Antivirus Evasion with Shellter

• Posted by solo walker
• Date February 22, 2021

Anti-Virus (AV) scanners are there to stop script kiddies and old malware. If you use Metasploit's default settings or files downloaded from the internet, chances are that you will not only get caught, but your whole engagement could be over. To compromise a target machine we must therefore disable or otherwise bypass the antivirus software installed on the target systems. As penetration testers we must understand these techniques in order to demonstrate this potential threat.

Finding a universal solution that bypasses all antivirus products is difficult and time consuming, if not impossible. Given the time limits of a typical penetration test, it is far more efficient to target the specific antivirus product deployed in the client network.

For this article we will use Shellter, a dynamic shellcode injection tool and one of the most popular and powerful tools capable of bypassing antivirus software. It uses a number of novel and advanced techniques to backdoor a valid, non-malicious executable with a malicious shellcode payload. It performs a thorough analysis of the target PE (Portable Executable) file and its execution paths, then determines where it can inject our shellcode without relying on traditional injection techniques that are easily caught by AV engines, such as changing the permissions of PE sections or creating new sections.
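The "traditional injection techniques" the article says AV engines catch leave visible marks in the PE section table. The following Python script is an added example written for this page (it is not part of the original article and not Shellter's code) that parses a PE's section headers with the standard library and flags those marks: a section that is writable and executable at once, an executable section not flagged as code, an uncommon section name, and an entry point that lands outside every executable section. The two sample PE images are constructed inside the script (header layout only, not runnable programs), and the list of "common" section names is a heuristic assumed here, not a standard.

```python
"""Added example for this page (not from the original article, not Shellter's
code): a small PE section-table checker that flags the crude injection
indicators the article says traditional injectors leave behind.
Standard library only, so it runs offline on any .exe or .dll."""
import struct
import sys
from typing import Dict, List, Tuple

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Heuristic (an assumption, not a standard): names mainstream linkers emit.
# Anything else is not proof of tampering, just worth a second look.
COMMON_SECTION_NAMES = {
    b".text", b".rdata", b".data", b".pdata", b".idata", b".edata",
    b".rsrc", b".reloc", b".bss", b".tls", b".CRT", b".gfids",
}


def parse_sections(pe: bytes) -> Tuple[int, List[Dict]]:
    """Return (AddressOfEntryPoint, section list) from raw PE file bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # COFF file header
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                      # optional header
    # AddressOfEntryPoint is at offset 16 in both PE32 and PE32+ layouts.
    entry = struct.unpack_from("<I", pe, opt + 16)[0] if opt_size >= 20 else 0
    sections = []
    off = opt + opt_size                                 # first section header
    for _ in range(num_sections):
        name, vsize, vaddr = struct.unpack_from("<8sII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)  # Characteristics field
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr,
                         "vsize": vsize, "characteristics": chars})
        off += 40                                        # sizeof(IMAGE_SECTION_HEADER)
    return entry, sections


def check_sections(pe: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing unusual."""
    entry, sections = parse_sections(pe)
    findings: List[str] = []
    entry_in_exec = False
    for s in sections:
        c, name = s["characteristics"], s["name"].decode("latin-1")
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name}: writable AND executable (RWX)")
        if c & IMAGE_SCN_MEM_EXECUTE and not c & IMAGE_SCN_CNT_CODE:
            findings.append(f"{name}: executable but not flagged as code")
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append(f"{name}: uncommon section name")
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], 1):
            entry_in_exec = bool(c & IMAGE_SCN_MEM_EXECUTE)
    if sections and not entry_in_exec:
        findings.append(f"entry point 0x{entry:x} is outside every executable section")
    return findings


def build_sample_pe(section_specs, entry_point: int) -> bytes:
    """Constructed sample: a minimal PE32 header layout (not a runnable program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)         # AddressOfEntryPoint
    out = dos + b"PE\0\0" + coff + bytes(opt)
    for name, vaddr, vsize, chars in section_specs:      # one 40-byte header each
        out += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
    return out


RX_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed: a normal-looking layout, code in .text, entry point inside it.
CLEAN_SAMPLE = build_sample_pe(
    [(b".text", 0x1000, 0x2000, RX_CODE), (b".data", 0x3000, 0x1000, RW_DATA)],
    entry_point=0x1500)

# Constructed: the crude pattern AV engines catch, an extra RWX section with
# an odd name and an entry point redirected into a non-code section.
SUSPECT_SAMPLE = build_sample_pe(
    [(b".text", 0x1000, 0x2000, RX_CODE), (b".data", 0x3000, 0x1000, RW_DATA),
     (b".xyz", 0x4000, 0x1000, RW_DATA | IMAGE_SCN_MEM_EXECUTE)],
    entry_point=0x3010)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPECT_SAMPLE
    for line in check_sections(data) or ["no findings"]:
        print(line)
```

Run it with a path to any PE to list findings, or with no argument to see the constructed suspect sample flagged. A clean result from this script says only that the easy indicators are absent; a tool that rewrites existing code bytes, as the article describes, leaves the section table untouched, which is exactly why the check is a first pass and not a verdict.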

With a little theory behind us, we can install Shellter. On Kali it is available through apt:

sudo apt install shellter

Since Shellter is designed to run on Windows, we will also install Wine, a compatibility layer that runs Win32 applications on POSIX-compliant (Portable Operating System Interface for Unix) systems:

sudo apt install wine

Once everything is installed, running shellter in a terminal gives us a new console running under Wine.

Shellter can run in either Auto or Manual mode. In Manual mode the tool launches the PE we want to use for injection and lets us manipulate it at a more granular level. We can use this mode to customise the injection process in detail if the automatically selected options fail.

For the purposes of this example, however, we will run Shellter in Auto mode by selecting 'A' at the prompt.

Next, we must select a target PE. Shellter will analyse it and alter its execution flow to inject and execute our payload. For this example we will use the Macrium Reflect installer (a free backup tool).

Before analysing or altering the original PE in any way, Shellter first creates a backup of the file.

As soon as Shellter finds a suitable place to inject our payload, it asks whether we want to enable Stealth Mode, which attempts to restore the execution flow of the PE after our payload has run. We will enable Stealth Mode, since we want the Macrium Reflect installer to behave normally and avoid any suspicion.

At this point we are presented with the list of available payloads. These include popular choices such as Meterpreter, but Shellter also supports custom payloads.

Note that in order to restore the execution flow through the Stealth Mode option, custom payloads need to terminate by exiting the current thread.

Select whichever payload suits you best. After selecting it, you are presented with Metasploit's default options, such as the reverse shell host (LHOST) and port (LPORT).

With all parameters set, Shellter injects the payload into the Macrium Reflect installer and attempts to reach the first instruction of the payload.

Now that the test has succeeded, and before transferring the malicious PE to our Windows client, we configure a listener on our Kali machine to interact with the Meterpreter payload.

Now we can scan our PE with VirusTotal. Since Shellter obfuscates both the payload and the payload decoder before injecting them into the PE, many AV scanners do not consider the binary malicious.

Once we execute the file, we are presented with the default Macrium Reflect installation window, which installs the software normally without any issues. Looking back at our handler shows that we successfully received a Meterpreter session, but the session appears to die once the installation either finishes or is cancelled. This makes sense, because the installer has completed and its process has been terminated. To overcome this, we can set an AutoRunScript that migrates our Meterpreter into a separate process immediately after the session is created. If we re-run the Macrium Reflect setup file after making this change to our listener, we should see a different result:

msf exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate

After the migration completes, the session remains active even after we complete the Macrium Reflect installation or cancel it.

Conclusion

Penetration testing is all about trying different tools, techniques and tactics to find what works in a particular environment. There are many techniques to evade AV; this is one of my favourites.

Thank you 🙂

solo walker

I am solo walker, an ethical hacker, Open Source Intelligence (OSINT) investigator and bug bounty hunter. I love the cybersecurity industry because I love the challenges of cyber security.

1 Comment

1. Hussein Muhaisen, February 22, 2021

   What a great article, keep it up!
