Basics of Meterpreter Evasion

The presentation demonstrates the basics of antivirus evasion for payloads created with Metasploit. Its aim is to aid penetration testers during a professional VAPT, and it is for educational purposes only.

Published in: Technology

  1. BASIC METERPRETER EVASION
     By: Nipun Jaswal
     • Technical Director, Pyramid Cyber and Forensics
     • Chair Member, National Cyber Defense and Research Center
     • Author of Mastering Metasploit & Metasploit Bootcamp
  2. #WHOAMI
     • 10+ Years into IT Security
     • Author of Mastering Metasploit, First, Second, CN Edition & “Metasploit Bootcamp”
     • Technical Director, Pyramid Cyber and Forensics
     • Chair Member, National Cyber Defense and Research Center
     • Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking
     • Can code in 15+ programming languages, 20 Halls of Fame including Offensive Security, AT&T, Facebook, Apple etc.
     • Worked globally with various law enforcement agencies
  3. WHAT WE WILL LEARN TODAY?
     BYPASS SIGNATURE DETECTION
     • Changing the Known Signatures for Malware
     • Making use of Shellcode instead of conventional executables
     • Using Encoding wrappers for bypassing detections
     BYPASS DYNAMIC ANALYSIS
     • Using SSL to defeat Network behavior analysis
     • Using Popular yet self-signed certificates to whitelist communication
     • Using Microsoft utilities to bypass application whitelisting
  4. TOP 3 ANTIVIRUS SOLUTIONS
  5. TYPES OF DETECTION
     Common Detection Types:
     • Signature Based Detection
     • Dynamic Analysis / Behavioral Detection
  6. BYPASSING
  7. LET’S CREATE A BACKDOOR WITH METASPLOIT…
  8. FAILED SIGNATURE DETECTION…
  9. LET’S TRY A .VBS SCRIPT…
  10. FAILED SIGNATURE DETECTION…YET AGAIN
  11. LET’S CHECK AV DETECTION STATUS…
      • 30/39 AVs DETECT THE BACKDOOR AS MALICIOUS
      • HOW CAN WE CIRCUMVENT THIS?
  12. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE
  13. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  14. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  15. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  16. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  17. Let’s check AV Detection status…
      • 3/39 AVs detect the backdoor as malicious
      • By simply replacing the executable with shellcode we dropped 27 antivirus detections
  18. LET’S SEE WHAT 360 HAS TO SAY…
  19. TYPES OF DETECTION
      Common Detection Types:
      • Signature Based Detection
      • Dynamic Analysis / Behavioral Detection
  20. LET’S EXECUTE THE APPLICATION…
  21. TYPES OF DETECTION
      Common Detection Types:
      • Signature Based Detection
      • Dynamic Analysis / Behavioral Detection
  22. TOP 3 ANTIVIRUS SOLUTIONS
  23. BYPASSING
  24. AVAST IS A TOUGH NUT TO CRACK…
  25. USING SSL TO BYPASS AVAST NETWORK DETECTION
  26. USING SSL TO BYPASS AVAST NETWORK DETECTION
  27. USING SSL TO BYPASS AVAST NETWORK DETECTION
  28. USING SSL TO BYPASS AVAST NETWORK DETECTION
  29. Let’s check AV Detection status…
      • 0/39 AVs detect the backdoor as malicious
      • By simply adding support for SSL and using Google’s SSL Cert (Self Signed) we dropped the remaining 3 as well
  30. SUCCESS ON AVAST
  31. SUCCESS ON AVAST
  32. TOP 3 ANTIVIRUS SOLUTIONS
  33. BYPASSING
  34. NORTON WILL TAKE YOUR NIGHTS AWAY
      Why have I rated Norton as one of the best AV solutions out there?
      • Aggressive Firewall
      • Aggressive Behavior Detection
      • File Info based Blocking / File Attributes
      • Application Memory and CPU Consumption
  35. WHAT DOES IT TAKE TO BYPASS NORTON?
      • Fake SSL Certificate
      • Application Whitelisting Method
      • Delays and Continuous Process Consumption, but not too high.
      • Patience
  36. THANKS
      • For More Information on AV Evasion, refer to “Metasploit Bootcamp” & “Mastering Metasploit”
      • Twitter : @nipunjaswal
      • FB : @nipunjaswal
      • LinkedIn : @nipunjaswal
      • http://Amazon.com/authors/nipunjaswal
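
Slide 29 reports that a self-signed certificate carrying Google's identity removed the last network detections. From the defender's side, that is a certificate claiming a well-known brand that does not chain to a trusted issuer. The check below is an added example, not part of the original deck; the record fields, the `BRANDS` watch list and the sample records are constructed assumptions standing in for TLS metadata exported by a network sensor.

```python
import re

BRANDS = ("google", "microsoft", "amazon")  # hypothetical watch list

def parse_dn(dn):
    """Split 'CN=a,O=b' into {'CN': 'a', 'O': 'b'}, honouring backslash-escaped commas."""
    out = {}
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.strip().partition("=")
        out[key.upper()] = value.replace("\\,", ",")
    return out

def claimed_brand(subject):
    """Return the watched brand named in the subject CN or O, if any."""
    text = " ".join(subject.get(k, "") for k in ("CN", "O")).lower()
    return next((b for b in BRANDS if b in text), None)

def assess(record):
    """Return the reasons a certificate looks like brand impersonation (empty if none)."""
    subject, issuer = parse_dn(record["subject"]), parse_dn(record["issuer"])
    brand = claimed_brand(subject)
    if brand is None:
        return []  # a self-signed cert with no brand claim is a different finding
    reasons = []
    if subject == issuer:
        reasons.append("self-signed")
    if not record["chain_valid"]:
        reasons.append("chain does not validate")
    return [f"claims '{brand}': {r}" for r in reasons]

# Constructed sample records (documentation IP ranges, invented issuer names).
RECORDS = [
    {"dest": "203.0.113.10:443", "subject": "CN=*.google.com",
     "issuer": "CN=Example Issuing CA,O=Example Trust Services", "chain_valid": True},
    {"dest": "198.51.100.7:8443",
     "subject": "CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US",
     "issuer": "CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US",
     "chain_valid": False},
    {"dest": "192.0.2.25:443", "subject": "CN=printer.corp.example",
     "issuer": "CN=printer.corp.example", "chain_valid": False},
]

def suspicious(records):
    """Return (destination, reasons) for every record that raises a finding."""
    return [(r["dest"], why) for r in records if (why := assess(r))]

if __name__ == "__main__":
    for dest, why in suspicious(RECORDS):
        print(dest, "; ".join(why))
```

The decision is made on issuer and chain validation, never on the subject name alone, since the subject is whatever the certificate's creator typed.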
