Showing results for tags 'evasion'.
Found 13 results

  1. Condor is a tool created to help pentesters bypass protections like AVs/EDRs/XDRs in the Windows operating system. Condor was developed in Python and has several advantages to help pentesters.
     Benefits:
     • Easy to use
     • Bypasses multiple AVs/EDRs/XDRs
     • Two XOR encryption processes and an obfuscation
     • The generated file is less than 7 MB
     • Uses custom shellcode
     • Fake signature on the executable
  2. Features:
     • Easy to Use: Import a single CNA script before generating shellcode.
     • Dynamic Memory Encryption: Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
     • Code Obfuscation and Encryption: Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).
     • Return Address Spoofing at Execution: Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
     • Sleep Without Sleep: Delayed execution using WaitForSingleObjectEx.
     • RC4 Encryption: All encryption is performed with SystemFunction032.
  3. Details:
     • No CRT functions imported
     • Syscall unhooking using KnownDllUnhook
     • API hashing using the Rotr32 hashing algorithm
     • Payload encryption using RC4; the payload is saved in .rsrc
     • Process injection targeting 'SettingSyncHost.exe'
     • PPID spoofing & BlockDLLs policy using NtCreateUserProcess
     • Stealthy remote process injection: chunking using debugging & NtQueueApcThread for payload execution
  4. A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.
     Features:
     • Easy to Use: Import a single CNA script before generating shellcode.
     • Dynamic Memory Encryption: Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
     • Code Obfuscation and Encryption: Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).
     • Return Address Spoofing at Execution: Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
     • Sleep Without Sleep: Delayed execution using WaitForSingleObjectEx.
     • RC4 Encryption: All encryption is performed with SystemFunction032.
     Known Issues:
     • Not compatible with loaders that rely on the shellcode thread staying alive.
  5. EV is a tool that allows you to craft TCP packets and leverage some well-known TCP/IP packet manipulation techniques to evade IDS devices. It supports the HTTP protocol but unfortunately not HTTPS. The handshake process of TLS is quite complicated and I haven't figured out how to craft TLS packets elegantly. This tool is written in Python and QT5, using Scapy to make packets. So though this software is tested on the Windows platform only, it theoretically works on other platforms like Linux or macOS.
     Fill in the IP, Port, and Payload fields and click the "Send" button to send the TCP packet to the target. You can also set TCP options and the source port. Remember that TCP options are the TCP options supported by Scapy. You can view response packets in the "Received packets" window and click a packet to view it in the "View Received Packet" window. This is implemented with Scapy's sniff() function; it finds packets that match the target IP or are ICMP (so that you can find TTL exceeded packets). However, sniff() sometimes records packets twice, so I strongly recommend users use Wireshark, if you've installed it, to see received packets.
     Request Split: You can use TCP Segmentation and IP Fragmentation to break the TCP packet into pieces and send them to the target. This may defeat IDS devices that don't support TCP/IP reassembly. Increasing the wait time or sending packets out of order may also circumvent IDS devices that have very limited capability in TCP/IP reassembly.
     Sending Distractor Packets: Distractor packets are packets that might be ignored by the target and be recognized by IDS devices. Small TTL distractor packets are packets whose TTL is decremented to 0 between the IDS device and the target. The target will not receive such a packet because it has been dropped before reaching the target, but the IDS might think that the packet arrived at the target. Therefore, sending small TTL distractor packets containing junk data or RST flags may distract the process of reassembling TCP packets, leading to an evasion. Bad Checksum packets are packets with the wrong TCP checksum. Packets with the wrong checksum are ignored by the target, but IDS devices may not calculate the checksum and reassemble all packets directly, which leads to an evasion. Corrupt ACK distractor packets are packets whose ACK field is corrupted. The target ignores such packets because of the wrong ACK field, but the IDS might reassemble all packets directly, which leads to an evasion.
  6. SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
     Why on earth didn't I create a PR to SysWhispers2? The reasons for SysWhispers3 being a standalone version are many, but the most important are:
     • SysWhispers3 is the de-facto "fork" used by Inceptor, and implements some utils classes which are not relevant to the original version of the tool.
     • SysWhispers2 is moving towards supporting NASM compilation (for gcc/mingw), while this version is specifically designed and tested to support MSVC (because Inceptor will stay a Windows-only framework for the near future).
     • SysWhispers3 contains partially implemented features (such as egg-hunting) which would not be sensible to include in the original version of the tool.
  7. SysWhispers helps with AV/EDR evasion by generating header/ASM files implants can use to make direct system calls. All core syscalls are supported and example generated files are available in the example-output/ folder.
     Difference Between SysWhispers 1 and 2: The usage is almost identical to SysWhispers1 but you don't have to specify which versions of Windows to support. Most of the changes are under the hood. It no longer relies on @j00ru's syscall tables and instead uses the "sorting by system call address" technique popularized by @modexpblog. This significantly reduces the size of the syscall stubs. The specific implementation in SysWhispers2 is a variation of @modexpblog's code. One difference is that the function name hashes are randomized on each generation. @ElephantSe4l, who had published this technique earlier, has another implementation based on C++17 which is also worth checking out. The original SysWhispers repository is still up but may be deprecated in the future.
