The presentation demonstrates the basics of antivirus evasion for payloads created with Metasploit. The aim of this presentation is to aid penetration testers during a professional VAPT engagement, and it is for educational purposes only.
1. BASIC METERPRETER EVASION
By: Nipun Jaswal
• Technical Director, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Author of Mastering Metasploit & Metasploit Bootcamp
2. #WHOAMI
• 10+ years in IT Security
• Author of Mastering Metasploit (First, Second and CN Editions) & "Metasploit Bootcamp"
• Technical Director, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking
• Can code in 15+ programming languages; 20 Halls of Fame including Offensive Security, AT&T, Facebook, Apple etc.
• Worked globally with various law enforcement agencies
3. WHAT WILL WE LEARN TODAY?
BYPASS SIGNATURE DETECTION
• Changing the known signatures for malware
• Making use of shellcode instead of conventional executables
• Using encoding wrappers for bypassing detections
BYPASS DYNAMIC ANALYSIS
• Using SSL to defeat network behavior analysis
• Using popular yet self-signed certificates to whitelist communication
• Using Microsoft utilities to bypass application whitelisting
17. Let's check AV detection status…
• 3/39 AVs detect the backdoor as malicious
• By simply replacing the executable with shellcode we dropped 27 antivirus detections
29. Let's check AV detection status…
• 0/39 AVs detect the backdoor as malicious
• By simply adding support for SSL and using Google's SSL cert (self-signed) we dropped the rest of the 3 as well
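The slides above rely on a self-signed certificate that merely claims a well-known name (Google's) to make the backdoor's TLS traffic look legitimate. From the defender's side, that is the detail to alert on: a certificate whose signature verifies under its own public key while its subject or SAN list claims a watched brand domain. The following Go program is an added example, not code from the deck or its author; the watched-domain list and the constructed test certificate are assumptions used only to exercise the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeSelfSignedCert builds a constructed test certificate (assumption: only
// for exercising the detector) that claims cn but is signed by its own key.
func makeSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	// Template is its own parent, so the result is self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IsSelfSigned reports whether the certificate's own public key verifies its
// signature. CheckSignature is used instead of CheckSignatureFrom because a
// leaf with no CA flag would fail the basic-constraints check there.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// Suspicious flags a self-signed certificate whose CN or any SAN ends with one
// of the watched brand domains; such a cert can never chain to a public CA.
func Suspicious(c *x509.Certificate, watched []string) bool {
	if !IsSelfSigned(c) {
		return false
	}
	names := append([]string{c.Subject.CommonName}, c.DNSNames...)
	for _, n := range names {
		for _, w := range watched {
			if strings.HasSuffix(strings.ToLower(n), strings.ToLower(w)) {
				return true
			}
		}
	}
	return false
}

func main() {
	c, err := makeSelfSignedCert("www.google.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("self-signed brand impersonation:", Suspicious(c, []string{"google.com"}))
}
```

In a real deployment the certificate would come from a TLS-intercepting sensor or a packet capture rather than from makeSelfSignedCert, and a cert that also fails x509.Certificate.Verify against the system roots confirms the finding.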
34. NORTON WILL TAKE YOUR NIGHTS AWAY
Why have I rated Norton as one of the best AV solutions out there?
• Aggressive firewall
• Aggressive behavior detection
• File-info based blocking / file attributes
• Application memory and CPU consumption
35. WHAT DOES IT TAKE TO BYPASS NORTON?
• Fake SSL certificate
• Application whitelisting method
• Delays and continuous process consumption, but not too high
• Patience
36. THANKS
• For more information on AV evasion, refer to "Metasploit Bootcamp" & "Mastering Metasploit"
• Twitter: @nipunjaswal
• FB: @nipunjaswal
• LinkedIn: @nipunjaswal
• http://Amazon.com/authors/nipunjaswal