Part 6 - Encoders

Video Activity

In the cat-and-mouse game of hacking, there are certain countermeasures, such as antivirus software, that often must be overcome in order to successfully exploit a target. In this video Dean presents Metasploit encoders and how to use them to mask the byte patterns in a payload that can otherwise trigger detection by AV software.


Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription
00:04
All right, so let's talk a little bit more about payloads then.
00:08
I'll go back out of this one,
00:15
and let's use a payload for Windows for a bind TCP shell. So we'll start typing "use payload", and since I know it's Windows I'm doing, I tab complete on these,
00:30
and I'll start with "sh", and we get bind TCP.
00:38
All right, so a bind TCP shell means that I'm going to be bound to a port,
00:44
and I should be able to get a command shell on that Windows system when this actually connects.
00:51
One of the things that you'll find when you're doing this kind of work is that you need to frequently generate shellcode,
00:58
because your payload as is will get detected by antivirus, and that's going to stop your pen testing in its tracks.
01:07
So we have a command called generate.
01:11
Once you're within a payload or an exploit or a module, you can use the -h command to get help information.
01:22
I can use help by itself, of course, like I showed earlier, and you'll notice that the generate command is within the payload category,
01:34
so I'll do generate -h to see what my options are,
01:41
and I can see that I've got some encoding options here, so I can force the encoding, I can tell it to avoid certain characters, and we'll see what that looks like here in a minute.
01:51
I can tell it how many generations to perform, because the more times I encode something, the more likely it is to remain undetected. That's the theory anyway.
02:00
I can also specify the size of the NOP sled. There's lots of different options, and then a lot of different output formats.
02:08
See, I've got quite a few different categories:
02:13
Perl, Java, PowerShell, raw, Ruby, Visual Basic script. So there's lots of different possibilities there.
02:23
All right, so the first thing we're going to do is just do a generate command without any options, without any arguments,
02:30
and you'll see I have generated shellcode for this shell bind TCP payload that I'm using.
02:40
You can see it gives me some parameters. I can see how many bytes the payload is: 328 bytes.
02:46
I've got my local port specified. The remote host is not specified,
02:53
but obviously you would want to prepare those settings during the process of building your payload.
03:04
So, for instance, I could go back and do a setg for my remote host.
03:21
Show options: I can see where my remote host is now set. Now, if I run the generate command again,
03:30
I'll see that that is encoded in the payload.
03:34
So there it is. It knows what my local host is, what my local port is,
03:38
and I've got some kind of shellcode that I could try to use as a payload when I get connected to a victim system.
03:49
But there might be certain bytes in this payload that are known to trigger the antivirus,
03:55
and I'm just going to randomly pick something here. So
04:00
the process of figuring out what those bytes are is a little bit beyond the scope of what we're doing. But the basic idea is that
04:06
you would try to take your payload and analyze it and see what portion of it is actually triggering a signature on an IDS. Maybe I know that this \xff
04:20
hex code here is part of the problem,
04:24
and I might want to get rid of this. I want to filter it out and replace it with something else
04:29
in order to try to get my shellcode past the antivirus, so I can run the generate command with the -b.
04:39
We saw that earlier. I'll do the -h again. The -b says these are the characters to avoid.
04:50
-b, and I'll just use the ones I see here. I've got \xff, which I want to get rid of. I also want to get rid of, let's say,
05:02
\x50.
05:05
Those are both problematic.
05:09
Now you'll notice that my payload size is different. It's 350 bytes.
05:15
Previously, it was only 328.
05:19
If memory serves, there it is,
05:23
and you'll notice I had \x50 at the end of the first line before.
05:28
Now that \x50 is gone, and I shouldn't be able to find \x50 anywhere in here. I also should not be able to find \xff.
05:34
Previously it was somewhere in there. There it was. So now that I filter that out,
05:43
it replaces it with other shellcode, which provides that same functionality.
05:48
So that's why the size of the payload grew a little bit, because I needed other code to compensate for the fact that I removed these two from the payload.
06:01
Other things to think about would be: you could certainly generate a much longer list. I could remove,
06:09
let's say, all of these opcodes, these parts of the shellcode.
06:24
And if I do this,
06:26
no, my size has not changed. It still stayed at 350 bytes, which is unusual. I thought it would probably have gone up,
06:34
but you get the basic idea. You're able to filter out a lot of these byte codes that may be
06:45
problematic. Now, if you go too far,
06:47
I'll show this as an example,
06:51
you might say, well, I've got so many that I need to get rid of, I'm just going to
06:56
pick this entire line,
07:00
and does that actually work? If you do too many, though, you may get an error message that says you cannot generate the payload.
07:06
And that basically means that you've tried to eliminate too many of the shellcode options that you've got available to you,
07:20
and now the software, the Metasploit encoder,
07:28
when it's generating the payload, cannot basically put that together. So there are limits to how far you can go with removing objectionable bytes from your payload.
07:41
All right, so another thing we want to look at is the encoders themselves.
07:46
So within this shell bind TCP, I can do a show encoders,
07:53
and I can see all the ones I've got available to me.
07:56
Some of these are excellent, like PowerShell base64
08:00
or shikata ga nai.
08:03
So a little description here: polymorphic XOR additive feedback encoder.
08:07
That sounds impressive,
08:11
and what it means is that there are ways to make your payload less likely to get detected. There's also other things. Like, for instance, we can say we want a non-alphanumeric
08:26
encoder, or one that doesn't use any upper characters, so nonupper.
08:31
There's lots of different choices here for customizing your payload for the task at hand.
08:39
So, for instance, maybe I want to use the nonupper one as an example.
08:48
Actually, I don't want to use that. I'll use the shikata encoder instead,
08:58
so I can go ahead and run my generate command again.
09:03
Now, this time I'm going to use the -e for encoder, and I can type...
09:13
It doesn't like that.
09:16
I'll use copy and paste.
09:18
Tab complete usually works, but there may be certain instances within the framework where it doesn't work, so just be aware of that.
09:26
All right, so now I use this encoder,
09:31
and it tells me 355 bytes with this shell bind TCP for Windows. There's my encoder,
09:39
my local port, my remote host. These are all part of the payload now.
09:48
But I can also do compound statements. For instance, I know I don't want
09:56
the \xff, and I don't want \x50.
09:58
All right, so I can make sure I get rid of those,
10:03
so I can add multiple options to the command line. If we go back up to our help screen,
10:15
we can see, for generate, we also have ways to... I can specify my standard out. What if I want to save this information?
10:24
I can use templates. I can also pick the number of iterations. So let's experiment with that a little bit. I've got the encoder. I'm going to get rid of these two characters. Let me add one more to the list. I'll add one more byte,
10:37
because I see that at the corner of the table there.
10:43
All right, let's encode again.
10:46
Oh, I got an error, so I can't get rid of that many characters.
10:52
Let's just try these two.
10:58
It's being picky.
11:03
All right, so I can only get rid of the two. That shows you some of the limits of what the encoders are capable of doing.
11:09
So what we end up with is 355 bytes.
11:13
Now, what if I want to encode this a few times to make it more complex? I could encode it three times,
11:20
and you'll notice that it doesn't actually give me three outputs. It does it three times and then I get the output.
11:26
It grew quite a bit. Now it's up to 409 bytes, but still, I've excluded \xff and I'm still using this particular encoder.
11:37
And again, these multiple passes that you're doing with the -i make your
11:45
encoding that much more difficult for the antivirus on the victim machine to detect,
11:52
and there are probably limits here as well, as far as
11:56
how many iterations you want to go through, or some of the other things that you want to set. So let's go back to our help screen.
12:07
hope screen.
12:09
We can see we've got the -o option.
12:13
So because I know
12:16
some of my options are available here, I could do something like, I'll do up arrow, go back to my generate.
12:22
Let's say I want to change, when I'm doing my generate, I want to change my local port to something else.
12:28
So I'll change it to 5555.
12:37
What is it? Oh, I forgot to put the equal sign, that's what.
12:43
Okay, so
12:46
little details matter.
12:48
We can see now that it went to 409 bytes, still showing my encoder.
12:56
My local port is now 5555 because I have encoded a different version of this.
13:03
So this goes to show you how flexible the syntax is: I can
13:09
change my encoding method, I can change the number of times I do the encoding, I can set some variables and encode a payload all in one step,
13:18
which makes your life a lot easier when you're trying to evade antivirus.
13:24
And lastly, let's look at our -t option. This gives us our output format.
13:31
So bash, C, C#, hex, Java and so on. I can allow different payload options,
13:41
so we can experiment with this.
13:46
I've got my last command there. Let's say I want to do this in bash format.
13:54
So that's what bash shellcode looks like. You know, it's a little different. I've got some dollar signs here.
14:01
The characters look a little bit different, perhaps.
14:05
Let's see, I can try one with PowerShell.
14:16
It didn't like PowerShell.
14:18
Maybe I can try C#.
14:26
All right, so there's a different encoding method using C#.
14:31
So you get the basic idea. I've got lots of options
14:33
and other things here that might be useful depending on the environment that you're going after, and maybe a Visual Basic script,
14:45
or you're dealing with binary executables,
14:48
so I'm just kind of showing some of the possibilities for your AV avoidance, and we'll get into more detail about that
14:58
in a later section.
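The video demonstrates three things about generate: -b makes the encoder avoid chosen byte values, -i re-encodes the output several times and grows the payload, and a bad-character list that is too long makes Metasploit refuse with "cannot generate the payload". The block below is an added example, not code from the video or from Metasploit, that reproduces those three behaviours with a byte-sized toy XOR additive feedback encoder (the feedback rule, key += decoded byte, is the same idea shikata ga nai applies to 32-bit words). The sample payload bytes are constructed for the example and are not real shellcode; the only prefix is a one-byte key rather than an x86 decoder stub, so each iteration grows the payload by one byte instead of by a stub. The function names EncoderError, has_bad_chars, encode and decode are this example's own.

```python
# Added example, not from the video or from Metasploit: a toy XOR additive
# feedback encoder showing what -b (bad bytes), -i (iterations) and the
# "cannot generate the payload" failure do to a payload.


class EncoderError(Exception):
    """No key produces output free of every bad character."""


def has_bad_chars(data: bytes, badchars: bytes) -> bool:
    """True if any byte of data appears in the bad-character list (-b)."""
    return any(b in badchars for b in data)


def _encode_once(payload: bytes, key: int) -> bytes:
    """One pass: out[i] = p[i] ^ k, then k = k + p[i] (feedback on the decoded
    byte, which is what shikata's 'xor [mem], eax ; add eax, [mem]' does)."""
    out = bytearray([key])  # the decoder needs the starting key
    k = key
    for p in payload:
        out.append(p ^ k)
        k = (k + p) & 0xFF
    return bytes(out)


def _decode_once(blob: bytes) -> bytes:
    """Mirror of _encode_once; this plays the role of the decoder stub."""
    k = blob[0]
    out = bytearray()
    for c in blob[1:]:
        p = c ^ k
        out.append(p)
        k = (k + p) & 0xFF
    return bytes(out)


def encode(payload: bytes, badchars: bytes = b"", iterations: int = 1) -> bytes:
    """Encode `iterations` times (-i). Each pass searches keys 1..255 for one
    whose whole output, key byte included, avoids `badchars` (-b). Raises
    EncoderError when no key works, the toy's "cannot generate the payload".
    Each payload position rules out at most len(badchars) keys, so a key is
    guaranteed to exist whenever len(badchars) * (len(payload) + 1) < 255."""
    data = payload
    for _ in range(iterations):
        for key in range(1, 256):
            if key in badchars:
                continue
            candidate = _encode_once(data, key)
            if not has_bad_chars(candidate, badchars):
                data = candidate
                break
        else:
            raise EncoderError("cannot generate the payload: every key hits a bad character")
    return data


def decode(blob: bytes, iterations: int = 1) -> bytes:
    """Undo `iterations` passes of encode()."""
    for _ in range(iterations):
        blob = _decode_once(blob)
    return blob


if __name__ == "__main__":
    # Constructed sample bytes, not real shellcode; they contain \xff and \x50.
    payload = bytes(range(0x40, 0x60)) + b"\xff\xd5\x50\x00"
    for bad in (b"", b"\x00", b"\x00\xff\x50"):
        enc = encode(payload, bad, iterations=3)
        assert decode(enc, 3) == payload and not has_bad_chars(enc, bad)
        print(f"-b {bad!r:<18} -i 3 -> {len(payload)} bytes became {len(enc)}")
    # The video's failure mode: exclude almost every byte and no key survives.
    try:
        encode(payload, bytes(b for b in range(256) if b not in (0x41, 0x42)))
    except EncoderError as e:
        print("error:", e)
```

Running the block shows the encoded output getting longer with each iteration while staying free of the excluded bytes, and the last call fails exactly the way the video's "pick the entire line" experiment does: once the bad-character list removes most of the byte space, the key search has nothing left to choose from.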