I have tried many different tools to avoid being detected by an AV while using a meterpreter exploit. Here is a list of tools I have tried: Shellter, Posh C2, Hack the World, Veil, Fat Rat, and many more. But they keep getting detected. I have read on the web that the best way to evade AVs is to program and build your own payload. I know the Python programming language. I just don't know where to start, because I couldn't find any useful info on the web. Where should I start from and what should I learn?

Mani

2 Answers

3

A payload is simply the thing that you actually want to do on a machine. Typical payloads are:

  • Interactive Shells (Meterpreter, OS Shell, etc.)
    • Dumping Hashes
    • Adding Users
    • Download/Upload Files
  • Install Malware (Keyloggers, Ransomware, etc.)
  • Persist Access (SSH, RDP, etc.)

So if your question is "How do I write my own payload?", the actual task for you is to pick one thing you would like to do (e.g. download a file from the remote host) and then write a program that does that.

Will this actually bypass AV?

Maybe. It depends on the AV, and on what the AV actually detects. What I can tell you is that AVs do more than just compare hashes of already known files. They also do heuristics, in which the behavior of a process is analyzed, and if it does "something suspicious" [1], the process is interrupted.

For example, what about a process that reads a local executable file, then connects to some remote host, downloads a new executable file, overwrites the first executable and then launches it? It could be suspicious, but it could also just be a regular update process.

[1] It is completely up to the AV vendor to decide what that means.

  • Dumping hashes, adding new users and file manipulation are tasks typically done through an interactive shell, but they can be done standalone as well. –  Jan 14 '21 at 11:28
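
The behavioral heuristic described in the answer above (read an executable, contact a remote host, overwrite the executable, launch it), written out as a small detection rule over a constructed process-event trace. This is an added example from the defender's side, not code from either answer; the event format, the sample trace and the rule are assumptions, and a real AV would weigh many more signals (signer, reputation, parent process) before interrupting anything.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    action: str   # assumed vocabulary: read, connect, write, exec
    target: str   # file path or host:port


# Constructed sample trace (not real telemetry): pid 41 reads its own binary,
# talks to a remote host, overwrites the binary and launches it; pid 77 does
# the same kind of I/O but on a document, so it should not be flagged.
SAMPLE_EVENTS = [
    Event(41, "read", "C:/app/app.exe"),
    Event(41, "connect", "203.0.113.5:443"),
    Event(41, "write", "C:/app/app.exe"),
    Event(41, "exec", "C:/app/app.exe"),
    Event(77, "read", "C:/docs/notes.txt"),
    Event(77, "connect", "203.0.113.9:443"),
    Event(77, "write", "C:/docs/notes.txt"),
]

# The ordered pattern from the answer; "exe" restricts the step to executables,
# None accepts any target.
PATTERN = [("read", "exe"), ("connect", None), ("write", "exe"), ("exec", "exe")]


def _matches(event, action, kind):
    if event.action != action:
        return False
    return kind is None or event.target.lower().endswith(".exe")


def flag_download_and_replace(events):
    """Return {pid: [targets]} for every process whose events contain PATTERN
    as an ordered subsequence (unrelated events in between are ignored)."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    flagged = {}
    for pid, evs in by_pid.items():
        step, hits = 0, []
        for ev in evs:
            if step < len(PATTERN) and _matches(ev, *PATTERN[step]):
                hits.append(ev.target)
                step += 1
        if step == len(PATTERN):
            flagged[pid] = hits
    return flagged


if __name__ == "__main__":
    print(flag_download_and_replace(SAMPLE_EVENTS))  # {41: [...]}
```

Note that a legitimate self-updater produces exactly the same trace, which is the answer's point: a heuristic match is a reason to look closer, not proof of malice.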
1

Making a non-detected payload is an art; basically you need to know the internals of the destination machine (is it Windows? which architecture? Linux?) and learn assembler. In general AVs try to find patterns in payloads; for example, on Linux they will try to find the common int 0x80 (in 32 bits), this is a basic one. The main techniques that you can apply for evading are basically encryption, sometimes called polymorphism or encoders in the exploit world, and metamorphism. This is a good source to start with: https://github.com/offensive-security/exploitdb

My suggestion is that you start working on basic payloads that execute a shell and try to understand how it works in your target architecture, and then, when you master that, you can start to learn how polymorphism and metamorphism work (you can google those words and find information).

camp0