5 Replies Latest reply on Feb 18, 2012 2:30 PM by pipas

    How to avoid AV?


      There's been some great writing by metasploit contributors on how to avoid AV. This post attempts to collect those in a single place:



      • http://schierlm.users.sourceforge.net/avevasion.html # clear-cut writing on how and why AV is flagging vanilla metasploit binaries. This writeup gives instructions on the techniques of how to bypass AV, first with your own template, then documenting exactly how to build your own custom exes.




        • Re: How to avoid AV?

          That's good info jcran.

          • Re: How to avoid AV?

            I wanted to post another article that I feel is relevant to evading antivirus with metasploit payloads.  This method offers a lot of flexibility to the penetration testers to obfuscate the ASM instructions however they choose.  For more information see this blog article here:


            http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/

            • Re: How to avoid AV?

              Hi there everyone, this is a very good post to add to favorites.


              I have to say that I've been testing with "metasm", the link zeknox posted, and it's a very good method; I've been very successful.


              The post shows a trick to change asm code; I was wondering if anyone else has tested this way?

              The metasm included with the framework has some samples, and I am using "peencode" to produce the .exe.


              Is there anyone else that's using the metasm? I need a hint; the exe's I'm generating are being blocked by micro$oft security essentials.


              Thank you all.

                • Re: How to avoid AV?

                  Pipas, keep obfuscating your ASM instructions as much as possible and you can get around Microsoft Security Essentials.  I successfully did this just the other week in a penetration test against one of my clients who was running it and ultimately allowed me to obtain Domain Admin privileges on their network.  Good Luck!

                    • Re: How to avoid AV?

                      Thanks, I've been trying, but couldn't do it yet...


                      I've done as the article pointed, but I don't have great knowledge of assembly; I tried some "add and sub", but with no success.


                      Can you give me a hint, what did you do? Did you use the same method as pointed in the article (before a xor, mov around some stuff) or did you do something else?