Metasploit mailing list archives
Re: psexec vs NOD32
From: Jonathan Cran <jcran () 0x0e org>
Date: Tue, 6 Sep 2011 11:25:00 -0500
On Tue, Sep 6, 2011 at 11:55 AM, Anton Sapozhnikov <anton.a.sa () gmail com> wrote:

> Hi! I'm trying to launch windows/meterpreter/bind_tcp with exploit/windows/smb/psexec
> But NOD32 is killing my payload just after “[*] Deleting \KoVCxCjx.exe...”
> Could you suggest some method to trick NOD32?

You're in luck, background reading and techniques for bypassing AV have been thoroughly documented by several members of this list (mihi / scriptjunkie):

* http://schierlm.users.sourceforge.net/avevasion.html # is probably the most clear cut on how and why AV is flagging vanilla metasploit binaries. This writeup gives clear-cut instructions on how to bypass AV, first with your own template, then documenting exactly how to build your own custom exe's with the metasploit shellcode (using the exe-small generation method)
* http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/ # good background on how the exe is generated, and why it's heuristically flagged in many cases.

jcran
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework