All language subtitles for [English (auto-generated)] Mastering AV Evasion with Shellter _ Advanced Red Teaming Tactics _ Antivirus & Malware Evasion [DownSub.com]
1
00:00:00,080 --> 00:00:02,480
where we will be introducing you to how
2
00:00:02,480 --> 00:00:04,480
antivirus solutions work and how they
3
00:00:04,480 --> 00:00:06,960
detect malware as well as how they can
4
00:00:06,960 --> 00:00:09,360
be evaded. All right. So, in this
5
00:00:09,360 --> 00:00:11,360
specific video, we're going to be taking
6
00:00:11,360 --> 00:00:14,080
a look at a very simple example
7
00:00:14,080 --> 00:00:16,800
whereby we'll be injecting reverse shell
8
00:00:16,800 --> 00:00:19,720
shellcode into a legitimate Windows
9
00:00:19,720 --> 00:00:21,920
executable. And that will serve two
10
00:00:21,920 --> 00:00:23,760
functions. Number one, it'll make the
11
00:00:23,760 --> 00:00:26,960
actual final executable look
12
00:00:26,960 --> 00:00:29,199
legitimate because, for example, we
13
00:00:29,199 --> 00:00:30,960
can actually take a look at how
14
00:00:30,960 --> 00:00:33,200
to inject our reverse shell
15
00:00:33,200 --> 00:00:35,920
shellcode into a program like WinRAR or
16
00:00:35,920 --> 00:00:38,239
Google Chrome, and again, as I said,
17
00:00:38,239 --> 00:00:39,760
that serves two functions. It will make
18
00:00:39,760 --> 00:00:41,680
it look legitimate so that the end user
19
00:00:41,680 --> 00:00:44,160
or your target will not be able to tell
20
00:00:44,160 --> 00:00:45,760
outright that that program is
21
00:00:45,760 --> 00:00:48,079
malicious, and secondly, this is an actual
22
00:00:48,079 --> 00:00:51,120
antivirus evasion technique, and this is
23
00:00:51,120 --> 00:00:53,199
pertinent to signature-based detection.
24
00:00:53,199 --> 00:00:55,120
So, we're really going to be focused on
25
00:00:55,120 --> 00:00:57,199
the fundamentals within this section and
26
00:00:57,199 --> 00:00:58,800
within this course primarily because
27
00:00:58,800 --> 00:01:01,359
antivirus evasion or defense evasion in
28
00:01:01,359 --> 00:01:04,000
general is a very complex topic that is
29
00:01:04,000 --> 00:01:06,240
multi-tiered and involves multiple
30
00:01:06,240 --> 00:01:08,720
techniques and tools, and of course you
31
00:01:08,720 --> 00:01:10,560
also have to take into consideration the
32
00:01:10,560 --> 00:01:14,080
vast number of EDRs or antivirus
33
00:01:14,080 --> 00:01:16,720
solutions out there. So, you might be
34
00:01:16,720 --> 00:01:18,400
asking yourself, well, why does all of
35
00:01:18,400 --> 00:01:20,159
this matter? Well, you know, if we are
36
00:01:20,159 --> 00:01:22,880
able to generate an executable that
37
00:01:22,880 --> 00:01:25,040
when executed provides us with a reverse
38
00:01:25,040 --> 00:01:28,439
shell, that may evade Windows
39
00:01:28,439 --> 00:01:31,280
Defender, but it might not evade
40
00:01:31,280 --> 00:01:33,759
Malwarebytes, for example. So again,
41
00:01:33,759 --> 00:01:35,600
given the fact that the
42
00:01:35,600 --> 00:01:37,759
actual landscape, or the
43
00:01:37,759 --> 00:01:40,880
digital IT industry currently has more
44
00:01:40,880 --> 00:01:43,520
than 100 antivirus solutions out there,
45
00:01:43,520 --> 00:01:46,399
it can be a very, very complex process.
46
00:01:46,399 --> 00:01:48,000
So, we're essentially going to be
47
00:01:48,000 --> 00:01:49,920
focused on the fundamentals
48
00:01:49,920 --> 00:01:52,000
here. And as I said in this example,
49
00:01:52,000 --> 00:01:53,360
we're going to be taking a look at how
50
00:01:53,360 --> 00:01:56,640
to evade very basic signature-based
51
00:01:56,640 --> 00:01:59,439
antivirus solutions by injecting our
52
00:01:59,439 --> 00:02:02,000
malicious shellcode, our malicious
53
00:02:02,000 --> 00:02:04,079
reverse shell shellcode into a
54
00:02:04,079 --> 00:02:07,360
legitimate executable with Shellter. So,
55
00:02:07,360 --> 00:02:08,959
before we actually get started, let's
56
00:02:08,959 --> 00:02:10,879
get an understanding of defense evasion
57
00:02:10,879 --> 00:02:13,760
as a topic. Right. So this definition is
58
00:02:13,760 --> 00:02:15,680
one I actually pulled from the MITRE
59
00:02:15,680 --> 00:02:17,760
website and the reason I did that is
60
00:02:17,760 --> 00:02:20,520
because it perfectly encapsulates the
61
00:02:20,520 --> 00:02:23,599
complexity of this topic. So defense
62
00:02:23,599 --> 00:02:26,000
evasion consists of techniques that
63
00:02:26,000 --> 00:02:28,239
adversaries use to avoid detection
64
00:02:28,239 --> 00:02:30,319
throughout their compromise. Techniques
65
00:02:30,319 --> 00:02:32,080
used for defense evasion include
66
00:02:32,080 --> 00:02:34,319
uninstalling or disabling the security
67
00:02:34,319 --> 00:02:37,760
software or the antivirus or obfuscating
68
00:02:37,760 --> 00:02:40,000
or encrypting data and scripts.
69
00:02:40,000 --> 00:02:42,160
Adversaries also leverage and abuse
70
00:02:42,160 --> 00:02:44,160
trusted processes to hide and masquerade
71
00:02:44,160 --> 00:02:46,480
their malware. Now, the area that we're
72
00:02:46,480 --> 00:02:49,040
focusing on here is obfuscation and
73
00:02:49,040 --> 00:02:50,959
encryption. Right? So what we're trying
74
00:02:50,959 --> 00:02:52,879
to do is we're trying to change the
75
00:02:52,879 --> 00:02:55,680
signature of the malicious executable
76
00:02:55,680 --> 00:02:58,160
that we're generating. So for example,
77
00:02:58,160 --> 00:03:00,560
if I generate a Meterpreter payload with
78
00:03:00,560 --> 00:03:03,920
msfvenom, if you transfer that onto a
79
00:03:03,920 --> 00:03:05,760
Windows system, a modern Windows system
80
00:03:05,760 --> 00:03:08,319
like Windows 10, that will be detected
81
00:03:08,319 --> 00:03:11,120
immediately. Well, why is that? How
82
00:03:11,120 --> 00:03:13,120
does an antivirus solution actually know
83
00:03:13,120 --> 00:03:15,440
that that is malicious? Well, that can
84
00:03:15,440 --> 00:03:17,680
be explained by getting an understanding
85
00:03:17,680 --> 00:03:19,840
of the various antivirus detection
86
00:03:19,840 --> 00:03:22,400
methods. So, antivirus software will
87
00:03:22,400 --> 00:03:25,120
typically utilize signature, heuristic and
88
00:03:25,120 --> 00:03:27,360
behavior-based detection. So, let's get
89
00:03:27,360 --> 00:03:29,440
started with signature-based detection
90
00:03:29,440 --> 00:03:32,319
first. So this is the oldest and most
91
00:03:32,319 --> 00:03:34,480
commonly used detection method and it's
92
00:03:34,480 --> 00:03:36,400
still used by antivirus solutions out
93
00:03:36,400 --> 00:03:38,640
there, even extremely powerful
94
00:03:38,640 --> 00:03:41,040
antivirus solutions, one of which is
95
00:03:41,040 --> 00:03:43,360
Windows Defender. But Windows Defender
96
00:03:43,360 --> 00:03:45,680
and some of the really
97
00:03:45,680 --> 00:03:47,159
advanced commercial
98
00:03:47,159 --> 00:03:49,599
antiviruses actually use a combination
99
00:03:49,599 --> 00:03:52,000
of more than one of these detection
100
00:03:52,000 --> 00:03:54,159
methods to ensure that they're able to
101
00:03:54,159 --> 00:03:57,519
uniquely or rather accurately identify
102
00:03:57,519 --> 00:03:59,519
malware whenever it's downloaded onto
103
00:03:59,519 --> 00:04:02,000
your system or whenever an attacker
104
00:04:02,000 --> 00:04:03,680
is able to get that malware
105
00:04:03,680 --> 00:04:06,480
onto your system. So the way signature
106
00:04:06,480 --> 00:04:09,040
based detection works is the antivirus
107
00:04:09,040 --> 00:04:11,680
software has a database of virus
108
00:04:11,680 --> 00:04:14,239
signatures or malware signatures, right?
109
00:04:14,239 --> 00:04:17,440
And so what is an antivirus or a
110
00:04:17,440 --> 00:04:20,000
malware or virus signature? A virus
111
00:04:20,000 --> 00:04:23,440
signature is a unique sequence of bytes
112
00:04:23,440 --> 00:04:26,320
or rather a unique string of text that
113
00:04:26,320 --> 00:04:29,840
uniquely identifies malware or files or
114
00:04:29,840 --> 00:04:32,320
executables that are malicious. Right,
115
00:04:32,320 --> 00:04:34,479
now, how is this signature generated?
116
00:04:34,479 --> 00:04:36,960
Well, again, the easiest way that
117
00:04:36,960 --> 00:04:39,680
this is done is to just generate a hash
118
00:04:39,680 --> 00:04:41,840
of that executable or to get the hash
119
00:04:41,840 --> 00:04:44,560
value of that executable, right? And
120
00:04:44,560 --> 00:04:46,560
I'll not dive into that right
121
00:04:46,560 --> 00:04:48,639
now because that's really not within the
122
00:04:48,639 --> 00:04:52,160
scope of this course itself. But the
123
00:04:52,160 --> 00:04:54,000
way this works is whenever there's a new
124
00:04:54,000 --> 00:04:55,680
virus that has been developed or you
125
00:04:55,680 --> 00:04:57,759
know, for example, new ransomware, the
126
00:04:57,759 --> 00:05:00,960
antivirus company will actually have
127
00:05:00,960 --> 00:05:04,000
one of their engineers go ahead and
128
00:05:04,000 --> 00:05:05,919
download that malware sample into a
129
00:05:05,919 --> 00:05:08,479
secured environment. What they
130
00:05:08,479 --> 00:05:10,560
will then do is analyze it and part of
131
00:05:10,560 --> 00:05:12,800
their analysis, and that's malware
132
00:05:12,800 --> 00:05:15,199
analysis, will actually consist of
133
00:05:15,199 --> 00:05:17,440
generating a signature, a unique
134
00:05:17,440 --> 00:05:20,080
signature that uniquely identifies that
135
00:05:20,080 --> 00:05:22,720
malware. That signature is then what is
136
00:05:22,720 --> 00:05:25,360
included within the antivirus solution's
137
00:05:25,360 --> 00:05:27,840
signature database. So whenever you
138
00:05:27,840 --> 00:05:29,919
download and install an antivirus
139
00:05:29,919 --> 00:05:32,320
solution that utilizes signature-based
140
00:05:32,320 --> 00:05:35,199
detection, it comes with a database of
141
00:05:35,199 --> 00:05:38,080
signatures. So let's take a look at a
142
00:05:38,080 --> 00:05:40,320
simple example. If I download Google
143
00:05:40,320 --> 00:05:41,919
Chrome for example, right? I download
144
00:05:41,919 --> 00:05:44,800
the Google Chrome setup. Once that file
145
00:05:44,800 --> 00:05:46,960
is saved on my disk, the antivirus
146
00:05:46,960 --> 00:05:49,280
solution goes to work and actually
147
00:05:49,280 --> 00:05:52,000
generates a hash of that executable and
148
00:05:52,000 --> 00:05:54,080
then compares that hash or that
149
00:05:54,080 --> 00:05:56,720
signature, if you will, to its own
150
00:05:56,720 --> 00:05:58,160
signatures within the signature
151
00:05:58,160 --> 00:06:00,560
database. If it matches, then that means
152
00:06:00,560 --> 00:06:03,280
that that executable is malware. If it
153
00:06:03,280 --> 00:06:05,280
doesn't find a match, then again
154
00:06:05,280 --> 00:06:06,880
it's not flagged as
155
00:06:06,880 --> 00:06:10,319
malware or as a virus. So in terms of
156
00:06:10,319 --> 00:06:12,960
evading signature-based detection, we
157
00:06:12,960 --> 00:06:15,440
can do this by modifying the malicious
158
00:06:15,440 --> 00:06:17,440
executable or the malware's byte
159
00:06:17,440 --> 00:06:19,360
sequence, therefore changing the
160
00:06:19,360 --> 00:06:21,840
signature. So whenever an exploit
161
00:06:21,840 --> 00:06:23,840
developer creates a new piece of malware
162
00:06:23,840 --> 00:06:26,960
or ransomware and a signature is
163
00:06:26,960 --> 00:06:29,360
generated or made for that particular
164
00:06:29,360 --> 00:06:32,400
piece of malware, that particular
165
00:06:32,400 --> 00:06:34,800
executable will be detected. So again,
166
00:06:34,800 --> 00:06:36,479
going back to the example of generating
167
00:06:36,479 --> 00:06:39,280
a Meterpreter payload with msfvenom. If
168
00:06:39,280 --> 00:06:41,520
I generate a Meterpreter payload with
169
00:06:41,520 --> 00:06:43,039
msfvenom, transfer it over to the
170
00:06:43,039 --> 00:06:45,520
target, the antivirus solution will
171
00:06:45,520 --> 00:06:47,280
pretty much have a signature that
172
00:06:47,280 --> 00:06:49,199
matches the actual signature
173
00:06:49,199 --> 00:06:52,160
or hash of the Meterpreter payload. But
174
00:06:52,160 --> 00:06:55,360
if we modify the byte sequence of that
175
00:06:55,360 --> 00:06:58,240
Meterpreter payload, the actual hash of
176
00:06:58,240 --> 00:07:00,880
that executable or Meterpreter payload
177
00:07:00,880 --> 00:07:03,440
changes. Consequently, meaning that if
178
00:07:03,440 --> 00:07:07,599
that new hash
179
00:07:07,599 --> 00:07:09,680
cannot be matched to an existing
180
00:07:09,680 --> 00:07:12,000
signature within the antivirus signature
181
00:07:12,000 --> 00:07:13,360
database, then it's not going to be
182
00:07:13,360 --> 00:07:15,280
flagged as malware. Now, as I said,
183
00:07:15,280 --> 00:07:17,759
antivirus companies have an extensive
184
00:07:17,759 --> 00:07:20,319
database of signatures. So you really
185
00:07:20,319 --> 00:07:22,000
have to
186
00:07:22,000 --> 00:07:24,160
be smart about what you're
187
00:07:24,160 --> 00:07:26,160
doing, and the easiest way in this
188
00:07:26,160 --> 00:07:28,880
particular case is to inject our
189
00:07:28,880 --> 00:07:30,680
shellcode that we will generate with
190
00:07:30,680 --> 00:07:33,199
Meterpreter into a legitimate
191
00:07:33,199 --> 00:07:36,000
executable. Therefore, masking, or
192
00:07:36,000 --> 00:07:38,720
generating a signature that,
193
00:07:38,720 --> 00:07:40,960
again, in most cases will not be
194
00:07:40,960 --> 00:07:43,759
included, or generating a new
195
00:07:43,759 --> 00:07:46,720
signature that is not part of
196
00:07:46,720 --> 00:07:49,800
an antivirus solution's signature
197
00:07:49,800 --> 00:07:52,240
database. So that's signature based
198
00:07:52,240 --> 00:07:54,400
detection. We then have heuristic-based
199
00:07:54,400 --> 00:07:56,479
detection. This relies on rules or
200
00:07:56,479 --> 00:07:58,800
decisions to determine whether a binary
201
00:07:58,800 --> 00:08:02,080
or executable is malicious. It also
202
00:08:02,080 --> 00:08:04,160
looks for specific patterns within the
203
00:08:04,160 --> 00:08:05,919
code or program calls that have been
204
00:08:05,919 --> 00:08:08,039
made by a particular
205
00:08:08,039 --> 00:08:10,479
executable. We then have behavior-based
206
00:08:10,479 --> 00:08:12,720
detection. This relies on identifying
207
00:08:12,720 --> 00:08:15,840
malware by monitoring its behavior. And
208
00:08:15,840 --> 00:08:18,000
this is typically used, or is very
209
00:08:18,000 --> 00:08:19,800
effective against new strains of
210
00:08:19,800 --> 00:08:22,400
malware. And again, the way behavior-
211
00:08:22,400 --> 00:08:24,960
based detection works is this
212
00:08:24,960 --> 00:08:27,360
particular system involves taking a look
213
00:08:27,360 --> 00:08:29,199
at what a program does when it's
214
00:08:29,199 --> 00:08:31,599
executed. Is it actually taking
215
00:08:31,599 --> 00:08:33,279
a look at the Windows registry? Is it
216
00:08:33,279 --> 00:08:34,959
doing anything that is considered
217
00:08:34,959 --> 00:08:37,360
suspicious? And if so, then that's going
218
00:08:37,360 --> 00:08:40,399
to be flagged as malicious, or it's
219
00:08:40,399 --> 00:08:42,560
going to be flagged as dangerous. Right?
220
00:08:42,560 --> 00:08:44,240
So these are the antivirus detection
221
00:08:44,240 --> 00:08:47,120
methods. Now, in terms of the evasion
222
00:08:47,120 --> 00:08:50,240
techniques, you can
223
00:08:50,240 --> 00:08:52,480
really categorize these into two or
224
00:08:52,480 --> 00:08:54,640
split them up into two, right? So you
225
00:08:54,640 --> 00:08:56,640
have on-disk evasion, and this is your
226
00:08:56,640 --> 00:08:58,560
typical scenario, right? When you
227
00:08:58,560 --> 00:09:00,560
generate a Meterpreter payload that
228
00:09:00,560 --> 00:09:02,160
needs to be transferred over to the
229
00:09:02,160 --> 00:09:05,440
target, and if it's then executed,
230
00:09:05,440 --> 00:09:06,720
if it's transferred
231
00:09:06,720 --> 00:09:08,160
over to the target it's going to be
232
00:09:08,160 --> 00:09:10,560
stored on the target system's disk. So
233
00:09:10,560 --> 00:09:12,800
this is where on-disk evasion techniques
234
00:09:12,800 --> 00:09:15,120
come into play. So whenever an
235
00:09:15,120 --> 00:09:17,519
executable or a malicious
236
00:09:17,519 --> 00:09:20,160
file is saved onto the disk, we
237
00:09:20,160 --> 00:09:22,399
actually need to utilize different
238
00:09:22,399 --> 00:09:24,800
evasion techniques as opposed to
239
00:09:24,800 --> 00:09:27,519
in-memory evasion techniques.
240
00:09:27,519 --> 00:09:30,320
So number one, in terms of on-disk
241
00:09:30,320 --> 00:09:32,240
evasion techniques, we have obfuscation.
242
00:09:32,240 --> 00:09:34,080
Obfuscation refers to the process of
243
00:09:34,080 --> 00:09:36,080
concealing something important, valuable
244
00:09:36,080 --> 00:09:38,959
or critical. And what obfuscation does
245
00:09:38,959 --> 00:09:41,200
is it reorganizes code in order to make
246
00:09:41,200 --> 00:09:43,040
it harder to analyze or to reverse
247
00:09:43,040 --> 00:09:45,600
engineer. You then have encoding, right?
248
00:09:45,600 --> 00:09:48,240
So encoding data is a process that
249
00:09:48,240 --> 00:09:50,640
involves the changing of data into a new
250
00:09:50,640 --> 00:09:53,680
format using an encoding scheme. An
251
00:09:53,680 --> 00:09:56,000
example of encoding is encoding a
252
00:09:56,000 --> 00:09:58,720
particular string of text into Base64.
253
00:09:58,720 --> 00:10:00,800
The problem with encoding is that it is
254
00:10:00,800 --> 00:10:03,440
easily reversible, right? Which means
255
00:10:03,440 --> 00:10:06,080
that if you
256
00:10:06,080 --> 00:10:08,720
actually identify a piece of code
257
00:10:08,720 --> 00:10:11,120
that's been encoded in Base64, if you can
258
00:10:11,120 --> 00:10:13,519
tell that it's been encoded in Base64,
259
00:10:13,519 --> 00:10:15,600
then you can decode it very easily.
260
00:10:15,600 --> 00:10:18,320
Right? So that's encoding. You then have
261
00:10:18,320 --> 00:10:20,560
packing. So packing essentially
262
00:10:20,560 --> 00:10:22,720
involves the process of generating an
263
00:10:22,720 --> 00:10:25,279
executable with a new binary structure
264
00:10:25,279 --> 00:10:27,120
with a smaller size and therefore
265
00:10:27,120 --> 00:10:28,640
provides the payload with a new
266
00:10:28,640 --> 00:10:32,160
signature. This is typically used by
267
00:10:32,160 --> 00:10:34,000
various malicious
268
00:10:34,000 --> 00:10:35,760
attackers whenever they're trying to
269
00:10:35,760 --> 00:10:38,240
generate executables that
270
00:10:38,240 --> 00:10:39,600
will consequently give them
271
00:10:39,600 --> 00:10:43,120
remote access to a system, etc.
272
00:10:43,120 --> 00:10:44,959
You then have cryptors. Cryptors
273
00:10:44,959 --> 00:10:47,120
essentially encrypt code
274
00:10:47,120 --> 00:10:49,279
or payloads and decrypt the encrypted
275
00:10:49,279 --> 00:10:52,560
code in memory. The decryption key
276
00:10:52,560 --> 00:10:55,519
or function is usually stored in a stub.
277
00:10:55,519 --> 00:10:57,920
So this is one of the techniques that is
278
00:10:57,920 --> 00:10:59,839
typically used by new strains of
279
00:10:59,839 --> 00:11:03,120
ransomware, whereby the
280
00:11:03,120 --> 00:11:06,160
actual code is encrypted, right? And
281
00:11:06,160 --> 00:11:09,519
whenever
282
00:11:09,519 --> 00:11:11,519
you come across encrypted code,
283
00:11:11,519 --> 00:11:14,480
you cannot decode that; you actually
284
00:11:14,480 --> 00:11:16,880
need the key, the actual decryption
285
00:11:16,880 --> 00:11:18,959
key, to decode it. And in the case of
286
00:11:18,959 --> 00:11:21,440
ransomware, only the ransomware
287
00:11:21,440 --> 00:11:24,160
developers have that key, and that's why
288
00:11:24,160 --> 00:11:26,399
whenever a system gets infected with
289
00:11:26,399 --> 00:11:28,800
ransomware, they ask you,
290
00:11:28,800 --> 00:11:30,399
they essentially ask you to pay a
291
00:11:30,399 --> 00:11:32,480
specific amount of money. They'll then
292
00:11:32,480 --> 00:11:35,120
send you the actual
293
00:11:35,120 --> 00:11:37,760
decryption key to decrypt your files,
294
00:11:37,760 --> 00:11:39,959
right? So that's how cryptors
295
00:11:39,959 --> 00:11:42,399
work. So those are on-disk evasion
296
00:11:42,399 --> 00:11:44,079
techniques. We then have
297
00:11:44,079 --> 00:11:47,240
your in-memory evasion techniques. So
298
00:11:47,240 --> 00:11:50,720
in the context of antivirus evasion,
299
00:11:50,720 --> 00:11:53,040
in-memory evasion techniques focus
300
00:11:53,040 --> 00:11:55,839
on manipulation of memory and does not
301
00:11:55,839 --> 00:11:58,160
write files to disk. It involves
302
00:11:58,160 --> 00:12:00,480
injecting payloads into a process by
303
00:12:00,480 --> 00:12:03,519
leveraging various Windows APIs, and
304
00:12:03,519 --> 00:12:05,440
again, the payload is then
305
00:12:05,440 --> 00:12:07,920
executed in memory in a
306
00:12:07,920 --> 00:12:10,240
separate thread. So this involves
307
00:12:10,240 --> 00:12:13,760
evading antivirus detection
308
00:12:13,760 --> 00:12:16,079
in memory, right? So this is an advanced
309
00:12:16,079 --> 00:12:17,839
technique that we will not be
310
00:12:17,839 --> 00:12:20,079
covering within this section, probably in
311
00:12:20,079 --> 00:12:22,040
an advanced course or
312
00:12:22,040 --> 00:12:24,160
certification. All right. So let's
313
00:12:24,160 --> 00:12:25,680
actually take a look at how we can
314
00:12:25,680 --> 00:12:28,320
inject shellcode into a
315
00:12:28,320 --> 00:12:31,360
legitimate executable and
316
00:12:31,360 --> 00:12:33,440
how that can be used to evade
317
00:12:33,440 --> 00:12:36,639
a very basic
318
00:12:36,639 --> 00:12:39,519
antivirus detection. And in this case,
319
00:12:39,519 --> 00:12:40,959
what we'll be doing is we'll be trying
320
00:12:40,959 --> 00:12:43,200
to evade Windows Defender on a
321
00:12:43,200 --> 00:12:46,480
Windows 7 system. So this video does
322
00:12:46,480 --> 00:12:48,399
not have a lab environment attached to
323
00:12:48,399 --> 00:12:50,720
it. As I said, you can follow
324
00:12:50,720 --> 00:12:52,240
along and take a look at the various
325
00:12:52,240 --> 00:12:54,160
tools I'm using. All of these tools
326
00:12:54,160 --> 00:12:56,079
can be installed on Kali Linux without
327
00:12:56,079 --> 00:12:58,560
any issue and you can try and replicate
328
00:12:58,560 --> 00:13:00,959
this within your own lab environment. So
329
00:13:00,959 --> 00:13:03,120
I'll just switch over to my Kali VM and
330
00:13:03,120 --> 00:13:06,680
we can get started.
331
00:13:08,320 --> 00:13:11,680
All right. So, I'm back on my Kali VM
332
00:13:11,680 --> 00:13:13,680
and let's get an introduction to
333
00:13:13,680 --> 00:13:15,600
Shellter because that's the
334
00:13:15,600 --> 00:13:17,600
actual tool we're going to be using.
335
00:13:17,600 --> 00:13:19,600
Now, you can install Shellter on Kali
336
00:13:19,600 --> 00:13:22,000
Linux, as the package is a part of the
337
00:13:22,000 --> 00:13:24,079
official Kali Linux repositories, but
338
00:13:24,079 --> 00:13:25,839
you can head over to
339
00:13:25,839 --> 00:13:28,240
shellterproject.com to learn more about
340
00:13:28,240 --> 00:13:30,160
Shellter and how it works. So, let's get
341
00:13:30,160 --> 00:13:32,079
an introduction to Shellter. All right.
342
00:13:32,079 --> 00:13:34,480
So, Shellter is a dynamic shellcode
343
00:13:34,480 --> 00:13:36,800
injection tool and the first truly
344
00:13:36,800 --> 00:13:40,079
dynamic portable executable
345
00:13:40,079 --> 00:13:42,560
infector ever created. It can be used
346
00:13:42,560 --> 00:13:44,160
in order to inject shellcode into
347
00:13:44,160 --> 00:13:46,079
native Windows applications, currently
348
00:13:46,079 --> 00:13:48,240
32-bit applications only. So, keep that
349
00:13:48,240 --> 00:13:50,480
in mind. The shellcode can be something
350
00:13:50,480 --> 00:13:52,880
yours or something generated through a
351
00:13:52,880 --> 00:13:55,440
framework such as Metasploit.
352
00:13:55,440 --> 00:13:57,519
Shellter takes advantage of the original
353
00:13:57,519 --> 00:13:59,360
structure of the portable executable
354
00:13:59,360 --> 00:14:02,320
file and doesn't apply any modification
355
00:14:02,320 --> 00:14:04,000
such as changing memory access
356
00:14:04,000 --> 00:14:06,079
permissions in sections unless the user
357
00:14:06,079 --> 00:14:08,720
wants to do so, adding an extra section
358
00:14:08,720 --> 00:14:11,440
with read, write and execute access, and
359
00:14:11,440 --> 00:14:13,360
whatever would look dodgy under an
360
00:14:13,360 --> 00:14:16,320
antivirus scan. Shellter uses a unique
361
00:14:16,320 --> 00:14:18,320
dynamic approach which is based on the
362
00:14:18,320 --> 00:14:20,480
execution flow of the target
363
00:14:20,480 --> 00:14:22,800
application. And this is just the tip
364
00:14:22,800 --> 00:14:24,880
the actual tip of the iceberg.
365
00:14:24,880 --> 00:14:27,279
Shellter is not just an EPO infector
366
00:14:27,279 --> 00:14:29,279
that tries to find a location to inject
367
00:14:29,279 --> 00:14:31,440
or insert an
368
00:14:31,440 --> 00:14:34,160
instruction to redirect execution
369
00:14:34,160 --> 00:14:35,920
to the payload. Unlike any other
370
00:14:35,920 --> 00:14:38,240
infector, Shellter's advanced infection
371
00:14:38,240 --> 00:14:40,160
engine never transfers the execution
372
00:14:40,160 --> 00:14:43,120
flow to a code cave or to an added
373
00:14:43,120 --> 00:14:45,360
section in the infected portable
374
00:14:45,360 --> 00:14:48,160
executable file. All right. So, the
375
00:14:48,160 --> 00:14:50,240
really cool features with Shellter are
376
00:14:50,240 --> 00:14:52,639
that again it's compatible with
377
00:14:52,639 --> 00:14:56,160
Windows x86 and x64, and it works on
378
00:14:56,160 --> 00:14:58,639
Windows XP Service Pack 3 and above or
379
00:14:58,639 --> 00:15:01,839
newer versions of Windows. And again, it
380
00:15:01,839 --> 00:15:04,240
works with Wine, and of course
381
00:15:04,240 --> 00:15:06,800
Linux. It works with Wine. So
382
00:15:06,800 --> 00:15:09,360
whenever you install the Shellter package
383
00:15:09,360 --> 00:15:11,279
on your Linux system, because it's an
384
00:15:11,279 --> 00:15:14,079
executable, you actually need Wine. Wine
385
00:15:14,079 --> 00:15:16,399
is a compatibility layer for Linux that
386
00:15:16,399 --> 00:15:19,120
allows users on Linux or Unix
387
00:15:19,120 --> 00:15:22,880
operating systems to execute .exe files.
