
Tuesday, February 27, 2018

Metasploit Loader (II): loader-modified.exe (x86_32 bits)


- Layout for this exercise:


- This exercise is based on the previous one:

1 - Modifying the source code

- The objective of this exercise is to get an executable that is easier to use than the previous loader.exe, so that it is no longer necessary to pass the attacker's IP and port as command-line arguments: both parameters are embedded in the payload code.

- To achieve this goal we need to modify the source code main.c:

- Opening main.c:

- First this section of the code must be removed, because the executable is not going to take arguments any more from the user through the command line:

- Now, this section must be altered, because the socket will be established with constant parameters instead of ones passed as arguments to the function:

- Kali's IP and port 9999 are introduced, replacing the older connection parameters:

- Finally, the source code must be compiled again (using the mingw32 version for the x86_32 bits architecture), producing a new executable called loader-modified.exe:

2 - Checking the functionality of loader-modified.exe

- Setting a simple web server on Kali:

- Connecting from the victim Windows 10 (x86_32 bits) and downloading loader-modified.exe:

- Setting up a Metasploit handler on Kali Linux, waiting for the victim Windows 10 machine to run the executable:

- Running the executable on Windows 10 (x86_32 bits):

- The attack is successful:

3 - Checking the Anti Virus evasion rate

- Checking loader-modified.exe against Virus Total, a rate of 68.2% of evasion success is achieved:

- Checking loader-modified.exe against No Distribute, a rate of 71.8% of evasion success is achieved:

- So, compared to the previous exercise, the evasion rate is slightly lower, but on the bright side the payload is a lot easier to use.

Metasploit Loader (I): loader.exe (x86_32 bits)


- Layout for this exercise:


1 - Installing loader.exe

- Metasploit Loader is a client compatible with Metasploit's staging protocol.

- Metasploit Loader implements the functionality of the first stage of the Meterpreter payload: it receives the DLL and then passes control to it.

- The project can be cloned from here:


- Cloning to Kali Linux machine:

- Inside the newly created folder we find both the executable loader.exe (already compiled) and the source code of the program, main.c:

- The source code will be of particular interest later on, to make the attack easier to carry out (as seen in the next exercises):

2 - Checking the functionality

- Setting up a web server on Kali:

- Downloading loader.exe to the Windows 10 machine:

- Setting up a Metasploit handler, waiting for the victim's reverse connection:

- Now, loader.exe is executed from the Windows 10 (x86_32 bits) command line, passing the IP and port as arguments (in the next exercise this annoying issue will be resolved):

- The attack is successful:

3 - Checking the Anti Virus evasion rate

- Checking loader.exe against Virus Total, a rate of 71.8% of evasion success is achieved:

- Checking loader.exe against No Distribute, a rate of 83.3% of evasion success is achieved:

Veil Framework (IV): Evasion -> Ordnance -> ARC / Pyherion (encryption) -> XOR (encoding)


- Layout for this exercise:

- The goal of this exercise is to achieve a reasonably good rate of Anti Virus evasion using the Veil Framework, combining encryption (ARC / Pyherion) with encoding (XOR).

1 - Veil-Evasion encryption with ARC and Pyherion

- Launching the program:

- Listing the available tools:

- At first, using Evasion:

- Listing the available payloads, let's take number 30), which uses the ARC encryption algorithm:

- Using the payload number 30):

- Setting the option USE_PYHERION (encrypter) to Yes:

2 - Generating the shellcode with Ordnance and encoding with XOR

- Generating the payload:

- Taking Ordnance, the default shellcode generator:


- Listing Ordnance payloads:

- Let's take rev_tcp_all_ports:

- Options for this payload: first of all, setting BadChars to \x00 (NULL character) and \x0A (Carriage Return):

- Setting the Encoder to XOR:


- Setting LHOST to Kali's IP:

- Setting LPORT to Kali's port 1111:

- Generating the shellcode:

- Entering the name test3:

- Using Pyinstaller to generate the .exe file:

3 - Files created by Veil-Evasion

- The files generated by Veil are created and stored in these folders:

- Going to /usr/share/veil-output:

- The folders compiled, handlers and source contain the generated Veil files:

- The source file is encrypted, as expected:

4 - Transferring the .exe file to Windows 10

- The folder compiled holds the executable test3.exe, to be transferred to the victim Windows 10:

- Setting up a simple HTTP server on Kali:

- Downloading the executable test3.exe to Windows 10:

5 - Getting a Meterpreter session with Metasploit by processing the .rc resource file

- The folder handlers holds the file test3.rc, a resource file that msfconsole can process directly to set up the handler:

- Processing test3.rc from msfconsole:


- Executing test3.exe in Windows 10:

- A Meterpreter session is successfully created:

6 - Checking the Anti Virus evasion rate

- Checking test3.exe against Virus Total, a rate of 56% of evasion is achieved:

- Checking test3.exe against No Distribute, a rate of 58.8% of evasion is achieved: