Basics of Meterpreter Evasion
BASIC METERPRETER EVASION
By: Nipun Jaswal
• Technical Director, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Author of Mastering Metasploit & Metasploit Bootcamp
#WHOAMI
• 10+ Years into IT Security
• Author of Mastering Metasploit (First, Second and CN Editions) & “Metasploit Bootcamp”
• Technical Director, Pyramid Cyber and Forensics
• Chair Member, National Cyber Defense and Research Center
• Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking
• Can code in 15+ programming languages, 20 Hall of Fames including Offensive Security, AT&T, Facebook, Apple etc.
• Worked globally with various law enforcement agencies
WHAT WILL WE LEARN TODAY?
BYPASS SIGNATURE DETECTION
• Changing the known signatures of malware
• Making use of shellcode instead of conventional executables
• Using encoding wrappers for bypassing detections
BYPASS DYNAMIC ANALYSIS
• Using SSL to defeat network behavior analysis
• Using popular yet self-signed certificates to whitelist communication
• Using Microsoft utilities to bypass application whitelisting
TOP 3 ANTIVIRUS SOLUTIONS
TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection
BYPASSING
LET’S CREATE A BACKDOOR WITH METASPLOIT…
FAILED SIGNATURE DETECTION…
LET’S TRY A .VBS SCRIPT…
FAILED SIGNATURE DETECTION… YET AGAIN
LET’S CHECK AV DETECTION STATUS…
• 30/39 AVs detect the backdoor as malicious
• How can we circumvent this?
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S CHECK AV DETECTION STATUS…
• 3/39 AVs detect the backdoor as malicious
• By simply replacing the executable with shellcode, we dropped 27 antivirus detections
LET’S SEE WHAT 360 HAS TO SAY…
TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection
LET’S EXECUTE THE APPLICATION…
TYPES OF DETECTION
Common Detection Types:
• Signature Based Detection
• Dynamic Analysis / Behavioral Detection
TOP 3 ANTIVIRUS SOLUTIONS
BYPASSING
AVAST IS A TOUGH NUT TO CRACK…
USING SSL TO BYPASS AVAST NETWORK DETECTION
LET’S CHECK AV DETECTION STATUS…
• 0/39 AVs detect the backdoor as malicious
• By simply adding support for SSL and using Google’s SSL cert (self-signed), we dropped the remaining 3 as well
SUCCESS ON AVAST
TOP 3 ANTIVIRUS SOLUTIONS
BYPASSING
NORTON WILL TAKE YOUR NIGHTS AWAY
Why have I rated Norton as one of the best AV solutions out there?
• Aggressive Firewall
• Aggressive Behavior Detection
• File Info based Blocking / File Attributes
• Application Memory and CPU Consumption
WHAT DOES IT TAKE TO BYPASS NORTON?
• Fake SSL Certificate
• Application Whitelisting Method
• Delays and Continuous Process Consumption, but not too high
• Patience
THANKS
• For more information on AV evasion, refer to “Metasploit Bootcamp” & “Mastering Metasploit”
• Twitter: @nipunjaswal
• FB: @nipunjaswal
• LinkedIn: @nipunjaswal
• http://Amazon.com/authors/nipunjaswal