     Introduction: Various security products place hooks in user-mode API functions which allow them to redirect execution flow to their engines and detect suspicious behavior. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by @Cn33liz and his blog post has more technical details worth reading. SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe). The headers will also include the necessary type definitions.
  8. Generating fully undetectable meterpreter custom payloads using msfvenom and a custom loader template. It bypasses the latest Windows Defender running on Windows 10 Pro 1903 (Build 18363.693) with all updates available till 16th of March, 2020.
     Features: There are 2 modules in this tool:
     Undetectable Reverse Shell
     • Doesn't require Admin Privileges to run
     • Bypasses all antiviruses including Windows Defender
     • Just an undetectable meterpreter reverse_shell
     • Migrates automatically to explorer.exe just after running
     • Limitations: Triggers Windows Defender if 'getsystem' is executed using meterpreter; however, the meterpreter session is not lost and the payload exe file is not detected
     Persistent Advanced Reverse Shell
     • Requires Admin Privileges to run
     • Bypasses all antiviruses including Windows Defender
     • Disables Windows Defender permanently using the registry (can't be turned on without changing the registry)
     • Adds all the disks and drives to the Defender exclusion list
     • Runs the meterpreter shell as SYSTEM and adds it to startup
     • Can execute your custom commands before launching the payload (see main.py)
     • All features and limitations of the 1st module
  9. AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques.
     What & Why:
     • When running an exe file made with msfpayload & co, the exe file will often be recognized by the antivirus software
     • AVET is an antivirus evasion tool targeting Windows machines with executable files
     • Assembly shellcodes can be used
     • make_avet can be used for configuring the source code
     • With make_avet you can load ASCII encoded shellcodes from a text file or from a web server; further, it is using an AV evasion technique to avoid sandboxing and emulation
     • For ASCII encoding the shellcode, the tools format.sh and sh_format are included
     • This readme applies to Kali 2 (64bit) and tdm-gcc
     Changelog v2.2 +++ CHANGES +++
     • Generated executables are now named after their build scripts instead of "output.exe".
     • Added "build_script_tester.py", a script which executes all build scripts and fetches error messages.
     • Usage of executables is now echoed to screen.
     • Replaced "avet_fabric.py" with "avet.py". "avet.py" helps new users to configure and build scripts without changing the original build script.
     • New build script structure with tags (tags are only relevant for avet.py).
     • Adjusted setup to work with Kali 2020.1.
     • Updated tdm-gcc to version 9.2.0.
  10. Xencrypt - A PowerShell Script Anti-Virus Evasion Tool
     Tired of wasting lots of time obfuscating PowerShell scripts like invoke-mimikatz only to have them get detected anyway? Wouldn't it be awesome if you could take any script and automatically, and with almost no effort, generate a near-infinite amount of variants in order to defeat signature-based antivirus detection mechanisms? WELL, NOW YOU CAN! For the low low price of free!
     Xencrypt is a PowerShell crypter that uses AES encryption and Gzip/DEFLATE compression to generate, with every invocation, a completely unique yet functionally equivalent output script given any input script. It does this by compressing and encrypting the input script and storing this data as a payload in a new script which will decrypt and decompress the payload before running it. In essence, it is to PowerShell what a PE crypter is.
     Features. Xencrypt:
     • Bypasses AMSI and all modern AVs in use on VirusTotal (as of writing)
     • Compresses and encrypts PowerShell scripts
     • Has a minimal and often even negative (thanks to the compression) overhead
     • Randomizes variable names to further obfuscate the decrypter stub
     • Randomizes encryption, compression and even the order that the statements appear in the code for maximum entropy!
     • Super easy to modify to create your own crypter variant
     • Supports recursive layering (crypter crypting the crypted output), tested up to 500 layers
     • Supports Import-Module as well as standard running as long as the input script also supported it
     • GPLv3 -- Free and open-source!
     • All features in a single file so you can take it with you anywhere!
     • Is, despite all of the above, not a silver bullet for every configuration -- caveat emptor!
  11. PHANTOM EVASION 3.0 - Python AV evasion tool capable of generating FUD executables
     Phantom-Evasion is an antivirus evasion tool written in Python (compatible with both Python 2 and Python 3) capable of generating (almost) fully undetectable executables even with the most common x86 msfvenom payload.
     The following OSs officially support automatic setup:
     • Kali Linux
     • Parrot Security
     The following OSs likely support automatic setup but require manual installation of metasploit-framework:
     • OSX (tested on Catalina)
     • Ubuntu
     • Linux Mint
     • Elementary
     • Deepin
     • other Debian distros
     • Centos
     • Fedora
     • Blackarch
     The following OSs require manual setup:
     • Windows 10
     Simply git clone or download and unzip the Phantom-Evasion folder.
  12. Video: [Hidden Content] Tools: [Hidden Content]
  13. Hi, I just want to say that I was on another forum (the one with two letters), HF, for 3 years and always made clean posts and always stayed in my place, and I tried to open my account this week and nothing. So I wrote them to say I was never banned, but this guy who I was talking with by mail told me "ban evasion", no explanation, nothing. I used to buy a few tools there but ...... I just want to say I think he knows everything about hacking and programming but he can't figure out that I was never banned. For me he is just a CLOWN and we are in a better forum here. Thanks to level23, and for that clown on HF.