of CSE, Chalapathi Engineering College, Guntur, Andhra Pradesh, India.
The aim of this work is to provide
and a comparison of some methods for creating malicious payloads or shellcode. These payloads create remote access between the victim's operating system and the attacker's operating system and, once the connection is successfully established, we can access
security systems available on the operating system and antivirus systems. invisible
simultaneously to several security systems
The systems that we want to bypass are mainly present in Windows operating
Metasploit is a penetration testing tool used for developing and executing exploits against a remote target operating system. It is a sub-project of the Metasploit network, an operating-system security project that provides information about security vulnerabilities in
Metasploit has the world's largest database of public, tested exploits. In a few words, Metasploit can be used to test the vulnerabilities of Windows systems in order to protect them and, on the other hand, it can also be used to break into remote systems.
Meterpreter is a key that unlocks the Metasploit Network, allowing Metasploit functionality in it and further
target. Some of the functions included in it cover your tracks; it can also target memory data, dump hashes, access operating systems, and much more.
Meterpreter is the most important tool in Metasploit and serves well as a payload after a vulnerability is exploited. For example, when a loophole is found, it is possible to run the exploit and select Meterpreter as the payload, so that a Meterpreter shell is created on the system and the attacker can then execute shell commands
TheFatRat is a tool to generate backdoors with msfvenom, which is part of Metasploit as explained above. This tool compiles a virus with popular payloads, and the compiled malware can then be executed on Windows, Android or Mac. The virus created with this tool also offers the ability to bypass most antivirus software protections.
Metasploit, offering an easier and more intuitive command-line interface for using Msfconsole or creating a backdoor or a listener;
Searchsploit, for easily finding a
PwnWind, for creating some kinds of fully undetectable (FUD) backdoor
To install this tool, it is necessary to download its project from GitHub and execute its Python script. After that, it checks some requirements and dependencies; in some cases, it directly installs the tools that are not yet present on the machine, but if Kali Linux is used, most of these requirements are already satisfied.
Creating a FUD backdoor
To create a FUD backdoor, there are two choices. In either case, results are saved into a TheFatRat folder, where it is also possible to change the default icon image to associate with
Option number 2 of the TheFatRat interface, "Create a FUD 100% backdoor", involves creating a backdoor by compiling a C program with a Meterpreter reverse_tcp payload. Furthermore, to make it harder to trace, it is possible to enable the corresponding FUD option.
Option number 6 of the TheFatRat interface, "Create FUD backdoor 1000% FUD with PwnWind", involves the additional use of PwnWind, which allows creating FUD shellcode in different
For this case study, the chosen payloads are:
1. id 2: exe file with reverse_tcp payload (most powerful
2. id 21: exe file with reverse_tcp payload FUD;
3. id 62: exe file with C# + PowerShell FUD;
4. id 63: exe file with Apache + PowerShell FUD;
5. id 64: exe file with C + PowerShell.
Payloads will be identified by their id number.
These payloads have been tested on all of the Windows machines proposed (Windows 8.1/10, 32/64 bit), obtaining the same results.
In the last cases, the executable was blocked by the operating system's SmartScreen, which carries out some checks on files downloaded from the Internet. These payloads were passed to the testing virtual machines by downloading them from OneDrive, Dropbox and Google Drive and running them by double-clicking in the operating system. If the payloads are executed through the command line, the operating system's SmartScreen does not block their execution. In this way, its protection has been bypassed.
If these payloads are passed via a shared folder or a USB drive, the operating system's SmartScreen has no control over them, allowing the virus to run even by double-clicking on it
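The difference in behaviour described above (screened when downloaded from the Internet, not screened when copied from a share or a USB drive) comes from the Mark-of-the-Web: browsers and cloud-sync clients write a `Zone.Identifier` alternate data stream on downloaded files, and the Explorer shell consults it when the file is launched by double-click, which is also why launching from a command prompt sidesteps the check. Copies over SMB shares or from FAT-formatted removable media typically carry no such stream. The following is an added auditing example, not code from the paper or from TheFatRat: it parses the stream's INI-style body and reports which files would be screened. The sample stream and the `example.invalid` URLs are constructed; the assumption that ZoneId 3 (Internet) and 4 (Restricted) are the screened zones reflects the standard URL security zone numbering.

```python
import sys

# Standard Windows URL security zone numbers (LocalMachine .. RestrictedSites).
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}

# Constructed sample of a Zone.Identifier stream as written by a browser
# after a download (URLs are placeholders, not real hosts).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/share\r\n"
    "HostUrl=https://example.invalid/files/tool.exe\r\n"
)


def parse_zone_identifier(text):
    """Parse the body of a Zone.Identifier stream.

    Returns a dict with zone_id (int or None), referrer_url and host_url.
    Only keys inside the [ZoneTransfer] section are honoured.
    """
    result = {"zone_id": None, "referrer_url": None, "host_url": None}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            try:
                result["zone_id"] = int(value)
            except ValueError:
                pass  # malformed value: treat as unmarked rather than guessing
        elif key == "referrerurl":
            result["referrer_url"] = value
        elif key == "hosturl":
            result["host_url"] = value
    return result


def would_smartscreen_check(zone_id):
    """Assumption: Explorer's SmartScreen file check applies to Internet (3)
    and RestrictedSites (4); a missing mark or a local zone is not screened."""
    return zone_id in (3, 4)


def read_motw(path):
    """Read the Zone.Identifier ADS (NTFS on Windows). Returns None when the
    stream is absent or the platform/filesystem does not support streams."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def audit(paths):
    """For each path, return (path, zone_name_or_None, screened_bool)."""
    rows = []
    for p in paths:
        body = read_motw(p)
        zid = parse_zone_identifier(body)["zone_id"] if body is not None else None
        rows.append((p, ZONE_NAMES.get(zid), would_smartscreen_check(zid)))
    return rows


if __name__ == "__main__":
    # Offline demonstration on the constructed stream, then any real paths given.
    parsed = parse_zone_identifier(SAMPLE_STREAM)
    print("sample:", parsed, "screened:", would_smartscreen_check(parsed["zone_id"]))
    for path, zone, screened in audit(sys.argv[1:]):
        print(f"{path}: zone={zone} screened={screened}")
```

Run it on Windows with file paths as arguments to list which files carry a mark that triggers SmartScreen; a file that arrived by USB or share shows `zone=None screened=False`, which is exactly the gap the paper observes and the reason defenders rely on endpoint controls rather than SmartScreen alone for such files.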
In this case study, different tools and methodologies have been shown for creating shellcode and Windows executables that try to evade some security systems such as antivirus systems and pre-installed Windows systems
Looking at an overview of the results obtained, we note that TheFatRat gives the best results, creating a fully undetectable payload (exe file with C# and PowerShell) that is recognized only by Kaspersky antivirus. So, in a social engineering scenario, this payload would easily bypass all the security systems installed on a victim machine. If a virus is downloaded from a link or a website and executed by clicking on it, only the operating system's SmartScreen can recognize it as a virus, and bypassing this defense can be seen as a future development
Student, Dept. of CSE
Chalapathi Engineering College (Lam), Guntur
Student, Dept. of CSE
Engineering College (Lam), Guntur