How do you bypass an antivirus? This is not a new question; everyone who are belongs to ethical hacking and penetration testing groups discuss this issue often. Even new users (script kiddies) are anxious to learn ways to overcome their keyloggers, stealer’s and RAT (remote administrator tools). Clearly, there is a pressing and widespread need by everyone need to bypass an anti-virus, even while in the process of penetration testing and ethical hacking anti-viruses in attempts to create a robust defense for an operating system. Let’s consider a simple example: suppose a company hired you to conduct a vulnerability assessment on their network. They give you a black box test but you aren’t equipped with much information about the network. If they are using an end-to-end anti-virus solution for their network, whenever you launch a test, the anti-virus system in place will defend it. So the first obstacle you’ll need to overcome is bypassing the anti-virus. It is very easy to discuss a tool that can hide any file from the eye of anti-virus systems, but it is probably more effective to understand the story behind the tools or techniques in order to best implement them. In this article we will cover :
Example:
Here’s an example to best understand the working mechanism of an anti-virus: let’s say you have installed an anti-virus on your computer. When you plug-in your flash drive (USB), there are two options:
This is the typical structure of the portable executive file. Each section can be divided into multiple sub-sections, but in this article we’ll discuss this with respect to the anti-virus detection methodology. PE (portable executive) file header is the most important section, containing:
Let’s take an example of a typical netcat backdoor listener, which bind cmd on port number 99 for connecting to the server. By doing a little analysis, we can see that the signature is located on offset E77E.
Now just imagine the importance of the signature in any portable executive file. There are different tools available to find it. If you want to bypass an anti-virus, then you’ll need to modify this signature so that the anti-virus treats it as a normal file.
Below is the list of some utilities that are based on netcat and have the ability to bypass anti-viruses.
The first part of our discussion focused on the importance of encoding to bypass an anti-virus. Metasploit is wonderful tool with many encoders to bypass the anti-viruses. Some of the encoders are based on polymorphic code (polymorphic virus). Polymorphic code changes the signature everytime it infects a new file. Shikata_ga_nai seems to be the best encoder to encode a virus so that your file easily bypass most of the anti-viruses. According to a wonderful blog post published on secmaniac, the best combinations to bypass almost 85 % of the anti-viruses are:
Within the social engineering toolkit encoder list, shikata_ga_nai is a particularly good encoder. Take a look at the picture below:
You can find a list of available encoders on metasploit. Please follow the commands below:
- How Anti-virus works
- What are the ways (techniques) to bypass an Anti-virus
- Metasploit tutorial to bypass an anti-virus
How Anti-virus Works
It is very important to discuss the working mechanism and phenomena of anti-viruses, because if you don’t know how an anti-virus works or how an anti-virus system detects viruses, you will limit your ability to effectively cheat or bypass an anti-virus. There are many companies that create their anti-virus in their own way, but they each share two main approaches to detecting a virus:- Signature based detection
- Suspicious Behavior
Example:
Here’s an example to best understand the working mechanism of an anti-virus: let’s say you have installed an anti-virus on your computer. When you plug-in your flash drive (USB), there are two options:
- Anti-virus will automatically detect viruses (based suspicious activities)
- You will launch a scan against your USB and then the anti-virus finds some virus (Signature based detection)
------------------ | DOS-stub | +-------------------+ |PE file-header | +-------------------+ | optional header | |- - - - - - - - - -| | | | data directories | | | +-------------------+ | | | Image pages | | | +-------------------+ | | | section tables | | | +-------------------+ | | | section 1 | | | +----------------+ | | | ... | | | +-------------------+ | | | section n | | | +-------------------+
This is the typical structure of the portable executive file. Each section can be divided into multiple sub-sections, but in this article we’ll discuss this with respect to the anti-virus detection methodology. PE (portable executive) file header is the most important section, containing:
- Signature bytes
- Time and date stamp
- Image base and image size
- Stack reverse size
- Debug table
- Fixup table
- Security table
- and more
Let’s take an example of a typical netcat backdoor listener, which bind cmd on port number 99 for connecting to the server. By doing a little analysis, we can see that the signature is located on offset E77E.
Now just imagine the importance of the signature in any portable executive file. There are different tools available to find it. If you want to bypass an anti-virus, then you’ll need to modify this signature so that the anti-virus treats it as a normal file.
Below is the list of some utilities that are based on netcat and have the ability to bypass anti-viruses.
- Cryptcat Project: This is an advanced utility based on netcat and one that uses an encryption technique with the ports of Windows, BSD and Linux.
- MOCAT backdoor: This one is based on the cryptcat project and works on client and server phenomena, meaning it has two executables: one for windows and the other for Linux. All communications of MOCAT are encrypted.
- Ncat : Ncat is a wonderful tool that has been designed by the nmap community. It works on both TCP and UDP ports and on Ipv4 as well as Ipv6.
Bypass an Anti-virus – Metasploit Tutorial
The first part of our discussion focused on the importance of encoding to bypass an anti-virus. Metasploit is wonderful tool with many encoders to bypass the anti-viruses. Some of the encoders are based on polymorphic code (polymorphic virus). Polymorphic code changes the signature everytime it infects a new file. Shikata_ga_nai seems to be the best encoder to encode a virus so that your file easily bypass most of the anti-viruses. According to a wonderful blog post published on secmaniac, the best combinations to bypass almost 85 % of the anti-viruses are:
- Shikata encoding 5 times
- Alpha_Upper encoding 2 times
- Shikata encoding 5 times
- Countdown encoding 5 times
Within the social engineering toolkit encoder list, shikata_ga_nai is a particularly good encoder. Take a look at the picture below:
You can find a list of available encoders on metasploit. Please follow the commands below:
root@bt:~# msfencode -h Usage: /opt/framework/msf3/msfencode OPTIONS: -a The architecture to encode as -b The list of characters to avoid: '\x00\xff' -c The number of times to encode the data -d Specify the directory in which to look for EXE templates -e The encoder to use -h Help banner -i Encode the contents of the supplied file path -k Keep template working; run payload in new thread (use with -x) -l List available encoders -m Specifies an additional module search path -n Dump encoder information -o The output file -p The platform to encode for -s The maximum size of the encoded data -t The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war -v Increase verbosity -x Specify an alternate executable template --------------------------------------------------------------------------------------------------------------------------- root@bt:~# msfencode -l Framework Encoders ================== Name Rank Description ---- ---- ----------- cmd/generic_sh good Generic Shell Variable Substitution Command Encoder cmd/ifs low Generic ${IFS} Substitution Command Encoder cmd/printf_php_mq manual printf(1) via PHP magic_quotes Utility Command Encoder generic/none normal The "none" Encoder mipsbe/longxor normal XOR Encoder mipsle/longxor normal XOR Encoder php/base64 great PHP Base64 encoder ppc/longxor normal PPC LongXOR Encoder ppc/longxor_tag normal PPC LongXOR Encoder sparc/longxor_tag normal SPARC DWORD XOR Encoder x64/xor normal XOR Encoder x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder x86/avoid_utf8_tolower manual Avoid UTF8/tolower x86/call4_dword_xor normal Call+4 Dword XOR Encoder x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder x86/context_stat manual stat(2)-based Context Keyed Payload Encoder x86/context_time manual time(2)-based Context Keyed Payload Encoder x86/countdown normal Single-byte XOR Countdown Encoder x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder x86/nonalpha low Non-Alpha Encoder x86/nonupper low Non-Upper Encoder x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder