PaulDotCom mailing list archives
McAfee AV bypass for Metasploit payloads
From: duncan.alderson at webantix.net (Duncan Alderson)
Date: Tue, 5 Jan 2010 10:08:30 +0000
I'm also probably off base, but I think Polypack does this quite well. I have not had time to play with it yet, but "Farther John" gave us the link in a SANS Webcast.

http://polypack.eecs.umich.edu/

HTH

Duncan

2009/12/30 Rick Hayes <rick.hayes at gmail.com>
I may be off base here, but I've found that 3-4 passes of shikata ga nai works well. Unfortunately, when I do the 10 passes it seems to be found more often than not. If it's still being detected I usually try to run it through PEScrambler (http://www.rnicrosoft.net/tools/PEScrambler_v0_1.zip) and that tends to work well.

On Tue, Dec 29, 2009 at 11:21 AM, David Porcello <DPorcello at vermontmutual.com> wrote:

Hi all,

I'm doing an in-house pen-test and I'm having a heck of a time building an msfpayload executable that evades McAfee AV detection. I've tried all the techniques in Metasploit Unleashed (section 08 / Antivirus Bypass), including the windows/shell/reverse_tcp method that's only detected by 3 out of 32 major AV engines (unfortunately McAfee being one of them). I even tried a simple windows/exec payload to net stop the AV services, but that's caught as well. McAfee's detecting all of these as "Downloader-BQQ".

Anyone have any other tricks?

Thanks in advance!

dave.

NOTICE: The information contained in this e-mail and any attachments is intended solely for the recipient(s) named above, and may be confidential and legally privileged. If you received this e-mail in error, please notify the sender immediately by return e-mail and delete the original message and any copy of it from your computer system. If you are not the intended recipient, you are hereby notified that any review, disclosure, retransmission, dissemination, distribution, copying, or other use of this e-mail, or any of its contents, is strictly prohibited. Although this e-mail and any attachments are believed to be free of any virus or other defects, it is the responsibility of the recipient to ensure that it is virus-free and no responsibility is accepted by the sender for any loss or damage arising if such a virus or defect exists.
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Thanks,
Rick Hayes
CISSP, GSEC, GIPS, GCFA, GSLC, CCNP, CCSP
InfoSec Daily Podcast: http://www.isdpodcast.com
iTunes Keywords: InfoSec Daily
--
Duncan Alderson | Zeb3dee
webantix.net | clamtech.co.uk
Current thread:
- McAfee AV bypass for Metasploit payloads Duncan Alderson (Jan 05)
- McAfee AV bypass for Metasploit payloads John Strand (Jan 05)