388
00:15:22,880 --> 00:15:24,160
The great thing is that it's
389
00:15:24,160 --> 00:15:26,160
portable, so no setup is required. It
390
00:15:26,160 --> 00:15:27,680
doesn't require dependencies. That's
391
00:15:27,680 --> 00:15:30,639
fantastic. It doesn't have any static PE
392
00:15:30,639 --> 00:15:33,360
or portable executable templates. It
393
00:15:33,360 --> 00:15:36,399
supports any 32-bit payload and it's
394
00:15:36,399 --> 00:15:38,680
compatible with all types of encoding by
395
00:15:38,680 --> 00:15:41,279
Metasploit, compatible with custom
396
00:15:41,279 --> 00:15:43,360
encoding created by the user. So you can
397
00:15:43,360 --> 00:15:44,880
specify whether you want to go through
398
00:15:44,880 --> 00:15:47,120
additional encoding and I've already
399
00:15:47,120 --> 00:15:48,880
covered within the Metasploit Framework
400
00:15:48,880 --> 00:15:51,600
course how to encode a payload with
401
00:15:51,600 --> 00:15:54,480
msfvenom and how that can
402
00:15:54,480 --> 00:15:56,880
also be used to evade very basic
403
00:15:56,880 --> 00:15:58,880
antivirus solutions that utilize
404
00:15:58,880 --> 00:16:01,920
signature-based detection. All right, so
405
00:16:01,920 --> 00:16:04,320
in order to install Shellter, you can
406
00:16:04,320 --> 00:16:07,600
simply type in sudo apt-get install
407
00:16:07,600 --> 00:16:10,160
shellter here, and that should install the
408
00:16:10,160 --> 00:16:11,680
Shellter package for you. However,
409
00:16:11,680 --> 00:16:14,000
there's a very important aspect
410
00:16:14,000 --> 00:16:15,680
that you need to take into consideration
411
00:16:15,680 --> 00:16:18,639
here. The Shellter package is really a
412
00:16:18,639 --> 00:16:21,440
Windows executable. Now, how will you
413
00:16:21,440 --> 00:16:24,320
run a Windows executable on Linux? Well,
414
00:16:24,320 --> 00:16:26,320
that can be facilitated through the use
415
00:16:26,320 --> 00:16:29,040
of a tool called Wine. All right, so you
416
00:16:29,040 --> 00:16:31,120
may have heard of Wine before. Wine is a
417
00:16:31,120 --> 00:16:33,519
compatibility layer for Linux that
418
00:16:33,519 --> 00:16:35,480
allows you to execute Windows
419
00:16:35,480 --> 00:16:38,480
executables on a Linux system or on a
420
00:16:38,480 --> 00:16:41,279
Unix system like Mac. So after
421
00:16:41,279 --> 00:16:43,040
installing the actual
422
00:16:43,040 --> 00:16:45,120
Shellter package, you then need to
423
00:16:45,120 --> 00:16:47,920
install Wine. Now the specific
424
00:16:47,920 --> 00:16:49,839
architecture or the package that we'll
425
00:16:49,839 --> 00:16:52,320
be installing in regards to Wine is
426
00:16:52,320 --> 00:16:55,600
the wine32 package, and this is
427
00:16:55,600 --> 00:16:57,839
primarily because Shellter only supports
428
00:16:57,839 --> 00:17:00,560
32-bit payloads or rather supports the
429
00:17:00,560 --> 00:17:03,440
generation of 32-bit
430
00:17:03,440 --> 00:17:06,000
shellcode, right? So we actually need to
431
00:17:06,000 --> 00:17:08,240
configure the Debian package management
432
00:17:08,240 --> 00:17:12,079
utility to essentially
433
00:17:12,079 --> 00:17:14,240
allow us to install 32-bit
434
00:17:14,240 --> 00:17:16,959
packages, because right now the
435
00:17:16,959 --> 00:17:19,039
current Kali Linux VM that I'm utilizing
436
00:17:19,039 --> 00:17:21,199
is 64-bit and the Debian package
437
00:17:21,199 --> 00:17:24,000
management utility has of course been
438
00:17:24,000 --> 00:17:26,480
already configured to only install
439
00:17:26,480 --> 00:17:29,200
64-bit packages. So to install 32-bit
440
00:17:29,200 --> 00:17:31,400
packages we'll need to run the following
441
00:17:31,400 --> 00:17:34,960
command. So we can say dpkg. All right.
442
00:17:34,960 --> 00:17:36,559
So that that's the Debian package
443
00:17:36,559 --> 00:17:39,720
management utility. So DPKG and we say
444
00:17:39,720 --> 00:17:43,559
add and we can say
445
00:17:43,559 --> 00:17:45,679
architecture. Uh let me just type that
446
00:17:45,679 --> 00:17:47,160
in correctly. So that's
447
00:17:47,160 --> 00:17:50,640
--add-architecture. And we then specify i386.
448
00:17:50,640 --> 00:17:53,240
That's for 32-bit. So
449
00:17:53,240 --> 00:17:56,039
i386. And we can then hit
450
00:17:56,039 --> 00:17:58,799
enter. And in some cases it may ask
451
00:17:58,799 --> 00:18:00,640
you for root permissions. So I'll say
452
00:18:00,640 --> 00:18:03,360
sudo dpkg --add-architecture and that's
453
00:18:03,360 --> 00:18:06,320
done. I can now install
454
00:18:06,320 --> 00:18:11,160
wine32. So I can say sudo apt-get
455
00:18:11,160 --> 00:18:15,039
install wine32, which I currently
456
00:18:15,039 --> 00:18:16,640
already have as you can see and I'm
457
00:18:16,640 --> 00:18:18,960
currently using the latest version and
458
00:18:18,960 --> 00:18:20,720
that has been installed successfully. So
459
00:18:20,720 --> 00:18:23,039
at this point you can now execute the
460
00:18:23,039 --> 00:18:26,320
Shellter executable with Wine, or with
461
00:18:26,320 --> 00:18:28,240
wine32 in this case. So let's take a
462
00:18:28,240 --> 00:18:31,440
look at how we can do that.
463
00:18:32,080 --> 00:18:35,440
You can head over into /usr/share/
464
00:18:35,440 --> 00:18:38,400
windows-resources, not windows-binaries,
465
00:18:38,400 --> 00:18:40,559
but windows-resources, and you'll have a
466
00:18:40,559 --> 00:18:42,960
folder called shellter. So within the
467
00:18:42,960 --> 00:18:45,520
shellter directory you can see that
468
00:18:45,520 --> 00:18:47,600
you'll pretty much only have the Shellter
469
00:18:47,600 --> 00:18:49,919
executable. Disregard these two folders
470
00:18:49,919 --> 00:18:52,559
as these folders will be created once
471
00:18:52,559 --> 00:18:55,120
you actually execute Shellter itself.
472
00:18:55,120 --> 00:18:57,440
Right? So we have shellter.exe. So, how
473
00:18:57,440 --> 00:18:59,840
do you execute an exe file on Linux?
474
00:18:59,840 --> 00:19:02,320
Well, we can do that with Wine. So, in
475
00:19:02,320 --> 00:19:04,320
order to execute it, I'll
476
00:19:04,320 --> 00:19:06,960
say sudo wine and then the
477
00:19:06,960 --> 00:19:10,280
actual exe. So, shellter,
478
00:19:10,280 --> 00:19:12,520
shellter.exe. There we are. I'll hit
479
00:19:12,520 --> 00:19:14,720
enter and that's going to start up
480
00:19:14,720 --> 00:19:16,240
Shellter. So, we don't have any issues
481
00:19:16,240 --> 00:19:19,039
there and we can get started. So,
482
00:19:19,039 --> 00:19:21,919
let's get started with the
483
00:19:21,919 --> 00:19:23,600
actual injection process. However,
484
00:19:23,600 --> 00:19:25,679
before we do that, we need to identify a
485
00:19:25,679 --> 00:19:28,240
legitimate executable that we can
486
00:19:28,240 --> 00:19:30,720
actually inject our shellcode into. So,
487
00:19:30,720 --> 00:19:32,080
this is where the whole social
488
00:19:32,080 --> 00:19:34,240
engineering aspect of things
488
00:19:32,080 --> 00:19:34,240
comes into play. So, you can download
489
00:19:34,240 --> 00:19:36,720
an executable. I would recommend that
490
00:19:36,720 --> 00:19:38,880
the executable is very small and very
491
00:19:38,880 --> 00:19:41,919
simplistic in terms of its
492
00:19:41,919 --> 00:19:43,760
functionality. This will probably not
493
00:19:43,760 --> 00:19:46,000
work if you try and inject your
494
00:19:46,000 --> 00:19:47,840
shellcode into an executable like
495
00:19:47,840 --> 00:19:50,720
the Chrome installer or VLC or anything
496
00:19:50,720 --> 00:19:54,240
like that. So on the Kali Linux
497
00:19:54,240 --> 00:19:56,960
system, if I head over into the file
499
00:19:59,600 --> 00:20:01,240
system here under
500
00:20:01,240 --> 00:20:04,600
/usr and under
501
00:20:04,600 --> 00:20:07,280
share, we have a directory called
502
00:20:07,280 --> 00:20:09,760
windows-binaries that contains a list of
503
00:20:09,760 --> 00:20:12,400
executables that again I used
504
00:20:12,400 --> 00:20:15,440
during a pentest or during a security
505
00:20:15,440 --> 00:20:17,919
assessment, and one of them is VNC
506
00:20:17,919 --> 00:20:19,440
Viewer. So if you're not familiar with
507
00:20:19,440 --> 00:20:22,080
VNC Viewer, this is a very simple Windows
508
00:20:22,080 --> 00:20:24,000
program. It's not malicious at all. It's
509
00:20:24,000 --> 00:20:26,559
completely legitimate. And it's
510
00:20:26,559 --> 00:20:29,039
essentially used to connect to a VNC
511
00:20:29,039 --> 00:20:31,200
session or to essentially establish a
512
00:20:31,200 --> 00:20:33,360
VNC session, right? So, it's just a
513
00:20:33,360 --> 00:20:35,440
utility that allows you to
514
00:20:35,440 --> 00:20:37,280
essentially connect to a server or to a
515
00:20:37,280 --> 00:20:39,760
target system and establish a VNC
516
00:20:39,760 --> 00:20:42,000
session. So, we can inject our
517
00:20:42,000 --> 00:20:43,760
shellcode into this executable. So, I'll just
518
00:20:43,760 --> 00:20:45,919
make a copy and I'll head over into my
519
00:20:45,919 --> 00:20:48,159
desktop and I'll go into the folder
520
00:20:48,159 --> 00:20:51,039
called AV bypass, which I created, and I
521
00:20:51,039 --> 00:20:53,039
recommend that you do the same. So this
522
00:20:53,039 --> 00:20:55,360
is the original executable. Now the
523
00:20:55,360 --> 00:20:56,799
great thing with Shellter is that
524
00:20:56,799 --> 00:20:58,640
whenever you perform the injection, a
525
00:20:58,640 --> 00:21:00,640
copy of this will be made. So a
526
00:21:00,640 --> 00:21:03,039
backup of the original will be made and
527
00:21:03,039 --> 00:21:04,880
it will actually be stored under the
528
00:21:04,880 --> 00:21:07,039
/usr/share/windows-resources/
529
00:21:07,039 --> 00:21:09,679
shellter directory, within Shellter
530
00:21:09,679 --> 00:21:11,280
Backups. So you can always get the
531
00:21:11,280 --> 00:21:13,679
original back. But now that we've
532
00:21:13,679 --> 00:21:15,840
identified the actual legitimate
533
00:21:15,840 --> 00:21:17,840
executable that we would like to inject
534
00:21:17,840 --> 00:21:20,240
our shellcode into and we've saved it
535
00:21:20,240 --> 00:21:22,159
within a directory that we are familiar
536
00:21:22,159 --> 00:21:23,440
with, we can actually begin the
537
00:21:23,440 --> 00:21:26,480
injection process. So I'll just launch
538
00:21:26,480 --> 00:21:27,559
Shellter
539
00:21:27,559 --> 00:21:29,840
again and it's going to ask you to
540
00:21:29,840 --> 00:21:32,000
choose your operation mode. For the
541
00:21:32,000 --> 00:21:33,679
purpose of this demonstration, I'm going
542
00:21:33,679 --> 00:21:37,200
to say auto. We then have the PE target.
543
00:21:37,200 --> 00:21:39,280
This is the portable executable target
544
00:21:39,280 --> 00:21:41,360
or the legitimate executable that you'd
545
00:21:41,360 --> 00:21:43,840
like to inject your shellcode into. You
546
00:21:43,840 --> 00:21:46,120
need to specify the path to the actual
547
00:21:46,120 --> 00:21:48,640
executable. In this case, mine is being
548
00:21:48,640 --> 00:21:51,280
stored under /home, under the kali
549
00:21:51,280 --> 00:21:53,320
directory on my
550
00:21:53,320 --> 00:21:58,400
desktop in a folder called AV
551
00:21:58,440 --> 00:22:00,960
bypass. And the name of the executable
552
00:22:00,960 --> 00:22:03,559
is
553
00:22:03,559 --> 00:22:06,000
vncviewer.exe. So I'll hit enter. You can
554
00:22:06,000 --> 00:22:07,840
see it's going to make a backup and it
555
00:22:07,840 --> 00:22:10,760
will store it under Shellter Backups as
556
00:22:10,760 --> 00:22:13,440
vncviewer.exe. It's then going to again
557
00:22:13,440 --> 00:22:14,960
take a look at whether or not the
558
00:22:14,960 --> 00:22:17,120
executable has been packed. You can see
559
00:22:17,120 --> 00:22:19,360
that it's not packed. It'll then move
560
00:22:19,360 --> 00:22:22,880
on to PE info elimination. It'll take a
561
00:22:22,880 --> 00:22:25,520
look at the DLL characteristics and
562
00:22:25,520 --> 00:22:27,280
it'll provide you the status
563
00:22:27,280 --> 00:22:29,120
here. So all related information has
564
00:22:29,120 --> 00:22:31,280
been eliminated. So that's changing the
565
00:22:31,280 --> 00:22:33,360
signature as much as possible. You then
566
00:22:33,360 --> 00:22:36,000
have your tracing mode. So again, if
567
00:22:36,000 --> 00:22:37,440
you take a look at the note here you can
568
00:22:37,440 --> 00:22:39,280
see that in auto mode Shellter will trace
569
00:22:39,280 --> 00:22:41,280
a random number of instructions for a
570
00:22:41,280 --> 00:22:44,159
maximum time of approximately 30 seconds
571
00:22:44,159 --> 00:22:46,559
in native Windows hosts and for 60
572
00:22:46,559 --> 00:22:48,640
seconds when used in Wine. So it's
573
00:22:48,640 --> 00:22:51,039
essentially tracing and identifying
574
00:22:51,039 --> 00:22:53,120
instructions where the shellcode can be
575
00:22:53,120 --> 00:22:55,919
injected into. So I'll give this as it
576
00:22:55,919 --> 00:22:58,200
says up to 60
577
00:22:58,200 --> 00:23:00,480
seconds. All right. So, as you can see,
578
00:23:00,480 --> 00:23:01,840
that's done. And it's going to tell you
579
00:23:01,840 --> 00:23:05,880
instructions traced,
580
00:23:05,880 --> 00:23:08,320
18,574. It's then going to start the
581
00:23:08,320 --> 00:23:10,240
first stage filtering. So, it's going to
582
00:23:10,240 --> 00:23:11,679
ask you whether you want to enable
583
00:23:11,679 --> 00:23:13,760
stealth mode. Stealth mode:
584
00:23:13,760 --> 00:23:15,360
this is a very important step because
585
00:23:15,360 --> 00:23:17,840
what it's asking you is whether you want
586
00:23:17,840 --> 00:23:21,440
the executable to function as intended.
