
Creating an Undetectable Backdoor

16 Apr

Besides the scanners and exploits it ships with, the Metasploit framework also gives penetration testers the ability to create executable files from the payloads it contains. In this article we will examine how to create executable payloads that can be used as backdoors, and how effective writing our own backdoor is at staying undetected by antivirus.

Let's say that we want to convert a payload into an executable file. The first step, of course, is to decide which payload we are going to use. In this tutorial we will use the windows/meterpreter/reverse_tcp payload. The -S option gives us a summary of the payload and the options it requires.

Summary of payload options

 

As you can see, the only option it requires is the LHOST address. So in order to turn this payload into an .exe file we use the command shown in the image below.

Creating an executable payload

 

In LHOST we obviously put our local IP address, the X parameter turns the payload into an .exe file, and then we need to specify a name for the executable, which in this case is pentestlab.exe. Now we need to open the Metasploit framework and use the module exploit/multi/handler.

Configuring the multi/handler module

 

When our file pentestlab.exe is executed on the target machine it will connect back to us.

Returning a meterpreter session

 

This method will only work on systems that are not running any antivirus software. Most popular antivirus products will identify this as a backdoor/Trojan/virus, so you have to find a way to bypass them. The best way, of course, is to create your own backdoor.

We have created a new file with the name pentestlab.bin, which is encoded with one pass of shikata_ga_nai and avoids the characters \x00\x0a\x0d.

Creating the .bin file

 

We open the file with a hex editor to check that it does not contain the characters we instructed the encoder to avoid.

pentestlab.bin file opened with a hex editor
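The hex editor check above can be automated. The following Python script is an added example, not code from the original post: it parses an msfencode-style bad-character list such as \x00\x0a\x0d, scans a byte blob or file, and reports the offset of every forbidden byte. The two sample blobs are constructed for illustration and are not shellcode.

```python
# Added example (not from the original post): verify that an encoded payload
# file really avoids the characters handed to the encoder, instead of
# eyeballing it in a hex editor.
from typing import Dict, List


def parse_badchars(spec: str) -> bytes:
    """Parse an msfencode-style bad-character string such as '\\x00\\x0a\\x0d'
    into the corresponding bytes. Raises ValueError on malformed input."""
    parts = spec.strip().split("\\x")
    if parts[0] != "":
        raise ValueError("spec must start with \\x")
    out = bytearray()
    for hexpair in parts[1:]:
        if len(hexpair) != 2:
            raise ValueError(f"bad hex pair: {hexpair!r}")
        out.append(int(hexpair, 16))  # int() raises ValueError on non-hex
    return bytes(out)


def find_badchars(data: bytes, bad: bytes) -> Dict[int, List[int]]:
    """Return {byte_value: [offsets]} for every forbidden byte found in data.
    An empty dict means the blob is clean with respect to the given set."""
    hits: Dict[int, List[int]] = {}
    for offset, value in enumerate(data):
        if value in bad:
            hits.setdefault(value, []).append(offset)
    return hits


def check_file(path: str, spec: str) -> Dict[int, List[int]]:
    """Convenience wrapper: scan a file on disk against a bad-char spec."""
    with open(path, "rb") as fh:
        return find_badchars(fh.read(), parse_badchars(spec))


# Constructed sample blobs (arbitrary bytes, not shellcode): one clean, one
# containing NUL at offsets 2 and 7 and CR at offset 5.
CLEAN_SAMPLE = bytes([0x41, 0x42, 0x7F, 0xFF, 0x10, 0x0B, 0x0C, 0x20, 0x33])
DIRTY_SAMPLE = bytes([0x41, 0x42, 0x00, 0xFF, 0x10, 0x0D, 0x0C, 0x00, 0x33])

if __name__ == "__main__":
    bad = parse_badchars("\\x00\\x0a\\x0d")
    for name, blob in (("clean", CLEAN_SAMPLE), ("dirty", DIRTY_SAMPLE)):
        hits = find_badchars(blob, bad)
        if not hits:
            print(f"{name}: no forbidden bytes")
        for value, offsets in sorted(hits.items()):
            print(f"{name}: \\x{value:02x} at offsets {offsets}")
```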

 

The image below is a sample of the code we have used for our backdoor, which has the name pentestlab.exe.

Sample of the Backdoor code

 

Let's say that we have delivered pentestlab.exe to our target and the victim has executed the malicious file.

Execution of pentestlab.exe

 

Executing the backdoor generates an HTTP request to the malicious web server where pentestlab.bin is located.

Malicious Web Server

 

A meterpreter session is returned to us.

Meterpreter Session Opened after the execution of the backdoor

 

But what about the antivirus? This backdoor doesn't contain any known signatures and has been encoded with shikata_ga_nai, which is a polymorphic encoder, so it will bypass most well-known antivirus products.

Detection ratio

 

As you can see from the image below, antivirus products such as Kaspersky, McAfee, NOD32, Panda, Sophos, Symantec and Microsoft did not detect the backdoor, so any machine could be compromised easily.

Well known antivirus did not detect the backdoor

 

Conclusion

In the first method, where we created an executable from an existing Metasploit payload without any encoding, the detection ratio was higher and most antivirus products identified the malicious payload. From our observation, shikata_ga_nai is not very effective on executables created from existing Metasploit payloads. So it doesn't matter how well you use that encoder or any other packer, because most antivirus products already have the signatures of these payloads in their databases.

On the other hand, when we used as a backdoor something we created ourselves, the detection ratio was very low. So the only effective way to bypass antivirus is to know how to modify the signature of the payload, or to write your own shellcode and experiment with different packers and encoders until you have an executable that is undetectable.

 

Posted by on April 16, 2012 in Maintaining Access

 


11 responses to “Creating an Undetectable Backdoor”

  1. laerciomotta

    April 16, 2012 at 2:03 pm

    Please show the rest of the C++ code :P

     
  2. re8el

    April 16, 2012 at 5:40 pm

    Great blog and post! Can you make available the steps on how to build the fud and the html code? Thanks!

     
  3. netbiosX

    April 16, 2012 at 6:27 pm

    @laerciomotta Unfortunately I cannot do that because the purpose of this blog is not to distribute any backdoors. You have to create your own code depending on your needs if you are a penetration tester.

    @re8el In this article there isn't any HTML code. This backdoor is written in C++ and I cannot distribute it for ethical reasons. However, I am planning to focus in future articles on the techniques with which you can accomplish antivirus evasion.

     
    • re8el

      April 16, 2012 at 7:49 pm

      @netbiosX ok, but to get the correct idea: the C++ code creates the exe that will download the .bin from the site, is this correct?

       
      • netbiosX

        April 16, 2012 at 7:59 pm

        The C++ code creates the .exe. If the user runs that .exe then an HTTP request will be produced to the web server where the .bin is located. The .bin file is stored on a web server (which is our machine) and not on the victim's computer. The only file that is necessary to be executed by the victim is the .exe file. Nothing else.

         
  4. laerciomotta

    April 16, 2012 at 7:41 pm

    Ok, thanks! I just like to test in my VMs… :P
    I found the C++ code, but it did not work!

     
  5. basil

    May 25, 2012 at 1:30 pm

    How did you edit pentestlab.exe to add the pentestlab.bin path? Can you elaborate on it? BUT the technique is awesome bro

     
  6. zero

    December 11, 2012 at 1:38 pm

    wew… all of you are already pros…
    I'm just starting to learn…. =)

     
  7. yasser

    February 9, 2013 at 5:05 pm

    Please, what exactly is the function of pentestlab.exe??

     
  8. Peyman

    March 2, 2013 at 3:36 pm

    Hi all,
    It isn't possible to run binary code through Internet Explorer or any browser, so
    this idea is not correct and doesn't work !!

     
