shimsam Posted May 6, 2016 Hi.. First post. Hope I don't break any rules.. I was playing around with Metasploit, and I wanted to get my hands on a way to avoid AV. So I tried crypters, and they may be good but not great. I saw a video, "DerbyCon 3 0 3202 Antivirus Evasion Lessons Learned Thelightcosine". I didn't just skip to the end to get my answer, which is how I can get my payloads FUD, because I enjoyed the video. Well.. So I understood it was either pay $5000 a year for Metasploit Pro and get my hands on Dynamic Payloads, or learn to code and make myself my own reverse TCP script that will be FUD. But I don't have the money or the skills. So I gave it up. No, I'm joking.. I found a Python script online. It's a server script that does the listening on the port, and a client script that makes the reverse TCP connection. It's working and all, but there is no point in just having a connection to the Windows command line. Metasploit has all those goodies that I can use... But the problem is that when I run it (the client script), I can't have it connect back to Metasploit, only to the Python "server" script. BTW I can have it connect to netcat, but the connection also breaks when I run a command like "cd c:\". I looked at the code and tried figuring out why, but the only reason I can think of is that netcat and Metasploit are supposed to be used with their own scripts. But I hope there is a way.. is there???
0phoi5 Posted May 6, 2016 (edited) Maybe this will help? Note, this isn't Metasploit, but if you're clever, you can do almost everything 'sploit can, or gather enough info to then use 'sploit. Reverse shell with the above method > Gather vulnerability details > Metasploit Edited May 6, 2016 by haze1434
0phoi5 Posted May 6, 2016 (edited) "there is no point in just having connection to windows command line" I just re-read your post. Perhaps that's where you already got the details from! I disagree though. Why not use the method you've already had success with to get CMD, then gather information to find an exploit you can use in 'sploit? For example, with CMD you can use...
wmic product list brief
... to get all of the software and version numbers of the target PC, then try and find an exploit in Metasploit for it. Think of the CMD reverse shell as recon, rather than the exploit itself. But you are perhaps underestimating CMD. Yes, whilst it's not as 'classy' as other tools, you can do a lot with CMD. Amend the registry, move files, open ports, etc. Edited May 6, 2016 by haze1434
ZaraByte Posted May 9, 2016 If you want it not to be detected, it's a matter of using obfuscation. With Python I'm not 100% sure on how to obfuscate that, but doing an EXE would be something pretty simple; a friend made a video on how to do that with an EXE. http://www.freecst.com/howto-hex-editing-bypass-antivirus/
shimsam Posted May 10, 2016 Author Thanks for the help.. Yeah, I know I can use Windows CMD to gather info.. But if I already have the ability to drop an EXE file on the machine and have them run it, I'd rather it be a payload that will give me access to everything, including transferring files. Thanks for the vid, I'll watch it.. I found C source code for a Reverse TCP Shell that works with Metasploit, but I don't understand C enough to change it to make it FUD. Maybe using the hex editing like in the video.
0phoi5 Posted June 1, 2016 Can't you get the CMD access and use...
wmic process where name="[Name of AV Program]" call terminate
?
0phoi5 Posted June 3, 2016 (edited) On 01/06/2016 at 2:44 PM, cooper said: "Does AV honour this request?" Good point. I believe maybe 60% of AV programs would honour the request if we send the command as admin. The rest would probably block it, but it'd be worth a try in the first instance. One could get the admin credentials using CMD by grabbing them from the SAM database (e.g. C:\WINDOWS\system32\config) and decrypting them. Again, this would depend on the password strength, but then a lot of hacks usually do. If this didn't work, I'd also try uninstalling the AV program using admin CMD. Maybe something like:
product where name="[Name of AV program]" call uninstall
or we could perhaps use wmic to get the reference for the program and then msiexec...
wmic product list brief
MsiExec.exe /X{0000-00000-00000-00000-00000} /qb
Worth a try! Just don't forget to clear those logs. Edited June 3, 2016 by haze1434 Amended script.
0phoi5 Posted June 16, 2016 One could also use...
netsh firewall set opmode disable
... in CMD, to disable the firewall.
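The wmic, msiexec and netsh one-liners traded in this thread are exactly the kind of command lines a blue team should alert on. As an added defensive example that is not from the thread, the Python below parses constructed Sysmon-style process-creation events (the "key: value | key: value" format, user names and the AV product name are all made up) and flags the command lines discussed above.

```python
import re

# Constructed sample events in an invented "key: value | key: value" layout
# modelled loosely on Sysmon Event ID 1 (process creation). Not real telemetry.
SAMPLE_EVENTS = [
    'EventID: 1 | User: CORP\\alice | Image: C:\\Windows\\System32\\wbem\\WMIC.exe | CommandLine: wmic  process where name="ExampleAV.exe" call terminate',
    'EventID: 1 | User: CORP\\bob | Image: C:\\Windows\\System32\\netsh.exe | CommandLine: netsh firewall set opmode disable',
    'EventID: 1 | User: CORP\\carol | Image: C:\\Windows\\System32\\wbem\\WMIC.exe | CommandLine: wmic product list brief',
    'EventID: 1 | User: CORP\\dave | Image: C:\\Windows\\System32\\msiexec.exe | CommandLine: MsiExec.exe /X{PLACEHOLDER-GUID} /qb',
    'EventID: 1 | User: CORP\\erin | Image: C:\\Windows\\System32\\notepad.exe | CommandLine: notepad.exe notes.txt',
]

# Detection rules: (rule name, regex applied to the normalised command line).
RULES = [
    ("av_process_terminate_via_wmic", r"\bwmic\b.*\bprocess\b.*\bcall\s+terminate\b"),
    ("software_uninstall_via_wmic", r"\bwmic\b.*\bproduct\b.*\bcall\s+uninstall\b"),
    ("silent_msi_uninstall", r"\bmsiexec(\.exe)?\b.*\s/x\{?[^\s}]+\}?.*\s/q"),
    ("firewall_disabled_via_netsh", r"\bnetsh\b.*\bfirewall\b.*\bset\s+opmode\s+disable\b"),
    ("software_inventory_via_wmic", r"\bwmic\b.*\bproduct\b.*\blist\b"),
]

def parse_event(line):
    """Split one sample event into a dict of its fields."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def normalise(cmd):
    """Collapse whitespace and lower-case so padding or casing tricks do not dodge the rules."""
    return re.sub(r"\s+", " ", cmd).strip().lower()

def detect(events):
    """Return (event index, user, rule name) for every event that matches a rule."""
    hits = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        cmd = normalise(ev.get("CommandLine", ""))
        for name, pattern in RULES:
            if re.search(pattern, cmd):
                hits.append((idx, ev.get("User", "?"), name))
    return hits

if __name__ == "__main__":
    for idx, user, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {user} -> {rule}")
```

The inventory rule is lower severity than the others, since `wmic product list brief` is also run by legitimate administrators; the terminate, uninstall and firewall rules warrant an immediate look.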