587
00:23:21,440 --> 00:23:23,280
So, for example, in this case, we are
588
00:23:23,280 --> 00:23:25,320
injecting the shellcode into
589
00:23:25,320 --> 00:23:27,840
vncviewer.exe. So it's asking us whether or
590
00:23:27,840 --> 00:23:30,480
not we want VNC Viewer to actually
591
00:23:30,480 --> 00:23:32,799
function as normal, or to actually
592
00:23:32,799 --> 00:23:35,360
function normally when executed. So if
593
00:23:35,360 --> 00:23:36,880
we want that to happen, which I
594
00:23:36,880 --> 00:23:39,360
recommend that you do, I
595
00:23:39,360 --> 00:23:41,679
would enable stealth mode. So what
596
00:23:41,679 --> 00:23:43,679
that means is that whenever the target
597
00:23:43,679 --> 00:23:45,919
clicks on the new VNC Viewer that we
598
00:23:45,919 --> 00:23:47,120
have, that we're going to be
599
00:23:47,120 --> 00:23:49,280
generating or that contains the injected
600
00:23:49,280 --> 00:23:51,840
shellcode, VNC Viewer will function
601
00:23:51,840 --> 00:23:53,840
as normal, but the shellcode will be
602
00:23:53,840 --> 00:23:56,240
executed in the background. Right? So
603
00:23:56,240 --> 00:23:58,960
we'll say yes. It's then going to ask
604
00:23:58,960 --> 00:24:01,120
you for the payload
605
00:24:01,120 --> 00:24:03,039
that you'd like to use. So this is
606
00:24:03,039 --> 00:24:04,799
where the shellcode injection process
607
00:24:04,799 --> 00:24:07,679
comes into play. So again, you
608
00:24:07,679 --> 00:24:09,520
can obtain a Meterpreter session on the
609
00:24:09,520 --> 00:24:12,159
target and you can again identify which
610
00:24:12,159 --> 00:24:14,080
of these stages or payloads you'd like
611
00:24:14,080 --> 00:24:16,400
to use, and based on your option it's
612
00:24:16,400 --> 00:24:17,840
then going to
613
00:24:17,840 --> 00:24:20,000
generate the shell code appropriately.
614
00:24:20,000 --> 00:24:21,840
So for example if I wanted to obtain an
615
00:24:21,840 --> 00:24:23,600
Meterpreter session, I could use
616
00:24:23,600 --> 00:24:25,039
option one. So it's going to ask you
617
00:24:25,039 --> 00:24:27,279
whether you want to use a listed payload
618
00:24:27,279 --> 00:24:29,919
or custom. Now if you want to go
619
00:24:29,919 --> 00:24:32,559
ahead and encode a payload with
620
00:24:32,559 --> 00:24:35,360
msfvenom firstly, or you want to generate
621
00:24:35,360 --> 00:24:36,960
a Meterpreter payload and then encode
622
00:24:36,960 --> 00:24:39,440
it with msfvenom, you can do that and
623
00:24:39,440 --> 00:24:42,559
then specify custom, the C option here,
624
00:24:42,559 --> 00:24:45,039
and then use that actual payload
625
00:24:45,039 --> 00:24:47,120
itself. However, in this case, we're not
626
00:24:47,120 --> 00:24:48,799
going to be doing that. So I'll just say
627
00:24:48,799 --> 00:24:51,760
option one or I'll say L first to use a
628
00:24:51,760 --> 00:24:54,240
listed payload, and then it's
629
00:24:54,240 --> 00:24:55,600
going to ask you to select the payload
630
00:24:55,600 --> 00:24:58,080
by index. So I'll say option one. It's
631
00:24:58,080 --> 00:24:59,520
going to ask me for my LHOST
632
00:24:59,520 --> 00:25:00,960
information. So this is going to be the
633
00:25:00,960 --> 00:25:03,840
attacker's IP address and in my case my
634
00:25:03,840 --> 00:25:08,320
Kali Linux IP is 10 10 10. The port
635
00:25:08,320 --> 00:25:11,400
is 1234. I'll hit
636
00:25:11,400 --> 00:25:14,080
enter and it's now going to begin the
637
00:25:14,080 --> 00:25:15,640
basic
638
00:25:15,640 --> 00:25:18,080
obfuscation, and we can see it right
639
00:25:18,080 --> 00:25:20,720
over here polymorphic junk code. It's
640
00:25:20,720 --> 00:25:23,000
going to generate some junk code
641
00:25:23,000 --> 00:25:26,720
there, and the most important stage is
642
00:25:26,720 --> 00:25:28,880
right over here. So injection stage: it's
643
00:25:28,880 --> 00:25:30,400
going to tell you where the shell code
644
00:25:30,400 --> 00:25:33,120
has been injected and you can see right
645
00:25:33,120 --> 00:25:34,960
over here
646
00:25:34,960 --> 00:25:38,000
under PE checksum fix the valid PE
647
00:25:38,000 --> 00:25:41,120
checksum has been set, and under
648
00:25:41,120 --> 00:25:43,520
verification you can see that
649
00:25:43,520 --> 00:25:45,279
right over here injection verified and
650
00:25:45,279 --> 00:25:48,640
we can hit enter to continue. So
651
00:25:48,640 --> 00:25:51,840
we now have VNC Viewer, but the new
652
00:25:51,840 --> 00:25:54,320
executable has the injected shell code.
653
00:25:54,320 --> 00:25:56,799
So remember when I said that Shellter
654
00:25:56,799 --> 00:25:58,559
actually takes a backup, it does that
655
00:25:58,559 --> 00:26:00,960
for a reason, because the new
656
00:26:00,960 --> 00:26:03,120
executable is going to replace the one
657
00:26:03,120 --> 00:26:05,200
that was stored within the directory,
658
00:26:05,200 --> 00:26:06,880
right? So we're within this
659
00:26:06,880 --> 00:26:08,559
particular directory. So remember I
660
00:26:08,559 --> 00:26:11,120
copied over the legitimate VNC Viewer
661
00:26:11,120 --> 00:26:14,799
exe to the AV bypass folder, and this is
662
00:26:14,799 --> 00:26:16,960
now the malicious executable. So it will
663
00:26:16,960 --> 00:26:18,720
take a backup first. It'll then perform
664
00:26:18,720 --> 00:26:20,880
the injection, and it's going to
665
00:26:20,880 --> 00:26:22,799
replace the older one with the new
666
00:26:22,799 --> 00:26:25,279
malicious one. So I can now copy this
667
00:26:25,279 --> 00:26:27,279
over to the target system and you'll see
668
00:26:27,279 --> 00:26:29,520
that it looks exactly like VNC Viewer.
