Part 6 - Encoders

Video Activity

In the cat and mouse game of hacking, there are certain countermeasures such as antivirus software that often must be overcome in order to successfully exploit a target. Dean presents Metasploit encoders in this video and how to utilize them to mask data signatures in a payload that can potentially trigger detection by AV software.

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Description

In the cat and mouse game of hacking, there are certain countermeasures such as antivirus software that often must be overcome in order to successfully exploit a target. Dean presents Metasploit encoders in this video and how to utilize them to mask data signatures in a payload that can potentially trigger detection by AV software.

Video Transcription
00:04
>> All right. Let's talk a little bit
00:04
more about payloads then.
00:04
Let me go back [NOISE] out of this one,
00:04
and let's use a payload for Windows,
00:04
for a binding TCP shell.
00:04
I'll start typing use payload.
00:04
I know on what windows,
00:04
>> I'm doing tab complete on these.
00:04
>> I'll start with shell,
00:04
and we get bind TCP.
00:04
A bind in TCP shell means that
00:04
>> I can be bound to a port,
00:04
>> and I should be able to get a command shell on
00:04
that Windows system when this actually connects.
00:04
One of the things that you'll
00:04
find when you're doing this kind of
00:04
work is that you need to frequently generate shellcode.
00:04
Because your payload as is,
00:04
will get detected by antivirus,
00:04
and that's going to stop your pen test and its tracks.
00:04
We have a command called Generate.
00:04
Once you're within a payload or an exploit or a module,
00:04
you can use a dash H command to get help information.
00:04
I can use help by itself.
00:04
Of course, like I showed earlier,
00:04
and you'll notice that the generate command is
00:04
within the payload category.
00:04
I'll do generate dash H to see what my options are,
00:04
and I can see that I've got some encoding options here.
00:04
I can force the encoding,
00:04
I can tell it to avoid certain characters,
00:04
and we'll see what that looks like here in a minute.
00:04
I can tell it how many iterations to perform.
00:04
Because the more times I encode something,
00:04
the more likely it is to remain
00:04
undetected That's the theory anyway.
00:04
I can also specify the size of the [inaudible] slide,
00:04
there's lots of different options.
00:04
There are a lot of different output
00:04
formats. I've got quite a few different categories.
00:04
Perl, Java, PowerShell, Raw,
00:04
Ruby, visual basic script,
00:04
so lots of different possibilities there.
00:04
All right. The first thing we're going to do is just do
00:04
a generate command without
00:04
any options, without any arguments.
00:04
You'll see I've generated shellcode for
00:04
this shell bind TCP payload that I'm using.
00:04
Now you can see it gives me some parameters.
00:04
I can see how many bytes,
00:04
the payload is 328 bytes.
00:04
I've got my local port specified.
00:04
The remote host is not specified.
00:04
But obviously, you want to prepare
00:04
those settings during the process
00:04
of building your payload.
00:04
For instance, I could go back,
00:04
and do a set G for my remote host,
00:04
show my options.
00:04
I can see where my local host is now set.
00:04
Now if I were to generate command again,
00:04
I'll see that that is encoded in the payload.
00:04
There it is and knows what my local host is,
00:04
my local port is.
00:04
I've got some shellcode that I could try
00:04
to use as a payload
00:04
when I get connected to a victim system.
00:04
But there might be certain bytes in this payload
00:04
that are known to trigger the antivirus.
00:04
I'm just going to randomly pick something here.
00:04
The process of figuring out what
00:04
those bytes are is
00:04
a little bit beyond the scope of what we're doing.
00:04
But the basic idea is that you would try to
00:04
take your payload and analyze it and see
00:04
what portion of it is
00:04
actually triggering a signature on an IDS.
00:04
Maybe I know that this XFF hex code
00:04
here is part of the problem.
00:04
I might want to get rid of this.
00:04
I want to filter it out and replace it with
00:04
something else in order
00:04
to try to get my shellcode past the antivirus.
00:04
I can run the generate command with the dash B.
00:04
We saw that earlier,
00:04
I'll do the dash H again.
00:04
The dash B says,
00:04
"These are the characters to avoid."
00:04
Dash B, I'll just use the ones I see here.
00:04
I've got XFF,
00:04
which I want to get rid of.
00:04
I also want to get rid of, let's say X50.
00:04
Because those are both problematic.
00:04
Now you'll notice that
00:04
my payload size is different, it's 350 bytes.
00:04
Previously it was only 328 member
00:04
serves, and there it is.
00:04
You'll notice I have an X50 on
00:04
that at the end of the first line before.
00:04
Now that X50 is gone,
00:04
and I shouldn't be able to find X50 anywhere in here.
00:04
I also should not be able to find XFF.
00:04
Previously, it was somewhere there was.
00:04
Now, that I've filtered that out,
00:04
it replaces it with other shellcode,
00:04
which provides that same functionality.
00:04
That's why the size of
00:04
the payload grew a little bit because I needed
00:04
other codes to compensate for
00:04
the fact that I removed these two from the payload.
00:04
Other things to think about would be you
00:04
could certainly generate a much longer list.
00:04
I could remove,
00:04
let's say all of
00:04
these half codes or these parts of the shellcode.
00:04
If I do this, no,
00:04
actually my size does not change,
00:04
it's still stayed 350 bytes, which is unusual.
00:04
I thought it would probably have gone up.
00:04
But you get the basic idea.
00:04
You're, you're able to filter out a lot
00:04
of these byte codes that may be problematic.
