
Thread: Getting Meterpreter Backdoor around AVG AV

  1. #11
    Just burned his ISO
    Join Date
    Aug 2010
    Posts
    15

    Re: Getting Meterpreter Backdoor around AVG AV

    As far as I know, no AV does that automatically. Most have an option of manually submitting a sample. Doing that automatically isn't legal, I suppose (client privacy). If you really wanna obfuscate the signature, try the manual way. In this example they used a hex editor to change the netcat signature:

    ChangingNetcatsFileSig

    Once read about a guy who supposedly got NC through an AV by changing one line of TEXT in the program back in 2000.

  2. #12
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Re: Getting Meterpreter Backdoor around AVG AV

    Hi Fellaz,
    Here's the deal: VirusTotal, no, no. I had a totally undetectable payload for over 9 months and then posted the encoding scheme and guess what, 3 days later ESET and others got it. So I created another and picked the following:

    The exe used in the template matters. First off, AVG knows the package sig, I guess, of a lot of commonly used exes, so it's down to finding an exe that's not that common.
    I have used netcat just for the exe to encode, and picking very random shikata_ga_nai in a certain way took many practice encodings, and it's totally undetectable.

    I test on VM machines with snapshots using the top 20 AVs, fully up to date, and they bypass all and are working.

    So try, try, try again until you find one, and don't give out the file for it to get its signature all over the gaff. Remember VirusTotal sends the files to AV vendors.

    I have a payload up to now working 100% FUD for over 4 months after my first one was trashed.

    Kind Regards Dee

  3. #13
    Junior Member
    Join Date
    Aug 2010
    Posts
    64

    Re: Getting Meterpreter Backdoor around AVG AV

    novirusthanks == Good
    virustotal == Bad for everyone..

  4. #14
    Senior Member iproute
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Re: Getting Meterpreter Backdoor around AVG AV

    One thing to bear in mind when trying to get payloads past A/V: when using msfpayload to generate, sometimes it is better to start with windows/shell/reverse_tcp or some other small, simpler payload rather than something like meterpreter. The less data in the executable, the more difficult it will be for many A/Vs to identify any signature. Uncommon EXEs also help when backdooring. If you use the -k option to keep your template exe working, remember to use the EXITFUNC=thread option to make sure you do not lose your session when the template exe is closed.

  5. #15
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    3

    Re: Getting Meterpreter Backdoor around AVG AV

    The problem I have actually found now is getting a meterpreter shell around AVG 2011 Identity Protection. The actual AVG Resident Shield does not pick up my meterpreter backdoored exe, but as soon as I upload to my test XP box and try to use a command like hashdump, AVG 2011 Identity Protection picks it up as malware. Anyone else experiencing this yet? Any ideas around this? I believe it will be hard to get around, considering it is not going by signatures, just file behavior.

  6. #16
    Senior Member iproute
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Re: Getting Meterpreter Backdoor around AVG AV

    hashdump requires escalated privileges. What user is your session running as? Use getuid first to find out. If you do need to escalate privileges, try a different method.

    Code:
    meterpreter  > getsystem -h
    Usage: getsystem [options]
    
    Attempt to elevate your privilege to that of local system.
    
    OPTIONS:
    
        -h        Help Banner.
        -t <opt>  The technique to use. (Default to '0').
    		0 : All techniques available
    		1 : Service - Named Pipe Impersonation (In Memory/Admin)
    		2 : Service - Named Pipe Impersonation (Dropper/Admin)
    		3 : Service - Token Duplication (In Memory/Admin)
    		4 : Exploit - KiTrap0D (In Memory/User)
    
    
    meterpreter  > getsystem -t 4
    ...got system (via technique 4).
    meterpreter  > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter  >

    Once you are able to escalate privileges, kill all the AVG services and processes. Once the AVG services and processes have been killed, you will be able to dump the hashes successfully. Vivek demonstrates disabling AVG in the Metasploit Megaprimer video series. He spends some good time on the topic.

  7. #17
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    3

    Re: Getting Meterpreter Backdoor around AVG AV

    I was actually running the meterpreter shell as SYSTEM. I also tested on a Windows 7 box with AVG 2011 Free Edition. My meterpreter shell on the Windows 7 box was SYSTEM privileges also, and I didn't even get a chance to kill off the AVG before the Identity Protection popped up with malware detected. So what it all comes down to is I do not have any issues whatsoever with getting the meterpreter backdoored exe file past AVG 2011 antivirus signatures. It is the actual AVG Identity Protection that I am unable to get around. Note that the AVG Identity Protection is picking up my backdoored meterpreter shell as Rozena.AH, Category: Packed.

  8. #18
    Senior Member iproute
    Join Date
    Jan 2010
    Location
    Midwest, USA
    Posts
    192

    Re: Getting Meterpreter Backdoor around AVG AV

    If you try a shell as a payload, will the session stay open?

  9. #19
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    3

    Re: Getting Meterpreter Backdoor around AVG AV

    I believe that I have found a solution to avoid the AVG 2011 Identity Protection. After I ran the backdoored.exe file on my test Windows 7 box, the first thing I did was run the command "getsystem" in msfconsole. Then I ran "run service_permissions_escalate", which in turn created my backdoored.exe as a service with SYSTEM privileges and opened a new session. So I closed out my current meterpreter session and opened my new session, and all was good. Hashdump worked without any notifications from AVG! Thanks for your help and input, iproute.
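From a defender's side, the two host-level steps described in posts #16 and #19 (security services being stopped after privilege escalation, and the payload being re-launched as a new SYSTEM service) are exactly what should surface in the Windows System log via the Service Control Manager events 7036 (service state change) and 7045 (service installed). The following detection sketch is an added example and not code from the thread or from Metasploit; the pipe-separated record layout, the sample log lines, and the AVG service names it watches (avgwd, AVGIDSAgent) are constructed assumptions to be adapted to the product and log source actually in use.

```python
"""
Added detection example (not code from the thread or from Metasploit): scan
Windows System-log records for the two host behaviours the posts describe,
a security service being stopped after privilege escalation (#16) and a new
service being installed to re-launch a payload as SYSTEM (#19).
The record format and the sample lines are constructed for this example;
the watched service names are assumptions to adapt to the deployed product.
"""
import re
from dataclasses import dataclass

# Service Control Manager event IDs in the Windows System log:
# 7036 = a service entered the running/stopped state, 7045 = a service was installed.
SERVICE_STATE_EVENT = 7036
SERVICE_INSTALLED_EVENT = 7045

# Assumed service names of the AV product to watch (placeholders, adapt as needed).
WATCHED_SERVICES = {"avgwd", "AVGIDSAgent"}

# Directories from which a newly installed LocalSystem service is considered normal.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Constructed sample records: "<event_id>|<service name>|<message text>"
SAMPLE_LOG = """\
7036|Spooler|The Print Spooler service entered the running state.
7036|avgwd|The AVG WatchDog service entered the stopped state.
7036|AVGIDSAgent|The AVG Identity Protection service entered the stopped state.
7045|backdoored|A service was installed in the system. Service File Name: C:\\Users\\test\\backdoored.exe, Service Account: LocalSystem
7045|VendorSvc|A service was installed in the system. Service File Name: C:\\Program Files\\Vendor\\svc.exe, Service Account: LocalSystem
7036|Spooler|The Print Spooler service entered the stopped state.
"""


@dataclass
class Alert:
    event_id: int
    service: str
    reason: str


def parse_record(line):
    """Split one constructed record into (event_id, service, message)."""
    event_id, service, message = line.split("|", 2)
    return int(event_id), service, message


def installed_service_details(message):
    """Pull the binary path and account out of a 7045 message; None if absent."""
    m = re.search(r"Service File Name: (.+?), Service Account: (\S+)", message)
    return m.groups() if m else None


def scan(log_text, watched=WATCHED_SERVICES):
    """Return alerts for stopped security services and suspicious new services."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, service, message = parse_record(line)
        if event_id == SERVICE_STATE_EVENT:
            # Any watched security service going to the stopped state is a red flag.
            if service in watched and "stopped state" in message:
                alerts.append(Alert(event_id, service, "watched security service stopped"))
        elif event_id == SERVICE_INSTALLED_EVENT:
            details = installed_service_details(message)
            if details is None:
                continue
            path, account = details
            # A new LocalSystem service whose binary lives outside trusted
            # directories matches the escalate-via-service pattern.
            if account == "LocalSystem" and not path.lower().startswith(TRUSTED_PREFIXES):
                alerts.append(Alert(event_id, service, f"new LocalSystem service from untrusted path: {path}"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.event_id}] {alert.service}: {alert.reason}")
```

Run against the constructed sample it raises three alerts (the two AVG services stopping and the backdoored.exe service install) and ignores the normal Spooler transitions and the vendor service installed under Program Files; in practice the records would come from the real event log (for example via a log forwarder) and the watched-service and trusted-path lists from an inventory of the deployed endpoint software.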
