antivirus bypass

All posts tagged antivirus bypass

Good afternoon friends. Recently we have seen about windows hacking with Arcanus framework. Today we will learn about another payload generator that helps us in bypassing antivirus ( till date) during pentest of Windows machines. That is Hercules framework.

Let’s start by cloning Hercules framework from github as shown below.

2hercules1

After cloning, a new directory with name HERCULES will be created. Move into that directory and do a “ls”. We should see a file named “Setup”. First change the permissions of this file using chmod as shown below. Once we get execute permissions on the Setup file, execute the file using command “./Setup“.

2hercules2

The setup automatically installs Hercules as shown below and

2hercules3

successfully ends as shown below. You have successfully installed Hercules framework in Kali Linux.

2hercules4

Type command “HERCULES” to start the framework. It’s interface looks like below. In this part, let’s generate a payload. Enter option “1”.

2hercules6

Select what type of payload you want to create. There are four payloads as shown below. I am choosing the first one. You can choose appropriately.

2hercules7

After we select the type of payload we want to create, we need to enter some options. Let us see the options it provides. LHOST and LPORT are self explanatory.  Choosing Persistence function adds our running binary to Windows startup registry so that we can have persistent access to the target.  Since we have already know how to create a persistent backdoor we will not enable it here.

Migration function triggers a loop that tries to migrate to a remote process. UPX ( Ultimate Packer for executables ) is an open source executable packer. To those newbies who have no idea what packers are, they are used to compress the executables. Software vendors also use them to obfuscate the code. We will see more about packers in our future howtos.

Concerning this howto, remember that enabling migration, persistence and UPX functions may increase the chances of your payload being detected by Antivirus.

2hercules8

Here I have only enabled the UPX function so the packing process begins as shown below.

2hercules9

Once the packing process is over, your final binary file is stored with the name you have given to it. I named it as “res”.

2hercules10

Next start the listener on Metasploit as shown below and send the  binary file to our target. Once he clicks on our executable file, we will get the meterpreter session as shown below.

2hercules11

In our part2 of this howto, we will see how to bind our payload to other executables.