669
00:26:29,520 --> 00:26:31,279
It will function exactly like VNC
670
00:26:31,279 --> 00:26:33,279
Viewer. The only difference is that when
671
00:26:33,279 --> 00:26:35,360
it will be executed, it'll execute the
672
00:26:35,360 --> 00:26:37,919
shellcode, our Meterpreter payload
673
00:26:37,919 --> 00:26:39,760
shellcode, and it'll then connect back
674
00:26:39,760 --> 00:26:42,400
to our reverse TCP handler that we will
675
00:26:42,400 --> 00:26:44,080
set up in the Metasploit framework
676
00:26:44,080 --> 00:26:46,240
right now. So the first thing I want to
677
00:26:46,240 --> 00:26:48,240
do is I'm just going to set up, or
678
00:26:48,240 --> 00:26:50,480
launch msfconsole to set up the handler
679
00:26:50,480 --> 00:26:52,240
to receive the connection once the
680
00:26:52,240 --> 00:26:54,960
shellcode is executed on the target. So I'll
681
00:26:54,960 --> 00:26:57,200
give this a couple of seconds and I'll
682
00:26:57,200 --> 00:27:00,159
split my terminal vertically here
683
00:27:00,159 --> 00:27:01,679
because we actually need to transfer
684
00:27:01,679 --> 00:27:03,440
that executable to the target. So I'll
685
00:27:03,440 --> 00:27:05,360
navigate to the directory where the
686
00:27:05,360 --> 00:27:07,600
malicious VNC Viewer executable is
687
00:27:07,600 --> 00:27:10,960
stored. So that's under AV bypass, and I
688
00:27:10,960 --> 00:27:13,520
can start a simple web server. So I can
689
00:27:13,520 --> 00:27:16,679
use the Python module, so I'll say
690
00:27:16,679 --> 00:27:18,279
sudo
691
00:27:18,279 --> 00:27:22,480
python; I can say python3 -m, and we can
692
00:27:22,480 --> 00:27:26,240
say http.server, and on port 80. So I'll
693
00:27:26,240 --> 00:27:28,559
host all the files
694
00:27:28,559 --> 00:27:31,039
within the AV bypass directory on the
695
00:27:31,039 --> 00:27:33,159
Kali Linux IP on port
696
00:27:33,159 --> 00:27:35,919
80. So there we are, that's serving all
697
00:27:35,919 --> 00:27:37,360
of those files. Now in the
698
00:27:37,360 --> 00:27:39,279
Metasploit window here I'll say use
699
00:27:39,279 --> 00:27:41,200
multi/handler to set up the handler or
700
00:27:41,200 --> 00:27:43,760
the listener and then I'll specify the
701
00:27:43,760 --> 00:27:46,080
payload that I used when I
702
00:27:46,080 --> 00:27:47,760
was essentially generating the
703
00:27:47,760 --> 00:27:50,080
shellcode within Shellter, which in this case,
704
00:27:50,080 --> 00:27:51,679
in the case of Windows, if you
705
00:27:51,679 --> 00:27:54,080
selected the Meterpreter option, is always
706
00:27:54,080 --> 00:27:56,880
going to be the actual 32-bit
707
00:27:56,880 --> 00:27:59,640
Meterpreter payload. So
708
00:27:59,640 --> 00:28:03,080
windows/meterpreter/reverse_tcp.
709
00:28:03,080 --> 00:28:04,960
All right. I then need to
710
00:28:04,960 --> 00:28:06,640
set up my LHOST option, and of course
711
00:28:06,640 --> 00:28:08,159
these have to match the ones that you
712
00:28:08,159 --> 00:28:10,559
had set when generating the actual
713
00:28:10,559 --> 00:28:12,880
shellcode within Shellter. So my Kali
714
00:28:12,880 --> 00:28:16,000
Linux IP, and then LPORT we had specified
715
00:28:16,000 --> 00:28:20,440
as 1234, and I can hit
716
00:28:20,440 --> 00:28:24,080
run, and we can now again transfer
717
00:28:24,080 --> 00:28:25,919
over that executable. So I'll switch
718
00:28:25,919 --> 00:28:27,679
over to the Windows 7 system. Now the
719
00:28:27,679 --> 00:28:30,159
Windows 7 system has Windows Defender
720
00:28:30,159 --> 00:28:32,159
enabled but it's an older version of
721
00:28:32,159 --> 00:28:36,279
Windows 7. It's Windows 7 build
722
00:28:36,279 --> 00:28:41,120
7600 or build 7601, and it
723
00:28:41,120 --> 00:28:43,200
is actually a Service Pack 1
724
00:28:43,200 --> 00:28:45,600
installation. So let's actually see if
725
00:28:45,600 --> 00:28:48,080
we are able to bypass basic
726
00:28:48,080 --> 00:28:50,159
Windows Defender. So let me just switch
727
00:28:50,159 --> 00:28:51,480
over to the Windows
728
00:28:51,480 --> 00:28:54,240
system. All right. So, I'm back on the
729
00:28:54,240 --> 00:28:57,200
Windows system, and again, now the
730
00:28:57,200 --> 00:28:59,440
method of delivering the actual
731
00:28:59,440 --> 00:29:02,159
malicious executable is entirely up to
732
00:29:02,159 --> 00:29:03,840
you. I'm just going to be downloading it
733
00:29:03,840 --> 00:29:05,760
from the web server that I set up. So,
734
00:29:05,760 --> 00:29:06,840
10
735
00:29:06,840 --> 00:29:09,520
10. And we have VNC Viewer there. So,
736
00:29:09,520 --> 00:29:12,159
I'll click on that there. Save. I'll
737
00:29:12,159 --> 00:29:14,720
save it in downloads. And it looks like
738
00:29:14,720 --> 00:29:17,840
we haven't had any detection yet. So,
739
00:29:17,840 --> 00:29:20,240
it's been saved on disk there. If we
740
00:29:20,240 --> 00:29:21,919
take a look at the downloads folder, you
741
00:29:21,919 --> 00:29:24,080
can see that it looks exactly like VNC
742
00:29:24,080 --> 00:29:26,240
Viewer here. So, I can also move it to
743
00:29:26,240 --> 00:29:27,919
the desktop just so that you can see the
744
00:29:27,919 --> 00:29:30,159
icon even more clearly. I think I've
745
00:29:30,159 --> 00:29:32,480
zoomed in too much there. So, let me
746
00:29:32,480 --> 00:29:33,480
just zoom
747
00:29:33,480 --> 00:29:36,880
out and let me refresh that there. And
748
00:29:36,880 --> 00:29:39,840
we can see the VNC Viewer icon here. And
749
00:29:39,840 --> 00:29:41,600
let me just get rid of that there. So,
750
00:29:41,600 --> 00:29:44,080
again, if I click on it, it should work
751
00:29:44,080 --> 00:29:46,799
exactly the way VNC Viewer should work.
752
00:29:46,799 --> 00:29:48,559
However, in the background, what's going
753
00:29:48,559 --> 00:29:50,960
to happen is it's going to execute the
754
00:29:50,960 --> 00:29:52,559
the actual shellcode that we
755
00:29:52,559 --> 00:29:54,320
injected into it. So, I'll double click
756
00:29:54,320 --> 00:29:57,600
on it. Run. And you can see it works,
757
00:29:57,600 --> 00:29:59,520
it works as intended. And a
758
00:29:59,520 --> 00:30:00,960
person can actually use this for
759
00:30:00,960 --> 00:30:03,760
legitimate purposes. But it had
760
00:30:03,760 --> 00:30:05,360
malicious shellcode
761
00:30:05,360 --> 00:30:09,039
injected into it. So this particular
762
00:30:09,039 --> 00:30:10,880
executable has not been detected by
763
00:30:10,880 --> 00:30:12,640
Windows Defender. So if I switch back
764
00:30:12,640 --> 00:30:15,039
over to Kali Linux, you should see
765
00:30:15,039 --> 00:30:16,960
that I have received a Meterpreter
766
00:30:16,960 --> 00:30:20,679
session on my multi/handler
767
00:30:20,679 --> 00:30:23,039
listener. All right. So I'm back on Kali
768
00:30:23,039 --> 00:30:25,120
Linux, and as you can see we made a GET
769
00:30:25,120 --> 00:30:27,200
request, or we downloaded VNC Viewer on
770
00:30:27,200 --> 00:30:29,840
the target system, and once it was
771
00:30:29,840 --> 00:30:32,000
executed we obtained a Meterpreter
772
00:30:32,000 --> 00:30:34,159
session on the target system. So I can
773
00:30:34,159 --> 00:30:37,120
say sysinfo and you can see Windows 7
774
00:30:37,120 --> 00:30:40,480
build 7601 Service Pack 1, and I can say
775
00:30:40,480 --> 00:30:42,559
getuid, for example, and we're
776
00:30:42,559 --> 00:30:45,440
currently as the Windows 7 user. So that
777
00:30:45,440 --> 00:30:47,760
is how to inject shellcode into a
778
00:30:47,760 --> 00:30:49,760
legitimate executable for the purpose of
779
00:30:49,760 --> 00:30:52,919
evading signature-based antivirus
780
00:30:52,919 --> 00:30:55,279
solutions. And that is going to
781
00:30:55,279 --> 00:30:57,039
conclude the practical demonstration
782
00:30:57,039 --> 00:31:00,240
side of this video.