simply just scan a normal executable and, if the malicious code is all together as one, it could be flagged as malicious.

Whereas in Example 2 the malicious code is broken up, making it harder for the AV to detect the malicious code as being a reverse shell. This is a most basic example and it is how I visualize the process of simply injecting malicious code into a normal executable, say putty.exe.
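The A/B picture above, seen from the scanner's side, as an added example that is not from the original post or from any AV product: a contiguous signature check next to a gap-tolerant one, run over the post's own three strings. `SIGNATURE`, `contiguous_match`, `gapped_match`, `scan` and `max_gap` are hypothetical names chosen for this illustration.

```python
# Added illustration: toy signature scanner over the post's A/B strings.
# Every name below is hypothetical; the inputs are the post's own examples.
SIGNATURE = "BBB"
SAMPLES = {
    "clean": "AAAAAAAAAA",
    "contiguous": "BBBAAAAAA",
    "fragmented": "AAABAAAAAAABAAAAABAA",
}

def contiguous_match(data, sig):
    """Classic signature check: the pattern must appear in one piece."""
    return sig in data

def gapped_match(data, sig, max_gap):
    """Find sig's symbols in order with at most max_gap filler symbols
    between neighbours. Returns the matching offsets, or None."""
    # frontier: offset of the latest matched symbol -> offsets used so far
    frontier = {i: [i] for i, ch in enumerate(data) if ch == sig[0]}
    for sym in sig[1:]:
        nxt = {}
        for pos, chain in frontier.items():
            stop = min(len(data), pos + max_gap + 2)
            for j in range(pos + 1, stop):
                if data[j] == sym and j not in nxt:
                    nxt[j] = chain + [j]
        frontier = nxt
    return min(frontier.values()) if frontier else None

def scan(data, sig=SIGNATURE, max_gap=8):
    """Report which of the two checks, if any, fires on data."""
    if contiguous_match(data, sig):
        return "contiguous signature hit"
    offsets = gapped_match(data, sig, max_gap)
    if offsets:
        return f"fragmented signature hit at offsets {offsets}"
    return "clean"

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:11s} {data:22s} -> {scan(data)}")
```

Widening `max_gap` catches more fragmentation but also matches more benign data, which is why a static signature is normally only one layer alongside behavioural and in-memory checks.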

So following the Insecurety tutorial I created a reverse HTTPS meterpreter shell using putty.exe. I then copied it onto a shared folder to then move it onto my Windows testing machine. I dropped the exe onto the Windows machine and thought oh it worked, but after a few seconds it scanned the exe and found it to be malicious (my low RAM may be the cause of the delay). I did not have to execute it; it was picked up before that.

 

Avast picked it up as a trojan. I did a quick Google for win32 swrort and found from Lavasoft it detects as: “Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).” Aka a backdoor.

Example of AV warning:

[Image: Selection_001]

So I wanted to delve deeper and see if I could bypass basic AV. Since you need those l33t skillz. “The Hacker Playbook” in the startup phase has you install the veil-framework and also discusses it in the evade AV section. So without reading more I jumped on to install Veil and wanted to follow the steps in Veil for creating a payload to evade AV.

I am a BIG fan of Python and heard much about py2exe and PyInstaller, so I wanted to create a Python executable that launched a meterpreter reverse HTTPS payload (staged version). The same payload used in the Insecurety blog post, so I could bypass with the same reverse shell.

So I followed the steps through Veil, which is very simple.

I created a python meterpreter reverse shell via HTTPS encrypting communications, and used pyherion (encrypts the data, I may do some more reading and post for how it works).

 

You can see the options and output below:

[Image: veil_1]

 

So I did the same again, having a new executable, nothing to do with putty.exe this time, but I wanted to use the same payload which my AV has the signature for and will detect. I dropped it onto my Windows machine and nothing happened, *yes it's on the machine*.

 

I set up an msf multi handler listener to catch it. I had to choose the payload to be windows/meterpreter/reverse_https (the staged version). I believe if you do not set a payload it by default expects the non staged version of the windows meterpreter reverse https payload.

Setting the payload:

msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > exploit

I double-clicked the executable to launch it. The free Avast popped up with a ‘DEEP INSPECTION’ and I thought crap, it's picked it up, but no! It allowed it to execute.

 

Catching the reverse shell from my Python executable with my meterpreter shell :)

[Image: veil_2]

 

 

So that was a fun adventure, and it did not take too long to complete. Feel free to add any comments on what you have done or more in-depth explanation on the how and why of the evasion.
