Add new evasion module type plus a couple of modules #10759

Merged
merged 25 commits into from Oct 7, 2018

wchen-r7 commented Oct 6, 2018

A little DerbyCon surprise.

This pull request adds a new module type to Framework, called "evasion". The purpose of the evasion module type is to allow developers to build executables specifically to evade antivirus, and hopefully this creates a better pentesting experience for the users.

The PR also comes with two modules that serve as examples. The first one generates an EXE that utilizes these techniques: shellcode encryption, code randomization, and a little anti-emulation. For more information about the techniques, please check the Framework Wiki. The second module uses a JS.Net script that's embedded in an HTA file, which gets compiled and executed on the target machine.

Here's a demonstration:


wchen-r7 added some commits Oct 6, 2018

rhost = mod.datastore['RHOST'] || '50.50.50.50'

# A list of preferred payloads in the best-first order
pref = [

busterb commented Oct 7, 2018
It's not clear if we need this for an evasion module, since we're not trying to pair it with an exploit.

wchen-r7 commented Oct 7, 2018
Good catch there. Evasion works best with encrypted payloads and I forgot to actually use this method. Should work now. Thanks.

busterb commented Oct 7, 2018

Nice work @wchen-r7 ! A comment we got while demoing evasion modules was that it would be nice to be able to enable it on regular payloads, like with 'set evasion windows_defender' and it would use the module to modify the payload, similar to an encoder. Not really a blocker here, but something to think about for later.

h00die commented Oct 7, 2018

I thought A/V evasion was one of the big reasons to buy msfpro. Am I confusing something?

bcoles commented Oct 7, 2018

@h00die quick, merge it before r7 realizes it's public.

wchen-r7 commented Oct 7, 2018

> I thought A/V evasion was one of the big reasons to buy msfpro. Am I confusing something?

We'd like to improve the experience for all Metasploit users, this includes commercial and framework users.

> A comment we got while demoing evasion modules was that it would be nice to be able to enable it on regular payloads

That could be on the road map. Thanks for the feedback.

h00die commented Oct 7, 2018

Ninja merge incoming since @bcoles (kind of) approved it!!!

(Kidding, also apologies for the insensitive comment. While meant in jest, it was insensitive especially considering the climate in the states. Sorry to anyone who was offended, it wasn't cool or professional in any way shape or form.)

0x27 commented Oct 7, 2018

Suggestion/Query: could this be leveraged by exploit modules that drop an executable file to disk and then execute it (thinking of the Command Stager ones), to avoid getting wrecked by AV during exploitation?

busterb commented Oct 7, 2018

I wanted to give this a bit of time for review, but don't worry, it's not going away. Feel free to provide any constructive feedback @h00die, and thanks for the interest.

You can see some more info on this talk at the Metasploit Town Hall 0x4 at Derbycon today: https://youtu.be/4JZlhIj002k?t=1202

wchen-r7 commented Oct 7, 2018

> Suggestion/Query: could this be leveraged by exploit modules that drop an executable file to disk and then execute it (thinking of the Command Stager ones), to avoid getting wrecked by AV during exploitation?

Yes, it could do that, just not now. As a matter of fact, this has been brought up a couple of times, so it sounds like it's definitely valuable to implement something like that. Thanks for the feedback.

Green-m commented Oct 7, 2018

I am glad to see this big surprise!
Since there are many antivirus tools, such as AVET and Veil, we could now integrate these into evasion modules; that's very convenient and could keep them updated for the best performance against antivirus.

I love this PR, and I think I could do more contributions for new modules.
Thank you very much @wchen-r7!

@Green-m Green-m added the hotness label Oct 7, 2018

bcoles commented Oct 7, 2018

+1 for implementing evasion as part of msfvenom / metasploit-payloads so the remainder of the framework benefits.

busterb commented Oct 7, 2018

I'm going to land this now, so people can start playing with it in master. Thanks for all of the comments!

Thanks @space-r7 and @wchen-r7 !

@busterb busterb merged commit c6dddaa into rapid7:master Oct 7, 2018

3 checks passed

- Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
- Metasploit Automation - Test Execution: Successfully completed all tests.
- continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Oct 7, 2018

busterb commented Oct 7, 2018

Release Notes

This adds a new "evasion" module type to Metasploit Framework, allowing developers to build executables specifically to evade antivirus, and two initial evasion modules using different techniques of evasion. The framework allows users to more easily integrate external tools and write their own evasion modules as well.

ccondon-r7 commented Oct 7, 2018

@h00die - The new module type is the culmination of months of research on evasion techniques and results, and a whole bunch of teams across Rapid7 have been engaged and supportive throughout the process. This isn't a rogue move! As Wei noted, the goal here was to improve evasion for all Metasploit users, including Metasploit Pro customers. The engineering output (i.e., the new module type) looks different in Framework because there was so much emphasis on extensibility. As always, we want the Framework community to be able to build on top of and bring their own perspective to the work the Metasploit engineering team does...which I know you know already, so I'll stop talking and let folks get back to experimenting with the new module type!

pussinboots1992 commented Nov 19, 2018

@wchen-r7, did you customize the metsrv.dll? I see you had warnings... The module currently doesn't evade an up-to-date Defender. Which components must be further customized to avoid being caught... the meterpreter_loader.rb, using a custom encoder/stub/loader? Any tips?

void-in referenced this pull request Nov 27, 2018: How to evade Norton 360 #11029 (Closed)

Sonya2010 commented Nov 27, 2018

With which version of msf is that evasion module shipping? I have 4.17.26-dev on Kali, but there isn't any module like evasion. Can you point it out exactly?

pussinboots1992 commented Nov 27, 2018

You need v5 (dev version)

Sonya2010 commented Nov 27, 2018

> You need v5 (dev version)

I googled for a while but couldn't find it. How am I supposed to download and install it in Kali Linux 2018 rolling?

david-shearwater commented Dec 4, 2018

> You need v5 (dev version)

> I googled for a while but couldn't find it. How am I supposed to download and install it in Kali Linux 2018 rolling?

git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
bundle install