Tuesday, February 27, 2018

Metasploit Loader (I): loader.exe (x86_32 bits)

- Layout for this exercise:

1 - Installing loader.exe

- Metasploit Loader is a client compatible with Metasploit's staging protocol.

- Metasploit Loader implements the functionality of the first stage of the Meterpreter payload. It then receives the DLL and finally passes control to it.

- The project can be cloned from here:

https://github.com/rsmudge/metasploit-loader

- Cloning to the Kali Linux machine:

- Inside the newly created folder we can find both the executable loader.exe (already compiled) and the source code of the program main.c:

- The source code will be of particular interest later, since it facilitates the attack (as seen in the next exercises):

2 - Checking the functionality

- Setting up a web server in Kali:

- Downloading loader.exe to the Windows 10 machine:

- Setting up a Metasploit handler, waiting for the victim's reverse connection:

- Now loader.exe is executed from the command line of the Windows 10 (x86, 32 bits) machine (in the next exercise this annoying issue will be resolved):

- The attack is successful:

3 - Checking the Anti Virus evasion rate

- Checking loader.exe against VirusTotal, an evasion success rate of 71.8% is achieved:

- Checking loader.exe against NoDistribute, an evasion success rate of 83.3% is achieved:

Veil Framework (IV): Evasion -> Ordnance -> ARC / Pyherion (encryption) -> XOR (encoding)

- Layout for this exercise:

- The goal of this exercise is to achieve a reasonably good antivirus evasion rate using the Veil Framework, by combining encryption (ARC / Pyherion) with encoding (XOR).

1 - Veil-Evasion encryption with ARC and Pyherion

- Launching the program:

- Listing the available tools:

- First, using Evasion:

- Listing the available payloads, let's take number 30), which uses the ARC encryption algorithm:

- Using payload number 30):

- Setting option USE_PYHERION (encrypter) to Yes:

2 - Generating the shellcode with Ordnance and encoding with XOR

- Generating the payload:

- Taking Ordnance as the default:

- Listing Ordnance payloads:

- Let's take rev_tcp_all_ports:

- Options for this payload: first of all, setting BadChars to \x00 (NULL character) and \x0A (Carriage Return):

- Setting Encoder to XOR:

- Setting LHOST to Kali's IP:

- Setting LPORT to Kali's port 1111:

- Generating the shellcode:

- Entering the name test3:

- Using PyInstaller to generate the .exe file:

3 - Files created by Veil-Evasion

- The Veil files are created and stored in these folders:

- Going to /usr/share/veil-output:

- The folders compiled, handlers and source contain the generated Veil files:

- The source file test3.py is encrypted, as expected:

4 - Transferring the .exe file to Windows 10

- The compiled folder holds the executable test3.exe, to be transferred to the victim Windows 10 machine:

- Setting up a simple HTTP server:

- Downloading the executable test3.exe to Windows 10:

5 - Getting a Meterpreter session by having Metasploit process the .rc reference file

- The handlers folder holds the file test3.rc, which can be used directly as a reference by Metasploit:

- Processing test3.rc from msfconsole:

- Executing test3.exe in Windows 10:

- A Meterpreter session is successfully created:

6 - Checking the Anti Virus evasion rate

- Checking test3.exe against VirusTotal, an evasion rate of 56% is achieved:

- Checking test3.exe against NoDistribute, an evasion rate of 58.8% is achieved: