SlideShare a Scribd company logo

Basics of Meterpreter Evasion

Nipun Jaswal, profile picture
Nipun Jaswal

The document discusses techniques for evading antivirus detection using meterpreter, highlighting methods to bypass signature detection and dynamic analysis. It covers the use of custom executables, shellcode, SSL certificates, and specific strategies tailored for popular antivirus solutions like Avast and Norton. The author, Nipun Jaswal, draws on extensive expertise in IT security and provides references for further learning.

Technology
1 of 36
Downloaded 23 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
BASIC METERPRETER EVASION By: Nipun Jaswal • TechnicalDirector, Pyramid Cyber and Forensics • Chair Member, National Cyber Defense and Research Center • Author of Mastering Metasploit & Metasploit Bootcamp
• 10+ Years into IT Security • Author of Mastering Metasploit , First, Second, CN Edition & “Metasploit Bootcamp” • Technical Director , Pyramid Cyber and Forensics • Chair member, National Cyber Defense and Research Center • Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking • Can code in 15+ programming languages, 20 Hall of fames including Offensive Security, AT&T, Facebook, Apple etc • Worked Globally with various law enforcement agencies #WHOAMI
WHAT WE WILL LEARN TODAY? BYPASS SIGNATURE DETECTION • Changing the Known Signatures for Malware • Making use of Shell code instead of conventional executables • Using Encoding wrappers for bypassing detections BYPASS DYNAMIC ANALYSIS • Using SSL to defeat Network behavior analysis • Using Popular yet self signed certificates to whitelist communication • Using Microsoft utilities to bypass application whitelisting
TOP 3 ANTIVIRUS SOLUTIONS
TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
BYPASSING
LET’S CREATE A BACKDOOR WITH METASPLOIT…
FAILED SIGNATURE DETECTION…
LET’S TRY A .VBS SCRIPT…
FAILED SIGNATURE DETECTION…YET AGAIN
LET’S CHECK AV DETECTION STATUS… • 30/39 AVS DETECT THE BACKDOOR AS MALICIOUS • HOW CAN WE CIRCUMVENT THIS?
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
Let’s check AV Detection status… • 3/39 AVs detect the backdoor as malicious • By simply replacing the executable by shellcode we dropped 27 antivirus detections
LET’S SEE WHAT 360 HAVE TO SAY…
TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
LET’S EXECUTE THE APPLICATION…
TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
TOP 3 ANTIVIRUS SOLUTIONS
BYPASSING
AVAST IS A TOUGH NUT TO CRACK…
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
USING SSL TO BYPASS AVAST NETWORK DETECTION
Let’s check AV Detection status… • 0/39 AVs detect the backdoor as malicious • By simply adding support for SSL and using Google’s SSL Cert (Self Signed) we dropped rest of the 3 as well
SUCCESS ON AVAST
SUCCESS ON AVAST
TOP 3 ANTIVIRUS SOLUTIONS
BYPASSING
NORTON WILL TAKE YOUR NIGHTS AWAY Why I Have rated Norton as one of the Best AV Solutions out there? • Aggressive Firewall • Aggressive Behavior Detection • File Info based Blocking / File Attributes • Application Memory and CPU Consumption
WHAT DOES IT TAKE TO BYPASS NORTON? • Fake SSL Certificate • Application Whitelisting Method • Delays and Continuous Process Consumption, but not too high. • Patience
THANKS • For More Information on AV Evasion, refer to “Metasploit Bootcamp” & “Mastering Metasploit” • Twitter : @nipunjaswal • FB : @nipunjaswal • Linknd : @nipunjaswal • http://Amazon.com/authors/nipunjaswal

More Related Content

PPT
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
PDF
Ground Zero Training- Metasploit For Web
Nipun Jaswal
 
PDF
Hijacking Softwares for fun and profit
Nipun Jaswal
 
PDF
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
PDF
Stranger Danger (NodeSummit, 2016)
Guy Podjarny
 
PPTX
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
Imperva Incapsula
 
PDF
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Nipun Jaswal
 
Ground Zero Training- Metasploit For Web
Nipun Jaswal
 
Hijacking Softwares for fun and profit
Nipun Jaswal
 
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
Stranger Danger (NodeSummit, 2016)
Guy Podjarny
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
Imperva Incapsula
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 

