PaulDotCom mailing list archives
hiding netcat
From: nils at hemmann.de (Nils)
Date: Wed, 19 May 2010 22:22:40 +0200
Could you please elaborate a bit on this. What do you mean in detail? I used the "split and search for AV signature" method for nc.exe on Windows and it did work. But for other tools I didn't succeed yet.

Nicholas B. wrote:

I have had issues using these methods with some programs that I've attempted to shield from AV. On occasion I've found that I've needed to extend .text section(s) inside of the binaries using lordpe for programs like gsecdump in order to get scramblers or encoders to work well.

On Wed, May 19, 2010 at 9:20 AM, xgermx <xgermx at gmail.com> wrote:

I get most things through A/V the same way (be it nc or fgdump). I split the executable in half and scan each piece with the A/V. I discard the piece that passes and focus on the piece that gets flagged. I then split that piece in half and repeat the process. I do this multiple times until I'm left with a small amount of code responsible for triggering the A/V. I then use a hex editor on the original executable to make very small modifications to that specific block of code. Usually it only takes a few character changes for the A/V not to recognize it anymore. This, in combination with editing the PE (I second PE scrambler) rarely fails me.

On Wed, May 19, 2010 at 1:07 AM, Ali Alhebshi <alialhebshi at gmail.com> wrote:
> Has anyone succeeded in getting fgdump past AV systems?
>
> On Mon, May 17, 2010 at 4:04 PM, bytes abit <bytesabit at gmail.com> wrote:
>>
>> Also, as a side note.. perhaps if you want to keep ncat on the system you
>> could use the "Copy CON" techniques discussed in PDC...
>> Can't remember the episode, think it was in the 160-170 range...
>>
>> On Mon, May 17, 2010 at 8:35 AM, Jim Halfpenny <jim.halfpenny at gmail.com> wrote:
>>>
>>> Hi,
>>> Busybox provides netcat functionality plus lots more with a small
>>> footprint. I have not come across any AV software which detects
>>> busybox as a potentially unwanted program.
>>>
>>> Regards,
>>> Jim
>>>
>>> On 16 May 2010 17:49, Chris Teodorski <chris.teodorski at gmail.com> wrote:
>>> > Thanks to all for the great advice. I was using NetCat, because I'm
>>> > putting it on a Teensy++ and I'm very limited in space. The
>>> > executable needs to be super small...
>>> >
>>> > I followed the article here:
>>> > http://packetstormsecurity.nl/papers/virus/Taking_Back_Netcat.pdf
>>> >
>>> > It seems to have worked.
>>> >
>>> > Thanks to all for the help.
>>> >
>>> > On Sat, May 15, 2010 at 2:15 PM, Rob Fuller <jd.mubix at gmail.com> wrote:
>>> >> Just curious, but why are you using Netcat?
>>> >>
>>> >> --
>>> >> Rob Fuller | Mubix
>>> >> Room362.com | Hak5.org | TheAcademyPro.com
>>> >> Ignore this:
>>> >> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>>> >>
>>> >> On Sat, May 15, 2010 at 1:02 PM, Professor Thread
>>> >> <professorthread at gmail.com> wrote:
>>> >>>
>>> >>> On 05/15/2010 03:08 PM, Chris Teodorski wrote:
>>> >>>
>>> >>> All,
>>> >>>
>>> >>> Does anyone know a good way to sneak netcat past modern AV?
>>> >>>
>>> >>> Chris
>>> >>>
>>> >>> Have you tried nmap's "ncat" version?
>
> --
> Ali Al-Hebshi

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com