PaulDotCom mailing list archives

hiding netcat


From: nils at hemmann.de (Nils)
Date: Wed, 19 May 2010 22:22:40 +0200

Could you please elaborate a bit on this. What do you mean in detail?

I used the "split and search for AV signature" method for nc.exe on 
Windows and it did work.
But for other tools I didn't succeed yet.

Nicholas B. wrote:
I have had issues using these methods with some programs that I've 
attempted to shield from AV.  On occasion I've found that I've needed 
to extend .text section(s) inside of the binaries using lordpe for 
programs like gsecdump in order to get scramblers or encoders to work 
well.

On Wed, May 19, 2010 at 9:20 AM, xgermx <xgermx at gmail.com> wrote:

    I get most things through A/V the same way (be it nc or fgdump).
    I split the executable in half and scan each piece with the A/V. I
    discard the piece that passes and focus on the piece that gets
    flagged. I then split that piece in half and repeat the process. I do
    this multiple times until I'm left with a small amount of code
    responsible for triggering the A/V. I then use a hex editor on the
    original executable to make very small modifications to that specific
    block of code. Usually it only takes a few character changes for the
    A/V not to recognize it anymore. This, in combination with editing the
    PE (I second PE scrambler) rarely fails me.


    On Wed, May 19, 2010 at 1:07 AM, Ali Alhebshi <alialhebshi at gmail.com> wrote:
    > Has anyone succeeded in getting fgdump past AV systems?
    >
    > On Mon, May 17, 2010 at 4:04 PM, bytes abit <bytesabit at gmail.com> wrote:
    >>
    >> Also, as a side note.. perhaps if you want to keep ncat on the system you
    >> could use the "Copy CON" techniques discussed in PDC...
    >> Can't remember the episode, think it was in the 160-170 range...
    >>
    >>
    >>
    >> On Mon, May 17, 2010 at 8:35 AM, Jim Halfpenny
    <jim.halfpenny at gmail.com <mailto:jim.halfpenny at gmail.com>>
    >> wrote:
    >>>
    >>> Hi,
    >>> Busybox provides netcat functionality plus lots more with a small
    >>> footprint. I have not come across any AV software which detects
    >>> busybox as a potentially unwanted program.
    >>>
    >>> Regards,
    >>> Jim
    >>>
    >>> On 16 May 2010 17:49, Chris Teodorski <chris.teodorski at gmail.com> wrote:
    >>> > Thanks to all for the great advice.  I was using NetCat, because I'm
    >>> > putting it on a Teensy++ and I'm very limited in space.  The
    >>> > executable needs to be super small...
    >>> >
    >>> > I followed the article here:
    >>> > http://packetstormsecurity.nl/papers/virus/Taking_Back_Netcat.pdf
    >>> >
    >>> > It seems to have worked.
    >>> >
    >>> > Thanks to all for the help.
    >>> >
    >>> >
    >>> >
    >>> > On Sat, May 15, 2010 at 2:15 PM, Rob Fuller <jd.mubix at gmail.com> wrote:
    >>> >> Just curious, but why are you using Netcat?
    >>> >>
    >>> >>
    >>> >> --
    >>> >> Rob Fuller | Mubix
    >>> >> Room362.com | Hak5.org | TheAcademyPro.com
    >>> >> Ignore this:
    >>> >> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    >>> >>
    >>> >>
    >>> >>
    >>> >> On Sat, May 15, 2010 at 1:02 PM, Professor Thread <professorthread at gmail.com> wrote:
    >>> >>>
    >>> >>> On 05/15/2010 03:08 PM, Chris Teodorski wrote:
    >>> >>>
    >>> >>> All,
    >>> >>>
    >>> >>> Does anyone know a good way to sneak netcat past modern AV?
    >>> >>>
    >>> >>> Chris
    >>> >>>
    >>> >>>
    >>> >>>
    >>> >>> Have you tried nmap's "ncat" version?
    >>> >>>
    >>> >>>
    >>> >>>
    >>> >>> _______________________________________________
    >>> >>> Pauldotcom mailing list
    >>> >>> Pauldotcom at mail.pauldotcom.com
    >>> >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    >>> >>> Main Web Site: http://pauldotcom.com
    >
    >
    > --
    > Ali Al-Hebshi
    >

