1 of 1

Bypass AV Software by Obfuscating Your Payloads

It's exciting to get that reverse shell or execute a payload, but sometimes these things don't work as expected when there are certain defenses in play. One way to get around that issue is by obfuscating the payload, and encoding it using different techniques will usually bring varying degrees of success. Graffiti can make that happen.

Graffiti is a tool that can generate obfuscated payloads using a variety of different encoding techniques. It offers an array of one-liners and shells in languages such as Python, Perl, PHP, Batch, PowerShell, and Bash. Payloads can be encoded using base64, hex, and AES256, among others. It also features two modes of operation: command-line mode and interactive mode.

Other useful features of Graffiti include the ability to create your own payload files, terminal history, option to run native OS commands, and tab-completion in interactive mode. Graffiti should work out of the box on Linux, Mac, and Windows, and it can be installed to the system as an executable on both Linux and Mac. We will be using Kali Linux to explore the tool below.

Setup & Installation

To get started, let's clone into the using the git command:

Next, change into the new directory:

And list the contents to verify everything is there:

We can run the tool with the python command — let's see the help menu by tacking on the -h switch:

Here, we get its usage information and optional arguments that are available.

An easier way to use Graffiti is to install it onto the system. That way, we don't need to be in the directory to run it — it can be executed from anywhere. Simply launch the install script to begin:

It tells us we need to run the source command on our bash profile to complete the installation — the source command basically loads any functions in the current shell:

Now we should be able to run the tool from anywhere by typing graffiti in the terminal:

Option 1: Use Graffiti in Command-Line Mode

The first way to run Graffiti is in normal command-line mode. All we have to do is pass the arguments after the command, just like you would with any other tool or script. For example, we can list all available with the -l switch:

We can see there are options for , Python shells, and many others, separated between Windows and Linux.

We can use the -Vc option to view the available encoders and the corresponding languages they're available for:

The -p switch is the bread and butter of Graffiti — use it to specify a payload, followed by -c to specify the encoding technique, and finally -lH and -lP to set the listening address and port, respectively. Here is a Python reverse shell in raw format, meaning no encoding:

That will spit out the command for the appropriate with all the information filled in. All we need to do at this point is copy and paste.

Let's try another example. Here is that same Python reverse shell encoded in base64:

And again, this time using the AES256 cipher:

Instead of going back and running these commands again, Graffiti keeps a cache of payloads for easy access — use the -vC option to see them:

We can also wipe the history with the -W switch:

Option 2: Use Graffiti in Interactive Mode

The other way to run Graffiti is in its interactive mode, which comes with a built-in terminal environment. Simply run the tool without any arguments to drop in:

If you receive the error above, all you have to do is create a new history file in the appropriate directory — use the touch command like so:

Now when we run it, we successfully enter the interactive mode, which will come with its own prompt:

To see the help menu, type help or ? at the prompt:

We can check if we have the latest version of the tool by running the check command:

It's also useful to know what we have available to us, so we don't need to exit interactive mode or switch to a new tab to run the usual commands. Use the external command to view a list of these:

For instance, we can run a command like uname -a directly from Graffiti's interactive prompt:

The list command will show all the available payloads, much like the -l switch from before:

We can also get information about the payloads with the info command. Unfortunately, it doesn't allow us to single out a payload, instead, listing all of them at once:

To search for a specific payload, use the search command. For example, to search for Python payloads:

We can create a payload with the use command, followed by the desired payload and the type of encoding to use:

It will prompt us for the listening IP address and port, and it will display the command for the reverse shell when it's done.

Similar to Graffiti's command-line mode, we can view a history of cached payloads by using the cached command:

We can also display the command history with the history option:

Finally, to exit interactive mode, simply type exit at the prompt:

Wrapping Up

In this tutorial, we learned how to use a tool called Graffiti to generate obfuscated payloads for use in penetration testing and hacking. First, we set up the tool and installed it onto our system for easy use. Next, we explored the command-line mode and some of the options it has available, including listing payloads, viewing history, and creating payloads encoded in a variety of techniques. We then took a look at the interactive mode and how it can easily be used to generate payloads, all from an interactive prompt.

Getting past defenses with obfuscated payloads has never been easier with Graffiti.