Net_Spy, posted February 13, 2018:

Greetings, I've created a payload using Shellter, injecting it into the PuTTY binary. The file is not detected by AV, but the payload does not send a connection back to the Metasploit machine; if I disable the Avira AV, the payload executes successfully. Can anyone help me deal with this while AV is enabled, and bypass it as well, to get a successful connection? Looking forward to your kind response. Regards, Net_Spy
PoSHMagiC0de, posted February 13, 2018:

I have not tried my luck against Avira yet; I usually go against Avast for detection. The question I have is: does Avira have a firewall? Try to ping the attacker machine from the victim with Avira on and see if it talks to it. Put up a simple web page on the attacker and see if you can browse to it with Avira on. If so, it may still be seeing the payload in transit and stopping it.

Last question: are you running a staged payload or stageless? You know it is staged in Metasploit if it says something upon connection about sending stage 1, etc. Maybe the stage is getting intercepted.

So many things could be the issue, and you may have to do some things by hand to see what is happening. For example, I try hand-grabbing payloads as plain text, compressed, and even encrypted across the wire to see what gets through, and see if it gets detected as I decrypt and/or uncompress and run. Since I do not use Avira, I cannot tell you where it might be dying. Maybe the Avira logs will tell you something? Probably even run Sysinternals Process Monitor to watch and see what fires off when the payload is launched. Compare how it looks when it launches without AV versus how it looks when launched with it.

Last thing: I always test in a VM, not only for protection of the machine but mainly for rollbacks to clear the AV. Avast remembers bad payloads, or payloads that were good but are now deemed bad because they launched something that was considered bad. Once a payload is seen by Avast, it will remember it locally, so even when I obfuscate it, it is still detected sometimes. A snapshot rollback to before the payload was detected fixes that.
Net_Spy (author), posted February 14, 2018:

@PoSHMagiC0de Thanks. I've tried both staged and stageless as well, and yes, Avira does have a firewall. I've tried on another machine on the same network, but with Avira installed, and it did establish a connection with a meterpreter session. Can you help me sort it out and bypass it? I could not figure it out. Looking forward to your kind response. Regards, Net_Spy
PoSHMagiC0de, posted February 14, 2018 (edited):

It will be hard, as it is trial and error. You can try using the web_delivery module and its PowerShell stager to launch it. Try Veil with PowerShell, and even Veil's C# meterpreter with ARYA. It might decrease detectability if you just grab the source it produces in C# and compile it on a Windows machine using csc.exe. You might want to look up obfuscation and try all the tricks they recommend. Also, try turning off Avira's firewall only and see if your session connects.

Edited February 14, 2018 by PoSHMagiC0de
Rainman_34, posted February 20, 2018:

I know when I have gone against Avira before, it will drop anything going out on 4444. What port are you going out on?
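The triage PoSHMagiC0de describes (ping the attacker, browse to a web page on it, then decide whether the network or the payload is what dies) and Rainman_34's point about outbound 4444 can be run as one script on the victim VM. This is an added example, not code posted by anyone in the thread; the attacker address 192.168.56.10, the port list and the interpretation thresholds are assumptions for a lab and should be changed to match your handler. A 'timeout' means the SYN was silently dropped, which is how a host firewall normally blocks egress; 'refused' means a RST came back, so the packet reached the attacker and only the listener is missing; 'open' needs something listening there (the Metasploit handler on 4444, or for example python3 -m http.server 80 for the web-page check).

```powershell
# Added example (not from the thread): victim-side egress triage.
# Run on the Windows test VM with Avira enabled, before re-launching the payload.
# $Attacker and $Ports are assumptions for a lab; adjust them to your handler.
param(
    [string]$Attacker  = '192.168.56.10',         # assumed Metasploit host
    [int[]] $Ports     = @(4444, 443, 80, 8080),  # 4444 is the Metasploit default
    [int]   $TimeoutMs = 3000
)

# One TCP connect attempt with a timeout.
#   'timeout' : SYN silently dropped (typical host-firewall egress block)
#   'refused' : RST received, so the attacker was reached but nothing listens
#   'open'    : a listener completed the handshake
function Test-Egress {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'timeout'
        }
        $client.EndConnect($ar)   # throws a SocketException on RST
        return 'open'
    } catch {
        # Unwrap PowerShell's MethodInvocationException to the real .NET exception
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) {
            return "refused ($($ex.SocketErrorCode))"
        }
        return "error ($($ex.Message))"
    } finally {
        $client.Close()           # also aborts a still-pending connect
    }
}

# 1. ICMP: does the victim see the attacker at all? (PoSHMagiC0de's first check)
$ping = Test-Connection -ComputerName $Attacker -Count 2 -Quiet -ErrorAction SilentlyContinue
"ICMP to ${Attacker}: $(if ($ping) { 'reply' } else { 'no reply' })"

# 2. HTTP: can the victim fetch a simple page from the attacker? (second check)
try {
    $r = Invoke-WebRequest -Uri "http://$Attacker/" -UseBasicParsing -TimeoutSec 5
    "HTTP to ${Attacker}: status $($r.StatusCode)"
} catch {
    "HTTP to ${Attacker}: failed ($($_.Exception.Message))"
}

# 3. Raw TCP egress per candidate handler port (Rainman_34's 4444 observation)
$results = foreach ($p in $Ports) {
    [pscustomobject]@{
        Port   = $p
        Result = (Test-Egress -Target $Attacker -Port $p -TimeoutMs $TimeoutMs)
    }
}
$results | Format-Table -AutoSize

# 4. Interpretation: separate "network is filtered" from "payload is detected"
$dropped = @($results | Where-Object { $_.Result -eq 'timeout' } | ForEach-Object { $_.Port })
if ($dropped.Count -eq 0) {
    "No port is dropped: egress is fine, so look at the payload/stage (staged vs stageless, Process Monitor, AV log)."
} elseif ($dropped.Count -eq $Ports.Count) {
    "Every port silently dropped: the host firewall is filtering TCP egress; retest with Avira's firewall disabled."
} else {
    "Only port(s) $($dropped -join ', ') dropped: set LPORT on handler and payload to one of the reachable ports."
}
```

Run the same script a second time with only Avira's firewall switched off (PoSHMagiC0de's last suggestion) and diff the two result tables: ports that flip from 'timeout' to 'refused' or 'open' are the ones the firewall owns. One caveat: some host firewalls reject with a RST instead of dropping, in which case 'refused' is not proof the packet left the box, and the comparison run is what tells you the difference.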