1
00:00:00,160 --> 00:00:02,320
Hello everyone, just a disclaimer before
2
00:00:02,320 --> 00:00:04,560
the video. This video is presented
3
00:00:04,560 --> 00:00:06,560
solely for educational and knowledge
4
00:00:06,560 --> 00:00:08,880
sharing purposes. All demonstrations are
5
00:00:08,880 --> 00:00:11,040
conducted in a legal isolated lab
6
00:00:11,040 --> 00:00:13,599
environment on systems I own or have
7
00:00:13,599 --> 00:00:15,759
explicit authorization to test. The
8
00:00:15,759 --> 00:00:17,440
channel does not condone illegal
9
00:00:17,440 --> 00:00:19,680
activities. Misuse of the tools or
10
00:00:19,680 --> 00:00:21,520
techniques demonstrated may violate
11
00:00:21,520 --> 00:00:23,439
applicable laws and organizational
12
00:00:23,439 --> 00:00:26,080
policies, and viewers are responsible
13
00:00:26,080 --> 00:00:28,320
for ensuring their own actions comply
14
00:00:28,320 --> 00:00:31,279
with all legal and ethical requirements.
15
00:00:31,279 --> 00:00:33,600
Hello everyone. It has been a long time
16
00:00:33,600 --> 00:00:36,239
since the last upload. And here it is, a
17
00:00:36,239 --> 00:00:38,079
new video that demonstrates how a
18
00:00:38,079 --> 00:00:40,239
publicly available tool published in
19
00:00:40,239 --> 00:00:43,280
2024 can still be utilized today to
20
00:00:43,280 --> 00:00:45,840
bypass the latest Windows Defender on a
21
00:00:45,840 --> 00:00:48,399
Windows 11 machine to execute a
22
00:00:48,399 --> 00:00:51,600
Metasploit Meterpreter reverse shell. This is
23
00:00:51,600 --> 00:00:53,920
the tool that we will be showing today.
24
00:00:53,920 --> 00:00:55,920
A shellcode loader or a shellcode
25
00:00:55,920 --> 00:00:59,120
packer known as SuperMega. There are a
26
00:00:59,120 --> 00:01:01,280
few writeups and references that detail
27
00:01:01,280 --> 00:01:03,600
the tool. We won't be reading through
28
00:01:03,600 --> 00:01:05,840
them to save time. So feel free to do so
29
00:01:05,840 --> 00:01:07,680
to have a deeper understanding of the
30
00:01:07,680 --> 00:01:10,680
tool.
31
00:01:12,400 --> 00:01:14,479
We will need Visual Studio and Python
32
00:01:14,479 --> 00:01:16,560
installed to run this. The actual
33
00:01:16,560 --> 00:01:18,720
payload generator will be independent
34
00:01:18,720 --> 00:01:21,439
and standalone. So the payload will work
35
00:01:21,439 --> 00:01:23,840
without any dependencies on your victim
36
00:01:23,840 --> 00:01:26,240
machine. If we were to try downloading
37
00:01:26,240 --> 00:01:28,560
SuperMega directly, it will get picked
38
00:01:28,560 --> 00:01:30,960
up by Windows Defender. This is due to
39
00:01:30,960 --> 00:01:32,799
the default shellcode templates that
40
00:01:32,799 --> 00:01:35,119
come with the tool's source files. Let's
41
00:01:35,119 --> 00:01:37,360
create a Windows Defender exclusion on
42
00:01:37,360 --> 00:01:39,920
our downloads folder to get around it.
43
00:01:39,920 --> 00:01:42,079
Of course, the actual Windows Defender
44
00:01:42,079 --> 00:01:44,720
bypass will be executed from a folder
45
00:01:44,720 --> 00:01:46,799
that is not part of Windows Defender
46
00:01:46,799 --> 00:01:49,799
exclusion.
47
00:02:07,119 --> 00:02:09,039
All right, the download works. Now,
48
00:02:09,039 --> 00:02:12,480
let's extract the zip file.
49
00:02:12,480 --> 00:02:14,879
If we look at the data/binary
50
00:02:14,879 --> 00:02:16,959
folder, this is where you can add your
51
00:02:16,959 --> 00:02:19,440
own legitimate .exe executables and
52
00:02:19,440 --> 00:02:22,760
shellcodes.
53
00:02:34,000 --> 00:02:36,000
We will need to use the Visual Studio
54
00:02:36,000 --> 00:02:38,480
developer command prompt to launch this.
55
00:02:38,480 --> 00:02:40,560
Else the build tools will not be part of
56
00:02:40,560 --> 00:02:42,959
our path and the following error will be
57
00:02:42,959 --> 00:02:45,959
encountered.
58
00:03:03,840 --> 00:03:05,599
All right, it is working. Now
59
00:03:05,599 --> 00:03:07,519
let's browse to the SuperMega web
60
00:03:07,519 --> 00:03:10,640
portal. It has a nice UI to generate our
61
00:03:10,640 --> 00:03:13,040
payload. The web portal has some
62
00:03:13,040 --> 00:03:15,519
descriptions of the usage of the tool.
63
00:03:15,519 --> 00:03:17,760
Again, reading the references provided
64
00:03:17,760 --> 00:03:19,680
in the GitHub page is strongly
65
00:03:19,680 --> 00:03:22,680
recommended.
