Bypassing the antivirus with files

The exploitation phase of the kill chain is the most dangerous one for the penetration tester or attacker, as they are directly interacting with the target network or system, and there is a high risk of their activity being logged or their identity being discovered. Again, stealth must be employed to minimize the risk to the tester. Although no specific methodology or tool is undetectable, there are some configuration changes and specific tools that will make detection more difficult.

When considering remote exploits, most networks and systems employ various types of defensive controls to minimize the risk of attack. Network devices include routers, firewalls, intrusion detection and prevention systems, and malware detection software.

To facilitate exploitation, most frameworks incorporate features to make the attack somewhat stealthy. The Metasploit framework allows you to manually set evasion options on an exploit-by-exploit basis, determining which factors (such as encryption, port number, filenames, and others) may be difficult to detect and will change for each particular exploit ID. The Metasploit framework also allows communication between the target and the attacking systems to be encrypted (the windows/meterpreter/reverse_tcp_rc4 payload), making it difficult for the exploit payload to be detected.

Metasploit Pro (Nexpose), available as a trial on the Kali distribution, includes the following to specifically bypass intrusion detection systems:

  • The scan speed can be adjusted in the settings for Discovery Scan, reducing the speed of interaction with the target by setting the speed to sneaky or paranoid.
  • This implements transport evasion by sending smaller TCP packets and increasing the transmission time between the packets.
  • This reduces the number of simultaneous exploits launched against a target system.
  • There are application-specific evasion options for exploits that involve DCERPC, HTTP, and SMB, which can be set automatically.

Most antivirus software relies on signature matching to locate viruses, ransomware, or any other malware. Such software examines each executable for strings of code known to be present in malware (the signature) and raises an alarm when a suspect string is detected. Many of Metasploit's attacks rely on files that may possess a signature that, over time, has been identified by antivirus vendors.

In response to this, the Metasploit framework allows standalone executables to be encoded to bypass detection. Unfortunately, extensive testing of these executables at public sites, such as virustotal.com, has decreased their effectiveness in bypassing AV software. However, this has given rise to frameworks such as Veil and Shellter, which aim to bypass AV software by cross-verifying the executables, uploading them directly to VirusTotal before planting the backdoor into the target environment.
