Jump to content

How would one go about encrypting a file to be used to get around an anti virus *to trick the anti virus's hash data base* . For encrypted files to be deployed with the Duck


h0ner

Recommended Posts

Hello fine people of the Hak.5 forms. I have forums my self with quite a substantial problem. The issue is that I have no idea how to change the hash of a program so that it can get around common anti virus programs. Previous to this when having to encrypt files(reverse TCP) I have just used veil evasion as I do not posies the skill and know how to encrypt files on my own. Now today is the day that all that changes(with help from you guys 'hopefully'). I have found myself with a problem that just using veil ain't going to solve(well to my knowledge at least to my knowledge) so I put it to you kind people of this great form how would I encrypt the file that I will link below. 

 

 

- h0ner 

Link to comment
Share on other sites

file signature these days is still used, but many AV's can tell what a program does even without a sig to match against via heuristics and various mathematical methods to assess the executable. What you really need to do is test with various AV, and have the payload run only in memory, never touch disk, at least not in executable native code. Simple base64 or hexadecimal output and reversing the string, will bypass most AV for transport, but it can't be run like this. You need to use something on the system, to recode it back to an executable, but only in memory, and then execute it from there. Google powershell UAC bypasses and running programs in memory only via powershell (If on windows)

https://www.google.com/search?client=opera&q=how+to+make+a+program+run+in+memory+only+via+powershell&sourceid=opera&ie=UTF-8&oe=UTF-8

By the way, you should not upload executables to the forums..mods need to remove it.

https://www.virustotal.com/en-gb/file/7f11dabe46bf0af8973ce849194a587bd0ba1452e165faf028983f85b2b624c2/analysis/1472129530/

Edited by digip
Link to comment
Share on other sites

  • 4 weeks later...

Depends on what you are trying to do on the endpoint.

If you are trying to deploy pre-compiled executable, into which you want to embed shellcode, then something like shellter (as mentioned by @anode) is a good choice.  I have used it to deploy putty with an embedded meterpreter reverse_tcp shell to an endpoint.  The handy thing that shellter can keep the executable functional, which is really cool when used with putty, when you consider that it is used by IT professionals, and they make for good targets (holding the keys to the kingdom and all).

If you want to take an existing executable and make it bypass AV, then you can use any number of packers and/or crypters.  One that I have had a lot of success with recently was Hyperion.

As @digip says, there are other ways that ensure that executables don't even land on the endpoint.  An example of this is the reflective DLL injection used by the Invoke-Mimikatz.ps1 powershell script, which was demonstrated by Hak5 with the USB-RD in their 15 sec credential hack, a la Mr Robot.

Link to comment
Share on other sites

If you want to get around any Antivirus you simply need to identify which part of the file contains a malicious signature and alter the signature.  In the method described here.

https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm

You disassemble a binary file into raw ASM.  Manually obfuscate each section  of the code until all existing signatures have been changed, then repackage the binary.  You could call this the point and spray machine gun method.

A more surgical method would be to take each individual chunk of ASM and create individual compiled binaries off of them.  Point the AV you wish to bypass at the smaller chunks and see which one triggers the malicious signature.  Then you can take the original binary and simply obfuscate that code section.

Hope that helps!

Link to comment
Share on other sites

Basic Windows Defender (or what ever its called now) has flagged *every* MSVenom payload I've thrown at it (no matter the encoding/encryption).

AV is starting to flag Veil, Empire, etc,  Ben0xA did a talk at this past Derbycon about running powershell on a machine where powershell.exe was removed and even doing it in memory.

http://www.irongeek.com/i.php?page=videos/derbycon6/106-powershell-secrets-and-tactics-ben0xa

(Plus he's a fun speaker)

Link to comment
Share on other sites

On 10/1/2016 at 10:57 PM, anode said:

Basic Windows Defender (or what ever its called now) has flagged *every* MSVenom payload I've thrown at it (no matter the encoding/encryption).

AV is starting to flag Veil, Empire, etc,  Ben0xA did a talk at this past Derbycon about running powershell on a machine where powershell.exe was removed and even doing it in memory.

http://www.irongeek.com/i.php?page=videos/derbycon6/106-powershell-secrets-and-tactics-ben0xa

(Plus he's a fun speaker)

That was a sensational presentation.  Some really cool stuff in there.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...