Hack Like a Pro: How to Evade AV Software with Shellter

How to Evade AV Software with Shellter

Welcome back, my tenderfoot hackers!

One key area on the minds of all hackers is how to evade security devices such as an intrusion detection system (IDS) or antivirus (AV) software. This is not an issue if you create your own zero-day exploit, or capture someone else's zero-day. However, if you are using someone else's exploit or payload, such as one from Metasploit or Exploit-DB, the security devices are likely to detect it and spoil all your fun.

Security software largely works by recognizing a signature of malicious software. If you can change the signature of your malware, payload, or shellcode, it will likely get past the AV software and other security devices.

I have written tutorials on using Veil-Evasion and Metasploit's msfvenom to re-encode payloads to get past these devices, but no method is foolproof. The more options you have to re-encode your malware, the better chance you have of re-encoding malware to get past these devices.

In this tutorial, we will be using Shellter. From my experience, it has proven more effective in re-encoding payloads to get past AV software than the other options.

How Shellter Works

Shellter is capable of re-encoding any native 32-bit standalone Windows application. Since we are trying to avoid AV detection, we need avoid anything that might look suspicious to AV software such as packed applications or applications that have more than one section containing executable code.

Shellter is capable of taking any of these 32-bit Windows applications and embedding shellcode, either your custom payload or one available from such applications as Metasploit, in a way that is very often undetectable by AV software. Since you can use any 32-bit application, you can create almost an infinite number of signatures making it nearly impossible for AV software to detect.

Step 1: Download & Install Shellter

The first step, of course, is to download and install Shellter. I will be running it on a Windows system, but Shellter can be run on Kali using Wine. I find that it is faster and easier to run Shellter in its native Windows environment. You can download Shellter here.

Step 2: Start Shellter

Now that you have downloaded and installed Shellter, click on the executable in the Shellter directory. This should start the Shellter application like below.

Step 3: Move a Windows Binary to the Shellter Directory

To test the effectiveness of Shellter at obfuscating the nature of a file, we will be using a well-known malicious file to AV software. And that would be sbd.exe, a Netcat clone that has all the capabilities of Netcat, but also has the ability to encrypt the connection with AES.

We will be embedding it with a Meterpreter payload from Metasploit. In essence, we will be taking a known 32-bit .exe file, embedding it with a known Meterpreter payload, and seeing whether AV software will detect either. I think that this is an excellent test of Shellter's capabilities as detection of either will trigger the AV software. Both will need to be obfuscated to bypass the AV scan.

You can get sbd.exe in the Windows binaries directory in Kali at:

kali > cd /usr/share/windows-binaries

kali > ls -l

Copy sdb.exe to the same directory as Shellter on the Windows system for simplicity.

Step 4: Run Shellter

Now let's go back to our Shellter application. Enter A (Auto) for the operation mode and N (no) for a version update. Since we just downloaded the current version, we don't need to update Shellter.

Shellter will prompt you to enter the file that it is to re-encode. In our case, it is sbd.exe. Remember, it only accepts 32-bit standalone applications.

PE Target: sbd.exe

If your PE (portable executable) file is some place other than the Shellter directory, you will need to provide the absolute path here. Then just hit enter and Shellter begins its work.

It eventually stops and, once again, prompts you for the type of payload you want to embed in the file. Choose L for "listed". Then, select 1 for the "meterpreter_reverse_tcp" payload.

You will next be prompted for the LHOST (local) IP and the LPORT. Enter the IP of the local machine and any port you want. Then hit enter.

Step 5: Embedding & Re-Encoding

After a few minutes, Shellter completes the PE checksum and verification.

When the verification is complete, your file is ready!

Step 6: Test for Detection

Now that we have created the obfuscated shellcode, this is the moment of truth. We need to test to see whether AV software can detect it.

On this system, I am using the Vipre AV software. I placed the re-encoded .exe file in a folder named "Exe folder" on my desktop, so let's scan just that folder with Vipre and see how well Shellter hid the malicious intent of that file.

This scan only took a few seconds and Vipre does not detect any malicious files in the folder with sbd.exe. Success! Our malicious software is undetected by THIS AV software!

This, of course, does not mean that all AV software will be unable to detect the malicious nature of our file. AV software from different publishers use different signatures and methods for detection. Some may be be able to detect the true nature of this file, but the key is to find an obfuscation technique that gets past the AV on the system you are targeting. This might require multiple attempts with different files, different encoding, and different payloads. Eventually, you are likely to find at least one combination that works.

True hackers are nothing if not persistent.

Step 7: Create Listener on Kali

Now that we know the malicious shellcode is undetectable by at least Vipre, we can send the file to the target system. Before it is executed, we need to open a listener on our Kali system to connect.

We can use Metasploit's multi-handler for this purpose. Start by opening the msfconsole by typing:

kali > msfconsole

Then, use the multi-handler exploit and set the payload (windows/meterpreter/reverse_tcp), then set the local host (LHOST) and local port (LPORT) to the same as that embedded in your application above.

