Hello everybody, and let us continue from where we previously stopped. So, what we did in the previous video is basically we ran this command and we created our Windows payload, or, basically, our Windows reverse shell. So what we want to do right now is, first of all, if you just want to deliver this to someone, there are two things you need to do. Basically, set up a listener on the same port that you specified in the payload. And, of course, you need to have the same IP address as well. And what you want to do next is basically just deliver the payload any way you want: over e-mail, over a USB drive, over some link, or however you want to deliver it. But before we do that, let us see how we can actually craft a little bit better payload. It will not be much better. The real antivirus bypass we will do in the next section, basically, where we will actually code our own tools and actually add the binary in order to prevent antiviruses from actually detecting our program. But since this is a well-known payload that everybody uses, it will be known to the antiviruses.
So, first of all, what you want to do is go to Firefox, and there is a site, as I said in the previous video, which is called VirusTotal, or something like that, which basically allows you... let me just, just type VirusTotal in your Google search bar and it should be the first thing that pops up, I believe. As I said, it is the website that allows us to upload our files, and it will print out a list of how many antiviruses detect that file as a virus. But be careful: if you're creating a serious virus, or a serious payload, or something like that, make sure not to actually use this website, since every time you upload something to this website it gets sent to the antivirus databases. So if you, for example, upload a virus that you created or coded which gets detected by like 2 percent or 3 percent of antiviruses, which is really, really good, in a few days or weeks it actually will be detected by a lot more, since this website actually sends that value of that virus to the databases. And then they update it, and then every other antivirus software will actually start detecting your program as a virus as well. In case it is a virus, of course. So what you want to do right here...
But, first of all, since the payload that we created is just a simple reverse TCP Meterpreter shell which has already been uploaded to this website a thousand times, we can safely upload it, since it will get detected by every antivirus anyway. So where we want to go is navigate to our root directory where we saved the file. So here it is, reverse.exe. The size is 7.2 kilobytes. Then we basically double-click on this file, or we can click on Open, and it will say "Confirm file upload. You have chosen the file named reverse.exe. Do we want to continue?" We click here on Yes, and it will basically upload the file for us. It will scan it. And what it will do is print out all of the antiviruses that do and do not detect this program as a virus. So we can already see that a lot of them detected it. Basically, out of 70, 44 detected it already. Now, all of these that actually didn't detect it, let me just reload this page so it can print those out as well. So we can see the final result is 45/71 antiviruses detected this as a virus. So, if you scroll down to those that didn't really detect it as a virus, you will see that these are not some of the, basically, these are not some of the more known antiviruses. So these, basically, I don't know if they even get updated. Some of these I have never even heard of.
The most known antiviruses are up, and those are the ones that actually detected it, such as BitDefender and Avast. Which, actually, you need to know that BitDefender is probably the best antivirus that you can get for free. It detects a lot of viruses. And, basically, it will be really hard to bypass this antivirus, as I will show you later on. But, for example, Avast, which is I believe one of the most used ones in the world, is actually not that hard to bypass. So what we want to do, so let's check out the result. So, 45/71. So what we want to do right now... First of all, we want to refresh this page, and let us see if we can lower that number even a little bit. So even two or three antiviruses will be good. I mean, it will not be good, but better something than nothing. Right? So let us actually run the same command that we ran before and create a second payload. But before we do that, let us see our available, actually let me just change my directory, our available encoders. So not payloads, we want to go to the encoders. And since we created a 64-bit version of the Meterpreter reverse TCP, we want to go to x64. And as I said, there are not many for this, so we can actually use this one, for example. So let us change to the root directory once again.
And so we do not type the command, let me just find it. OK, so here it is. And what we want to specify is -e, and then I believe /x64/, and then the name of the encoder. I believe it is specified with -e and then after that -i for the number of iterations it should actually pass. So we will specify 5 iterations; I believe that is the default. Now I hope this is the syntax. If it is not, we will have to run the help command in order to see what the correct syntax for this is. But let's see what this will do. Now, if this does work... "skipping invalid encoder". So let me just see, maybe we do not need to specify the .Ruby file... "skipping invalid encoder". So, let us see msfvenom --help. Well, let's see for the encoder: "The encoder to use, use --list encoders to list". So, let us see... msfvenom -c and I believe list, or something like that. So, "attempting to read payload from standard input". We do not want that. "List encoders to list", okay. So what we want to type is msfvenom --list encoders so we can see our available encoders. OK. So let us find the one that we want to use. Now it is this one.
So I didn't need to specify these forward slashes at the beginning; that's why it gave us an error. So let us run the same command once again. Now let's rename this to reverse1.exe so it actually differentiates it from the previous one, and I believe this is the command right now. So, it will use this encoder and it will run through 5 iterations, and you will notice that the file will be a little bit bigger than the previous reverse.exe file. So here we can see that it actually ran through five iterations. Now, if you specify more here it will run through more. Basically, the more the better. But the more iterations you use, the bigger the file will be. So we can see that the payload size is no longer 510 bytes; it is right now 768 bytes. And we can see that if I type ls here, our reverse1.exe is there. So, we used the encoder, and now let us see if it will get the same results as this file right here. So this first file, which is the simplest one, got 45/71. So, let us go back. Just click on this icon right here, which will lead you to the welcome page once again.
