AV Evasion Symantec and P4wnP1 USB
April 2019 (956 Words, 6 Minutes)
Simple AV Evasion Symantec and P4wnP1 USB
UPDATE: I’ve included results from some other AV solutions.
Follow on Twitter: https://twitter.com/initroott
I’ve recently converted my sturdy Raspberry Pi Zero W into a bad USB using the P4wnP1 image and toolkit created by mame82. The ultimate goal was to run a remote command shell while evading the latest version of Symantec SEP with full protection enabled. It’s easy to run a remote shell by creating your own payload; however, the advanced features available in Symantec make it difficult to execute, as the SONAR and IPS detection techniques are powerful. You can go far by encrypting the payload and its delivery, since Symantec will then be unable to analyse it. The brilliant article by Erik outlines how the SSL certificate can be a give-away, as portions of it are not encrypted and look illegitimate.
Some articles to read beforehand on evading detection:
With my setup I have the following to complete the tutorial below:
- Raspberry Pi Zero W and SD card
- Pi Zero W USB-A add-on board (https://www.amazon.com/MakerFocus-Raspberry-Required-Provide-Connector/dp/B077W69CD1 and http://www.raspberrypiwiki.com/index.php/Raspberry_Pi_Zero_W_USB-A_Addon_Board)
- Laptop used as the attacking machine; its IP address in this tutorial is 192.168.1.106.
- Windows 10 machine with full Symantec SEP enabled
Overall Setup
P4wnP1
I won’t cover the P4wnP1 USB setup, as this has been covered in several articles. Have a look at the official Git repository https://github.com/mame82/P4wnP1_aloa and the wiki https://p4wnp1.readthedocs.io/en/latest/.
Some notes on the setup; I’ve changed the following important settings:
- Hotspot name
- USB HID attack script, discussed below
Some pictures of the final device, ready for action.