Basics of Meterpreter Evasion
Uploaded by nipun-jaswal. Category: Technology.
Transcript of Basics of Meterpreter Evasion
BASIC METERPRETER EVASION
By: Nipun Jaswal
• Technical Director, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Author of Mastering Metasploit & Metasploit Bootcamp
#WHOAMI
• 10+ Years in IT Security
• Author of Mastering Metasploit (First, Second and CN Editions) & “Metasploit Bootcamp”
• Technical Director, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking
• Can code in 15+ programming languages; 20 Hall of Fames including Offensive Security, AT&T, Facebook, Apple etc.
• Worked globally with various law enforcement agencies
WHAT WILL WE LEARN TODAY?
BYPASS SIGNATURE DETECTION
• Changing the Known Signatures for Malware
• Making use of Shellcode instead of conventional executables
• Using Encoding wrappers for bypassing detections
BYPASS DYNAMIC ANALYSIS
• Using SSL to defeat Network behavior analysis
• Using Popular yet self-signed certificates to whitelist communication
• Using Microsoft utilities to bypass application whitelisting
TOP 3 ANTIVIRUS SOLUTIONS
TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection
BYPASSING
LET’S CREATE A BACKDOOR WITH METASPLOIT…
FAILED SIGNATURE DETECTION…
LET’S TRY A .VBS SCRIPT…
FAILED SIGNATURE DETECTION…YET AGAIN
LET’S CHECK AV DETECTION STATUS…
• 30/39 AVS DETECT THE BACKDOOR AS MALICIOUS
• HOW CAN WE CIRCUMVENT THIS?
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
Let’s check AV Detection status…
• 3/39 AVs detect the backdoor as malicious
• By simply replacing the executable with shellcode we dropped 27 antivirus detections
LET’S SEE WHAT 360 HAS TO SAY…
TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection
LET’S EXECUTE THE APPLICATION…
TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection
TOP 3 ANTIVIRUS SOLUTIONS
BYPASSING
AVAST IS A TOUGH NUT TO CRACK…
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
Let’s check AV Detection status…
• 0/39 AVs detect the backdoor as malicious
• By simply adding support for SSL and using Google’s SSL cert (self-signed) we dropped the remaining 3 as well
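The self-signed “Google” certificate trick above is exactly what a TLS-inspecting sensor can key on: a leaf that is self-signed yet claims a brand the organisation only ever sees behind a public CA. The Go program below is an added example, not part of the slides or of Metasploit; it implements that check and feeds it a certificate constructed in the code, so the function names, the watch list and the fake certificate are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// InspectLeaf: is the presented leaf self-signed (issuer == subject and its own
// key verifies the signature), and which watch-listed brand does it claim?
func InspectLeaf(cert *x509.Certificate, watch []string) (selfSigned bool, claimed string) {
	if cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		selfSigned = true
	}
	for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		for _, w := range watch {
			if claimed == "" && (n == w || strings.HasSuffix(n, "."+w)) {
				claimed = n // a brand the org only ever expects behind a public CA
			}
		}
	}
	return selfSigned, claimed
}

// ConstructedFakeGoogleCert builds a self-signed leaf whose CN and SAN read
// www.google.com: constructed test input, not Google's real certificate.
func ConstructedFakeGoogleCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.google.com"},
		DNSNames:     []string{"www.google.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A sensor would alert when both results are set at once: a genuinely CA-issued certificate for the same name fails the first check, and a self-signed certificate for an internal host fails the second.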
SUCCESS ON AVAST
SUCCESS ON AVAST
TOP 3 ANTIVIRUS SOLUTIONS
BYPASSING
NORTON WILL TAKE YOUR NIGHTS AWAY
Why I have rated Norton as one of the best AV solutions out there:
• Aggressive Firewall
• Aggressive Behavior Detection
• File Info based Blocking / File Attributes
• Application Memory and CPU Consumption
WHAT DOES IT TAKE TO BYPASS NORTON?
• Fake SSL Certificate
• Application Whitelisting Method
• Delays and Continuous Process Consumption, but not too high
• Patience
THANKS
• For more information on AV evasion, refer to “Metasploit Bootcamp” & “Mastering Metasploit”
• Twitter: @nipunjaswal
• FB: @nipunjaswal
• LinkedIn: @nipunjaswal
• http://Amazon.com/authors/nipunjaswal