1 00:00:00,510 --> 00:00:01,260 Welcome back.
2 00:00:01,830 --> 00:00:10,320 In this video, I want to talk about bypassing antivirus, and this video is not going to be that practical.
3 00:00:11,100 --> 00:00:12,480 You might be asking why.
4 00:00:12,900 --> 00:00:19,590 Well, I could show you a way to bypass antivirus right here in this video, but chances are that will
5 00:00:19,590 --> 00:00:25,230 not work once you watch the video in a month or two months or in a year.
6 00:00:26,070 --> 00:00:32,490 A fully undetectable payload is not something that lasts forever, especially when I show it inside of
7 00:00:32,490 --> 00:00:36,020 something like a course that many people are going to watch.
8 00:00:36,570 --> 00:00:42,570 So instead, I would like to tell you about a few different techniques that you can apply to generate
9 00:00:42,570 --> 00:00:43,870 an undetectable payload.
10 00:00:44,280 --> 00:00:45,540 So how does it all go?
11 00:00:45,960 --> 00:00:52,590 Well, many people start using a payload, and sooner or later antiviruses start detecting it as a malicious
12 00:00:52,590 --> 00:00:56,550 program. That could be due to people using it a lot.
13 00:00:56,580 --> 00:01:03,030 Or it could be that some of you uploaded it to VirusTotal and it could be sent to all the antivirus
14 00:01:03,030 --> 00:01:03,460 vendors.
15 00:01:04,050 --> 00:01:08,360 However, let me talk about the rules that you can apply to bypass antivirus.
16 00:01:09,210 --> 00:01:16,770 Now, the best thing that you can do to create a fully undetectable payload is to code your own programs
17 00:01:16,770 --> 00:01:18,350 or your own payloads.
18 00:01:18,480 --> 00:01:22,020 For example, I coded that backdoor in the C language.
19 00:01:22,020 --> 00:01:25,230 And when I scanned it, it was fully undetectable.
20 00:01:25,740 --> 00:01:29,370 No antivirus was able to flag it as a malicious program.
21 00:01:30,290 --> 00:01:37,280 Then I created a course on creating that backdoor, and soon enough that backdoor was no longer fully
22 00:01:37,280 --> 00:01:41,140 undetectable and was getting caught by most antiviruses.
23 00:01:42,080 --> 00:01:48,260 It was FUD at first because it was a new payload with new code, or a new source code.
24 00:01:48,740 --> 00:01:54,740 Once you have a unique and different code and you compile it, that code becomes a different binary,
25 00:01:54,740 --> 00:01:58,530 which makes it undetectable until many people start using it.
26 00:01:59,030 --> 00:02:05,850 So just remember, the best way to create an undetectable payload is to code it yourself in a unique way.
27 00:02:06,710 --> 00:02:13,460 However, this requires you to know a programming language, and for many, this will present a problem.
28 00:02:14,530 --> 00:02:20,530 There are other ways as well, so one of them is to update your payload tools if possible, and you
29 00:02:20,530 --> 00:02:25,800 also want to keep an eye out for the tools that are new or the tools that just came out.
30 00:02:26,380 --> 00:02:26,760 Why?
31 00:02:27,070 --> 00:02:31,890 Well, they might have different payloads that aren't widely used yet.
32 00:02:32,170 --> 00:02:34,300 So that is another way that you can do it.
33 00:02:34,990 --> 00:02:41,170 You can also try creating different types of payloads: try out PowerShell payloads, Python payloads,
34 00:02:41,290 --> 00:02:42,520 C# payloads.
35 00:02:42,940 --> 00:02:45,960 All of them have higher chances of not getting detected.
36 00:02:46,270 --> 00:02:51,820 Another cool thing you can do once you generate your payload is to change its binary a little bit.
37 00:02:52,210 --> 00:02:53,350 Let me show you what I mean.
38 00:02:53,710 --> 00:03:01,710 We can do this by using a hex editor. So let's just, real quick, generate a normal Windows
39 00:03:02,050 --> 00:03:03,960 meterpreter reverse TCP payload.
40 00:03:03,970 --> 00:03:14,360 Let's go with our LHOST and LPORT, and let's specify the file format to be exe and the output to be shell.exe.
41 00:03:15,460 --> 00:03:16,490 OK, great.
42 00:03:17,020 --> 00:03:18,940 This is a regular meterpreter payload.
43 00:03:19,450 --> 00:03:23,350 It gets detected by almost every antivirus in the world.
44 00:03:23,620 --> 00:03:27,820 It is, as a matter of fact, the most known payload in the world for malicious activities.
45 00:03:28,540 --> 00:03:35,290 But what you can do: if I show you right here the md5sum hash of this payload, you will see
46 00:03:35,290 --> 00:03:36,270 it is this one.
47 00:03:36,760 --> 00:03:44,950 So some antiviruses work by getting the hash of the executable and storing it in their database. Then,
48 00:03:44,950 --> 00:03:50,530 once you change this hash, and you change this hash by changing the binary of the program, this hash
49 00:03:50,530 --> 00:03:55,390 becomes different and it is no longer inside of the databases of antiviruses.
50 00:03:55,960 --> 00:03:57,930 Let me show you a simpler way to change it.
51 00:03:57,970 --> 00:04:04,360 So what we can do is we can type hexeditor, which is a tool that is already installed in Linux, and
52 00:04:04,360 --> 00:04:06,490 we can specify the payload.
53 00:04:07,630 --> 00:04:13,870 This will open the payload binary, and here we want to change some of the binary.
54 00:04:14,500 --> 00:04:16,000 Just be careful.
55 00:04:16,300 --> 00:04:21,460 Don't change something that you don't know what it is, because even changing a single byte right here
56 00:04:21,820 --> 00:04:27,220 could result in the program not working if that byte was essential for the program to run.
57 00:04:28,120 --> 00:04:33,550 Now, there are a few things right here that we can change for sure, and that is this right here:
58 00:04:34,060 --> 00:04:37,250 "This program cannot be run in DOS mode."
59 00:04:37,780 --> 00:04:38,860 Now, what is this?
60 00:04:39,010 --> 00:04:40,380 Well, this is a string.
61 00:04:40,450 --> 00:04:43,510 It is nothing really too important for the program.
62 00:04:43,930 --> 00:04:46,360 So we can navigate with our arrows.
63 00:04:49,140 --> 00:04:56,430 And we can change this string. As you can see, when I type hexadecimal right here, it changes the
64 00:04:56,430 --> 00:04:59,110 output inside of this right column.
65 00:05:00,090 --> 00:05:03,780 So if I just type some random hexadecimal numbers and letters
66 00:05:06,780 --> 00:05:07,680 to change this
67 00:05:10,590 --> 00:05:13,410 and want to change some of it, this will change colors.
68 00:05:13,990 --> 00:05:19,230 And if I go all the way down, there is another thing that we can change, and that is this text right
69 00:05:19,230 --> 00:05:19,480 here.
70 00:05:19,500 --> 00:05:21,760 This is also something that we can change.
71 00:05:22,020 --> 00:05:24,540 Just make sure you navigate to the correct line.
72 00:05:24,690 --> 00:05:26,370 In my case, I believe it is this one.
73 00:05:26,670 --> 00:05:31,080 The text should start with 74, and we can change it to whatever we want.
74 00:05:31,860 --> 00:05:37,980 Just once again, make sure you don't go over that word, because changing, for example, this bit right
75 00:05:37,980 --> 00:05:41,520 here will result in the program not working.
76 00:05:42,510 --> 00:05:49,710 OK, once you finish this, you can press Ctrl+O to save this. Now, if you remember how the MD5 hash started
77 00:05:49,860 --> 00:05:50,940 before we did this,
78 00:05:50,970 --> 00:05:55,760 if I do it again, it is completely different.
79 00:05:55,770 --> 00:05:59,720 I believe it started with something like eight, three, or I don't even remember.
80 00:06:00,030 --> 00:06:02,780 But right now it is completely different.
81 00:06:02,790 --> 00:06:06,990 We managed to change the hash of this executable by changing its binary.
82 00:06:07,140 --> 00:06:11,460 And this, even though for many antiviruses, this is something that will not bypass them.
83 00:06:11,760 --> 00:06:15,630 Even if you managed to bypass two or three additional antiviruses, that is good.
84 00:06:16,050 --> 00:06:17,490 You did a slight change.
85 00:06:17,640 --> 00:06:19,710 So this won't make much of a difference.
86 00:06:19,710 --> 00:06:25,890 But everything you can change, you should, since you gain higher chances of bypassing antivirus. As
87 00:06:25,890 --> 00:06:31,050 well, if you have, for example, the source code of a payload, what you can do is you can try to
88 00:06:31,050 --> 00:06:37,590 change it yourself a little bit: just add some random functions, or make your program not do anything
89 00:06:37,590 --> 00:06:39,660 for the first minute or two after running.
90 00:06:40,110 --> 00:06:43,050 All of these things can help you bypass antivirus.
91 00:06:43,950 --> 00:06:48,390 OK, so these are just some of the ways that you can apply next time you create a payload.
92 00:06:48,690 --> 00:06:50,250 Just remember one thing.
93 00:06:51,090 --> 00:06:55,530 Whatever type of payload you create to be undetectable, it won't last long.
94 00:06:55,800 --> 00:06:59,820 So this is something you will have to experiment with over and over again.
95 00:07:00,570 --> 00:07:06,660 In the next video, we're going to see one of the ways we can mask our payload to look like a different
96 00:07:06,660 --> 00:07:07,210 program.
97 00:07:07,920 --> 00:07:08,550 See you there.