
How to use the VENOM tool to bypass antivirus detection

2025-04-10 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com) 05/31 Report--

This article introduces how to use the VENOM tool to bypass antivirus detection. The walkthrough is detailed and has some reference value, so interested readers should read on.

Solemn statement: this article is only used for the purpose of security education, please do not use it for malicious activities.

Preface

Nowadays, a great deal of malware and many Payloads use a variety of encryption and packing techniques to evade antivirus detection, because it is difficult for AV products to detect encrypted or packed malware (Payloads).

Overview

According to VENOM's own description, the script uses msfvenom (Metasploit) to generate Shellcode in different formats, such as c | python | ruby | dll | msi | hta-psh, and injects the generated Shellcode into a function (for example, a Python function).

The Python function executes the Shellcode in RAM. The tool builds the executable with a compiler or packager such as gcc, mingw32, or PyInstaller, and then starts a handler to receive the remote connection (a reverse Meterpreter shell session).

Step 1:

Since this tool does not ship with Kali, we need to download and install it on Kali Linux. You can click [download link] to download VENOM directly from the Sourceforge website.

After downloading and unzipping, you can run VENOM.

Step 2:

After you start the tool, it asks whether to continue to the subsequent options.

Step 3:

Next, the tool will show you options such as code build, target device, Payload format, and data output.

The tool provides 20 different Shellcode build options, all of which are listed in the following figure. In this article, we choose option 10 for the demonstration.

Enter 10 and press enter.

Step 4:

In this step, we need to set the local host IP address: enter the IP address of the local machine that will listen for the Payload's connection, and press OK.

After setting our LHOST, the tool asks for the LPORT; enter the LPORT number you want to use and press OK.

Step 5:

VENOM comes with many default msf Payloads; here we choose "windows/meterpreter/reverse_tcp".

Step 6:

Enter the name of the Payload you want to generate, and then click OK.

Step 7:

After the encrypted Payload is generated, the tool stores it in VENOM's output directory:

Root/Desktop/shell/output/gbhackers.hta

Step 8:

After the encrypted Payload has been generated, we can check it against an antivirus product:

Next, let's look at how to use Metasploit and our generated Payload to bypass antivirus products.

Step 9:

We need to start the Apache server to deliver the Payload to the target host; select the server and click OK to continue.

Step 10:

In this step, we need to attach a post-exploitation module; any of them can be chosen. Since all I need is the system information, I chose sysinfo.rc for post-exploitation.

This step is optional; you can skip it and run the module manually inside Metasploit instead.

Step 11:

Finally, I need to establish a Meterpreter session between the target host and my Windows 7 host using the generated encrypted Payload.

Before starting the session handler, make sure that your Payload has been delivered to the target host. The URL I use here is http://192.168.56.103.

Note: before you begin, check that the LPORT and LHOST settings are correct.

Finally, we successfully bypassed the antivirus product of the target host and obtained full access to the target device.

The above is the full content of the article "How to use the VENOM tool to bypass antivirus detection". Thank you for reading! We hope the content is helpful; for more related knowledge, follow the industry information channel.
