Evading Antivirus With Better Meterpreter Payloads 2021
Evading antivirus is often an under appreciated art that can make or break a penetration test. Modern antivirus products can detect meterpreter payloads easily, and can leave a pentester falsely believing a system is not exploitable.
Evading Antivirus with Better Meterpreter Payloads
Download Zip: https://www.google.com/url?q=https%3A%2F%2Fjinyurl.com%2F2tS5hN&sa=D&sntz=1&usg=AOvVaw0jsdysf70784q72_szjEhW
Several years ago it was very common for x64 binaries to fly by Windows Defender, however AV products have greatly improved recently and begun to detect x64 meterpreter payloads we tested. Very few encoders support x64 shellcode which further reduces our ability to create stealthy payloads. In our testing we find that building x86 payloads with the shikata_ga_nai have stood the longest test of time and are still able to evade most AV engines.
Antivirus evasion is a broad field that some people devote their entire work to. It is a large part of exploit development, and it is certainly useful when trying to bypass common defense mechanisms. One of the ways to obfuscate payloads is by generating custom shellcode. This method can be utilized when developing an exploit from scratch or when using an existing exploit to better hide from antivirus software.
We can generate shellcode without any options, although the odds of this payload bypassing any modern antivirus software are probably pretty low. Below, we can see the size of the generated payload, 78 bytes, followed by some other settings, and finally the raw shellcode.
Another useful technique for bypassing antivirus is encoding the payload with multiple passes. This essentially takes the generated shellcode and runs it through the encoder again with as many passes as defined. Use the -i flag to specify the number of iterations to encode the payload with.
Keep in mind, we can combine multiple options when generating shellcode in order to better our chances at evading antivirus detection. If we look closely, the default listen port for our bind shell is set to 4444. We can change that, and any other option for that matter, by using the -o flag followed by the variable and the value to set. Let's change the listen port to 1234.
Now the .dll can be checked with antivirus software, checking with Virustotal.com:Not detected by any (0/60) antivirus software at virustotal.com.Now, to test the exploit, we first would setup a meterpreter multi/handler to wait for the connection:And now we can run the payload from the exploit with following command on the command line:
Afterwards checking with virustotal.com, only Baidu noticed that it is a Trojan. Note to myself: Have to check why Baidu finds this.To test this, a multi/handler could be setup as in x03 DLL Method (note, different payload) and by simply executing the file. Same nagging from Windows defender and/or antivirus software apply to this also.
The first technique that we are going to discuss is using file splitting tools to identify the exact signature that is being detected by the antivirus application and modify it. This is one of the oldest ways to bypass AV tools. This technique is efficient if we can locate the exact signature that is being detected. However, there is a limitation with this technique. If we mess the functionality of the application, it becomes useless even if we bypass antivirus. So, as long as the functionality is not modified while we are changing the signatures, we are good to go.
Now that we have the padding in our base file, we can create our meterpreter shellcode. I find it easiest to create the shellcode with msfvenom. You can go ahead and create your shellcode using nearly the same command I am using here, just be sure to