h0ner, posted August 21, 2016:

Hello fine people of the Hak5 forums. I have found myself with quite a substantial problem. The issue is that I have no idea how to change the hash of a program so that it can get around common anti-virus programs. Previously, when having to encrypt files (reverse TCP), I have just used Veil-Evasion, as I do not possess the skill and know-how to encrypt files on my own. Now today is the day that all that changes (with help from you guys, 'hopefully'). I have found myself with a problem that just using Veil ain't going to solve (well, to my knowledge at least), so I put it to you kind people of this great forum: how would I encrypt the file that I will link below?

- h0ner
digip, posted August 25, 2016 (edited August 25, 2016 by digip):

File signatures these days are still used, but many AVs can tell what a program does even without a sig to match against, via heuristics and various mathematical methods to assess the executable. What you really need to do is test with various AVs, and have the payload run only in memory, never touching disk, at least not as native executable code. Simple base64 or hexadecimal output with the string reversed will bypass most AV for transport, but it can't be run like this. You need to use something on the system to recode it back to an executable, but only in memory, and then execute it from there. Google PowerShell UAC bypasses and running programs in memory only via PowerShell (if on Windows): https://www.google.com/search?client=opera&q=how+to+make+a+program+run+in+memory+only+via+powershell&sourceid=opera&ie=UTF-8&oe=UTF-8

By the way, you should not upload executables to the forums. Mods need to remove it. https://www.virustotal.com/en-gb/file/7f11dabe46bf0af8973ce849194a587bd0ba1452e165faf028983f85b2b624c2/analysis/1472129530/
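The distinction digip draws (a byte signature versus a heuristic or "mathematical" assessment) can be made concrete by looking at the same bytes three ways: raw, base64-then-reversed for transport, and encrypted by a toy crypter stage. The following is an added example written for this page, not code from the thread or from digip. The marker string standing in for a vendor signature, the constructed sample file, the SHA-256 counter-mode XOR keystream and the 7.0 bits/byte entropy threshold are all assumptions made for the example; Shannon entropy is used as one representative heuristic because packed or encrypted data sits near 8 bits/byte while ordinary code and padding do not.

```python
"""Added example (not from the forum thread): the same bytes as a scanner sees
them, raw versus transport-encoded versus encrypted.

Shows that a plain byte signature stops matching once the bytes are encoded
or encrypted, that the encoding is lossless (so a loader can recover the
original in memory), and that an entropy heuristic still separates the
encrypted blob from the original. Signature, sample and threshold are
assumptions chosen for this example.
"""
import base64
import hashlib
import math
from collections import Counter

# Constructed sample: "MZ" header, NOP sled, a marker standing in for the
# bytes a vendor signature would match on, then zero padding.
SIGNATURE = b"EXAMPLE-SIGNATURE-BYTES"
SAMPLE_EXE = b"MZ" + b"\x90" * 200 + SIGNATURE + b"\x00" * 300


def transport_encode(data: bytes) -> str:
    """base64, then reverse the text. Reversing also hides the familiar
    'TVqQ' prefix that base64-encoded PE files start with."""
    return base64.b64encode(data).decode("ascii")[::-1]


def transport_decode(text: str) -> bytes:
    """Inverse of transport_encode: un-reverse, then base64-decode."""
    return base64.b64decode(text[::-1])


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy crypter stage: XOR with SHA-256(key || offset) blocks. Symmetric,
    so the same call decrypts. Illustrative only, not a real cipher design."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def signature_hits(buf: bytes, sig: bytes = SIGNATURE) -> bool:
    """The signature-matching view: is the known byte pattern present?"""
    return sig in buf


def assess(buf: bytes, threshold: float = 7.0) -> dict:
    """The two views side by side: signature match yes/no, and whether the
    blob's entropy is in the range crypters and packers typically produce.
    The 7.0 bits/byte threshold is an assumption for this example."""
    e = shannon_entropy(buf)
    return {"signature": signature_hits(buf),
            "entropy": round(e, 2),
            "high_entropy": e > threshold}


if __name__ == "__main__":
    raw = SAMPLE_EXE
    b64 = transport_encode(raw).encode("ascii")
    enc = xor_keystream(raw, b"example-key")
    assert transport_decode(b64.decode("ascii")) == raw
    assert xor_keystream(enc, b"example-key") == raw
    for name, blob in (("raw", raw), ("base64+reverse", b64), ("xor", enc)):
        print(f"{name:15} {assess(blob)}")
```

Run as a script it prints the three assessments: only the raw buffer matches the signature, the base64 text is low-entropy (a 64-character alphabet caps it at 6 bits/byte) but useless until decoded, and the XOR output defeats the signature while standing out on entropy, which is the trade-off the thread goes on to discuss.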
anode, posted August 27, 2016:

shellter
h0ner (author), posted September 3, 2016:

Thanks a lot digip, that was very helpful :)
netzwerg, posted September 29, 2016:

Depends on what you are trying to do on the endpoint. If you are trying to deploy a pre-compiled executable into which you want to embed shellcode, then something like shellter (as mentioned by @anode) is a good choice. I have used it to deploy PuTTY with an embedded meterpreter reverse_tcp shell to an endpoint. The handy thing is that shellter can keep the executable functional, which is really cool when used with PuTTY, when you consider that it is used by IT professionals, and they make for good targets (holding the keys to the kingdom and all).

If you want to take an existing executable and make it bypass AV, then you can use any number of packers and/or crypters. One that I have had a lot of success with recently was Hyperion.

As @digip says, there are other ways that ensure that executables don't even land on the endpoint. An example of this is the reflective DLL injection used by the Invoke-Mimikatz.ps1 PowerShell script, which was demonstrated by Hak5 with the USB-RD in their 15-second credential hack, a la Mr Robot.
0phoi5, posted September 29, 2016:

Exactly what digip said. If you specifically wish to know what software/scripts are capable of changing a malicious file's signature, then look at Shellter, Veil-Evasion and msfvenom.
pentestgeek, posted September 29, 2016:

If you want to get around any antivirus you simply need to identify which part of the file contains a malicious signature and alter the signature, using the method described here: https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm

You disassemble a binary file into raw ASM, manually obfuscate each section of the code until all existing signatures have been changed, then repackage the binary. You could call this the point-and-spray machine gun method.

A more surgical method would be to take each individual chunk of ASM and create individual compiled binaries off of them. Point the AV you wish to bypass at the smaller chunks and see which one triggers the malicious signature. Then you can take the original binary and simply obfuscate that code section.

Hope that helps!
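The "surgical" method above is a search problem: which contiguous stretch of the file is sufficient to trip the scanner? The following is an added example written for this page, not code from pentestgeek's article or from the thread, and it generalizes the per-chunk approach to a binary search over byte offsets: find the shortest prefix the scanner still flags, then trim from the front until it stops flagging, and the bytes in between are one signature region. Zeroing that region and repeating finds further signatures. The scanner used here is a stand-in substring matcher and the sample file is constructed; against a real AV you would replace `flagged` with a function that writes the slice to disk or hands it to a command-line scanner and reads back the verdict. The approach assumes the detection is contiguous and monotone (a larger slice containing a flagged slice is still flagged), which holds for byte-pattern signatures but not for heuristics that need a parseable PE header or an emulated run.

```python
"""Added example (not from the thread): locate the bytes a signature-based
scanner keys on by bisecting the file, then mask and repeat to find more.

`make_signature_scanner` is a stand-in for the AV engine; swap in a function
that scans a slice with the real product. Sample file and marker strings are
constructed for this example.
"""
from typing import Callable, List, Optional, Tuple

Scanner = Callable[[bytes], bool]


def make_signature_scanner(signatures: List[bytes]) -> Scanner:
    """Stand-in for an AV engine: flags a buffer if any signature is present."""
    return lambda buf: any(sig in buf for sig in signatures)


def locate_signature(buf: bytes, flagged: Scanner) -> Optional[Tuple[int, int]]:
    """Return (start, end) of one contiguous region sufficient to trigger
    `flagged`, or None if the whole buffer is clean.

    Assumes contiguous, monotone detection (a superset of flagged bytes is
    still flagged); byte-pattern signatures behave this way, heuristics that
    need a whole PE header or an emulated run may not."""
    if not flagged(buf):
        return None
    # Phase 1: shortest prefix that is still flagged gives the end offset.
    lo, hi = 0, len(buf)            # invariant: buf[:lo] clean, buf[:hi] flagged
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if flagged(buf[:mid]):
            hi = mid
        else:
            lo = mid
    end = hi
    # Phase 2: largest start such that buf[start:end] is still flagged.
    lo, hi = 0, end                 # invariant: buf[lo:end] flagged, buf[hi:end] clean
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if flagged(buf[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo, end


def locate_all(buf: bytes, flagged: Scanner, max_regions: int = 16) -> List[Tuple[int, int]]:
    """Find several regions: after each hit, overwrite it with zeros (standing
    in for 'obfuscate that code section') and scan again until the buffer is
    clean or max_regions is reached. Returns offsets into the original file."""
    work = bytearray(buf)
    regions: List[Tuple[int, int]] = []
    while len(regions) < max_regions:
        hit = locate_signature(bytes(work), flagged)
        if hit is None:
            break
        start, end = hit
        regions.append(hit)
        work[start:end] = b"\x00" * (end - start)
    return regions


# Constructed sample: filler with two marker strings standing in for the
# byte sequences a vendor signature would match on.
SIG_A = b"SIGNATURE-ALPHA"
SIG_B = b"SIGNATURE-BRAVO"
SAMPLE = b"\x90" * 1000 + SIG_A + b"\xcc" * 500 + SIG_B + b"\x00" * 250
SCANNER = make_signature_scanner([SIG_A, SIG_B])

if __name__ == "__main__":
    for start, end in locate_all(SAMPLE, SCANNER):
        print(f"flagged bytes at 0x{start:x}-0x{end:x}: {SAMPLE[start:end]!r}")
```

Each phase costs about log2(file size) scans, so a few megabytes of binary needs a few dozen scanner invocations per signature rather than one compiled test binary per ASM chunk. The offsets it returns are what you would then look up in the disassembly to decide what to rewrite.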
anode, posted October 1, 2016:

Basic Windows Defender (or whatever it's called now) has flagged *every* msfvenom payload I've thrown at it (no matter the encoding/encryption). AV is starting to flag Veil, Empire, etc. Ben0xA did a talk at this past DerbyCon about running PowerShell on a machine where powershell.exe was removed, and even doing it in memory. http://www.irongeek.com/i.php?page=videos/derbycon6/106-powershell-secrets-and-tactics-ben0xa (Plus he's a fun speaker.)
netzwerg, posted October 3, 2016:

On 10/1/2016 at 10:57 PM, anode said:

    Basic Windows Defender (or whatever it's called now) has flagged *every* msfvenom payload I've thrown at it (no matter the encoding/encryption). AV is starting to flag Veil, Empire, etc. Ben0xA did a talk at this past DerbyCon about running PowerShell on a machine where powershell.exe was removed, and even doing it in memory. http://www.irongeek.com/i.php?page=videos/derbycon6/106-powershell-secrets-and-tactics-ben0xa (Plus he's a fun speaker.)

That was a sensational presentation. Some really cool stuff in there.