Can this BYPASS Windows Defender???

Captions
Greetings everyone, and welcome back to my cybersecurity show. Got a question for you: you ever played around with Metasploit? Sure you have, right? You're into cybersecurity, that's why you're watching this channel. Have you ever created a payload with msfvenom, and you're like, oh, this is going to be awesome, I'm going to get that reverse shell, and you drop it on the disk of a Windows operating system, and then all of a sudden Windows Defender jumps up like a man on fire and says, what the hell is this? No sir. Yeah, I've been there. I'm sure if you're watching this you probably have been as well, and that kind of burns my biscuits. I hate that, right? You know what I hate even more? If I wanted it to work, I can go in and shut off Windows Defender's real-time protection, and then, yeah, it works, but then you feel dirty, you feel icky. I mean, it doesn't seem fair. I want it to work when those defenses are turned on. And I thought, yeah, I want it to work when those defenses are turned on. Well, if Metasploit's not going to do it, or not without some severe massaging, can I build my own thing that does it? Welcome to today's episode: I built my own thing that does it. Yay, it's fun in here. We have it in a GitHub repo. I call it updater script. Honestly, I've called it many things, but updater script is the traditional name for it, the original name, the OG name for this thing, because I actually did this a while ago and it worked for forever, like a couple of years, but recently it has been getting hit by Windows Defender, and I thought, well, back to the drawing board, ladies and gentlemen, we've got to fix that. So I did. I fixed it, it works, and here it is. So we've got a few things going on. I have transitioned from using a batch file as my initial, like, compromise, my dropper, or whatever you'd like to call it, my implant, and I've switched to using Go, because I've been learning Go and it helps me learn more about Go, and I have more Go skills. Go, go, right?

I've got setup.go, which is kind of the main engine of what's going on here. It's going to start my HTTP server so that I can serve up the payloads that are also going to be generated by setup.go, which utilizes these template files for creating payloads such as winsecup, which is Windows security update. This is all framed with the premise of a phishing campaign kind of thing going on, so that your computer is having trouble updating and therefore, you know, your IT security team is trying to get it to update: please download and run this file, kind of thing. And I did run a phish. Let me get that phish up so that we're talking about it. Let's take a look at it. So I'm going to need you to hit the "I believe" button, pretend we're opening our email, and we've opened this email, and... wait for it... there it goes. And here is our email. It says: your PC is having issues with downloading and installing the latest updates. Yes, thank you, Microsoft Edge, no, please snooze. There we go. Downloading and installing the latest updates. This can negatively affect your organization's security, leaving it open to a security breach. So the whole social engineering thing, it's a phishing lure, whereas: please... oh, I even messed this up... "please, a fix". It really does look like a phishing email, doesn't it? Because I did bad grammar and everything. So: please, a fix has been issued by your IT department, click here to download the zip file, extract the file, the password to extract the file is "update", double-click the extracted file, congratulations, you've successfully updated your system, sorry for the inconvenience, thank you for your cooperation. So we've got ourselves a lovely little lure, a little link. They click on that and it's going to reach out to that HTTP server and it's going to grab this file, updater.zip, which we will have to create. You can do anything you want: create your lures like you like your phish, you can do anything you want to do, but that's basically what we've got going on here.

All right, let's jump back over here. So what I'm going to need to do is, you know, clone this repo, get it fired up, and then we should be able to... plus I need to start a listener and all that. I always forget to do that, so I prompt myself when I run setup.go. So when we run setup.go it starts the HTTP server, it generates the necessary payloads, and it also generates the Go file we'll need to compile into a binary, which we will then create the zip from, and the phishing lure will do its job from there. Okay, let's see if we can make all this action work. So let's go here, and in this corner I will do a git clone of https colon... and it is github.com, Daniel... I can't spell my own name... Lowrie, slash updater script. So github.com, Daniel Lowrie, updater script. Bam. Looks like we're going, everything looks good. Do an ls and bam, there it is. So we'll cd into the new folder, and now we have all the files that we just saw, because that's pretty simple. All right, first thing we need to do is run setup.go. So I will go run setup.go and I will give it the IP address of my attacking machine, my command and control, we'll call it that just for ease of reference. So let's get the IP: ip -br -c a, and my IP address is 192.168.1.3. This is a testing environment, ladies and gentlemen, that's how it works, that's why we use those. So I'll just paste that in there and then fire it off. All right, so we can see our LHOST is 192.168.1.3, and then there's port 443, which is the listening port. That's for firewalling, right? It wants to look like normal traffic. It says start your listener on port 443 and then press enter to continue. All right, let's jump over to here. I've fired off Metasploit, it's right there, Daniel, Metasploit, and then you make sure you sudo that because we will need 443 and that requires privilege. So we will use exploit/multi/handler and we'll take a look at the options, and yeah, right here we need to set that LHOST, right? So set LHOST to 192.168.1.3, and then we need to change this LPORT to 443.

