Bypassing Antivirus with MSFvenom

Wow – so my first blog post. This is interesting.

There are tons of write-ups out there on payload creation and bypassing AV, but I'd like to write up my own. Hopefully this can help blue teamers understand why defense in depth is king!

Let’s start off with the basics: MSFvenom is a powerful payload generator that is included in Kali Linux. It makes it incredibly easy to generate reverse TCP shells or Meterpreter shells. Additionally, it offers the ability to encode payloads with an encoder called Shikata Ga Nai. I thought it would be fun to show you how to do this!

Once you have a terminal open, you'll have to fire up msfvenom and provide it with some options. Using the following example we'll walk through what the options are and what they do.

Here’s a quick breakdown of the options we have here:

  • The -p switch is our payload, which is set to a reverse TCP shell.
  • LHOST is our listening host (attacker machine) and LPORT is the listening port.
  • The -f switch is our format which is set to an executable.
  • The -e switch is the encoding which is Shikata Ga Nai.
  • The -i switch is the number of encoding iterations. In this case we encoded the payload 10 times.
  • The -x switch is the file template which in this case is Putty.exe.
  • The -o switch is the output file which we named defensehorizon.exe.
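One defender's check worth pairing with this (an added example, not part of the original post): whatever the -o name says, a binary built from the Putty.exe template no longer matches the vendor's published file. The script below, plain Python with only the standard library, compares a file's SHA-256 against a known-good list and parses the PE headers to see whether an Authenticode signature directory is present at all; the allowlist hash is a placeholder and the minimal PE images are constructed for offline testing.

```python
import hashlib
import struct

# Constructed allowlist: a real entry comes from the vendor's published hashes.
# The all-zero value is a placeholder, not PuTTY's real hash.
KNOWN_GOOD_SHA256 = {
    "putty.exe": "0" * 64,
}

def register_known_good(name: str, data: bytes) -> None:
    """Record the SHA-256 of a binary we have verified out of band."""
    KNOWN_GOOD_SHA256[name] = hashlib.sha256(data).hexdigest()

def security_directory(pe: bytes):
    """Return (rva, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or None if the
    bytes are not a PE image. (0, 0) means no Authenticode signature at all."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)    # data directories: PE32 vs PE32+
    return struct.unpack_from("<II", pe, dir_base + 4 * 8)   # entry 4 = security directory

def check_binary(name: str, data: bytes) -> list:
    """Return the reasons a defender should distrust this binary (empty = clean)."""
    findings = []
    expected = KNOWN_GOOD_SHA256.get(name)
    if expected is None:
        findings.append("no known-good hash on file")
    elif hashlib.sha256(data).hexdigest() != expected:
        findings.append("hash differs from vendor-published binary")
    sec = security_directory(data)
    if sec is None:
        findings.append("not a PE image")
    elif sec == (0, 0):
        findings.append("no Authenticode signature directory")
    return findings

def build_fake_pe(signed: bool) -> bytes:
    """Construct a minimal PE32 image (headers only) for offline testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x800)  # fake signature table
    return dos + b"PE\0\0" + coff + bytes(opt)
```

A present signature directory only shows that certificate bytes exist; once the image has been modified the signature no longer validates, so the hash comparison (or a full Authenticode check with signtool or Get-AuthenticodeSignature) is the decisive test.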

Now that we’ve generated our payload and encoded it, let’s see what Virustotal has to say!

Whoa! 42 out of 67 scan engines detected this! Nice! Let's see who we bypassed.

Wow! It looks like some big companies can’t detect this! How cool!

This tutorial is just a quick and simple way to show how AV is not 100%. If I were an attacker, I'd leverage DNS cache snooping or some other form of reconnaissance to figure out what AV is being used in order to bypass it!

Now that you’ve seen this I encourage you to try it out for yourself and test your AV!

Thanks for reading!