Part 6 - Encoders

Video Activity

In the cat and mouse game of hacking, there are certain countermeasures such as antivirus software that often must be overcome in order to successfully exploit a target. Dean presents Metasploit encoders in this video and how to utilize them to mask data signatures in a payload that can potentially trigger detection by AV software.

Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:04
All right, so let's talk a little bit more about payloads then,
00:08
uh, go back out of this one.
00:13
And
00:15
let's use a, uh,
00:18
a payload for Windows for a bind TCP shell. So we'll start typing use
00:26
payload, and when I know what Windows I'm doing, tab complete on these,
00:30
and I'll start with shell,
00:34
we get bind TCP.
00:38
All right, so a bind TCP shell means that I'm gonna be bound to a port,
00:44
and I should be able to get a command shell on that Windows system
00:48
when this actually connects.
00:51
One of the things that you'll find when you're doing this kind of work is that you need to frequently generate shell code,
00:58
because your
01:00
payload as is will get detected by antivirus, and that's going to stop your pen testing in its tracks.
01:07
So we have a command called generate.
01:11
Once you're within a payload or an exploit
01:15
or a module, you can use the dash H command to get help information.
01:22
I can use help by itself,
01:26
of course, like I showed earlier, and you'll notice that the generate command is within the payload category,
01:34
so I'll do generate
01:38
dash H to see what my options are,
01:41
and I can see that I've got some encoding options here,
01:45
so I can force the encoding. I can tell it to avoid certain characters, and we'll see what that looks like here in a minute.
01:51
I can tell it how many generations to perform, because the more times I encode something, the more likely it is to remain undetected. That's the theory, anyway.
02:00
I can also specify the size of the *** sled. There's lots of different options and then a lot of different output formats.
02:08
See, I've got quite a few different categories:
02:13
Perl, Java, PowerShell, raw, Ruby,
02:17
Visual Basic script. So there's lots of different,
02:21
different possibilities there.
02:23
All right, so the first thing we're gonna do is just do a generate command without any options,
02:29
without any arguments,
02:30
and you'll see I have generated shell code for this shell bind TCP,
02:37
uh,
02:38
payload that I'm using.
02:40
Oh, you can see it gives me some parameters. I can see how many bytes the payload is: 328 bytes.
02:46
I've got my local port specified. The remote
02:52
host is not specified,
02:53
but obviously you would want to prepare those settings
02:59
during the process of
03:00
building your payload.
03:04
So, for instance, I could go back and do a setg for my
03:08
remote host.
03:21
Show options. I can see where my remote host is now set. Now, if I run the generate command again,
03:30
I'll see that that is encoded in the payload.
03:34
So there it is. It knows what my local host is, my local port is,
03:38
and I've got some kind of shell code that I could try to
03:43
use as a payload when I get connected to a victim system.
03:49
But there might be certain bytes in this payload that are
03:53
known to trigger the antivirus,
03:55
and I'm just gonna randomly pick something here. So
04:00
the process of figuring out what those bytes are is a little bit beyond the scope of what we're doing. But the basic idea is that
04:06
you would try to
04:10
take your payload and analyze it and see what portion of it is actually triggering a signature on an IDS. Maybe I know that this \xff
04:20
hex code here is part of the problem,
04:24
and I might want to get rid of this. I want to filter it out and replace it with something else
04:29
in order to
04:31
try to get my shell code past the antivirus, so I can run the generate command with the dash B.
04:39
We saw that earlier. I'll do the dash H again. The dash B says these are the characters to avoid.
04:50
B,
04:53
and I'll do a, uh,
04:56
I'll just use the ones I see here. I've got \xff, which I want to get rid of. I also want to get rid of, let's say,
05:02
\x50.
05:05
Those are both problematic.
05:09
Now you'll notice that my payload size is different. It's 350 bytes.
05:15
Previously, it was only 328.
05:19
If memory serves, there it is,
05:23
and you'll notice I had \x50 at the end of the first line before;
05:28
now that \x50 is gone, and I shouldn't be able to find \x50 anywhere in here. I also should not be able to find \xff.
05:34
Previously
05:36
it was somewhere there. So now that I filter that out,
05:43
it replaces it with other
05:45
shell code which provides that same functionality.
05:48
So that's why the size of the payload grew a little bit, because I needed other codes to compensate for the fact that I removed these two from the payload.
06:01
Other things to think about would be, you could, you know, certainly generate a much longer list. I could,
06:06
I could remove,
06:09
let's say, all of these,
06:12
these opcodes or these parts of the shell code.
06:24
And if I do this,
06:26
no, uh, extra... my shell, my size has not changed. It still stayed 350 bytes, which is unusual. I thought it would probably have gone up,
06:34
but you get the basic idea. You're,
06:36
you're able to
06:39
filter out a lot of
06:41
these byte codes that may be
06:45
problematic. Now, if you go too far,
06:47
I'll show this as an example,
06:51
you might say, well, I've got so many that I need to get rid of. I'm just going to
06:56
pick this entire line,
07:00
and that actually works. If you do too many, though, you may get an error message that says you cannot generate the payload.
07:06
And that basically means that you've tried to eliminate too many
07:12
of the,
07:14
of the,
07:15
the shell code
07:17
options that you've got available to you.
07:20
And now the software can't,
07:24
uh,
07:25
the Metasploit encoder,
07:28
when it's generating the payload, cannot basically put that together. So there's limits to how far you can go with removing objectionable
07:38
bytes from your payload.
07:41
All right, so another thing we want to look at
07:44
is the encoders themselves.
07:46
So within this shell bind TCP, I can do a show encoders
07:53
and I can see all the ones I've got available to me.
07:56
Some of these are excellent, like PowerShell base64
08:00
or shikata ga nai.
08:03
So a little description here: polymorphic XOR additive feedback encoder.
08:07
Uh, that sounds impressive,
08:11
and what it means is that there are ways to
08:15
make your
08:18
payload a little less likely to get detected. There's also other things like, for instance, we can say we want a non-
08:24
alphanumeric
08:26
encoder, or one that doesn't use any upper characters. So nonupper.
08:31
There's lots of different choices here for customizing your payload for the task in hand.
08:39
So, for instance, maybe I want to use the,
08:43
the night off as an example.
08:48
Actually, I don't want to use that. I'll use the shikata
08:52
encoder instead,
08:58
so I can go ahead and run my generate command again.
09:03
Now, this time I'm going to use the dash E for encoder,
09:07
and I can type
09:13
Doesn't like that.
09:16
All right, using a copy and paste.
09:18
Tab complete usually works, but there may be certain instances within the framework where it doesn't work, so just be aware of that.
09:26
All right, so now I use this encoder,
09:31
and it tells me 355 bytes with this shell bind TCP for
09:35
Windows. There's my encoder,
09:39
my local port, my remote host. These are all part of the,
09:45
the payload now.
09:48
But I could also do compound statements. For instance, I know I don't want
09:52
the, um,
09:56
\xff, and I don't want \x50.
09:58
All right, so I could make sure I can get rid of those,
10:03
so I can add multiple options to the command line. We go back up to our
10:11
help screen,
10:15
we can see for generate, we also have ways to... I can specify my standard out. What if I want to save this information?
10:24
I can use templates. I can also pick the number of iterations. So let's experiment with that a little bit. I've got the encoder. I'm going to get rid of these two characters. Let me add one more to the list. I'll get a \x
10:37
C, just because I see that at the corner of the table there.
10:43
All right, let's encode again.
10:46
Oh,
10:46
I got an error, so I can't get rid of that many,
10:50
that many characters.
10:52
Let's just try these two.
10:58
It's being picky,
11:03
all right? So I can only get rid of the \xff. That shows you some of the limits of what the encoders are
11:07
capable of doing.
11:09
So what we end up with is 355 bytes.
11:13
Now, what if I want to encode this a few times to make it more complex? I could encode it three times,
11:20
and you'll notice that it doesn't actually give me three outputs. It does it three times and then I get the output.
11:26
It grew quite a bit. Now it's up to 409 bytes, but still, I've excluded \xff and I'm still using this particular encoder.
11:37
And again, these multiple passes that you're doing with the dash I make your,
11:43
uh,
11:45
your encoding that much more difficult for the antivirus of the victim machine to detect,
11:52
and there are probably limits here as well as far as,
11:56
uh,
11:56
what kinds of, how many iterations you want to go through or some of the other things that you want to set. So let's go back to our
12:07
help screen.
12:09
We can see we've got the dash O option.
12:13
So because I know
12:16
some of my options are available here, I could do something like, I'll do up arrow, go back to my generate.
12:22
Let's say I want to change my, when I'm doing my generate, I want to change my local port to something else.
12:28
So I'll go to, I'll change it to 5555.
12:37
Possibly it is... oh, I forgot to put the equal sign, that's what.
12:43
Okay,
12:46
so
12:46
little details matter.
12:48
We can see now that,
12:50
uh, it went down to 409 bytes, still showing my encoder.
12:56
My local port is now 5555 because I have encoded a different version of this.
13:03
So for these, this goes to show you how flexible the syntax is, as I can
13:09
change my encoding method, I can change the number of times I do the encoding, I can set some variables and encode a payload all in one step,
13:18
which makes your life a lot easier when you're trying to evade
13:22
antivirus.
13:24
And lastly, let's look at our dash T option. This gives us
13:28
our output format.
13:31
So bash, C, C sharp, hex, Java and so on. I can allow different,
13:37
um,
13:39
payload options,
13:41
so we can experiment with this.
13:46
I got my last command there. Let's say I want to,
13:48
uh,
13:50
do this in bash format.
13:54
So that's what bash shell code looks like. You know, it's a little different. I've got some
13:58
dollar signs here.
14:01
The characters look a little bit different, perhaps.
14:05
Let's see, I can try one with PowerShell.
14:16
Oh, it didn't like PowerShell.
14:18
Maybe I can try
14:20
C sharp.
14:26
All right, so there's a different
14:28
encoding method using C sharp.
14:31
So you get the basic idea. I've got lots of options
14:33
and other things here that might be useful depending on the environment that you're going after, and maybe a Visual Basic script
14:43
or, uh,
14:45
you're dealing with binary exes,
14:48
so just kind of showing some of the possibilities
14:52
for your
14:54
AV avoidance, and we'll get into more detail about that
14:58
in a later section.