The presentation demonstrates basics of antivirus evasion on the payloads created using metasploit. The aim of this presentation is to aid penetration testers during a professional VAPT and is for educational purposes only.

1. BASIC METERPRETER EVASION
By: Nipun Jaswal
• TechnicalDirector, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Author of Mastering Metasploit & Metasploit Bootcamp

2. • 10+ Years into IT Security
• Author of Mastering Metasploit , First, Second,
CN Edition & “Metasploit Bootcamp”
• Technical Director , Pyramid Cyber and
Forensics
• Chair member, National Cyber Defense and
Research Center
• Known for Exploit Research, Cyber
Surveillance, Cyber Warfare, Wireless
Hacking & Exploitation and Hardware
Hacking
• Can code in 15+ programming languages, 20
Hall of fames including Offensive Security,
AT&T, Facebook, Apple etc
• Worked Globally with various law
enforcement agencies
#WHOAMI

3. WHAT WE WILL LEARN TODAY?
BYPASS SIGNATURE DETECTION
• Changing the Known Signatures
for Malware
• Making use of Shell code instead
of conventional executables
• Using Encoding wrappers for
bypassing detections
BYPASS DYNAMIC ANALYSIS
• Using SSL to defeat Network
behavior analysis
• Using Popular yet self signed
certificates to whitelist
communication
• Using Microsoft utilities to bypass
application whitelisting

4. TOP 3 ANTIVIRUS SOLUTIONS

5. TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection

6. BYPASSING

7. LET’S CREATE A BACKDOOR WITH
METASPLOIT…

8. FAILED SIGNATURE DETECTION…

9. LET’S TRY A .VBS SCRIPT…

10. FAILED SIGNATURE DETECTION…YET AGAIN

11. LET’S CHECK AV
DETECTION STATUS…
• 30/39 AVS DETECT THE
BACKDOOR AS
MALICIOUS
• HOW CAN WE
CIRCUMVENT THIS?

12. LET’S BYPASS SIGNATURE DETECTION WITH
CUSTOMIZED EXECUTABLE

13. LET’S BYPASS SIGNATURE DETECTION WITH
CUSTOMIZED EXECUTABLE (CONT.)

14. LET’S BYPASS SIGNATURE DETECTION WITH
CUSTOMIZED EXECUTABLE (CONT.)

15. LET’S BYPASS SIGNATURE DETECTION WITH
CUSTOMIZED EXECUTABLE (CONT.)

16. LET’S BYPASS SIGNATURE DETECTION WITH
CUSTOMIZED EXECUTABLE (CONT.)

17. Let’s check AV Detection
status…
• 3/39 AVs detect the
backdoor as malicious
• By simply replacing the
executable by
shellcode we dropped
27 antivirus detections

18. LET’S SEE WHAT 360 HAVE TO SAY…

19. TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection

20. LET’S EXECUTE THE APPLICATION…

21. TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection

22. TOP 3 ANTIVIRUS SOLUTIONS

23. BYPASSING

24. AVAST IS A TOUGH NUT TO CRACK…

25. USING SSL TO BYPASS AVAST NETWORK
DETECTION

26. USING SSL TO BYPASS AVAST NETWORK
DETECTION

27. USING SSL TO BYPASS AVAST NETWORK
DETECTION

28. USING SSL TO BYPASS AVAST NETWORK
DETECTION

29. Let’s check AV Detection
status…
• 0/39 AVs detect the
backdoor as malicious
• By simply adding
support for SSL and
using Google’s SSL Cert
(Self Signed) we
dropped rest of the 3 as
well

30. SUCCESS ON AVAST

31. SUCCESS ON AVAST

32. TOP 3 ANTIVIRUS SOLUTIONS

33. BYPASSING

34. NORTON WILL TAKE YOUR NIGHTS AWAY
Why I Have rated Norton as one of
the Best AV Solutions out there?
• Aggressive Firewall
• Aggressive Behavior Detection
• File Info based Blocking / File
Attributes
• Application Memory and CPU
Consumption

35. WHAT DOES IT TAKE TO BYPASS NORTON?
• Fake SSL Certificate
• Application Whitelisting
Method
• Delays and Continuous
Process Consumption, but
not too high.
• Patience

36. THANKS
• For More Information on AV Evasion, refer to “Metasploit
Bootcamp” & “Mastering Metasploit”
• Twitter : @nipunjaswal
• FB : @nipunjaswal
• Linknd : @nipunjaswal
• http://Amazon.com/authors/nipunjaswal