Metasploit, now with Pivot

    • #3937
      RoleReversal
      Participant

      Mubix (Rob Fuller/Room362) has just released a Meterpreter script allowing an active session to download and initiate the recent Cygwin-bundled Metasploit. Get to the script and binary downloads via his blog post.

      I haven’t had a chance to fully play with it yet, but it opens up some interesting possibilities and should definitely come in handy.

    • #25163
      apollo
      Participant

      Let us know!  I’d be interested in what, if anything, it left behind once you were done with it. 

    • #25164
      KrisTeason
      Participant

      This is looking like another promising feature in the framework. Can’t wait for CG to do a blog entry on Carnal0wnage about it -hints-  😉

    • #25165
      Anonymous
      Participant

      We’ll see,

      I’m not a huge fan of putting any binaries on boxes that I’m pretty sure will send an AV alert, though.

    • #25166
      RoleReversal
      Participant

      Chris, good point. I hadn’t looked at using the script in live environments yet, just playing around with my home lab.

      AV coverage appears pretty weak so far, VirusTotal results for the 5MB mini binary currently show 27% flagging as malicious. Coverage is also fairly random, some of the big boys flag it (Kaspersky, MS, Trend) whilst other large AV players treat it as benign (Symantec, McAfee, AVG). Of course heuristic and active scanning may trip other flags as you delve deeper.

      Not sure how this will change in the future as more AV firms get to grips with the release, your mileage may vary...

    • #25167
      Ketchup
      Participant

      I run AVG on most of my machines. I noticed that the mini framework executable itself does not set off the AntiVirus scanner. However, once installed, some of the payloads and exploits start attracting AVG. This must be the heuristics engine at work.

      Arguably, if you have control of the box, you can take a swipe at disabling the AntiVirus prior to uploading msf.  I wonder how Core’s agent gets around AV.  Does anyone know?  Did they make a deal? 😉

    • #25168
      Jhaddix
      Participant

      Couldn’t we obfuscate the binary (or binaries) using garbage insertion, variable renaming, code reordering, encapsulating/encrypting code or data, or branching functions? It’d be a lot of work, but virus writers do it... just an idea...

    • #25169
      UNIX
      Participant

      Often it is already enough to change some “things” by simply using a hex editor to bypass AV software. When the source code is available it is of course even easier to make it undetectable.

    • #25170
      Ketchup
      Participant

      I think that the problem occurs mostly when the mini msf exe is exploded on the other side. At least for me, the AV picks up random .rb files as potentially dangerous files. It basically appears to know that something isn’t right, but doesn’t know exactly what. This is likely the heuristics engine kicking in.

      I think that if you exploit a Linux box and upload a Linux version of msf, you should be golden. On a Windows box with A/V, it really depends on the A/V. I think that the way to go is an agent-based approach like Core does. I believe their agent sits entirely in RAM and just listens for and passes commands.

    • #25171
      hayabusa
      Participant

      I’d agree with Ketchup on this one. Modifying the base exes is easy, as you can quickly do that to pass them by AVs. It’s a pretty common tactic nowadays. I’ve done that with netcat and other tools to insert them through a box I’ve compromised with msf. However, if you want to pivot, you have many more files and such that are involved, and a lot of the AVs are using a more heuristic approach (finally...)

      Pushing a single agent, that gets past the AV, and is capable of performing the same functions, would tend to be both cleaner and easier, and cleanup is simpler, by removing the single agent from disk / memory.

    • #25172
      Jhaddix
      Participant

      Actually I talked to Rob and the removal of certain exploits brings down the virus detection significantly. This in conjunction with flipping some bits on the exe almost makes it perfect.
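
The thread makes two observations worth seeing in code: UNIX’s point that a few bytes changed with a hex editor is often enough to dodge a static signature, and Ketchup’s point that the single bundle passes while the .rb files it unpacks get flagged. The following is an added example, not code from this thread, from Mubix’s script or from Metasploit. Everything in it is constructed: the fake “binary”, the text “modules”, the archive and the signature names are invented for the demo. Signatures are written as hex byte patterns with “??” as a one-byte wildcard, in the style ClamAV uses; the exact/masked split shows why a one-byte edit beats one kind of signature and not the other, and `critical_offsets()` automates the “flip bytes until the scanner stops complaining” search pentesters do by hand.

```python
"""Byte-signature scanning vs. a hex edit, and a bundle vs. its unpacked members.

Added, constructed example: the sample bytes, module texts and signature names
below are made up for illustration and are not real AV signatures."""
from __future__ import annotations

import io
import re
import zipfile

# --- constructed sample "binary": fake headers, a prologue-like run, a string --
BINARY = (
    b"MZ\x90\x00" + b"\x00" * 28                 # fake DOS header, offsets 0-31
    + b"PE\x00\x00"                              # offsets 32-35
    + b"\x55\x8b\xec\x83\xec\x40\x56\x57"        # prologue-like bytes, 36-43
    + b"Meterpreter payload stub\x00"            # distinctive string, 44-68
    + b"\x90" * 16                               # padding, 69-84
)

# Constructed text "modules" that a bundle would unpack on the target.
MODULES = {
    "lib/rex/sample.rb": b"# sample\nclass Sample; def run; puts 'Rex::Exploitation demo'; end; end\n",
    "modules/sample.rb": b"require 'msf/core'\nclass Metasploit3 < Msf::Exploit::Remote\nend\n",
    "README": b"nothing to see here\n",
}

# Constructed signatures: name -> hex pattern, "??" wildcards one byte.
SIGNATURES = {
    "Exact.StubString": b"Meterpreter payload stub".hex(),
    "Masked.Prologue": "558bec83ec??5657",      # frame size byte wildcarded
    "Text.MsfCore": b"require 'msf/core'".hex(),
    "Text.RexExploit": b"Rex::Exploitation".hex(),
}


def compile_signature(hexsig: str) -> re.Pattern:
    """Turn a hex signature with '??' wildcards into a compiled bytes regex."""
    parts = []
    for i in range(0, len(hexsig), 2):
        tok = hexsig[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan(data: bytes) -> list[str]:
    """Names of every signature that matches somewhere in data, sorted."""
    return sorted(name for name, pat in COMPILED.items() if pat.search(data))


def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """The 'hex editor' step: overwrite one byte and return the new image."""
    buf = bytearray(data)
    buf[offset] = value
    return bytes(buf)


def critical_offsets(data: bytes, signature: str) -> list[int]:
    """Offsets where changing the byte makes the named signature stop matching.

    For an exact signature every byte of the match is critical; for a masked
    signature only the non-wildcard bytes are, so a lucky hex edit in the
    wildcarded position changes nothing."""
    pat = COMPILED[signature]
    return [off for off in range(len(data))
            if not pat.search(patch_byte(data, off, data[off] ^ 0xFF))]


def build_bundle() -> bytes:
    """Pack the modules into an in-memory deflated zip, standing in for the bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in MODULES.items():
            zf.writestr(name, content)
    return buf.getvalue()


def scan_bundle(bundle: bytes) -> dict[str, list[str]]:
    """Scan the archive as one blob, then each member after extraction.

    Deflate rewrites the bytes, so text signatures miss the archive itself;
    they hit once the members are unpacked, which is what the thread observed."""
    results = {"<archive>": scan(bundle)}
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for name in zf.namelist():
            results[name] = scan(zf.read(name))
    return results


def demo() -> dict:
    """Run the experiments and return the results for inspection."""
    edit_at = BINARY.index(b"Meterpreter") + 3          # inside the ASCII string
    return {
        "clean": scan(BINARY),
        "edited": scan(patch_byte(BINARY, edit_at, ord("X"))),
        "exact_critical": critical_offsets(BINARY, "Exact.StubString"),
        "masked_critical": critical_offsets(BINARY, "Masked.Prologue"),
        "bundle": scan_bundle(build_bundle()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things fall out of running it. The one-byte edit removes the exact string signature but leaves the masked prologue signature intact, and `critical_offsets()` shows why: the masked pattern only depends on seven of its eight bytes, so edits have to land on those. And the archive scan comes back empty while two of the three unpacked members are flagged, which is exactly the “exe passes, exploded .rb files trip the scanner” behaviour described above; a real heuristics engine adds behaviour and structure checks on top of patterns like these, so treat this as the floor, not the ceiling, of what will fire.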

Copyright ©2021 Caendra, Inc.