Silly SET Tricks Part 2 : Bypassing Windows AV

Posted: December 9, 2011 in Guides

WHAT!!!! WINDOWS!??!?!?! NO WAY DT!!! Yes way guys… Just this once, plus you can use this trick for Linux payloads too if you make a few changes to a Python script 😉

Note: I know you can use shellcodeexec to execute payloads without SET; however, SET automates the process quite nicely for you, and it makes a nice addition to the Silly SET Tricks article collection. So please don’t fill up my comments box telling me I’m a moron, thank you 🙂

I actually wrote this because a good friend of mine, Dan Dieterle over at Cyber Arms, sent me an email about bypassing Windows AV with Meterpreter. Windows AV is a lot tougher to tiptoe around than Linux AV (because Linux AV sucks), so all you nix guys are gonna have to sit this one out and go read one of the many things I’ve written about Linux in the past few weeks.

Creating our Payload with SET

First things first: make sure SET is updated and you have it fired up. This is essentially going to be a set of screen caps, not so much an article. Menu numbers shift between SET releases, so if yours don’t match the ones below, go by the menu text rather than the number.

Choose 1 for Social Engineering Attacks

Choose 4 for Create Payload and Listener

Choose 13 for Shellcodeexec

Then configure the port of your listener and payload settings however you wish…

Configure payload as you see fit.

You can then set up the listener now, or start it later in Metasploit – just remember to give exploit/multi/handler the same PAYLOAD, LHOST and LPORT you set in SET for the payload, or the callback has nowhere to land 😉

Note: don’t be an idiot like me, make sure the UPX path in SET’s config is correct (although it won’t affect the outcome here).

Set up Payload

Your payload will be stored in the root directory of SET (/pentest/exploits/set on BackTrack 5). We can go ahead and rename it to something less obvious; there is no need to chmod +x it, since the Linux exec bit means nothing to a Windows binary.

mv /pentest/exploits/set/msf.exe ~/badbadfile.exe

Then just get it onto the target system 😉

Confirm that it will bypass AV

Run it against VirusTotal and we’ll see surprisingly happy results 🙂 Two caveats, though: uploading to VirusTotal hands your sample to every vendor on the list, so do it with a throwaway build rather than the binary you intend to use on an engagement; and a clean score only means no static signature matched, not that the payload will run and call back unhindered on the target (Dan’s comment below shows exactly that gap).

Virustotal report
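Before handing the binary to VirusTotal at all, a local static look is cheap and keeps the sample private. The script below is an added example for this post, not SET’s, shellcodeexec’s or the original author’s code: it parses the PE section table of a binary such as the msf.exe SET drops (the path is a command-line argument, my assumption) and flags the layout UPX leaves behind, which AV engines fingerprint trivially: UPX0/UPX1 section names, an executable section with zero bytes on disk but a large virtual size, and the UPX! pack-header magic. It also knows a few other common packer section names; that list is an assumption and not exhaustive. The PE it builds for the demo is constructed inline and is headers only.

```python
"""Local static triage of a Windows PE before uploading it anywhere.

Added example for this post; not SET's, shellcodeexec's or the original
author's code. Standard library only. Point it at the msf.exe SET drops
(path as argv[1], an assumption of this script) and it lists the PE
sections and flags the tells a UPX-packed binary carries.
"""
import struct
import sys

# Section names typical of common packers (an assumption, not a complete list).
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1",
    ".aspack", ".petite", ".MPRESS1", ".MPRESS2",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def pe_sections(data):
    """Parse the PE section table.

    Returns a list of (name, virtual_size, size_of_raw_data, characteristics)
    tuples, or raises ValueError if the bytes are not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    if table + 40 * nsections > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, _va, rsize, _ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, chars))
    return sections


def packer_indicators(data):
    """Return human-readable reasons this PE looks packed (empty list if none)."""
    hits = []
    for name, vsize, rsize, chars in pe_sections(data):
        if name in PACKER_SECTION_NAMES:
            hits.append(f"packer section name {name!r}")
        # UPX0 is the classic case: executable, large in memory, empty on disk,
        # because the stub unpacks into it at runtime.
        if rsize == 0 and vsize > 0 and chars & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {name!r}: executable, {vsize:#x} bytes virtual, "
                        f"0 bytes on disk (unpacks at runtime)")
    if b"UPX!" in data:
        hits.append("UPX! pack-header magic present")
    return hits


def build_sample_pe(sections):
    """Construct a headers-only PE32 skeleton for the demo (constructed data, not runnable).

    `sections` is a list of (name, virtual_size, size_of_raw_data).
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)                     # PE32 optional header size
    struct.pack_into("<H", optional, 0, 0x10B)    # PE32 magic
    table = b"".join(
        # CODE | EXECUTE | READ characteristics for every demo section
        struct.pack(SECTION_HEADER, name.encode(), vsize, 0x1000, rsize, 0x400,
                    0, 0, 0, 0, 0x60000020)
        for name, vsize, rsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Constructed sample with the section layout of a UPX-packed PE.
        blob = build_sample_pe([("UPX0", 0x8000, 0), ("UPX1", 0x3000, 0x3000),
                                (".rsrc", 0x1000, 0x1000)])
    for sec in pe_sections(blob):
        print("section %-8s vsize=%#x raw=%#x" % sec[:3])
    for hit in packer_indicators(blob):
        print("!!", hit)
```

Run with no arguments to see the constructed UPX-style sample flagged; `python3 pe_check.py msf.exe` checks the real thing. If your SET output shows UPX tells, that is the UPX path note above biting you: fix the config or leave packing off, since a UPX-packed Meterpreter is about the easiest thing an AV engine can fingerprint.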

Enjoy

Comments
  1. dangertux says:

    Why WORDPRESS WHY MUST YOU BREAK ALL MY LINKS!!! I HATE YOU SOOO MUCH…

    I kid… I love this wonderful free service please don’t ban me from using it thanks 😀

  2. D. Dieterle says:

    Hey bro, I played with this a little bit more today. If I choose number 2 – “Website Attack Vectors”, then do the Java attack, and select the shellcodeexec option, whenever I surf to the page and let the Java script run, my AV detects it and quarantines it on my “victim” machine.

    If I do number 4 – “Create Payload and Listener”, I get an exe file that virus total does not detect, but when I run it on my “Victim” machine, I get nothing. What is odd is I don’t even get a message in my AV. It just doesn’t do anything.

    I’ll keep playing with it. What can I say Adam, Linux hates me!!! 🙂

    Thanks so much for the help, I appreciate it!

    Dan