What's hot (20)

PDF
Network Forensics and Practical Packet Analysis
Priyanka Aash
 
PDF
Security by Weston Hecker
EC-Council
 
PDF
Hacking Web Apps by Brent White
EC-Council
 
PPTX
Cyber Security and Open Source
POSSCON
 
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
PPTX
Cybereason - behind the HackingTeam infection server
Amit Serper
 
PDF
'Malware Analysis' by PP Singh
Bipin Upadhyay
 
PPTX
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
PDF
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon
 
PPTX
How to Protect Yourself From Heartbleed Security Flaw
ConnectSafely
 
PDF
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
North Texas Chapter of the ISSA
 
PPTX
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
PDF
What you need to know about ExPetr ransomware
Kaspersky
 
PDF
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
North Texas Chapter of the ISSA
 
PDF
Your internet-exposure-that-makes-you-vulnerable
IIMBNSRCEL
 
PDF
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
DevOps.com
 
PPTX
How to-become-secure-and-stay-secure
IIMBNSRCEL
 
PDF
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
 
PPTX
Web Application Security - DevFest + GDay George Town 2016
Gareth Davies
 
PDF
Threat detection with 0 cost
Security Bootcamp
 
Network Forensics and Practical Packet Analysis
Priyanka Aash
 
Security by Weston Hecker
EC-Council
 
Hacking Web Apps by Brent White
EC-Council
 
Cyber Security and Open Source
POSSCON
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
Cybereason - behind the HackingTeam infection server
Amit Serper
 
'Malware Analysis' by PP Singh
Bipin Upadhyay
 
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon
 
How to Protect Yourself From Heartbleed Security Flaw
ConnectSafely
 
Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became t...
North Texas Chapter of the ISSA
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
What you need to know about ExPetr ransomware
Kaspersky
 
Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green
North Texas Chapter of the ISSA
 
Your internet-exposure-that-makes-you-vulnerable
IIMBNSRCEL
 
There’s an OpenBullet Attack Config for Your Site – What Should You Do?
DevOps.com
 
How to-become-secure-and-stay-secure
IIMBNSRCEL
 
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
 
Web Application Security - DevFest + GDay George Town 2016
Gareth Davies
 
Threat detection with 0 cost
Security Bootcamp
 
Ad

Similar to Basics of Meterpreter Evasion (20)

PDF
Bypassing Antivirus for effective security
ArafatAshrafiTalha
 
PPTX
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Lastline, Inc.
 
ODP
2600 av evasion_deuce
Db Cooper
 
PDF
The Art of AV Evasion - Or Lack Thereof
CTruncer
 
PPTX
Evading Antivirus software for fun and profit
Mohammed Adam
 
PPTX
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
PDF
Cansecwest - The Death of AV defence in depth
Thierry Zoller
 
PDF
Modern Evasion Techniques
Jason Lang
 
PDF
AV Evasion with the Veil Framework
VeilFramework
 
PDF
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
PPTX
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
 
PPT
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
Lumension
 
PDF
Bitdefender - Solution Paper - Active Threat Control
Jose Lopez
 
PDF
Copy of Gradient Minimalist Business Slides.pdf
asadforsure
 
PDF
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
PDF
Bypass_AV-EDR.pdf
Farouk2nd
 
PPTX
Unit 5 - Windows Credential Attacks.pptx
SaiGanesh840371
 
PDF
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Fabio Rosato
 
PDF
In search of unique behaviour
DefCamp
 
PDF
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
khalil511890
 
Bypassing Antivirus for effective security
ArafatAshrafiTalha
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Lastline, Inc.
 
2600 av evasion_deuce
Db Cooper
 
The Art of AV Evasion - Or Lack Thereof
CTruncer
 
Evading Antivirus software for fun and profit
Mohammed Adam
 
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
Cansecwest - The Death of AV defence in depth
Thierry Zoller
 
Modern Evasion Techniques
Jason Lang
 
AV Evasion with the Veil Framework
VeilFramework
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
 
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
Lumension
 
Bitdefender - Solution Paper - Active Threat Control
Jose Lopez
 
Copy of Gradient Minimalist Business Slides.pdf
asadforsure
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Bypass_AV-EDR.pdf
Farouk2nd
 
