Tuesday, 7 February 2017

Getting past Antivirus detection with Shellter

Introduction


In this post I will be showing you guys how to make your payloads undetectable from antivirus with the help of shellter, shellter works by injecting shellcode(your payload) into native Windows applications, right now it only works with 32-bit applications. You can read more about the details of shellter here.

Installing Shellter


Go to the download page on the shellter project website to download and install shellter, they have instructions on installing shellter for windows and linux. However, it is recommended that you use windows or kali linux as the other linux distros repositories might be outdated. Your anti-virus will probably flag the file as malicious in windows, just allow it through your anti-virus.

Using Shellter


First we need to get the executable we want to infect, this can be any 32-bit exe. I am going to be using putty.exe for this example. I already downloaded it to /root/Downloads.

Open terminal and type in shellter to launch shellter.



Enter A for for auto mode and enter the path of the executable you want to infect.



It will start tracing instructions and it will take about a minute so just wait while it does it's thing.



You will then be asked if you want to enable stealth mode, stealth mode basically allows the executable to be able to function normally. It's up to you if you want to enable it.



You will then be prompted to choose a payload or use a custom one, enter L for a listed payload and C for a custom payload. I will be using reverse tcp for my payload.


Then it's just your reverse tcp settings, LHOST is the ip address of the machine you are going to be listening on and LPORT is the port you are going to listen on.



Since we are using auto mode, that's all that we need to do, everything else is automated.



Now the putty.exe at my /root/Downloads folder have been successfully injected with a reverse tcp payload. There is also a backup of the original file at /root/Shellter_Backups. You see if your infected executable is detectable by any anti-virus by scanning it at nodistribute.com as other online scanners will send the files to the anti-virus companies, which is not a good idea. This is the results i got after scanning the infected putty.exe. Only 2 out of 35 of the anti-virus flagged it as malicious, that is pretty amazing.




Now you just need get the infected putty.exe onto your target machine and run it, there are many ways to do this such as using a USB Rubber Ducky and I have a tutorial on making your own DIY USB Rubber Ducky if you are interested. 

Here I start listening for connections on kali before i run the putty.exe.



After I run putty.exe I now have a reverse tcp connection to my target.



Now getting past anti-virus detections shouldn't be a problem for you anymore :) here are some tips and tricks provided by the shellter project.


No comments:

Post a Comment