Forum Thread: New Metasploit AV Evasion Thing I Found, True or Not?

So here is the link. https://github.com/nccgroup/metasploitavevasion
Cant find anything about it on the net so i was wondering do any of you know about it, is it good and etc?

Also on the side note if i have access to my targets computer, either physical or i can get them to run a file what would be the best way to get meterpreter session running? Have looked at almost all tutorials from the last couple of years but that just created a confusion in my head.

So is this correct. Exploit is used to deliver the payload, while the payload it self can be embedded into the exploit it can be embedded into the .exe, .pdf or any other file or masked to look like a file.

Sorry for noob questions, just all of this is really fascinating and been trying to learn as much as i can. Now i know to never open links, and accept java on weird sites. Thanks in advance!

10 Responses

Regarding your questions:

#1: Prepare a malicious file by generating a payload/embedding it into a file. You can use msfvenom for that. Then, using exploit/multi/handler, start listening for incoming connections, and bring the file to target computer and run it, or get the victim to do it. When it runs, and you set up everything correctly, you should get a meterpreter session. If you want more precise information, feel free to ask!

#2: Entirely correct.

Thanks for the quick answer!

Hmmm i used Veil-Evasion and ended up with payload.py file (as i remembed i selected the 32, the one used in the article here ) while i was expecting an .exe version. That means that after generating that payload i should embed it into the exe?

Now, i dont mind if it is noticed by the AV. My target trusts me completely and i will pack it in a torrent file, give him the link and tell him it is a silent cracker for the game he has been trying to install.

Also i start the session after all of that, migrate it, and then use many commands to elevate privilages and get more info about the system. Running keylogger seems pretty important. Would like to know if i can Execute a file on his computer that i upload through the session, would like to give him a picture that says, hacked and apply it on his desktop. Reason is, he's my best friend and he said no way anyone can get past his Avast AV and i said for real hackers it would be fairly easy, still he wont listen. Talk about teching him a lesson huh :)

Edit: Just wanted to put this out here. SET is an awesome tool. Got another friends facebook password in less then a day after learning about it. Just sent him a link, and made my site name facebookphoto59343 and used a free domain site and routed it to my IP running on my Kali. As soon as he typed in and i got it, terminated it and he told me the link can not load, so i sent him the real link, random link from a random picture of a girl on facebook. Told him tomorrow, was fascinated and now we both know to never open any suspicious sites or java pop up thingies. Thanks to this site!

I think your format and question is really good! Clarification is always something I found I needed, you will figure it out in the end!

So, a payload is just a piece of code that when loaded into memory (RAM/Volitile Memory) allows you to execute a task. This task may be connecting back to you to wait for further instruction, or deleting the whole system partition (its up to you). Now, of course, each system will need different code depending on the OS and purpose of your engagement. An example would be a meterpreter/reverse_tcp payload that would be embedded in a backdoored windows .exe. You would have to either trick the user into running them or run them yourself.

When exploiting a system, you take advantage of a bug in something in either the system (or the people) to execute your own payload. You can find exploits on exploit-db.com, rapid7.com/db and some other exploit pages. Metasploit also has it's own exploit database.

If you have any more questions, feel free to ask!

PS! I've never seen that script before, I'm using it now and it looks really good! Nice share!

I was afraid of using it, kinda paranoid because only 2 days ago i learned about all of this so i am kinda agitaded but it will pass once i learn enough to protect myself from attacks.

Thanks for clarifying all of that. Now in my case i dont need an exploit, i know the target, so i can use Social Engineering or sending the file directly. However i need some help embedding them to a pdf file or anyother file. Been learning a bit since last post, figured out i used Veil Evasion wrong, it uses PyInstaller which turns the .py into .exe payload so it can be started on the victim computer. But that looks suspicious. Now i am figuring out how to embed it with a working pdf file. So he can open it, look around and while he does that i allready have meterpreter session running.

So the only problem is making it undetectable by AV and embedding it into a nice looking file so they wont suspect a thing.

Just to clarify, i am doing this to my best friend, not trying to get into something illegal, he understands this and approves.

So i installed it, and when i run it, this is what i get
"nable to find the required gcc program, install i586-mingw32msvc-gcc and try again"

It shows the first screen, i mean the name and all and then i get that. How to fix it?

Just view the source code. Even if you use the "Insane Stealth" option it's still detected by 10 to 19 antivirus platforms:

-echo " 1. Normal - about 400K payoad - fast compile - 13/46 A.V. products detected as malicious"
+echo " 1. Normal - about 400K payoad - fast compile - 22/55 A.V. products detected as malicious"
echo ""
-echo " 2. Stealth - about 1-2 MB payload - fast compile - 12/46 A.V. products detected as malicious"
+echo " 2. Stealth - about 1-2 MB payload - fast compile - 21/55 A.V. products detected as malicious"
echo ""
-echo " 3. Super Stealth - about 10-20MB payload - fast compile - 11/46 A.V. detected as malicious"
+echo " 3. Super Stealth - about 10-20MB payload - fast compile - 20/55 A.V. detected as malicious"
echo ""
-echo " 4. Insane Stealth - about 50MB payload - slower compile - 10/46 A.V. detected as malicious"
+echo " 4. Insane Stealth - about 50MB payload - slower compile - 19/55 A.V. detected as malicious"

Uros :
Check out The program called Shellter. Great when it comes to AV Evasion.

  1. Try msfvenom or veil-evasion
  2. Correct, completley.

Thanks for the answers guys. It means a lot!

Now i found Shellter to be the best option, i use an existing .exe, embed in it and i deliver it to the victim rather through a download or run it my self when i am on his PC. I tried Veil and Msfvenom but almost half of AV register them while Shellter doesnt get registered. I tried this on my Windows machine, and i have a couple of Free AV's installed and not single one detected it. Now i wonder what .exe from Windows is the best one to use, hmm.

Anyway, what IP should i use for LHOST? My external or local? Because i run Shellter in Windows and Exploit handler on Kali which is on a VM, and i set the network to Bridge option. I already forwarded port 8080 for a Credential Harvester attack i did so i know the port is not the problem.

Also one more question, difference between meterpretertpc and http and a https as i remember?
Can someone elaborate or give a link to an explanation.
Currently studying for my exams so no time for google..

For LHOST, use your external IP. When your victim sends data, you want it to arrive at your IP, and if you used an internal one, it would just send data to a computer on it's own LAN.

Meterpreter TCP starts a connection on a port you input, i.e. 4444. I didn't use the HTTP one, but I assume it starts a connection on port 80, to make your traffic look like normal internet browsing. HTTPS additionally encrypts the data, so even if someone looks at what is being sent, they won't be able to read it.

And good luck with you exams!

Glad you found Shellter to be useful. Always happy to help :)

Share Your Thoughts

  • Hot
  • Active