SlideShare una empresa de Scribd logo

Basics of Meterpreter Evasion

Nipun Jaswal
Nipun Jaswal

The presentation demonstrates basics of antivirus evasion on the payloads created using metasploit. The aim of this presentation is to aid penetration testers during a professional VAPT and is for educational purposes only.

Tecnología
1 de 36
Descargar para leer sin conexión
BASIC METERPRETER EVASION By: Nipun Jaswal • TechnicalDirector, Pyramid Cyber and Forensics • Chair Member, National Cyber Defense and Research Center • Author of Mastering Metasploit & Metasploit Bootcamp
• 10+ Years into IT Security • Author of Mastering Metasploit , First, Second, CN Edition & “Metasploit Bootcamp” • Technical Director , Pyramid Cyber and Forensics • Chair member, National Cyber Defense and Research Center • Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking • Can code in 15+ programming languages, 20 Hall of fames including Offensive Security, AT&T, Facebook, Apple etc • Worked Globally with various law enforcement agencies #WHOAMI
WHAT WE WILL LEARN TODAY? BYPASS SIGNATURE DETECTION • Changing the Known Signatures for Malware • Making use of Shell code instead of conventional executables • Using Encoding wrappers for bypassing detections BYPASS DYNAMIC ANALYSIS • Using SSL to defeat Network behavior analysis • Using Popular yet self signed certificates to whitelist communication • Using Microsoft utilities to bypass application whitelisting
TOP 3 ANTIVIRUS SOLUTIONS
TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
BYPASSING
LET’S CREATE A BACKDOOR WITH METASPLOIT…
FAILED SIGNATURE DETECTION…
LET’S TRY A .VBS SCRIPT…
FAILED SIGNATURE DETECTION…YET AGAIN
LET’S CHECK AV DETECTION STATUS… • 30/39 AVS DETECT THE BACKDOOR AS MALICIOUS • HOW CAN WE CIRCUMVENT THIS?
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
Let’s check AV Detection status… • 3/39 AVs detect the backdoor as malicious • By simply replacing the executable by shellcode we dropped 27 antivirus detections
LET’S SEE WHAT 360 HAVE TO SAY…
TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
LET’S EXECUTE THE APPLICATION…
TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
TOP 3 ANTIVIRUS SOLUTIONS
BYPASSING
AVAST IS A TOUGH NUT TO CRACK…
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
Let’s check AV Detection status… • 0/39 AVs detect the backdoor as malicious • By simply adding support for SSL and using Google’s SSL Cert (Self Signed) we dropped rest of the 3 as well
SUCCESS ON AVAST
SUCCESS ON AVAST
TOP 3 ANTIVIRUS SOLUTIONS
BYPASSING
NORTON WILL TAKE YOUR NIGHTS AWAY Why I Have rated Norton as one of the Best AV Solutions out there? • Aggressive Firewall • Aggressive Behavior Detection • File Info based Blocking / File Attributes • Application Memory and CPU Consumption
WHAT DOES IT TAKE TO BYPASS NORTON? • Fake SSL Certificate • Application Whitelisting Method • Delays and Continuous Process Consumption, but not too high. • Patience
THANKS • For More Information on AV Evasion, refer to “Metasploit Bootcamp” & “Mastering Metasploit” • Twitter : @nipunjaswal • FB : @nipunjaswal • Linknd : @nipunjaswal • http://Amazon.com/authors/nipunjaswal

Recomendados

Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebNipun Jaswal
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profitNipun Jaswal
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Stranger Danger (NodeSummit, 2016)
Stranger Danger (NodeSummit, 2016)Stranger Danger (NodeSummit, 2016)
Stranger Danger (NodeSummit, 2016)Guy Podjarny
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...Imperva Incapsula
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 

Recomendados

Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdBeyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. LtdNipun Jaswal
 
Ground Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebGround Zero Training- Metasploit For Web
Ground Zero Training- Metasploit For WebNipun Jaswal
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profitNipun Jaswal
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Stranger Danger (NodeSummit, 2016)
Stranger Danger (NodeSummit, 2016)Stranger Danger (NodeSummit, 2016)
Stranger Danger (NodeSummit, 2016)Guy Podjarny
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...Imperva Incapsula
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisPriyanka Aash
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open SourcePOSSCON
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteImperva Incapsula
 
Cybereason - behind the HackingTeam infection server
Cybereason - behind the HackingTeam infection serverCybereason - behind the HackingTeam infection server
Cybereason - behind the HackingTeam infection serverAmit Serper
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...North Texas Chapter of the ISSA
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green North Texas Chapter of the ISSA
 
Your internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableYour internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableIIMBNSRCEL
 
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?DevOps.com
 
How to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureHow to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureIIMBNSRCEL
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverPriyanka Aash
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Gareth Davies
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 costSecurity Bootcamp
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 

Más contenido relacionado

La actualidad más candente

Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisPriyanka Aash
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open SourcePOSSCON
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteImperva Incapsula
 
Cybereason - behind the HackingTeam infection server
Cybereason - behind the HackingTeam infection serverCybereason - behind the HackingTeam infection server
Cybereason - behind the HackingTeam infection serverAmit Serper
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...North Texas Chapter of the ISSA
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green North Texas Chapter of the ISSA
 
Your internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableYour internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableIIMBNSRCEL
 
