Monday, 28 January 2019

Avet - AntiVirus Evasion Tool

About Avet - AntiVirus Evasion Tool
   AVET is an AntiVirus Evasion Tool, which was developed to make life easier for pentesters and for experimenting with antivirus evasion techniques. Version 1.3 introduced new features; for a complete overview have a look at the CHANGELOG file.

   For basics about antivirus evasion, AVET and more information, have a look here:
    * PAPER AVET BLACKHAT USA ARSENAL 2018
    * AVET VIDEO
    * AV Evasion
    * Why_Antivirus_Fails_-_Daniel_Sauder.pdf
    * Daniel Sauder | Twitter

   What and why:
    * When running an exe file made with msfpayload, the exe file will often be recognized by the antivirus software.
    * Avet is an antivirus evasion tool targeting Windows machines with executable files.
    * Assembly shellcodes can be used.
    * make_avet can be used for configuring the source code.
    * With make_avet you can load ASCII-encoded shellcodes from a text file or from a webserver; it also uses an AV evasion technique to avoid sandboxing and emulation.
    * Call MSF ASCII-encoded shellcode as a parameter from CMD.
    * For ASCII encoding the shellcode, the tools format.sh and sh_format are included.

Install and run Avet:

Important Note about Avet: Not all techniques will evade every AV engine. If one technique or build script does not work, please test another one.

How to use Avet?
   The purpose of make_avet is to preconfigure a definition file (defs.h) so that the source code can be compiled in the next step. This way the payload is encoded as an ASCII payload or with encoders from Metasploit. You can hardly beat shikata-ga-nai.

   Let's have a look at the options from make_avet; examples are given below:

   Of course it is possible to run all commands step by step from the command line. In the "build" folder you will find preconfigured build scripts for relevant use cases. The build scripts are written so that they have to be called from within the avet directory:
      sudo ./build/build_win32_meterpreter_rev_https_20xshikata.sh

   However, it is strongly recommended to use avet_fabric.py! It makes the tool easier to use.
      The fabric provides a more convenient interface on the command line, where you can choose which build script you want to use. It also gives you the opportunity to alter build scripts on the fly (see below).

      The latter is especially useful as you can define new LHOST and LPORT variables for msfvenom each time you run a build script via the fabric. You can define default LHOST and LPORT values in the /build/global_connect_config.sh file, which are used if you don't redefine them.

      Here's a quick example: sudo python3 avet_fabric.py


Build scripts: Some comments on what each script provides


AVET & metasploit psexec
   New in version 1.2 is support for Metasploit's psexec module. The corresponding make file looks like:

   And on the Metasploit side:

Comparison of Antivirus Evasion tools: AntiVirus Software Evasion: An Evaluation Of The AV Evasion Tools
