The presentation demonstrates the basics of antivirus evasion for payloads created using Metasploit. The aim of this presentation is to aid penetration testers during a professional VAPT; it is for educational purposes only.
1. BASIC METERPRETER EVASION
By: Nipun Jaswal
• Technical Director, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Author of Mastering Metasploit & Metasploit Bootcamp
2. #WHOAMI
• 10+ years in IT Security
• Author of Mastering Metasploit (First, Second and CN Editions) & “Metasploit Bootcamp”
• Technical Director, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking
• Can code in 15+ programming languages; 20 Hall of Fame entries including Offensive Security, AT&T, Facebook, Apple etc.
• Worked globally with various law enforcement agencies
3. WHAT WE WILL LEARN TODAY
BYPASS SIGNATURE DETECTION
• Changing the known signatures for malware
• Making use of shellcode instead of conventional executables
• Using encoding wrappers to bypass detections
BYPASS DYNAMIC ANALYSIS
• Using SSL to defeat network behavior analysis
• Using popular yet self-signed certificates to whitelist communication
• Using Microsoft utilities to bypass application whitelisting
17. Let’s check AV detection status…
• 3/39 AVs detect the backdoor as malicious
• By simply replacing the executable with shellcode we dropped 27 antivirus detections
29. Let’s check AV detection status…
• 0/39 AVs detect the backdoor as malicious
• By simply adding support for SSL and using Google’s SSL cert (self-signed) we dropped the remaining 3 as well
34. NORTON WILL TAKE YOUR NIGHTS AWAY
Why I have rated Norton as one of the best AV solutions out there:
• Aggressive firewall
• Aggressive behavior detection
• File-info based blocking / file attributes
• Application memory and CPU consumption
35. WHAT DOES IT TAKE TO BYPASS NORTON?
• Fake SSL certificate
• Application whitelisting method
• Delays and continuous process consumption, but not too high
• Patience
36. THANKS
• For more information on AV evasion, refer to “Metasploit Bootcamp” & “Mastering Metasploit”
• Twitter: @nipunjaswal
• FB: @nipunjaswal
• LinkedIn: @nipunjaswal
• http://Amazon.com/authors/nipunjaswal