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?DevOps.com
 
How to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureHow to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureIIMBNSRCEL
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverPriyanka Aash
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Gareth Davies
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 costSecurity Bootcamp
 

La actualidad más candente (20)

Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet Analysis
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open Source
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
 
Cybereason - behind the HackingTeam infection server
Cybereason - behind the HackingTeam infection serverCybereason - behind the HackingTeam infection server
Cybereason - behind the HackingTeam infection server
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
 
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
 
Your internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableYour internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerable
 
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?There’s an OpenBullet Attack Config for Your Site – What Should You Do?
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
 
How to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureHow to-become-secure-and-stay-secure
How to-become-secure-and-stay-secure
 
Dev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeoverDev secops on the offense automating amazon web services account takeover
Dev secops on the offense automating amazon web services account takeover
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 cost
 

Similar a Basics of Meterpreter Evasion

Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
How i'm going to own your organization v2
How i'm going to own your organization v2How i'm going to own your organization v2
How i'm going to own your organization v2RazorEQX
 
Demystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsDemystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsMichele Chubirka
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Hacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical HackingHacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical HackingRavi Sankar
 
AI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat DetectionAI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat DetectionDatabricks
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapFelipe Prado
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersFelipe Prado
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud ComputingKeet Sugathadasa
 
How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks
How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its TracksHow to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks
How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its TracksAlienVault
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 

Similar a Basics of Meterpreter Evasion (20)

Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
Talos
TalosTalos
Talos
 
How i'm going to own your organization v2
How i'm going to own your organization v2How i'm going to own your organization v2
How i'm going to own your organization v2
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Demystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsDemystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source Options
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Hacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical HackingHacktrikz - Introduction to Information Security & Ethical Hacking
Hacktrikz - Introduction to Information Security & Ethical Hacking
 
AI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat DetectionAI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat Detection
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
 
How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks
How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its TracksHow to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks
How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 

Último

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Último (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Basics of Meterpreter Evasion

  • 1. BASIC METERPRETER EVASION By: Nipun Jaswal • TechnicalDirector, Pyramid Cyber and Forensics • Chair Member, National Cyber Defense and Research Center • Author of Mastering Metasploit & Metasploit Bootcamp
  • 2. • 10+ Years into IT Security • Author of Mastering Metasploit , First, Second, CN Edition & “Metasploit Bootcamp” • Technical Director , Pyramid Cyber and Forensics • Chair member, National Cyber Defense and Research Center • Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking • Can code in 15+ programming languages, 20 Hall of fames including Offensive Security, AT&T, Facebook, Apple etc • Worked Globally with various law enforcement agencies #WHOAMI
  • 3. WHAT WE WILL LEARN TODAY? BYPASS SIGNATURE DETECTION • Changing the Known Signatures for Malware • Making use of Shell code instead of conventional executables • Using Encoding wrappers for bypassing detections BYPASS DYNAMIC ANALYSIS • Using SSL to defeat Network behavior analysis • Using Popular yet self signed certificates to whitelist communication • Using Microsoft utilities to bypass application whitelisting
  • 4. TOP 3 ANTIVIRUS SOLUTIONS
  • 5. TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
  • 7. LET’S CREATE A BACKDOOR WITH METASPLOIT…
  • 9. LET’S TRY A .VBS SCRIPT…
  • 11. LET’S CHECK AV DETECTION STATUS… • 30/39 AVS DETECT THE BACKDOOR AS MALICIOUS • HOW CAN WE CIRCUMVENT THIS?
  • 12. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE
  • 13. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  • 14. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  • 15. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  • 16. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  • 17. Let’s check AV Detection status… • 3/39 AVs detect the backdoor as malicious • By simply replacing the executable by shellcode we dropped 27 antivirus detections
  • 18. LET’S SEE WHAT 360 HAVE TO SAY…
  • 19. TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
  • 20. LET’S EXECUTE THE APPLICATION…
  • 21. TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
  • 22. TOP 3 ANTIVIRUS SOLUTIONS
  • 24. AVAST IS A TOUGH NUT TO CRACK…
  • 25. USING SSL TO BYPASS AVAST NETWORK DETECTION
  • 26. USING SSL TO BYPASS AVAST NETWORK DETECTION
  • 27. USING SSL TO BYPASS AVAST NETWORK DETECTION
  • 28. USING SSL TO BYPASS AVAST NETWORK DETECTION
  • 29. Let’s check AV Detection status… • 0/39 AVs detect the backdoor as malicious • By simply adding support for SSL and using Google’s SSL Cert (Self Signed) we dropped rest of the 3 as well
  • 32. TOP 3 ANTIVIRUS SOLUTIONS
  • 34. NORTON WILL TAKE YOUR NIGHTS AWAY Why I Have rated Norton as one of the Best AV Solutions out there? • Aggressive Firewall • Aggressive Behavior Detection • File Info based Blocking / File Attributes • Application Memory and CPU Consumption
  • 35. WHAT DOES IT TAKE TO BYPASS NORTON? • Fake SSL Certificate • Application Whitelisting Method • Delays and Continuous Process Consumption, but not too high. • Patience
  • 36. THANKS • For More Information on AV Evasion, refer to “Metasploit Bootcamp” & “Mastering Metasploit” • Twitter : @nipunjaswal • FB : @nipunjaswal • Linknd : @nipunjaswal • http://Amazon.com/authors/nipunjaswal