detect it.
To evade antivirus, we can create unique payloads to run on an antivirus
software–protected system that will not match any of the available signatures.
In addition, when we’re performing direct exploits on a system, Metasploit
payloads are designed to run in memoryand never to write data to the hard
disk. When we send a payload as part of an exploit, mostantivirus programs
will not detect that it has been run on the target.
Creating Stand-Alone Binaries with MSFpayload
Evading Antivirus DetectionEncoding with MSFencode
One of the best ways to avoid being stopped by antivirus software is to encode
our payload with msfencode. Msfencodeis a useful tool that alters the code in an
executable so that it looks different to antivirus software but will still run the
same way. Much as the binary attachment in email is encoded in Base64,
msfencodeencodes the original executable in a new binary. Then, when the
executable is run, msfencodedecodes the original code into memory and exe-cutes it.
Unfortunately, after the payload2.exefile is copied over to the
Windows system, AVG detects our encoded payload yet again
Multi-encoding
In the preceding example, the shikata_ga_naiencoding is polymorphic,
meaning that the payload will change eachtime the script is run. Of course,
the payload that an antivirus product will flag is a mystery: Every time you
generate a payload, the same antivirus program can flag it once and miss it
another time.
It is recommended that you test yourscript using an evaluation version
of a product to see if it bypasses the antivirus software prior to using it in a
penetration test. Here’s an example of using multiple encoding passes:
Custom Executable Templates
Typically, when msfencodeis run, the payload is embedded into the default
executable template at data/templates/template.exe. Although this template is
changed on occasion, antivirus vendors still look for it when building signa-tures. However, msfencodenow supports the use of any Windows executable
in place of the default executable template via the -xoption. In the follow-ing example, we encode our payload again using the Process Explorer from
Microsoft’s Sysinternals Suite asa custom-executable template.
Launching a Payload Stealthily
(This option may not work with all executables, so be sure to testyours before deployment.)
When choosing to embed a payload in an executable, you should con-sider using GUI-based applicationsif you’re not specifying the -kflag. If you
embed a payload into a console-based application, when the payload is run,
it will display a console window that won’t close until you’re finished using
the payload. If you choose a GUI-based application and do not specify the -k
flag, when the payload is executed, the target will not see a console window.
Paying attention to these little details can help you remain stealthy during an
engagement.
Packers
NOTE The PolyPack project (http://jon.oberheide.org/files/woot09-polypack.pdf)
shows the results of packing known malicious binaries with various packers and the
effectiveness of antivirus detection before and after the packing process.
MSF VENOM
In this chapter we cover only the msfpayloadand msfencodeutilities, but there is an
additional tool called msfvenomthat combines the functionalities of msfpayloadand
msfencodein a simpler-to-use interface. Msfvenomis not covered in detail in this book
(see Appendix B), but it should be very easy to use after you become familiar with
msfpayloadand msfencode.
A Final Note on Antivirus Software Evasion
The world of antivirus software moves very quickly, even by Internet stan-dards. As of this writing, the methods and processes documented in this
chapter work successfully; however, experience has shown that even a few
months can bring major changes in how antivirus evasion is accomplished.
Although the Metasploit team is constantly tweaking its payloads and attempts
to stay one step ahead of detection algorithms, don’t be surprised if by
the time you work through these examples, some work and some do not.
When you’re attempting antivirus evasion, consider using multiple packers
or encoders, as mentioned, or write your own. Antivirus evasion, like all pen-etration testing skills, needs to be practiced and requires dedicated research
to help you ensure success in your engagements.
沒有留言:
張貼留言