BASIC METERPRETER EVASIONBy: Nipun Jaswal• Technical Director, Pyramid Cyber and Forensics• Chair Member, National Cyber Defense and Research Center• Author of Mastering Metasploit & Metasploit Bootcamp

• 10+ Years into IT Security

• Author of Mastering Metasploit , First, Second,CN Edition & “Metasploit Bootcamp”

• Technical Director , Pyramid Cyber andForensics

• Chair member, National Cyber Defense andResearch Center

• Known for Exploit Research, CyberSurveillance, Cyber Warfare, WirelessHacking & Exploitation and HardwareHacking

• Can code in 15+ programming languages, 20Hall of fames including Offensive Security,AT&T, Facebook, Apple etc

• Worked Globally with various lawenforcement agencies

#WHOAMI

WHAT WE WILL LEARN TODAY?

BYPASS SIGNATURE DETECTION

• Changing the Known Signatures for Malware

• Making use of Shell code instead of conventional executables

• Using Encoding wrappers for bypassing detections

BYPASS DYNAMIC ANALYSIS

• Using SSL to defeat Network behavior analysis

• Using Popular yet self signed certificates to whitelist communication

• Using Microsoft utilities to bypass application whitelisting

TOP 3 ANTIVIRUS SOLUTIONS

TYPES OF DETECTION

Common Detection Types:• Signature Based Detection• Dynamic Analysis / Behavioral Detection

BYPASSING

LET’S CREATE A BACKDOOR WITH METASPLOIT…

FAILED SIGNATURE DETECTION…

LET’S TRY A .VBS SCRIPT…

FAILED SIGNATURE DETECTION…YET AGAIN

LET’S CHECK AV DETECTION STATUS…

• 30/39 AVS DETECT THE BACKDOOR AS MALICIOUS

• HOW CAN WE CIRCUMVENT THIS?

LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE

LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)

LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)

LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)

LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)

Let’s check AV Detection status…

• 3/39 AVs detect the backdoor as malicious

• By simply replacing the executable by shellcode we dropped 27 antivirus detections

LET’S SEE WHAT 360 HAVE TO SAY…

TYPES OF DETECTION

Common Detection Types:• Signature Based Detection• Dynamic Analysis / Behavioral Detection

LET’S EXECUTE THE APPLICATION…

TYPES OF DETECTION

Common Detection Types:• Signature Based Detection• Dynamic Analysis / Behavioral Detection

TOP 3 ANTIVIRUS SOLUTIONS

BYPASSING

AVAST IS A TOUGH NUT TO CRACK…

USING SSL TO BYPASS AVAST NETWORK DETECTION

USING SSL TO BYPASS AVAST NETWORK DETECTION

USING SSL TO BYPASS AVAST NETWORK DETECTION

USING SSL TO BYPASS AVAST NETWORK DETECTION

Let’s check AV Detection status…

• 0/39 AVs detect the backdoor as malicious

• By simply adding support for SSL and using Google’s SSL Cert (Self Signed) we dropped rest of the 3 as well

SUCCESS ON AVAST

SUCCESS ON AVAST

TOP 3 ANTIVIRUS SOLUTIONS

BYPASSING

NORTON WILL TAKE YOUR NIGHTS AWAYWhy I Have rated Norton as one of the Best AV Solutions out there?

• Aggressive Firewall• Aggressive Behavior Detection• File Info based Blocking / File

Attributes• Application Memory and CPU

Consumption

WHAT DOES IT TAKE TO BYPASS NORTON?• Fake SSL Certificate• Application Whitelisting

Method• Delays and Continuous

Process Consumption, but not too high.

• Patience

THANKS• For More Information on AV Evasion, refer to “Metasploit

Bootcamp” & “Mastering Metasploit”

• Twitter : @nipunjaswal• FB : @nipunjaswal• Linknd : @nipunjaswal• http://Amazon.com/authors/nipunjaswal