Most of us have heard of msfvenom and metasploit backdoors and have tested them many times. They normally get detected by anti-virus programs such as Windows Defender etc , we also know about a tool Veil-Evasion that generate backdoors that bypass most anti-virus programs. But sometimes backdoors generated by Veil get detected by several AV programs, So we have to use other tools like Empire (click here for a post on how to use Empire). But sometimes the novice learners can find it a bit difficult to use and understand tools like Empire. Alternatively , we can use a tool called Phantom-Evasion to generate Multibyte Xor Encrypted FUD Payloads that are completely invisible to AVs , its easy to install , simple to use and effective.
As Phantom-Evasion is not included in kali , we have to install it separately, but before that , we have to manually install a Windows python interpreter and pyinstaller so that we don’t get the following erros:
Note : I strongly recommend the 64 bit version of Kali as some dependencies of phantom are not for the 32 bit version , so it may still show errors.
Step one – Installing a Windows Python interpreter:
1. Add the i386 architecture , to do this run the following command in your terminal:
dpkg --add-architecture i386 apt-get update
2. Install wine32 and wine64 :
apt-get install wine32 apt-get install wine64
3. now download python installer 2.7.14 from its website :
4. Install python in wine :
wine msiexec /i python-2.7.14.msi
Ignore the terminal lines , click install for all users,
Keep clicking next until installed ,click finish at last.
5. Navigate to the directory where python is installed
6. Install pip :
wine python.exe -m pip install pyinstaller
Done !!! Now that everything is sorted , we can move to install Phantom Evasion without any errors.
Step two – Installing Phantom Evasion:
1. Optional : change directory to /opt :
2. Clone the Phantom project from github :
git clone https://github.com/oddcod3/Phantom-Evasion.git
3. Now go to Phantom-evasion directory :
4. Finally run the program and it will automatically install any missing dependencies :
Note : It will show an option to install monero miner to support the developer , I will leave this choice to you. If you want to do this , then type y and press enter. If you don’t want to , then type n and press enter.
If everything goes well you should see a screen similar to this : (it may be a little bit different for your first time installation , so don’t panic , if everything shows in green , then you’re good to go )
Using Phantom Evasion:
Now it will load the tool and you will be able to use it. You can make any kind of backdoors for almost every platform like windows , linux , Mac OS X , android etc. You can also use custom shell code from Veil to make a custom backdoor. Next article coming up on this , stay tuned !!
Let me show you an example of how this tool works :
1. Go to the location where you cloned Phantom Evasion, for me its /opt/Phantom-evasion :
2. run phantom evasion :
You will see a screen similar to this :
3. Select the windows module option 2 as shown in the screenshot and press enter.
4. Now you will see a screen similar to this , I suggest you experiment with these modules and see which one works best for you, I’m going to select option 4 :
5. This next screen will show you more details about this module . Press enter to continue.
6. The next screen will ask you how to supply the shell code , choose option 1 msfvenom for now and press enter.
7. Now it will ask you to enter the msfvenom payload you want to use .
eg. if you want to use 32 bit payload , then type windows/meterpreter/reverse_tcp
if you want to use 64 bit payload , the type windows/x64/meterpreter/reverse_tcp
8. Set the LHOST (your local IP) and the LPORT (the listening port which you want to receive the connections on).
8. Now it will ask which encoding to use , select whatever you prefer and hit enter , I would recommend using the 3rd or 4th one for better effectiveness . Also give an output name for your backdoor.
Finally it will start the encoding and compiling process. Once it is completed , exit phantom and you will find the backdoor in the same phantom directory.
If you want to check whether its undetectable or not , go to https://nodistribute.com and upload your file and scan it. You will find this :
Since the backdoors use msfvenom payloads, you can listen for incoming connections using Metasploit’s multi handler module, this is covered in the 2nd part of following video (fast forward till 9:50):
Now you are ready to use the tool as you probably have got the idea of how to use this tool in general , so you can practice on windows and other platforms as well by generating different backdoors using Phantom Evasion. You can also combine with different attacks by using backdoors created by Phantom with others as evilgrade etc. You can change the extensions and use them to exploit various windows systems. You can also compile backdoors with existing Android APKs and use them with AhMyth (stay tuned for next article). So the possibilities are much more. It depends on you how you use it.