Social Engineering Toolkit: Bypassing Antivirus Using Powershell

Wednesday, August 22, 2012

Dan Dieterle


Just when it looked like Anti-Virus was getting the upper hand against the Social Engineering Toolkit…

At the Security BSides conference in Cleveland, David Kennedy the author of SET, showed off some of the program’s new features.

One is a very interesting way to get a remote shell by completely bypassing Anti-Virus using a Windows Powershell attack. Let’s take a quick look at how this works.

  • Fire up SET and pick option number “1” Social Engineering Attacks
  • Select option “10” Powershell Attack Vectors:

  • Next choose number 1, “Powershell Alphanumeric Shellcode Injector”:

Okay, now just enter the IP address of the Backtrack system and the port you want the Windows machine to connect back on. The default, 443, is usually a good choice: an outbound connection to 443 looks like ordinary HTTPS to most egress filters. SET then generates the payload for both 32-bit and 64-bit Windows:

Now that it is done, it gives you the option to start a listener. This sets SET up to receive the incoming connections from the Windows targets. For those familiar with Metasploit, this just starts the standard exploit/multi/handler for the reverse payload. Enter “yes” and choose whether you want a 32- or 64-bit listener.

SET starts up Metasploit, runs the payload handler and waits for an incoming connection:

All we need to do now is retrieve the Powershell code that SET created. It is saved in SET’s Report/Powershell directory.

When you navigate to the directory, you will see both the 32- and 64-bit versions of the Powershell code. If a Windows system runs this code, a reverse session opens to the Backtrack machine. For this example, I will just copy the code:

and paste it into a Windows 7 command prompt:

Once you hit enter, a full remote shell session is created to the Backtrack SET machine:

Game over. The Windows 7 system in this instance was fully updated and was running one of the better anti-virus/internet security suites available. The AV didn’t see a thing. That is not surprising once you look at what the payload does: nothing is written to disk for a file scanner to inspect. The Powershell one-liner allocates memory inside its own process, copies the shellcode in and starts a thread on it, so the only on-host artifact is a powershell.exe command line.

Powershell is installed on almost every Windows box nowadays (it ships with Windows 7 and later), making this a very powerful attack. This is an amazing tool for pentesters, but as usual there are those who will try to use it for evil purposes.

Most likely, you would need to be tricked into running this for the attack to succeed. So, as always, be very careful opening files and links from e-mails and social media messages. Run a browser script-blocking add-on like “NoScript” to stop code from running automatically on visited websites. On the monitoring side, an interactive user almost never launches powershell.exe with a long -EncodedCommand string together with -NonInteractive and -WindowStyle Hidden, so that combination in a process-creation log is worth an alert.
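As an added defender-side example (not part of the original post), the following decodes a `-EncodedCommand` argument from a process command line and flags the in-memory injection indicators this kind of payload carries. The command line it inspects is constructed for the demo, not captured from SET, and the function names are mine.

```powershell
# Added example (not from the original post): decode a PowerShell
# -EncodedCommand argument and flag injection-style API use. The sample
# command line below is constructed for the demo, not captured from SET.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts any prefix of -EncodedCommand down to -e, so match
    # "-<switch> <base64>" and confirm the prefix instead of hardcoding -enc.
    foreach ($m in [regex]::Matches($CommandLine, '[-/](\w+)\s+([A-Za-z0-9+/=]{8,})')) {
        $switch = $m.Groups[1].Value.ToLower()
        if ('encodedcommand'.StartsWith($switch)) {
            try {
                return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value))
            } catch [FormatException] { return $null }
        }
    }
    return $null
}

function Test-InjectionIndicators {
    param([Parameter(Mandatory)][string]$Script)
    # Strings that appear when a script is about to run raw bytes in its own process.
    $Indicators = 'DllImport', 'VirtualAlloc', 'CreateThread', 'WaitForSingleObject',
                  'Marshal\]::Copy', 'GetDelegateForFunctionPointer', '0x[0-9a-f]{2},\s*0x[0-9a-f]{2}'
    $Hits = foreach ($i in $Indicators) { if ($Script -match "(?i)$i") { $i } }
    [pscustomobject]@{
        Suspicious = @($Hits).Count -ge 3
        Hits       = @($Hits)
        Preview    = $Script.Substring(0, [Math]::Min(120, $Script.Length))
    }
}

# Constructed sample of what a process-creation log line might show. The inner
# script only mimics the shape of an injector; its one byte is a no-op "ret".
$Inner = '$k=Add-Type -MemberDefinition ''[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d); [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);'' -Name K -Namespace W -PassThru; $sc=[Byte[]](0xC3); $p=$k::VirtualAlloc(0,1,0x3000,0x40); [Runtime.InteropServices.Marshal]::Copy($sc,0,$p,1); $k::CreateThread(0,0,$p,0,0,0)'
$Enc         = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Inner))
$CommandLine = "powershell.exe -nop -wind hidden -noni -enc $Enc"

$Decoded = ConvertFrom-EncodedCommand $CommandLine
Test-InjectionIndicators $Decoded | Format-List
```

On the constructed line this reports four hits (DllImport, VirtualAlloc, CreateThread and Marshal]::Copy) and marks the command suspicious. Feed it real process-creation events and treat the threshold as a starting point, since legitimate admin scripts occasionally use Add-Type with P/Invoke too.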

Also be very wary of shortened links, especially on Twitter. Recently I saw a shortened link on Twitter that, when unshrunk, was a four-line command to a malware server.

Cross-posted from Cyber Arms

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
