A key consideration on every hacker's mind is how to bypass security devices such as an intrusion detection system (IDS) or antivirus (AV) software. This is not a problem if you create your own zero-day exploit or use someone else's zero-day. However, if you use someone else's exploit or payload, such as one from Metasploit or Exploit-DB, security devices are likely to detect it and spoil all the fun for you.
Security software works largely by identifying a malware signature. If you can change the signature of your malware, payload, or shellcode, it's likely to pass AV software and other security devices.
In this guide, we will be using Shellter. In my experience, it has proven more effective at re-encoding payloads to pass AV software than the other options.
How Shellter works
Shellter is capable of recoding any native 32-bit Windows standalone application. Since we're trying to avoid detection by AVs, we should avoid anything that might look suspicious to AV software, such as ready-made apps or apps that have more than one section containing executable code.
Shellter is able to take any of these 32-bit Windows applications and embed shellcode, either your own custom payload or one available from applications like Metasploit, in a way that is very often not detected by AV. Since you can use any 32-bit application, you can create an almost infinite number of signatures, making it nearly impossible for AV to detect.
Step 1: Download and install Shellter
The first step, of course, is to download and install Shellter. I'll run it on a Windows system, but Shellter can run on Kali using Wine. I find it faster and easier to run Shellter in the native Windows environment. You can download Shellter from here.
Step 2: Launch Shellter
Now that you have downloaded and installed Shellter, click on the executable file in the Shellter directory. This should launch the Shellter application as shown below.
Step 3: Move the Windows Binary to the Shellter directory
To test the effectiveness of Shellter in hiding a file, we will use a known malicious file for AV software. And that will be besbd.exe, a Netcat clone that has all the features of Netcat, but also has the ability to encrypt the connection with AES encryption.
We will integrate it with a Meterpreter payload from Metasploit. Basically, we'll take a known 32-bit .exe file, embed it with a known Meterpreter payload, and see if the AV software detects either. I think this is a great test of Shellter's capabilities, as detecting either will trigger the AV software. Both should be tricked to bypass the AV scan.
You can find sbd.exe in the Kali Windows binaries directory at:
kali > cd /usr/share/windows-binaries
kali > ls -l
Copy sdb.exe to the same directory as Shellter on your Windows system.
Step 4: Run Shellter
Now let's go back to the Shellter app. Type A (Auto) for mode and N (no) for version update. We just downloaded the current version so we don't need to update Shellter.
Shellter will ask you to enter the file it is going to re-encode. In our case, it's sbd.exe. Remember that it only accepts 32-bit standalone applications.
PE Target: sbd.exe
If the PE (portable executable) file is located somewhere other than the Shellter directory, you must provide the absolute path. Then just press enter and Shellter goes to work.
This time the program will stop and ask you for the type of payload you want to include in the file. Select L for “listed”. Then select 1 for the “meterpreter_reverse_tcp” payload.
You will then be asked to enter your LHOST IP (local) and LPORT. Enter the IP of the local machine and any port you want. Then press enter.
Step 5: Integration and recoding
After a few minutes, Shellter completes the checksum and PE verification.
When verification is complete, your file is ready to use!
Step 6: Test for detection
Now that we've created our own shellcode, the moment of truth has arrived. We need to test to see if the AV software can detect it.
In this system, I use Vipre AV software. I placed the recoded .exe file in a folder named “Exe folder” on my desktop, so let's scan just that folder with Vipre and see how well Shellter hid the malicious intent of this file.
This scan only took a few seconds and Vipre does not find any malicious files in the folder with sbd.exe. Our shellcode passed the test successfully! Our malware is not detected by this AV software!
This, of course, does not mean that all AV software will not be able to detect the malicious nature of our file. AV software from different publishers use different signatures and detection methods. Some may be able to detect the true nature of this file, but the key is to find a technique that gets past the AV to the system you're targeting. This may require multiple attempts with different files, different encoding and different payloads. It's easy to find at least one combination that works.
As you know, real hackers are persistent!
Step 7: Create Listener in Kali
Now that we know the malicious shellcode is undetectable at least by Vipre, we can send the file to our target system. Before it runs, we need to open a listener on the Kali system to connect.
We can use Metasploit's multi-handler for this purpose. Start by opening msfconsole by typing:
kali > msfconsole
Next, use the multi-handler exploit and set the payload (windows/meterpreter/reverse_tcp), then set the local host (LHOST) and local port (LPORT) to the same as those embedded in your application above.
Finally, type exploit and the multi-handler will "grab" the connection from the payload when executed on the target, opening a Meterpreter shell unbeknownst to the AV software and the target user!
Now with one Meterpreter prompt on the target system, we can use any of the commands or Meterpreter scripts on that system to gain full control.
Shellter is just another tool to avoid being tracked by AV software, but it might be the best. No one method works against all intrusion detection systems and antivirus software, but this app should definitely be in your toolbox.
