AV Bypass

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Tue Mar 12, 2013 8:07 am

AV Bypass

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Mar 12, 2013 8:50 am

Re: AV Bypass

Nice post. I'm getting back into C++ myself and appreciate the sample code.

For whatever reason, Symantec only has an attack signature for Meterpreter's reverse_tcp payload: http://www.symantec.com/security_respon ... ignatures/ It's the stupidest thing in the world. Bind_tcp, reverse_https like you used, etc. work just fine.

Depending on the configuration, you are sometimes unable to disable smc in that manner (I believe this is functionality that can be disabled via the management console), so it's good to know about the alternate payloads.

Also, SEP was catching default msfvenom exes, but using the -t option with pslist.exe got around that. Sometimes it's just too easy.
The day you stop learning is the day you start becoming obsolete.
venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 12, 2013 1:33 pm

Re: AV Bypass

That's funny, I was also on a recent engagement with a similar issue. The client was running SEP with various features enabled. I could get my payload on but the network detection piece would block me each time, and I thought I did try reverse_https as well as others with no luck. I already had credentials at this point so ended up modifying gsecdump and WCE and just used psexec to maneuver around and obtain more credentials :) Worked perfectly.

Nice write-up though, thanks. I'm going to take a closer look at this and do some playing around later.
Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Tue Mar 12, 2013 3:21 pm

Re: AV Bypass

Yeah so... I actually used the reverse_tcp meterpreter payload and not https. Also I didn't stop the Smc.exe process. That is still running.

Stopping the Smc.exe process is <path>\smc -stop

As opposed to a <path>\smc -disable -ntp that targets the ntp. And ntp doesn't stay dead for very long. It comes back online in 5 minutes. I timed it :)

However even when it does it won't kill your meterpreter session :)

I tell you though, I haven't looked at C++ in a while...
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
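The two Smc.exe switches discussed in this thread (-stop and -disable -ntp) are exactly what a defender would want surfaced in process-creation telemetry, since a legitimate administrator rarely runs them outside a change window. The following detection snippet is an added example written for this page, not code from any poster or from Symantec; the tab-separated event lines it scans are constructed to resemble a 4688-style process-creation export and are not real logs, and the field layout, the scan_events/is_smc_tamper function names and the Finding record are assumptions of this example.

```python
"""Flag process-creation events where Symantec's Smc.exe client is invoked
with a switch that stops the client or disables a protection component.
Added defender-side example; the event format is constructed, not a real
Symantec export."""
from dataclasses import dataclass
from typing import List, Optional

# Switches named in the thread: "-stop" stops the client, "-disable" turns
# off a component (e.g. "-disable -ntp"). Both warrant an alert.
TAMPER_SWITCHES = {"-stop", "-disable"}


@dataclass
class Finding:
    timestamp: str
    user: str
    command_line: str
    reason: str


# Constructed sample events: "<timestamp>\t<user>\t<image path>\t<command line>".
# The first two are the tamper cases; the last two are benign controls.
SAMPLE_EVENTS = [
    "2013-03-12T15:21:00Z\tCORP\\alice\tC:\\Program Files\\Symantec\\Smc.exe\tsmc -stop",
    "2013-03-12T15:22:10Z\tCORP\\bob\tC:\\Program Files\\Symantec\\Smc.exe\tsmc -disable -ntp",
    "2013-03-12T15:23:05Z\tNT AUTHORITY\\SYSTEM\tC:\\Program Files\\Symantec\\Smc.exe\tsmc -start",
    "2013-03-12T15:24:00Z\tCORP\\alice\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe smc-notes.txt",
]


def is_smc_tamper(image: str, cmdline: str) -> Optional[str]:
    """Return a reason string when the image is Smc.exe and the command line
    carries a tamper switch; otherwise None. Matching is on the image basename
    (case-insensitive) so an argument like 'smc-notes.txt' passed to another
    program is not mistaken for the client binary."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename != "smc.exe":
        return None
    args = [a.lower() for a in cmdline.split()[1:]]  # drop argv[0]
    hits = [a for a in args if a in TAMPER_SWITCHES]
    if not hits:
        return None
    return "Smc.exe invoked with tamper switch %s (full args: %s)" % (
        ", ".join(hits), " ".join(args))


def scan_events(lines: List[str]) -> List[Finding]:
    """Parse each constructed event line and collect Smc.exe tamper findings."""
    findings = []
    for line in lines:
        ts, user, image, cmdline = line.rstrip("\n").split("\t", 3)
        reason = is_smc_tamper(image, cmdline)
        if reason:
            findings.append(Finding(ts, user, cmdline, reason))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f.timestamp, f.user, f.command_line, "->", f.reason)
```

Because the thread notes that the disabled component recovers on its own after about five minutes, the corresponding "-start" or automatic re-enable event is not itself suspicious; alerting on the tamper switch rather than on state changes keeps the signal where the operator action actually happened.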
m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Tue Mar 12, 2013 4:25 pm

Re: AV Bypass

Interesting post. Thanks for sharing. New bookmark acquired! :)
Security + | OSWP | eCPPT (Silver & Gold) | CSTA