Are you sick of AV products killing any payload made by Metasploit when doing a pen test? Me too. First let me say, if you have a password or a hash, you should use smbexec: https://github.com/brav0hax/smbexec

Seriously, use smbexec to collect more hashes and work your way up to domain admin without any AV problems. Done.
But what if you don’t have a password or a hash yet, but you do have something else, say a reliable exploit picked up on a scan, where the reverse shell isn’t popping and you think it is due to AV? Well, thanks to the EXE::Custom option in Metasploit, you now have more options.
Do a show advanced in the module you want to use, and if you see EXE::Custom you are in business. More info on it can be found here: http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/

In a nutshell, set EXE::Custom to the file you want to be the payload, set up the multi/handler listener with the correct payload and port in another window, run the exploit, and watch it connect back.
One option is to use a custom shell, like the kind I have here: https://github.com/secjohn/ruby-shells. But that is the worst case scenario; we want Meterpreter and we want it now. That is where Obfy comes in.
Obfy is a simple Ruby script that runs on Kali and BackTrack Linux and will make the payload for you, decompile it, alter the assembly code to change the signature to fool AV, and compile it for you. Then that executable can be used with EXE::Custom and you are off to the races.
I got the idea from Royce’s blog post here: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/. But I hate doing things manually, so I automated it.
The magic in Obfy is in the variables that randomly pick which assembly code to inject at specific places. The public version of the tool right now has only very simple commands, far more simple than explained in the blog post linked above. Code like push edi, pop edi. Adding a bunch of those all over the place doesn’t seem like it should work, but it totally does. However, since I made this public I doubt it will work for long, as new signatures will be made over time for this. So I highly recommend reading Royce’s blog post, watching Security Tube’s Linux Assembly Primer if you need to (http://www.securitytube.net/groups?operation=view&groupId=5), and adding some of your own code there to make it unique to you (and submitting the code back to github to help others). But I could be wrong; this may work forever as is. Time will tell.
Now, some AV software like MS SE will still see this. Therefore there is one more step I recommend. Run your payload through ditto: https://github.com/mubix/ditto

and copy the resources from a normal file like calc or notepad. Using Obfy and then ditto will get you past most things. If it doesn’t work, either revert back to the custom shell I linked above and kill AV, or you have something else messing with you and you may need to sign the executable. Also remember to always try the HTTPS version of the payload to get past IDS, but I digress.
Anyway, I’m excited to see how many people use this and if anyone contributes assembly code to it to help make it better and keep it working. So here is the link:

Enjoy and provide feedback as always.