29th March 2024

Bypassing the Anti-Virus with Kali

We run frequently, into antivirus programs that prevent the standard Meterpreter payload, or other common penetration testing tools. I will show you how to bypass an antivirus, which you should know, that they are mostly signature-based.  Antivirus scanners look for strings inside each application and trigger an alert after that.

Windows Credential Editor is an important tool for penetration testers since it can take clear-text passwords from memory. This application is going to be our candidate for this tutorial.

  • Download it first, using the wget command, download the WCE application.
wce
wce

 

  • Unzip the downloaded file.
Unzip the downloaded file.
Unzip the downloaded file

 

  • Try to upload the WCE application into the https://www.virustotal.com address, and see what’s going to happen. 37 of 60 antivirus software detected the existence of this application.

 

WCE application
WCE application

 

  •  At this moment, we need to think about a solution for this. I will use split command in Linux to split it into multiple files.
split --bytes=5K wce.exe

 

  •  Assuming that you have a 20,000 bytes file, and you want to split it by 10,000 bytes. split the command will make two different files. The first one contains the first 10k bytes, and the second one contains the first 10k and the second 10k.
  • Do it for the WCE application.  I will leave the default 5,000 bytes and type on split command. Owing to the split command, split the WCE file by 5,000 bytes for each one.
EvadeOut
EvadeOut

 

  • Next, we need to copy it into the Windows host machine. As you can see, the antivirus detected the existence of the WCE application, so let’s clean it out.
LEARN MORE  What is Netsparker? Netsparker Vulnerability Severity - Netsparker Installation
WCE application
WCE application

 

  • Open that folder and see what happened. The antivirus cleaned all the files after 40k. That means that our candidate is between 40k and 45k.
EvadeOut-TestFile_40000
EvadeOut-TestFile_40000

 

  • Open a calculator, and try to convert 40,000 decimal to hexadecimal, and we get 9C40. Put that number in your head, because you are going to use it in the next step.
calculator
calculator

 

  • Open a new console, and start the hexeditor application. I will scroll down until I find the WCE application.
hexeditor application
hex editor application

 

  • After opening the file, press T to go to the address 9C40.
address 9C40
address 9C40

 

  • Here, we have some texts on the right side and the equivalent in hexadecimal of each character on the left side. Start overriding them randomly with zeros. I will stop at AE30, and save it by pressing Ctrl+X.
stop at AE30
Stop at AE30

 

  • Try to copy the file.
copy the file
copy the file

 

Bingo!!!

Leave a Reply

Your email address will not be published. Required fields are marked *