00:04
Now if you go too far,
00:04
and I'll show this as an example,
00:04
you might say, well, I've got so
00:04
many of them I need to get rid of.
00:04
I'm just going to pick this entire line,
00:04
and that actually work.
00:04
If you do too many though,
00:04
you may get an error message
00:04
that says you cannot generate the payload.
00:04
That basically means that
00:04
you've tried to eliminate too many of
00:04
the shellcode options that you've got available to you.
00:04
Now the software can
00:04
the metasploit encoder when
00:04
it's generating the payload cannot
00:04
basically put that together.
00:04
There's limits to how far you can go with removing
00:04
objectionable bytes from your payload.
00:04
All right. Another thing we want to look
00:04
at is the encoders themselves.
00:04
Within this shell buying TCP,
00:04
I can do a show encoders.
00:04
>> I can see all the ones I've got available to me.
00:04
Some of these are excellent,
00:04
like PowerShell Base-64 or Shikata Ga Nah.
00:04
Again, we get a little description here,
00:04
polymorphic exclusive or additive feedback encoder.
00:04
That sounds impressive.
00:04
What it means is that there are ways to make
00:04
your payload less likely to get detected.
00:04
There's also other things, for instance,
00:04
we can say we want a non-Alphanumeric encoder
00:04
or one that doesn't use any upper character, non-upper.
00:04
There's lots of different choices here
00:04
for customizing your payload for the task at hand.
00:04
For instance, maybe I want to use
00:04
the Nilef as an example.
00:04
Actually, I'll use the Shikata encoder instead.
00:04
I can go ahead and run my generate command again.
00:04
This time I'm going to use the dashed e for encode.
00:04
>> I can type.
00:04
>> [NOISE] It doesn't like that.
00:04
I'll use my Copy and Paste.
00:04
Tab complete usually works,
00:04
but there might be certain instances
00:04
within the framework where it doesn't work,
00:04
so just be aware of that.
00:04
Now I use this encoder and it tells
00:04
me 355 bytes for this shell bind TCP for Windows.
00:04
There's my encoder, my local port, my remote host.
00:04
These are all part of the payload now.
00:04
But I can also do compound statements.
00:04
For instance, I know I don't want the XFF,
00:04
and I don't want X50,
00:04
so I can make sure I can get rid of those.
00:04
I can add multiple options to the command line.
00:04
If we go back up to our help screen,
00:04
we can see for generate.
00:04
I can specify my standard output,
00:04
if I want to save this information.
00:04
I can use templates.
00:04
I can also pick the number of iterations.
00:04
Let's experiment with that a little bit.
00:04
I've got the encoder.
00:04
I'm going to get rid of these two characters.
00:04
Let me add one word list.
00:04
I'll go to x, Charlie 9 because I see that,
00:04
the corner of the table there.
00:04
Let's encode again.
00:04
I got air. I can't get rid of that many characters.
00:04
Let's just try these two.
00:04
It's being picky.
00:04
I can only get rid of XFF that shows you some of
00:04
the limits of what the encoder is capable of doing.
00:04
What do we end up with?
00:04
Three hundred and fifty five bytes.
00:04
Now, what if I want to encode
00:04
this a few times to make it more complex?
00:04
I can encode it three times.
00:04
You'll notice that it
00:04
doesn't actually give me three outputs.
00:04
It does it three times and then I get the output.
00:04
It grew quite a bit. Now it's up to 409 bytes.
00:04
But still I've excluded XFF,
00:04
and I'm still using this particular encoder.
00:04
Again, this multiple
00:04
passes that you're doing with the dash I makes
00:04
your encoding that much
00:04
more difficult for the antivirus of
00:04
the victim machine to detect.
00:04
There are probably limits here as well,
00:04
as far as how many iterations you want
00:04
to go through or some of the other things that
00:04
you'd want to set.
00:04
Let's go back to our home screen.
00:04
We can see we've got the dash O option.
00:04
Because I know some of my options are available here,
00:04
I can do something like,
00:04
I'll do up arrow, go back to my generate.
00:04
Let's say when I'm doing my generate,
00:04
I want to change my local port to something else.
00:04
I'll change it to 5555.
00:04
I forgot to put the equal sign. That's why.
00:04
[NOISE] Little details matter.
00:04
We can see now that it went down to 409 bytes,
00:04
still showing my encoder,
00:04
my local port is now
00:04
5555 because I've encoded a different version of this.
00:04
This goes to show you how flexible
00:04
the syntax I can change my encoding method.
00:04
I can change a number of times.
00:04
I do the encoding, I can set some of my variables and
00:04
encode a payload all in one step,
00:04
which makes your life a lot easier when you're
00:04
trying to evade anti-virus.
00:04
Lastly, let's look at our dash T option.
00:04
This gives us our output format.
00:04
Dash C, C-sharp hacks Java, and so on.
00:04
[inaudible] a lot different payload options.
00:04
We can experiment with this.
00:04
I've got my last command there.
00:04
Let's say I want to do this in Bash format.
00:04
That's what Bash shell code
00:04
looks like. It's a little different.
00:04
I've got some dollar signs here.
00:04
The characters look a little bit different perhaps.
00:04
I can try one with the PowerShell.
00:04
[NOISE] Maybe I can try C-sharp.
00:04
There's a different encoding method using C-Sharp.
00:04
You get the basic idea. I've got lots of options.
00:04
You got the things here that might be useful
00:04
depending on your environment that you're going after.
00:04
Maybe a visual basic script or
00:04
you're dealing with binary [inaudible].
00:04
Just showing some of
00:04
the possibilities for your AV avoidance.
00:04
We'll get into more detail
00:04
>> about that in a later section.
Up Next