Finally, type exploit and the multi-handler will "catch" the connection from the payload when it is executed on the target, opening a Meterpreter shell unbeknownst to the AV software and the targeted user!

Now with a Meterpreter prompt on the target system, we can use any of the Meterpreter commands or scripts on that system to gain complete control.

Shellter is just one more tool to evade AV software, but it may be the best. No one method works against all intrusion detection systems and antivirus software, but this one should be in your toolbox. We will continue to explore the capabilities of Shellter and other AV evasion software, so keep coming back, my tenderfoot hackers!

24 Comments

It would be really hilarious if OTW wins the contest. XD

OTW is not eligible to win the contest.

It would still be hilarious. But nice tutorial as always. :)

Did you update your AV database before running the scans on the encoded payloads?

-Phoenix750

OCCUPYTHEWEB:

Don't worry man, Phoenix750 is a well known Veil-lover and keeps questioning everyone that says anything that doesn't make it look great.

Instead of scanning their output with AVs in order to see if their work makes any sense, they tell you not to upload their stuff on online viruscanners. This shows how much confidence they have in their own work.

However, it's better to use nodistribute.com as I can understand their claims up to a certain point.
I've seen Phoenix750 being really rude to someone that tested on virustotal an executable produced by veil.

Veil is a very nice tool, nobody denies that, but what makes me angry is that they never accept their mistakes and failures. Never!

Probably this is also why they don't get any better. They think that by displaying a message telling to the user not to scan the executable online, they solve a problem. Ridiculous!

You can't clean up the dust by pushing it under the carpet. Soon or later someone will notice. :)

Since when am I a veil lover? I never even stated that! In fact, veil has failed me many times. I'm FAR from liking it!

I simply asked if he updated his AV database because the "2012" next to the AV brand makes me worried. I'd ask the exact same question if OTW used veil/msfvenom/whatever. Please don't assume things just because I lost it one time when someone uploaded their encoded payload to a virus scanner (for which I apologised, but I guess you just chose to ignore that fact (oh, and I'd also probably lose it if that person uploaded a shellter payload, but I guess you also chose to just ignore that fact aswell)).

-Phoenix750

A close examination would reveal in the Vipre clean results screenshot a line that shows the current version of the virus definitions had been updated on Feb. 8, 2016.

I stand by my deleted comment that the question was insulting.

I'm sorry if it came out as offensive. It was never my intent to insult you in any way.

I see now. I didn't maximize the pictures last time I checked them. Again, I'm sorry for the inconvenience.

-Phoenix750

You have a point. I take back what I said about you specifically. ;0)

otw, i just update sbd.exe.bak to virustotal... and it shows it's malicious.
What do you think of it? Anyway, my own AV software does't think it a virus:) Here's the screenshot from virustoatal!

Blue:

As Fox says, don't use VirusTotal!

Second, sbd.exe.bak is the original file, not the re-encoded file. Of course, it is malicious.

ok. So where can i find that re-encoded file? the sbd.exe in shellter dir?

Remember to not use VirusTotal!

-Phoenix750

RMEMERROR0 || Please Report To Author.

LastErrorCode: 5

That's what I get after setting the LPORT. Lucky me...

My bad, it works on windows, but not Linux. So how am I supposed to set the LHOST if when I restart the computer, it changes ?

It works in Linux if you use wine. Please see Step #1

You can use it in Linux with wine.

RTFM!

Hello OTW,

I have been following your tutorials and posts for quite some time now and i really love them. Aspiring to be a white hat one day, this provided the perfect opportunity to gain valuable skills. I had a 2 questions that i wonder after almost every tutorial,

  1. Why don't you post any tutorials about hacking a Mac system/OSX? I understand that they are considerably harder to hack and majority of the computers used are Windows based, but it would be useful to know how to hack a Mac/OSX (in my opinion of course)
  2. Will any windows based exploits, eg. meterpreter/reverse tcp, work on a Mac/OSX running Windows using Parallels?

Thanks

Hello guys :)

Thank for the great tutorial, everything works and its a great tool to have in the arsenal.

I understand the need for a bit of SE to make the target open the file, but one would have a greater chance of success if the file type was not an executable imo so can anyone pls help and point me in the right direction for solving or letting me know if the following is possible to do...

  1. Embedding the exe in a pdf/doc file, and have it run in background mode, so as not alert the "target".
  1. Obfuscating the file.
  1. Some newer versions don't recognize a W7 putty.exe, and prompts the user before executing, any suggestions to a generic file one could use?

Thank you and keep up the fantastic effort to build the best forum of this type.

MG

PS I have of course read and tried the solutions offered in tutorials on the site first incl. the msf adobe embed pdf exploit, route...

Ive tried shellter on a few payloads. For some reason only set toolkit made payloads work for me. Not msfvenom. Im sure its a user problem though. I tried on avira which did not detect it when I used a winrar setup file. But avast did pick it up. So that just goes to show remember to do your recon, As some antiviruses work better. Im probably going to stick with avast now thanks to that test.

This method can be used on android apk..?

Share Your Thoughts

  • Hot
  • Latest