66
00:03:35,360 --> 00:03:37,440
The injectable should be a legitimate
67
00:03:37,440 --> 00:03:39,680
.exe executable that you want to back
68
00:03:39,680 --> 00:03:42,080
door your shellcode into. And the
69
00:03:42,080 --> 00:03:43,760
shellcode should be the payload that you want
70
00:03:43,760 --> 00:03:46,879
to deliver such as a reverse shell. Now
71
00:03:46,879 --> 00:03:48,879
let's hop over to our Kali machine and
72
00:03:48,879 --> 00:03:54,440
generate a Meterpreter HTTPS reverse shell.
74
00:03:59,680 --> 00:04:01,519
Now let's create a listener for the
75
00:04:01,519 --> 00:04:06,120
reverse shell with msfconsole.
76
00:04:14,400 --> 00:04:16,239
Let's transfer the shellcode over to
77
00:04:16,239 --> 00:04:18,400
our Windows machine so that SuperMega
78
00:04:18,400 --> 00:04:23,639
can build our own custom .exe payload.
79
00:04:33,680 --> 00:04:35,919
The Meterpreter shellcode should show up now
80
00:04:35,919 --> 00:04:40,440
in our SuperMega web portal.
81
00:04:44,000 --> 00:04:46,400
By default, the shellcode location is
82
00:04:46,400 --> 00:04:49,120
set to .rdata. And in this case, this
83
00:04:49,120 --> 00:04:51,199
will cause an error as the size is
84
00:04:51,199 --> 00:04:53,440
insufficient to insert the shellcode
85
00:04:53,440 --> 00:04:56,560
into. Let's switch to .text instead.
86
00:04:56,560 --> 00:04:58,639
Let's leave the other options as default
87
00:04:58,639 --> 00:05:02,440
and see how it goes.
88
00:05:08,160 --> 00:05:10,560
Great. SuperMega was able to create the
89
00:05:10,560 --> 00:05:13,039
payload successfully.
90
00:05:13,039 --> 00:05:15,199
Now, let's transfer the compiled .exe
91
00:05:15,199 --> 00:05:17,440
payload to a folder that is not part of
92
00:05:17,440 --> 00:05:20,240
Windows Defender exclusion, such as our
93
00:05:20,240 --> 00:05:24,199
desktop folder instead.
94
00:05:25,759 --> 00:05:27,919
Oh dear, it seems like Windows Defender
95
00:05:27,919 --> 00:05:30,400
is able to pick up the .exe payload
96
00:05:30,400 --> 00:05:33,039
immediately. Again, this tool was
97
00:05:33,039 --> 00:05:35,840
published in 2024, so not really a
98
00:05:35,840 --> 00:05:37,680
surprise that the default options get
99
00:05:37,680 --> 00:05:41,800
picked up by Windows Defender.
100
00:05:43,280 --> 00:05:45,280
Let's try again by changing the option
101
00:05:45,280 --> 00:05:47,680
just a little bit. Let's set the decoy
102
00:05:47,680 --> 00:05:50,320
option to WinExec and recompile the
103
00:05:50,320 --> 00:05:53,320
payload.
104
00:06:03,280 --> 00:06:05,280
Now let's try transferring the compiled
105
00:06:05,280 --> 00:06:10,360
.exe payload again to our desktop folder.
106
00:06:13,120 --> 00:06:15,840
Nice. There is no Windows Defender
107
00:06:15,840 --> 00:06:17,600
detection anymore. This is
108
00:06:17,600 --> 00:06:19,759
looking good. Let's trigger a manual
109
00:06:19,759 --> 00:06:22,720
scan on the .exe binary itself. Nice. No
110
00:06:22,720 --> 00:06:24,160
threats were found. That is
111
00:06:24,160 --> 00:06:27,160
good.
112
00:06:28,800 --> 00:06:30,960
Let's double click on the .exe payload to
113
00:06:30,960 --> 00:06:33,759
execute it.
114
00:06:33,759 --> 00:06:36,319
Awesome. We have a Meterpreter reverse shell
115
00:06:36,319 --> 00:06:38,240
call back. Now we have successfully
116
00:06:38,240 --> 00:06:40,560
bypassed the latest Windows Defender and
117
00:06:40,560 --> 00:06:42,720
obtained a functional Meterpreter reverse
118
00:06:42,720 --> 00:06:47,000
shell. This is pretty easy.
119
00:06:50,240 --> 00:06:52,240
We can even do a quick scan on our
120
00:06:52,240 --> 00:06:54,720
Windows 11 and see if it detects the
121
00:06:54,720 --> 00:06:59,400
established Meterpreter reverse shell.
122
00:06:59,919 --> 00:07:02,080
Nice. No detections and no threats were
123
00:07:02,080 --> 00:07:04,960
found. Our Meterpreter reverse shell is also
124
00:07:04,960 --> 00:07:06,880
still functional after the Windows
125
00:07:06,880 --> 00:07:10,440
Defender scan.
126
00:07:11,360 --> 00:07:13,199
All right, that is it for today's
127
00:07:13,199 --> 00:07:15,199
video. A quick and straightforward
128
00:07:15,199 --> 00:07:17,840
demonstration with no BS. I hope you
129
00:07:17,840 --> 00:07:19,840
have enjoyed the video and the hands-on
130
00:07:19,840 --> 00:07:21,680
demonstration. Please help to like the
131
00:07:21,680 --> 00:07:23,360
video and subscribe to the channel. It
132
00:07:23,360 --> 00:07:25,039
will really help out the channel a lot.
133
00:07:25,039 --> 00:07:26,560
Thanks all. I will see you all soon in
134
00:07:26,560 --> 00:07:30,240
the next one. Bye.