We run frequently, into antivirus programs that prevent the standard Meterpreter payload, or other common penetration testing tools. I will show you how to bypass an antivirus, which you should know, that they are mostly signature-based. Antivirus scanners look for strings inside each application and trigger an alert after that.
Windows Credential Editor is an important tool for penetration testers since it can take clear-text passwords from memory. This application is going to be our candidate for this tutorial.
- Download it first, using the wget command, download the WCE application.
- Unzip the downloaded file.
- Try to upload the WCE application into the https://www.virustotal.com address, and see what’s going to happen. 37 of 60 antivirus software detected the existence of this application.
- At this moment, we need to think about a solution for this. I will use
splitcommand in Linux to split it into multiple files.
split --bytes=5K wce.exe
- Assuming that you have a 20,000 bytes file, and you want to split it by 10,000 bytes.
splitcommand will make two different files. The first one contains the first 10k bytes, and the second one contains the first 10k and the second 10k.
- Do it for the WCE application. I will leave the default 5,000 bytes and type on split command. Owing to split command, splitted the WCE file by 5,000 bytes for each one.
- Next, we need to copy into the Windows host machine. As you can see, the antivirus detected the existence of the WCE application, so let’s clean it out.
- Open that folder and see what happened. The antivirus cleaned all the files after 40k. That means that our candidate is between 40k and 45k.
- Open a calculator, and try to convert 40,000 decimal to hexadecimal, and we get 9C40. Put that number in your head, because you are going to use it in the next step.
- Open a new console, and start the
hexeditorapplication. I will scroll down until I find the WCE application.
- After opening the file, press T to go to the address 9C40.
- Here, we have some texts on the right side and the equivalent in hexadecimal of each character on the left side. Start overriding them randomly with zeros. I will stop at AE30, and save it by pressing Ctrl+X.
- Try to copy the file.