
Antivirus Evasion with Metasploit Pro


Introduction

AV Evasion has always been a topic of interest among security researchers as well as malware writers. Though less talked about, AV Evasion is of paramount importance to a penetration tester as well. If you conduct a penetration test, you want to uncover all vulnerabilities and make sure that the system you tested is prepared for the worst. Leaving AV Evasion out of the scope of your penetration tests makes the entire process incomplete. Additionally, with the rapid increase in the expertise of malware writers, it is very likely that a piece of malware will be able to bypass AVs and infect a system. Hence, AV Evasion is a key component of any penetration test and helps outline a major attack vector.

Metasploit Pro’s Generate Payload module provides dynamic payload generation which facilitates AV evasion. In this article I am going to present the detection ratios of various payloads that I generated and a walkthrough of how you can use Metasploit Pro for AV Evasion.

Detection Ratios

Generating payloads with Metasploit Pro is extremely simple. Here are the statistics for the various Meterpreter payloads for Windows that I generated using Metasploit Pro’s Payload Generator.


Payload Name               Detection Ratio    Virustotal Link
Reverse TCP Meterpreter    16/54              Link
Reverse http Meterpreter   14/54              Link
Reverse https Meterpreter  14/54              Link
Bind TCP Meterpreter        9/54              Link

At first glance one might not be very impressed with the detection ratio. However, the takeaway from these statistics is that there wasn’t a single antivirus that was able to detect “all” the payloads. Now let’s have a look at the VirusTotal detection ratio of the classic payloads.

Payload Name               Detection Ratio    Virustotal Link
Reverse TCP Meterpreter    36/53              Link
Reverse http Meterpreter   35/53              Link
Reverse https Meterpreter  35/53              Link
Bind TCP Meterpreter       35/53              Link

Comparing the two tables, you can see that the detection ratio has fallen tremendously.
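A detection ratio such as 16/54 says how many engines flagged one sample, but the takeaway above is about coverage across samples: whether any single engine caught every payload, and how many engines would be needed in combination. The script below is an added example, not code from the post or from Metasploit Pro; it models VirusTotal-style per-engine verdicts with constructed data (four invented engines rather than the 53 or 54 real ones) and computes per-sample ratio, per-engine coverage, the engines that caught everything, and a greedy engine union that does.

```python
# Added example (not from the original post): evaluate per-engine coverage over
# a set of samples from VirusTotal-style verdicts. All data below is constructed.
from collections import defaultdict

# Constructed verdicts: sample -> {engine: detected?}. Engine names are invented;
# the real scans in the post ran against 53-54 engines.
SCAN_RESULTS = {
    "reverse_tcp_dynamic":   {"EngineA": True,  "EngineB": False, "EngineC": True,  "EngineD": False},
    "reverse_http_dynamic":  {"EngineA": False, "EngineB": True,  "EngineC": True,  "EngineD": False},
    "reverse_https_dynamic": {"EngineA": False, "EngineB": True,  "EngineC": False, "EngineD": True},
    "bind_tcp_dynamic":      {"EngineA": True,  "EngineB": False, "EngineC": False, "EngineD": False},
}

def detection_ratio(results, sample):
    """The figure VirusTotal reports: (engines that flagged the sample, engines that scanned it)."""
    verdicts = results[sample]
    return sum(verdicts.values()), len(verdicts)

def engine_coverage(results):
    """Invert the verdicts: engine -> set of samples that engine detected."""
    coverage = defaultdict(set)
    for sample, verdicts in results.items():
        for engine, detected in verdicts.items():
            if detected:
                coverage[engine].add(sample)
    return dict(coverage)

def engines_catching_all(results):
    """Engines that flagged every sample; the post's observation is that this list is empty."""
    all_samples = set(results)
    return sorted(e for e, s in engine_coverage(results).items() if s == all_samples)

def minimal_engine_union(results):
    """Greedy set cover: a small set of engines whose verdicts together flag every sample.
    Returns (chosen engines, samples no engine at all detected)."""
    remaining = set(results)
    coverage = engine_coverage(results)
    chosen = []
    while remaining:
        best = max(coverage, key=lambda e: len(coverage[e] & remaining))
        if not coverage[best] & remaining:
            break  # every remaining sample is missed by all engines
        chosen.append(best)
        remaining -= coverage[best]
    return chosen, sorted(remaining)
```

With the constructed data no single engine covers all four samples, while EngineA and EngineB together do, which is the kind of comparison a defender would run before relying on one product's verdicts.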

Metasploit Pro creates dynamic payloads by making the stager of the payload dynamic. It generates a Windows executable that uses a dynamic stager written entirely in randomized C code, so a different stager is produced every time. This is what reduces its detectability.

In fact, the detection ratio drops further if we encode them.

Walkthrough

  1. Log in to the Metasploit Pro GUI and click on Payload Generator.
  2. Select “Dynamic Payload (AV evasion)”. Next, select the stager and the stage. Then enter LHOST* and click on “Generate”.
  3. You can now download the payload by clicking on the “Download” button in the box.