Hak5 Forums
Net_Spy

AV issue avira


Greetings,


I've created a payload using Shellter with injection into the putty binary. The file is not detected by the AV, but the payload does not send a connection back to the Metasploit machine; if I disable the Avira AV, the payload executes successfully. Can anyone help me deal with this while the AV is enabled, and bypass it as well to get a successful connection? Looking forward to your kind response.


Regards

Net_Spy


I have not tried my luck against Avira yet. I usually go against Avast for detection. The question I have is: does Avira have a firewall? Try to ping the attacker machine from the victim with Avira on and see if it talks to it. Put up a simple web page on the attacker and see if you can browse to it with Avira on. If so, it may still be seeing the payload in transit and stopping it.

Last question: are you running a staged payload or stageless? You know it is staged in Metasploit if it says something upon connection about sending stage 1, etc. Maybe the stage is getting intercepted. So many things could be the issue, and you may have to do some things by hand to see what is happening. For example, I try hand-grabbing payloads as plain text, compressed and even encrypted across the wire to see what gets through, and see if it gets detected as I decrypt and/or uncompress and run. Since I do not use Avira, I cannot tell you where it might be dying. Maybe the Avira logs will tell you something? Probably even running Sysinternals Process Monitor to watch and see what fires off when the payload is launched. Compare how it looks when it launches without AV versus how it looks when launched with it.

Last thing: I always test in a VM, not only for protection of the machine but mainly for rollbacks to clear the AV. Avast remembers bad payloads, or payloads that were good but are now deemed bad because they launched something that was considered bad. Once a payload is seen by Avast, it will remember it locally, so even when I obfuscate it, it is still detected sometimes. A snapshot rollback to before the payload was detected fixes that.


@PoSHMagiC0de Thanks. I've tried both staged and stageless as well, and yes, Avira does have a firewall. I've tried on another machine on the same network, but with Avira installed, and it does establish a connection with a Meterpreter session. Can you help me sort it out and bypass it? I could not figure it out. Looking forward to your kind response.


Regards

Net_Spy


It will be hard, as it is trial and error. You can try using the web_delivery agent and its PowerShell stager to launch it. Try Veil with PowerShell and even Veil's C# Meterpreter with ARYA. It might decrease detectability if you just grab the source it produces in C# and compile it on a Windows machine using csc.exe. You might want to look up obfuscation and try all the tricks they recommend.


Also, try turning off Avira's firewall only and see if your session connects.

Edited by PoSHMagiC0de


I know when I have gone against Avira before, it will drop anything going out on 4444. What port are you going out on?
