AdSense

Tuesday, February 27, 2018

Veil Framework (IV): Evasion -> Ordnance -> ARC / Pyherion (encryption) -> XOR (encoding)



ANTIVIRUS EVASION / Veil Framework  (IV): Evasion -> Ordnance -> ARC / Pyherion (encryption) -> XOR (encoding)


- Layout for this exercise:






- The goal of this exercise is to achieve a reasonable good rate of Anti Virus evasion using the Veil Framework adding up encryption (ARC / PYHERION) plus encoding (XOR)


1 - Veil-Evasion encryption with ARC and Pyherion

- Launching the program:




- Listing the available tools:




- At first, using Evasion:







- Listing available payloads, let's take number 30) that uses the encryption ARC algorithm:






- Using the payload number 30):




- Setting option USE_PYHERION (encrypter) to Yes:









2 - Generating the shellcode with Ordnance and encoding with XOR

- Generating the payload:




- Taking Ordnance as default:





 

- Listing Ordnance payloads:




- Let's take rev_tcp_all_ports:







 - Options for this payload: first of all setting BadChars to \x00 (NULL character) and \x0A (Carriage Return):




- Encoder to XOR:

 


- LHOST to Kali's IP:




- LPORT to Kali's port 1111:




- Generating the shellcode:




- Entering the name test3:




- Using Pyinstaller to generate the .exe file:




3 - Files created by Veil-Evasion

- The Veil files are created and stored in these folders:




- Going to /usr/share/veil-output:




- The folders compiled, handlers and source contain the generated Veil files:




- The source file test3.py is encrypted, as expected:





4 - Transferring the .exe file to Windows 10

- The folder compiled holds the executable test3.exe, to be transferred to the victim Windows 10:




- Setting a simple HTTP server:




- Downloading the executable test3.exe to Windows 10:









5 - Getting a Meterpreter session with Metasploit processing .rc reference file

- The folder handlers holds the file test3.rc that can be used directly as a reference by Metasploit:




- Processing test3.rc from msfconsole:

 





- Executing test3.exe in Windows 10:





- A meterpreter session is succesfully created:






6 - Checking the Anti Virus evasion rate

- Checking test3.exe against Virus Total, a rate of 56% of evasion is achieved:





- Checking test3.exe against NoDistribute, a rate of 58.8% of evasion is achieved: