Metasploit-framework: How to evade Norton 360

Created on 27 Nov 2018 · 3 comments · Source: rapid7/metasploit-framework

Dear All,
I use Metasploit framework 4.16 on Kali Linux. I create msfvenom (windows/meterpreter/reverse_tcp) raw shellcode with encoders and directly embed it into a very simple exe file which just executes the code when it is double-clicked. The reason behind that is: my target system is Win 8.1 equipped with Norton 360, and it catches everything created with msf no matter which framework you use: TheFatRat, Veil, SEP, Shellter etc. But if I create my own exe file which in turn runs the encoded shellcode, Norton 360 couldn't spot it, at least for 1 hour w/o deep SONAR analysis. So this is something that I found tentatively. I assume that AV is evaded.

But my problem is that when the double click occurs, on the msf console I see the first stage of the payload is sent and the connection gets terminated on the victim side, where Norton 360 reports that a Metasploit Meterpreter TCP session was detected. So I presume that I have been caught by Norton's IDS and it intercepts the established connection.

What can I do to evade the IDS?

All 3 comments

Meterpreters work literally like malware (don't they?), so Norton would naturally catch it fast. It's the age of artificial intelligence and machine learning. By the time your IDS learns your rootkit's signature, it's probably gone for good.

Have you tried better exes to put your meterpreter into? Nearly all iterations of the meterpreter have probably already been put into virus databases all over, unless it's a unique version that no one has seen before.

By the time your IDS learns your rootkit's signature, it's probably gone for good.

Yes, that is true, but we always have a chance to create a genuine and unique application which has never been profiled by IPS before, as you pointed out. So this is my starting point, because I have observed such behaviour when obfuscating the shellcode with a very simple legitimate exe for 1 hour or so. So profiling by AV/IPS engines is not an issue here AFAIU; it can be evaded one way or the other.

The key point here, IMHO, is how much of meterpreter's inherent code can be used for that purpose. For example, I don't need to rewrite a client/server application from scratch; instead I can use MSF's inherent code and obfuscate it. Back to my case: how do I create an encoded listener (multi/handler) which resembles MSF listeners but is not the same, and is distinctive on some key points which will make it disguised? Your guidance will be appreciated.

This really is a cat-and-mouse game where every time something is put in MSF or another open source framework, the AV will create a signature or look for specific behavior. However, first you need to look at what exactly is getting caught by the IPS. Reverse_tcp is sending the raw DLL over the wire so it is very easy to fingerprint. Perhaps reverse_https with a valid HTTPS certificate on the handler side will be more of a "not like malware" type of thing. You can also use the stageless meterpreter. In short, install Norton 360 or whatever the AV product is in your own environment and play around until you know exactly what is getting caught.

Last month the MSF team created the evasion modules specifically for this purpose. Take a look at the excellent blog post at https://blog.rapid7.com/2018/10/09/introducing-metasploits-first-evasion-module/ as well as https://github.com/rapid7/metasploit-framework/pull/10759

If you need further support, please ask on the Metasploit channel on Slack. Thanks
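The fingerprint the comment above refers to, as an added example that is not from this thread or from the Metasploit project: a small Python checker that flags a captured TCP payload made of a 4-byte little-endian length prefix (the framing the windows reverse_tcp stager reads, assumed here) followed by a PE image, which is the raw-DLL transfer a network IPS can match on. The sample frame is constructed inline.

```python
import struct

def build_sample_stage() -> bytes:
    """Constructed sample: 4-byte LE length prefix + a minimal fake PE image."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))   # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)         # e_lfanew -> NT headers
    # "PE\0\0", Machine = IMAGE_FILE_MACHINE_AMD64 (0x8664), NumberOfSections = 4
    nt = b"PE\x00\x00" + struct.pack("<HH", 0x8664, 4) + b"\x00" * 16
    body = bytes(dos) + nt + b"\x90" * 32               # padding stands in for the image
    return struct.pack("<I", len(body)) + body

def find_pe_images(payload: bytes) -> list:
    """Return every offset in payload where a plausible PE image starts."""
    hits = []
    start = 0
    while (i := payload.find(b"MZ", start)) != -1:
        start = i + 1
        if i + 0x40 > len(payload):          # DOS header must fit completely
            continue
        e_lfanew = struct.unpack_from("<I", payload, i + 0x3C)[0]
        pe = i + e_lfanew
        if e_lfanew < 0x40 or pe + 8 > len(payload):
            continue                         # implausible or truncated NT header
        if payload[pe:pe + 4] != b"PE\x00\x00":
            continue
        machine, nsections = struct.unpack_from("<HH", payload, pe + 4)
        hits.append({"offset": i, "e_lfanew": e_lfanew,
                     "machine": machine, "sections": nsections})
    return hits

def inspect_stager_frame(payload: bytes) -> dict:
    """Flag a length-prefixed frame whose body carries a PE image."""
    if len(payload) < 4:
        return {"suspicious": False, "declared_len": None, "images": []}
    declared = struct.unpack_from("<I", payload, 0)[0]
    images = find_pe_images(payload[4:])
    # Suspicious when the prefix matches the body size and the body is a PE image
    suspicious = bool(images) and declared == len(payload) - 4
    return {"suspicious": suspicious, "declared_len": declared, "images": images}

if __name__ == "__main__":
    print(inspect_stager_frame(build_sample_stage()))
```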