So set LPORT to 443, and then just make sure all that's set correctly, which does look like it, and we're using the generic shell reverse TCP, just the stock stuff from Metasploit, and I just hit run. And now once that gets fired up, there we go, started reverse TCP handler, everything's ready to go. Let's jump back to setup. I can now hit enter, and it says, cool, you can see that it actually says attack files have been generated. There they are: update script.go, r1, and winsecup. The HTTP server is running on port 8000, which, of course, this is all open source, so you could change that if you like. 80 is probably a better idea, but I was just using 8000 for right now. And then it says compile and upload update script.exe to the target and execute, check the listener for connection. Cool. So anybody that grabs that link should show up here, it'll log this to the screen so we can see anybody that hits that phishing link. So let's jump down here now, let's clear the screen, we do an ls, it helps if we go to updater script. We now have a few more files, right? We've got r1, which was generated from r1.template, we've got update script.go, this is going to be our implant file, so we need to compile that into an exe. Simple. I know I'm on Linux, but why I love Go is because I can just compile for Windows. So GOOS=windows and then go run... oh no, I'm sorry, go build update script.go. Fun. So now we've got ourselves an update script.exe. I want to change that, so I'm just going to move it to updater.exe. Oh man, I am just messing up all over the place. Move update script.exe to updater.exe.

Man, this is just not my day, is it? My head is in the clouds. Now that we have all that, there's updater. Now we just need to zip it up, so let's do a zip. I like to do a -e, give a little encryption. It's going to prompt us for a password, just to help us, you know, be more safe as far as defenses go. So let's see here, we need to create a zip file, which we will call updater.zip, and then we put our file in it, updater.exe. Fire that off. I will make the password updater, updater. There we go. Looks like we now have a zip file, bada bing, right there, and we've got our listener running. I think everything's ready to rock. So let's jump back over to our target. We have successfully phished somebody, they click the link, we get a download box, which is rocking and rolling, updater.zip got nailed. Okay, perfect. Notice so far we're not getting any, you know, anger from any defensive system, so that's good. We still might see, like, hey, sample submissions turned off, just be prepared for that if that does happen. Let's see here, open the file... no, I'll go here, open the folder that it's in, and then of course we follow the prompting from our phish back there. So I will right-click, I will extract all, which should give me this, hit extract, and then "updater" is the password. Looks like that went well. Cool. Now we have a folder called updater, and this machine is kind of sluggish, it's a virtual machine, so it's just on the struggle bus today, I guess. All right, so there's our updater.exe. If we double-click this, hopefully that creates a shell connection and bypasses Windows Defender. Let's see what happens. Double-click, we're going to get something, there we go. Okay, so we do get the first thing. This is SmartScreen, right? Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk. This is the difficult thing to get around without some, like, serious code signing or something to that effect. So it just says unknown publisher.

You can make that a part of your social engineering campaign, to say, hey, yeah, you might get prompted about this, you know, SmartScreen might jump up, just hit "run anyway". I've worked on help desks, so if I were doing vishing or something and I was speaking with someone about this, they would bypass this without even thinking, they would just click "run anyway". And this might be enough, honestly, to get some people to click "run anyway". It won't get everybody; some people will be like, hey, that's weird, I'm going to hit "don't run" and call somebody. But there will be those that just go, oh yeah, I'm trying to update this thing, hit "run anyway". So we hit "run anyway". You couldn't see it because it runs by pretty fast, but it says "updating", just in case someone was looking. It says "contacting Windows Update server", which, guess what, it actually does. It actually does reach out to Windows Update and say, hey, are there any updates that I'm requiring? It does not install them, but it does reach out to Windows Update, so if defenses are looking at, hey, where is this reaching out to, the first thing it sees is Windows Update and not anything, you know, that it shouldn't. But looks like that went well. I don't see anything crazy going on, didn't get any alerts, that's cool. So SmartScreen was our big complaint, right? That was the one big deal. Let's jump back over to our attack box and see what happened. So there we can see that updater.zip got downloaded, winsecup got downloaded, r1 got... so these are the different stages of payloads that got downloaded. Everything looks good. If I run over here to Metasploit, oh yeah, there we go, we have won the game, because there it is, we got a PowerShell prompt. ipconfig works like a charm, right? Windows IP configuration, there's the IP address of this target device. I can do things like whoami, which tells me I am saitama, because I just got done watching One Punch Man series one and I'm stinking hooked on that. It was very entertaining, so it's on my brain. So we are logged in as saitama. I can do net user saitama and I can see that saitama... oh great, saitama's an administrator. That's awesome stuff. Now I can start doing more fun things on this machine, creating persistence, and on and on and on we go. And you'll notice we got nothing from Windows Defender, and that's what we were looking for. So we have won the game. This was a lot of fun. Please, again, don't upload these things to, like, VirusTotal. Turn off sample submission if you are playing with it, otherwise it's just going to reduce the shelf life of this being an effective tool for you, so make sure that those things are done in your testing environments before you get too crazy. That said, thanks for watching everyone. Hopefully you really enjoyed this episode and you enjoy the channel. If you do, show me support: find that thumbs up and just smack that thing, right? It's a simple little thing, just go thumbs up. It's probably one of the best things you can do for the channel if you wanted to gain a little more traction there in the YouTube world, and I would really appreciate it. Don't forget to leave me a comment as well, do the subscribe thing... have I got them all? Right, I got, like, subscribe, comment, notification bell, that's the last one. Until next time everyone, thanks for watching and keep hacking.
Info
Channel: Daniel Lowrie
Views: 3,855
Keywords: cybersecurity, cyber security, cyber, ethicalhacking, ethical hacking, ethical hacker, hacker, hackers, hacking, penetration testing, pentesting, pentester, red team, red teaming, red teamer, redteam, blue team, blueteam, windows defender, av bypass, fud, malware, malwareanalysis, malware analysis, information security, infosec, cybersec, metasploit, kali, kali linux, kalilinux, reverse shell, revshell, c2, c&c, command and control, command&control
Id: LjoAV3O40og
Length: 15min 58sec (958 seconds)
Published: Mon Jan 15 2024