Antivirus Evasion with Metasploit Pro
Introduction
AV evasion has always been a topic of interest among security researchers as well as malware writers. Though less talked about, AV evasion is of paramount importance to a penetration tester as well. If you conduct a penetration test, you want to uncover all vulnerabilities and make sure that the system you tested is prepared for the worst; leaving AV evasion out of the scope of a penetration test makes the entire process incomplete. Additionally, with the exponential increase in the expertise of malware writers, it is very likely that real malware would be able to bypass AVs and infect a system. Hence, AV evasion is a key component of any penetration test and helps outline a major attack vector.
Metasploit Pro's Generate Payload module provides dynamic payload generation, which facilitates AV evasion. In this article I present the detection ratios of various payloads that I generated and a walkthrough of how you can use Metasploit Pro for AV evasion.
Detection Ratios
Generating payloads with Metasploit Pro is extremely simple. Here are the statistics for the various Meterpreter payloads for Windows that I generated using Metasploit Pro's Payload Generator.
Payload Name               Detection Ratio    VirusTotal Link
Reverse TCP Meterpreter    16/54              Link
Reverse HTTP Meterpreter   14/54              Link
Reverse HTTPS Meterpreter  14/54              Link
Bind TCP Meterpreter        9/54              Link
At first glance one might not be very impressed with the detection ratio. However, the takeaway from these statistics is that there wasn't a single antivirus that was able to detect all of the payloads. Now let's have a look at the VirusTotal detection ratio of the classic payloads.
Payload Name               Detection Ratio    VirusTotal Link
Reverse TCP Meterpreter    36/53              Link
Reverse HTTP Meterpreter   35/53              Link
Reverse HTTPS Meterpreter  35/53              Link
Bind TCP Meterpreter       35/53              Link
Comparing the two, you can see that the detection ratio has fallen tremendously.
Metasploit Pro creates dynamic payloads by making the stage of the payload dynamic. It generates a Windows executable that uses a dynamic stager written entirely in randomized C code, so a different stager is produced every time. This is what reduces its detectability.
In fact, the detection ratio drops further if we encode the payloads.