TuX^ Posted April 14, 2011
Hi guys, it's me again. Just thought I'd let you know about my first half-successful pen-test on a Windows 7 machine. I used Metasploit to pull this one off. For the scenario, pretend I used social engineering to get the login credentials (I didn't, it's my machine. It's certainly possible though). From there I used the PSEXEC exploit to gain access to a reverse shell (tested this a few times; sometimes it brings up a command prompt and other times it brings up a Meterpreter session..?). In the Meterpreter shell I successfully migrated to explorer.exe and started the keylogger. Typed a fake username and password into Notepad on the victim machine. Went back to BackTrack and dumped the contents of the log. It worked! Only problem is, I don't know how to get round the AV. Any ideas? Kind regards, TuX
digininja Posted April 14, 2011
Loads of ways. Meterpreter has a killav script that will try to kill it dead; if you can get RDP access you can go to the task bar and stop or pause it through the interface; you can use Task Manager, either in Meterpreter or Windows, and kill the process ID; or open Control Panel > Services and stop or pause the service.
TuX^ Posted April 14, 2011
Hi Digininja, I can only get the connection with the AV turned off; that's where I'm stuck. Regards, TuX
digip Posted April 14, 2011
Then you need to find a way to exploit the box while the AV is on, escalate the UAC privileges and make yourself SYSTEM, then taskkill the AV program. There are different methods of encoding to obfuscate your payloads so the anti-virus doesn't know them by signatures, but if it sees a generic packing of the payload, it might just kill it on heuristics, which technically is a good thing if the AV you are using is blocking the attacks. I thought Meterpreter was supposed to hide everything in RAM and give you the ability to encode it as well to obfuscate it. I'm not too familiar with how to do all that, but maybe search some vids or even check out both the Offsec MSF Wiki and Rel1k's site for demos.
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
http://www.secmaniac.com/movies/
First vid on Dave's site is about A/V evasion using JavaScript obfuscation.
TuX^ Posted April 14, 2011
Thanks again Digip, I'll have a look at them later on. Regards, TuX
Infiltrator Posted April 14, 2011
As Digip pointed out, you can encode the payload to prevent it from being detected by the anti-virus. Once encoded, and to ensure it's completely stealthy, upload it to virustotal.com and see how many AVs can successfully detect it. If no AV has been able to detect it, then you have bypassed the AV filters. If not, encode it multiple times using different encoders, until it's completely stealthy.
TuX^ Posted April 15, 2011 (edited)
Hi Infiltrator, I was just using the Java Applet Attack method, and encoded it using a backdoored executable (the one that was recommended), and it was picked up. I was running Avast at the time. Where is the file to upload? I'll see what VirusTotal says about it. Kind regards, TuX
Edited April 15, 2011 by TuX^
hexophrenic Posted April 15, 2011
> As Digip pointed out, you can encode the payload to prevent it from being detected by the anti-virus. Once encoded, and to ensure it's completely stealthy, upload it to virustotal.com and see how many AVs can successfully detect it. If no AV has been able to detect it, then you have bypassed the AV filters. If not, encode it multiple times using different encoders, until it's completely stealthy.
This is another engine, often preferred by exploit writers: http://vscan.novirusthanks.org/
The reason is the "do not distribute sample" checkbox. VirusTotal submits the samples for AV vendors to better their signatures; for testing stuff, IMHO, there is no reason to provide AV vendors with your own samples. Of course VirusTotal offers scanning based on hashes, which is very handy for large executables/ISOs/whatever.
TuX^ Posted April 15, 2011
I'd upload the file to both sites if I had any clue where to find it :P TuX
Infiltrator Posted April 16, 2011
> This is another engine, often preferred by exploit writers: http://vscan.novirusthanks.org/ The reason is the "do not distribute sample" checkbox. VirusTotal submits the samples for AV vendors to better their signatures; for testing stuff, IMHO, there is no reason to provide AV vendors with your own samples. Of course VirusTotal offers scanning based on hashes, which is very handy for large executables/ISOs/whatever.
Thank you for the information bro, I shall keep it in mind for the future.
Infiltrator Posted April 16, 2011
> I'd upload the file to both sites if I had any clue where to find it :P TuX
Have you encoded your payload yet?
TuX^ Posted April 16, 2011
I encoded it when SET asked me to, using a backdoored executable. Where is the encoded file stored before it attacks the victim? Far too tired to be thinking about it now. TuX
Infiltrator Posted April 17, 2011
> I encoded it when SET asked me to, using a backdoored executable. Where is the encoded file stored before it attacks the victim? Far too tired to be thinking about it now. TuX
See if it's under the /pentest/payloads/ directory.
TuX^ Posted April 18, 2011
Hi Infiltrator, no, it's not there. Here's something weird: I tried the exploit on the machine I was testing all along with no luck, because the AV was running. BUT I also tried it on my machine (the one BackTrack is hosted from) and it worked; it bypassed the AV. Any reasons why? TuX
hexophrenic Posted April 18, 2011
SET usually puts it in the SET home directory for current versions (/pentest/exploits/SET/filename).
TuX^ Posted April 19, 2011
Thanks Hexophrenic, I'll check that out when I get a chance. As for my payload SOMETIMES bypassing Avast, I still can't figure it out. Both Windows 7 Pro. Any ideas? TuX
hexophrenic Posted April 19, 2011
You could try to re-run the exe through msfencode with some other encoder. Nesting the encoding several times can help improve its ability to evade anti-malware. Shikata ga nai was the best for quite some time; maybe taking a backdoored executable and running it through 10-15 iterations of shikata may help. Obviously everything you do to encode will slow the execution of said program, but with smallish exes and fast hardware it will likely not be noticeable. Backdoor typically does a pretty good job by itself, though. Some of the issues I have run into are with heuristics or behavioral-based evaluation (i.e. sandboxing, etc.) in AV products, which do a really good job of catching bad stuff. However, most in-the-wild installs will not have this protection enabled because it can slow everything on the machine to a crawl. Have you uploaded your sample to any of the online virus scanning sites yet?
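The post above makes two claims worth seeing side by side: nested encoding changes the bytes on disk so a signature scanner no longer matches, while an engine that emulates or sandboxes the sample sees the decoded bytes and matches anyway. The example below is added here to illustrate that, and is not code from the thread, from SET or from Metasploit. Its encoder is a simplified additive-feedback XOR, loosely inspired by the feedback idea in shikata_ga_nai but not that encoder: it writes the key and original length into a small header instead of emitting a decoder stub. The payload bytes, the toy signatures and the `scan_*` functions are all constructed for the illustration.

```python
"""Added illustration (not from the thread): why nested payload encoding defeats
byte-signature scanning, and why an engine that emulates the decoder does not care.

Everything here is constructed for the example. The encoder is a simplified
additive-feedback XOR, loosely inspired by the feedback idea behind Metasploit's
shikata_ga_nai, but it is NOT that encoder and emits no executable decoder stub:
the key and length are stored in a small header instead.
"""
import os
import struct

MASK = 0xFFFFFFFF

# Constructed stand-in for a raw payload (arbitrary bytes, not shellcode).
PAYLOAD = bytes.fromhex(
    "a3f17c0e5d9b2244e8c07191"
    "5b3e0afd6c2291b847d3e0f5"
    "1a9c4e7b02dd65f8c3a81e46"
    "f0e23b9d7a5c41862ef9d0b7"
    "4c61b3e59a0f28d7"
)

# Toy byte signatures, the way a pure signature scanner would fingerprint the
# plain payload (constructed from PAYLOAD above).
SIGNATURES = {
    "toy.payload.head": PAYLOAD[:12],
    "toy.payload.body": PAYLOAD[24:36],
}


def _words(data):
    """Split data (length a multiple of 4) into little-endian 32-bit words."""
    return struct.unpack("<%dI" % (len(data) // 4), data)


def encode_once(data, key=None):
    """One encoding pass. Layout: [key LE32][original length LE32][encoded words].

    Each word is XORed with the running key; the key is then advanced by the
    plaintext word, so every output word depends on everything before it.
    """
    if key is None:
        key = struct.unpack("<I", os.urandom(4))[0]  # fresh random key per run
    key0 = key
    padded = data + b"\x00" * (-len(data) % 4)
    out = []
    for w in _words(padded):
        out.append(w ^ key)
        key = (key + w) & MASK
    return struct.pack("<II", key0, len(data)) + struct.pack("<%dI" % len(out), *out)


def decode_once(blob):
    """Inverse of encode_once (what a decoder stub would do at run time)."""
    key, length = struct.unpack("<II", blob[:8])
    out = []
    for e in _words(blob[8:]):
        w = e ^ key
        key = (key + w) & MASK
        out.append(w)
    return struct.pack("<%dI" % len(out), *out)[:length]


def encode(data, iterations, keys=None):
    """Nest the encoder `iterations` times (the idea behind msfencode -c N).

    Every pass re-encodes the previous pass's output, header included, so the
    outer layers look nothing like the inner ones or the original payload.
    """
    blob = data
    for i in range(iterations):
        blob = encode_once(blob, None if keys is None else keys[i])
    return blob


def decode(blob, iterations):
    """Peel off `iterations` encoding layers."""
    for _ in range(iterations):
        blob = decode_once(blob)
    return blob


def scan_static(blob):
    """What a signature-only scanner sees: the bytes as they sit on disk."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in blob)


def scan_emulated(blob, iterations):
    """What an emulating/behavioural engine effectively sees: it lets the
    decoder layers run, then scans the bytes that end up in memory."""
    return scan_static(decode(blob, iterations))


def distinct_variants(data, count, iterations=3):
    """How many different files `count` random-key encodes of one payload give."""
    return len({encode(data, iterations) for _ in range(count)})


if __name__ == "__main__":
    blob = encode(PAYLOAD, 10)
    print("static scan, plain payload :", scan_static(PAYLOAD))
    print("static scan, 10x encoded   :", scan_static(blob))
    print("emulated scan, 10x encoded :", scan_emulated(blob, 10))
    print("round trip intact          :", decode(blob, 10) == PAYLOAD)
    print("distinct files from 20 runs:", distinct_variants(PAYLOAD, 20))
```

Running it shows the static scan hitting both signatures on the plain payload, hitting nothing on the ten-times-encoded blob, and the emulated scan hitting both again because decoding restores the original bytes. That last line is the practical caveat from the post: stacking iterations buys nothing against a product that runs the sample before judging it, which is also why a hash-only lookup (as mentioned for VirusTotal) tells you nothing about a fresh random-key build.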
TuX^ Posted April 20, 2011
Hi, I went to the SET directory, and then src (where I think the .exe is located). Can anyone tell me the filename? I found one .exe and a few .binary files in the child folders of src, none of which were flagged by VirusTotal. TuX
hexophrenic Posted April 20, 2011
src is where the exe "template" file is located. When is the last time you updated SET? What version are you using? In the SET directory, do an svn up (this is all assuming you are using BT4, which after reading back through the thread may not be a valid assumption).
TuX^ Posted April 20, 2011
Last updated this morning. And yes, I'm using BT4-R2 :)
hexophrenic Posted April 20, 2011
Trying to duplicate:

    cd /pentest/exploits/SET
    ./set
    4. Create payload and listener
    2. Reverse meterpreter
    16. Backdoor port 31337

From console:

    [-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
    [-] Backdoor completed successfully. Payload is now hidden within a legit executable.
    [*] UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.
    [*] Packing the executable with UPX, one moment.
    [*] Your payload is now in the root directory of SET as msf.exe.
    [*] Packing the executable with UPX, one moment.
    [*] The payload can be found in the SET home directory.

That seems pretty clear where you should find it. I did not start the listener since it is a test. After exiting SET I ls and see msf.exe listed in /pentest/exploits/SET. Do you see all of this as well or are you doing something different? Just trying to understand what you are seeing.
TuX^ Posted April 20, 2011
Yeah, just figured that out. I see that now. I was trying to work out how to encode it again using msfencode (don't know args or syntax for it); just done a quick Google search but it didn't reveal an awful lot. TuX
hexophrenic Posted April 20, 2011
Check here: http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass
msfencode -h will show you the help contents for it.
TAPE Posted April 25, 2011
Don't like plugging my own stuff ;) but the post below may help you in trying out what kind of encodings can get by some AVs. As mentioned though, DON'T upload to VirusTotal for verification if you want to be able to use a working encoding method in the near future.
http://adaywithtape.blogspot.com/2010/05/creating-backdoored-exe-with-metasploit.html