Metasploit: Msfencode useless !?

[rewetuete]

Hey,

is there another working encrypter than Shikata_Na_gai !?

I wondered that even all encrypter together with 20 passes of Shikata_Na_gai were detected by 57% of the Virus Total Scanners.

Is there another possibility to encrypt an EXE to bypass AV ?

[2901119]

I haven't messed with msfencode for about a month but last time I did, It wasn't fairing too well with av bypass. Yes there are other encoders, but when I tried it, I was using multiple encoders with multiple iterations and I was still getting picked up. Yes there are other methods of av-bypass, so don't get stuck on just metasploit... check out this blog by lupin -----> http://grey-corner.blogspot.com/2010...on-netcat.html

[comaX]

msf methods of encryption are pretty well-known by AV softwares now... So you should try encrypting your own unique way, and then keep it to yourself.
Also, don't upload your files to virus-total, since they report bad content to AV editors !

[Riverseeker]

hint:

well the problems isnt always in the code coming out from msfencode but could be from the rest of the program.
a good starting point is to write your own templates and experiment .p

saying template i mean all except the code coming out from msfencode...

really stupid example from around 15/01/2011 :

I was packing a C exe contaninig a win meterpreter staged reverse http payload with explorer exe and a vbs scrpt.
Created my own C code, created my vbs script with some extra commands in it, encoded the array 30 times with
shikata_na_gai (but i discovered it worked with just 1 also lol).
Tested against avira, avast and clam: not detected.
Then i decited to change icon of the file...
BOOM: getting caught by all 3 antivirus...i bypassed the problem just changing the program used to modify the icon.
(same happened using some "doomed" words in vbs script instead of casual...)

This was just an example: so in building a payload many things can go wrong, it depends on many factors but try to
remember that the problem could not be were you are expecting it...short-hand="open your mind" lol!

btw that link from 2901119 is really nice

Metasploit is made to boost some steps but in the end is you knowledge of the matter that make things working fine ç_ç.

moral: study more and find your own solutions experimenting alot

[2901119]

This was just an example: so in building a payload many things can go wrong, it depends on many factors but try to
remember that the problem could not be were you are expecting it...short-hand="open your mind" lol!


Metasploit is made to boost some steps but in the end is you knowledge of the matter that make things working fine ç_ç.

moral: study more and find your own solutions experimenting alot

well put Riverseeker

[Ignatius]

msf methods of encryption are pretty well-known by AV softwares now... So you should try encrypting your own unique way, and then keep it to yourself.
Also, don't upload your files to virus-total, since they report bad content to AV editors !

This is an amazing coincidence - I was playing around with encoding today and checked what was picked up by the AVG on my system. I was very disappointed to see that 4, 8, 12 or more iterations of shikata_ga_nai failed, even though I was under the impression that is was almost perfect in avoiding AV! I even used two encoders in tandem and also used the -b option to remove \x00 but AVG still whinged. I was about to post a question about it and stumbled upon this. I know that I shouldn't upload samples for checking as that will, almost certainly, result in AVs picking it up very shortly.

Question: can you give a little more guidance about encrypting in my own, unique way? I don't expect a step-by-step tutorial but a prod in the right direction would be great. I have some experience with linux but negligible programming experience ... though am willing to learn!

I'll check out the link in the post before yours about an alternative method of bypassing AV.

Edit:

Since posting my earlier message (it hasn't been authorised yet), I've been researching, and came across shellcodeexec (hxxp:// r00tsec.blogspot.com/2011/04/payload-bypass-av-with-encoding.html). I don't know how useful this might be and I'm doing more reading about it. I hope that someone will find it useful.

[Riverseeker]

Seriously starting with: ...since i'm really nobody and being sure that if i've done it everybody could do it:


Saying it in a brutal way i think that probably the crucial part is: you need to write your own code.
(or at least modify the code you want to use).
That is the only way i found to have reasonable possibility to bypass AV checks (now and in the future...).
To explain this i will mix the way i faced the problem and some personal consideration.

The first question i asked myself was: ok no panic, why AV owned my little payload?

(this could be considered stupid question but how can i fix something if i cant even
relize where the problem is? btw do you know where the problem is?
something called throubleshooting should be familiar eh eh).

So i started reading alot, trying to understand how AVs works.
(that is what you should do if you are motivated, if not change hobby ç_ç )

Surprisingly that should be all you need to know !

There are really tons of informations, some more intuitive some with "formal" data in it,
just take it easy m8.

Anyway second step i faced was: ok i have an enormous soup of infos in my head but i think that probably
AVs are finding a "doomed signature" when checking my little payload...
This is quite obvious since i am using something that is well known in the whole net.
I had to find a way to isolate the problem, essentially to understand wich part of the program was not passing checks.
So i decided to write my own code, let's say in C and added shigata_whateveritnameis x1encoded buff.
Easier could be with web attack like java applet: just modify it.
(if you have problems writing your code or modifying something...look above about hobby and motivation)

For this try result: FAILED...-->ok no panic-->go back--->remember throubleshooting?
FAILED again? -->gotok no panic etc etc...

Shorting this out i found that:

-first problem was a possible signature from:
main{"something wrong coming from in here"}

changed it.

-the second crap was coming from:
"\xxblablabla"

I tryed the whole process encoding more and more, with different encoders...i FAILED again..
oh crap should i write my own encoder too?
i cannot believe that an encoder with a such cool name is failing...
Fortunatenly i tryed some more combos and i found that with staged payloads was a SUCCESS.
So in this situation i dont need a new encoder, but maybe one day, i hope not too close, when i will be motivated enougth
i will study how encoders work and write mine. (aka "the vampire statement")
(btw if you dont know what's different with a staged payload see above words about hobby!)

Again this is example is kind of stupid and bit brutal but I hope it helped.
Message should be: if you use your head you could have more satisfaction, maybe boost the rest of you progress
and also be ready when serious stuff will knock at your door.

__END of LINE ç_ç

[iliyapolak]

Msfencode methods are well known to AV software developers
Try to insert junk bytes after jumps so you can defeat linear sweep deobfuscators also consider removing call instructions by changing them to push var, push var push, offset jmp addr ret
you can also try to spread instruction through the code with jumps and maybe using indirect jumps to confuse recursive dissasemblers like IDA.
You can try to xor your binary with random strings and try to use shift by random value to make your code to appear like a completely random and to prevent pattern deduction, but you must provide your own decryptor.

[Knoxville]

Bypassing AV with metasploit is a hot topic and there are a few different methods to attack this. I feel this article is one of the best methods for evading AV considering it gives the tester plenty of flexibility in obfuscating ASM instructions and allows for bypassing of Static Binary Analysis and Heuristic based AV engines.

http://www.pentestgeek.com/2012/01/2...t-writing-asm/

Enjoy!