Tuesday, February 27, 2018
ANTIVIRUS EVASION / Veil Framework (IV): Evasion -> Ordnance -> ARC / Pyherion (encryption) -> XOR (encoding)
- Layout for this exercise:
- The goal of this exercise is to achieve a reasonably good rate of Anti Virus evasion using the Veil Framework, combining encryption (ARC / Pyherion) with encoding (XOR).
1 - Veil-Evasion encryption with ARC and Pyherion
- Launching the program:
- Listing the available tools:
- At first, using Evasion:
- Listing the available payloads, let's take number 30), which uses the ARC encryption algorithm:
- Using the payload number 30):
- Setting option USE_PYHERION (encrypter) to Yes:
2 - Generating the shellcode with Ordnance and encoding with XOR
- Generating the payload:
- Taking Ordnance as default:
- Listing Ordnance payloads:
- Let's take rev_tcp_all_ports:
- Options for this payload: first of all setting BadChars to \x00 (NULL character) and \x0A (Carriage Return):
- Encoder to XOR:
- LHOST to Kali's IP:
- LPORT to Kali's port 1111:
- Generating the shellcode:
- Entering the name test3:
- Using Pyinstaller to generate the .exe file:
3 - Files created by Veil-Evasion
- The Veil files are created and stored in these folders:
- Going to /usr/share/veil-output:
- The folders compiled, handlers and source contain the generated Veil files:
- The source file test3.py is encrypted, as expected:
4 - Transferring the .exe file to Windows 10
- The folder compiled holds the executable test3.exe, to be transferred to the victim Windows 10:
- Setting a simple HTTP server:
- Downloading the executable test3.exe to Windows 10:
5 - Getting a Meterpreter session with Metasploit processing .rc reference file
- The folder handlers holds the file test3.rc that can be used directly as a reference by Metasploit:
- Processing test3.rc from msfconsole:
- Executing test3.exe in Windows 10:
- A Meterpreter session is successfully created:
6 - Checking the Anti Virus evasion rate
- Checking test3.exe against VirusTotal, an evasion rate of 56% is achieved:
- Checking test3.exe against NoDistribute, an evasion rate of 58.8% is achieved:
ANTIVIRUS EVASION / Veil Framework (III): Evasion -> AES (encryption) -> Msfvenom
- Layout for this exercise:
- The goal of this exercise is to achieve a reasonably good rate of Anti Virus evasion using the Veil Framework with Evasion, AES (encryption) and Msfvenom.
1 - Veil-Evasion with AES and Msfvenom
- Launching the program:
- Listing the available tools:
- Using Evasion:
- Listing Evasion payloads:
- Let's take payload number 29, which uses a Python script with AES encryption:
- Generating the payload:
- Using MSFVenom:
- Entering a name test2.exe:
- Using Pyinstaller:
- The Veil files are created and stored in these folders:
2 - Setting up a Metasploit handler session on Kali Linux
- Using the newly created test2.rc as a reference file, Msfconsole opens a handler session:
3 - Running the .exe file on the victim Windows 10
- Establishing a simple web server on Kali Linux:
- Accessing test2.exe and downloading it to Windows 10:
- Running test2.exe:
- A successful Meterpreter session is created:
4 - Checking the Anti Virus evasion rate
- Checking test2.exe against VirusTotal, an evasion success rate of 60.3% is achieved:
- Checking test2.exe against NoDistribute, an evasion success rate of 67.5% is achieved:
- Clearly, the use of encryption to generate the payload improves the success rate of Anti Virus evasion.