Instructor: Welcome back. In this video, I want to talk about bypassing antivirus, and this video is not going to be that practical. You might be asking why? Well, I could show you a way to bypass antivirus right here in this video, but chances are that will not work once you watch the video in a month or two months or in a year. A fully undetectable payload is not something that lasts forever, especially when I show it inside of something like a course that many people are going to watch. So instead, I would like to tell you about a few different techniques that you can apply to generate an undetectable payload.

So how it all goes. Well, many people start using a payload and sooner or later antiviruses start detecting it as a malicious program. That could be due to people using it a lot, or it could be that some of you uploaded it to VirusTotal and it got sent to all the antivirus vendors. However, let me talk about the rules that you can apply to bypass antivirus.

Now, the best thing that you can do to create a fully undetectable payload is to code your own programs or your own payloads. For example, I coded the backdoor in the C language, and when I scanned it, it was fully undetectable; no antivirus was able to flag it as a malicious program. Then I created a course on creating that backdoor, and soon enough that backdoor was no longer fully undetectable and was getting caught by most antiviruses. It was FUD at first because it was a new payload with new code, or new source code. Once you have unique and different code and you compile it, that code becomes a different binary, which makes it undetectable until many people start using it. So just remember: the best way to create an undetectable payload is to code it yourself in a unique way. However, this requires you to know a programming language, and for many, this will present a problem.

There are other ways as well. So one of them is to update your tools if possible, and you also want to keep an eye out for the tools that are new or the tools that just came out. Why? Well, they might have different payloads that aren't widely used yet, so that is another way that you can do it. You can also try creating different types of payloads. Try out PowerShell payloads, Python payloads, C# payloads. All of them have higher chances of not getting detected.

Another cool thing you can do once you generate your payload is to change its binary a little bit. Let me show you what I mean. We can do this by using a hex editor. So let us just real quick generate a normal windows/meterpreter/reverse_tcp payload. Let us go with LHOST, LPORT, and let's specify the file type to be exe and the output to be shell.exe. Okay, great. This is a regular Meterpreter payload. It gets detected by almost every antivirus in the world. It is, as a matter of fact, the most known payload in the world for malicious activities. But what you can do: if I show you right here the md5sum hash of this payload, you will see it is this one. So some antiviruses work by getting the hash of the executable and storing it in their database. Then once you change this hash, and you change this hash by changing the binary of the program, this hash becomes different and it is no longer inside of the databases of antiviruses.

Let me show you a simple way to change it. So what we can do is we can type hexeditor, which is a tool that is already installed in Kali Linux, and we can specify the payload name. This will open the payload's binary, and here we want to change some of the binary. Just be careful. Don't change something that you don't know what it is, because even changing a single byte right here could result in the program not working if that byte was essential for the program to run. Now, there are a few things right here that we can change for sure, and that is this right here: "This program cannot be run in DOS mode." Now what is this? Well, this is a string. It is nothing really too important for the program, so we can navigate with our arrows and we can change this string. As you can see, when I type hexadecimal right here, it changes the output inside of this right column. So I just type some random hexadecimal numbers and letters to change this. And once you change some of it, this will change colors, and if I go all the way down there is another thing that we can change, and that is this text right here. This is also something that we can change. Just make sure you navigate to the correct line. In my case, I believe it is this one. The text should start with 74, and we can change it to whatever we want. Just once again, make sure you don't go over that word, because changing, for example, this byte right here will result in the program not working. Okay, once you finish this, you can press Ctrl+O to save this.

Now, if you remember how the MD5 hash started before we did this. If I do it again, it is completely different. I believe it started with something like eight three, or I don't even remember, but right now it is completely different. We managed to change the hash of this executable by changing its binary, and this, even though for many antiviruses this is something that will not bypass them. Even if you managed to bypass two or three additional antiviruses, that is good. You did a slight change, so this won't make much of a difference. But everything you can change, you should, since you gain higher chances of bypassing antivirus. As well, if you have, for example, the source code of a payload, what you can do is you can try to change it yourself a little bit. Just add some random functions or make your program not do anything for the first minute or two after running. All of these things can help you bypass antivirus.

Okay, so these are just some of the ways that you can apply next time you create a payload. Just remember one thing: whatever type of payload you create to be undetectable, it won't last long. So this is something you will have to experiment with over and over again. In the next video, we're going to see one of the ways we can mask our payload to look like a different program. See you there.