And what we want to do right here is basically choose the file as with the previous file, and we want to select reverse1.exe. If I click Open here it will ask us once again if I want to confirm, so click here, OK. And it will upload the file, and let's see how many antiviruses catch it now. Now, it'll still be a big number, but I believe it should be smaller than 45, since this is an available encoder in Metasploit and all the other people use it as well. So it is not that new of a process in order to create an undetectable payload. So, let us see. For now we can see 3/3 antiviruses detected it. Not really sure why it goes this slow; it should go a little bit faster. Maybe it takes more time for antiviruses to detect it. Not really sure why this is really slow for now. So, 5/8 for now. We know that there are around 70, or something like that, 71 antiviruses on this website that actually scan the file that we upload. So, let's hope for a better result than in the previous scan. So for now 18/32 detected. As we can see, it is going. It is still going. I believe that we will not go over 45. So this should be a better result than in the previous scan.
Which means that we were able to actually bypass some of the antiviruses on this website, which is good. So better something than nothing. For now it's 32. Let's see how much this will grow, so we can calculate the exact number of antiviruses that we were able to bypass. So, 35/62. Not really sure why this scan is taking so long. But there is one thing that you might have noticed... let me just try to find it. Never mind. I was trying to find the Avast antivirus. I thought we actually were able to bypass it with this simple encoder, but we were not able to, since it is still detecting it as a virus. So that's good for Avast, but it's still not that good of an antivirus program. Now, I have on my PC both the Avast antivirus and the BitDefender antivirus because I wanted to test something. Basically, BitDefender is a lot better than Avast in my opinion. Now you can use any you want, but as an experienced hacker, you would probably not want to use any at all, since antiviruses only slow down your PC. And if you actually know what to click and what not to click, you really do not need it on your PC. For example, on my laptop I do not have antivirus at all. So let's see how long this will take. We can actually stop it right now.
I believe there are like 4 antiviruses left, which basically leaves us, if all 4 detect it, at 41 out of 70. Which is 4 antiviruses better than the previous scan, which is something, right? So we were able to actually bypass some of the antiviruses. As we can see right now, only 38 detected it out of 67. Now, the last time we had 70 antiviruses, but sometimes it puts more, sometimes it puts less. What matters is that we were able to bypass some of them. But let's see if we can make this number even smaller. So what we want to do, first of all, is use the same file that we actually created, so reverse1.exe, and we want to use a tool that is called hexedit. It opens it as hex code. And what you can do is change the values of it. So we can just open it, let me show you, hexeditor. So, hexeditor and then the name of the file, which in our case is reverse1.exe. And what you will see right here is basically our program in bytes. So, be very careful. I mean, you do not need to be careful, since it takes like two seconds to create this payload. But if you change just one byte that you shouldn't change, your program will not work. Now, there are a few things that we know that we can change, which is basically this right here, which is "This program cannot be run in DOS mode".
So we can change that value, since we know it is a string and it doesn't actually perform anything in the code. It is more like a comment, or something like that. Now, why are we changing that? Well, as I said, how antiviruses work, basically, is they have a huge database, and there they have the signature values of all the viruses. Now, if you just simply change, for example, just one byte, it will be different from the virus that they have in the database. So just changing and switching up simple bytes in our whole program can make you bypass some of the antiviruses. So what you want to do is first navigate right here. You navigate with the arrows, as you can see right here. And once you reach the bytes that actually correspond to this string, you can just type anything here. As we can see while I type here, if we change to the 8 or the D right now, it is changing the values of this string. So if I just go AA AA AA AA, and then DD, and then some random numbers, you will see that the values right here change. I accidentally typed W, which you cannot use in bytes. Basically, you can only use a, b, c, d, e, f and the numbers 1-9 with 0. So let us just use some random ones. So just type right here.
Make sure not to pass the last letter, since if you pass it, basically, you will enter a different part of the code, which can actually make the program not run. Now, this is not the only thing that we can change in this program, but for now it will be good. Now, once we code our own programs I will show you what else you can change in order to bypass more antiviruses. But for now, let's see if I save this, so file name reverse1.exe, and if I close this. So Ctrl+O to save, Enter to select the file name, and Ctrl+X to exit. And now let's see once again: if I open it, you will see this string is no longer there. Now, let's try to upload it once again and see if we get even better results than the last time. So, where we want to go, so go right here once again, choose the file, and we go to reverse1.exe. Open it. We will reuse reverse1.exe since that is the file that we actually changed in the hex editor. So open it. It will ask us these standard questions. Do we want to upload it? We say yes. And right now it will analyze the virus once again. So last time I believe we got like 40 or 38, so let's see if we can get less than 38 right now. Now, what I did right here where I changed that string is also a well-known thing to do, so most of the hackers actually do that as well.
So it is not that big of a thing in order to bypass some of the antiviruses. But it should be good enough to bypass at least some of them, or a few of them. But looking at this, we might actually not bypass any, since it is already at 36. We actually got more that detected it than in the previous scan. So that's a little bit weird, but it happens. So, some antiviruses work weird, but some antiviruses don't work weird. Let's see just how many antiviruses it will scan. If it scans like 70 we might be able to actually bypass like one of them, since last time it only scanned like 68, or 67, or something like that. But right now it only scanned 69 antiviruses; 39/69 detected it. Which is still a bad number, but we actually were able to lower it from the first scan. So those are just some of the simple things to do in order to bypass it. Let us just wait for the scan to finish. So 40/70, that is not that bad. I mean, it is still bad. But if you remember the first one, it was 45/70. So we were able to bypass 5 antiviruses, and that is good enough if the target is using one of those five. So that will be about it for this tutorial on bypassing antiviruses. Now, the more advanced antivirus bypass we will do in the coding section. For now, it is good to only know these simple things.
It will get you only so far, but it is still better than nothing. And in the next video we will actually run this on our Windows 10 machine. We will run the payload that we created. So that will be it for this video, and I hope I see you in the next one. Bye!