Unit 5 - Windows Credential Attacks.pptx
SaiGanesh840371
 
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Fabio Rosato
 
In search of unique behaviour
DefCamp
 
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
khalil511890
 
Ad

Recently uploaded (20)

PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
KodekX | Application Modernization Development
KodekX
 
Cloud computing and distributed systems.
kkkkkhan
 
Teaching material agriculture food technology
LiaRayya
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KodekX | Application Modernization Development
KodekX
 

Basics of Meterpreter Evasion

  • 1. BASIC METERPRETER EVASION By: Nipun Jaswal • TechnicalDirector, Pyramid Cyber and Forensics • Chair Member, National Cyber Defense and Research Center • Author of Mastering Metasploit & Metasploit Bootcamp
  • 2. • 10+ Years into IT Security • Author of Mastering Metasploit , First, Second, CN Edition & “Metasploit Bootcamp” • Technical Director , Pyramid Cyber and Forensics • Chair member, National Cyber Defense and Research Center • Known for Exploit Research, Cyber Surveillance, Cyber Warfare, Wireless Hacking & Exploitation and Hardware Hacking • Can code in 15+ programming languages, 20 Hall of fames including Offensive Security, AT&T, Facebook, Apple etc • Worked Globally with various law enforcement agencies #WHOAMI
  • 3. WHAT WE WILL LEARN TODAY? BYPASS SIGNATURE DETECTION • Changing the Known Signatures for Malware • Making use of Shell code instead of conventional executables • Using Encoding wrappers for bypassing detections BYPASS DYNAMIC ANALYSIS • Using SSL to defeat Network behavior analysis • Using Popular yet self signed certificates to whitelist communication • Using Microsoft utilities to bypass application whitelisting
  • 4. TOP 3 ANTIVIRUS SOLUTIONS
  • 5. TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
  • 7. LET’S CREATE A BACKDOOR WITH METASPLOIT…
  • 9. LET’S TRY A .VBS SCRIPT…
  • 11. LET’S CHECK AV DETECTION STATUS… • 30/39 AVS DETECT THE BACKDOOR AS MALICIOUS • HOW CAN WE CIRCUMVENT THIS?
  • 12. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE
  • 13. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  • 14. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  • 15. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  • 16. LET’S BYPASS SIGNATURE DETECTION WITH CUSTOMIZED EXECUTABLE (CONT.)
  • 17. Let’s check AV Detection status… • 3/39 AVs detect the backdoor as malicious • By simply replacing the executable by shellcode we dropped 27 antivirus detections
  • 18. LET’S SEE WHAT 360 HAVE TO SAY…
  • 19. TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
  • 20. LET’S EXECUTE THE APPLICATION…
  • 21. TYPES OF DETECTION Common Detection Types: • Signature Based Detection • Dynamic Analysis / Behavioral Detection
  • 22. TOP 3 ANTIVIRUS SOLUTIONS
  • 24. AVAST IS A TOUGH NUT TO CRACK…
  • 25. USING SSL TO BYPASS AVAST NETWORK DETECTION
  • 26. USING SSL TO BYPASS AVAST NETWORK DETECTION
  • 27. USING SSL TO BYPASS AVAST NETWORK DETECTION
  • 28. USING SSL TO BYPASS AVAST NETWORK DETECTION
  • 29. Let’s check AV Detection status… • 0/39 AVs detect the backdoor as malicious • By simply adding support for SSL and using Google’s SSL Cert (Self Signed) we dropped rest of the 3 as well
  • 32. TOP 3 ANTIVIRUS SOLUTIONS
  • 34. NORTON WILL TAKE YOUR NIGHTS AWAY Why I Have rated Norton as one of the Best AV Solutions out there? • Aggressive Firewall • Aggressive Behavior Detection • File Info based Blocking / File Attributes • Application Memory and CPU Consumption
  • 35. WHAT DOES IT TAKE TO BYPASS NORTON? • Fake SSL Certificate • Application Whitelisting Method • Delays and Continuous Process Consumption, but not too high. • Patience
  • 36. THANKS • For More Information on AV Evasion, refer to “Metasploit Bootcamp” & “Mastering Metasploit” • Twitter : @nipunjaswal • FB : @nipunjaswal • Linknd : @nipunjaswal • http://Amazon.com/authors/nipunjaswal