© Ozphoto, Fotolia.com

© Ozphoto, Fotolia.com

Hiding a malicious file from virus scanners

Pen Tests

Article from ADMIN 08/2012
By
The best way to stop an attack is to think like an attacker. We'll show you how to use the Metasploit framework to create a malicious payload that escapes antivirus detection..

A penetration tester simulates an attack on a customer's network by trying to find a way inside. Many such attacks begin with the use of a scanning tool, such as Nexpose, Nessus, or Nmap, to look for network vulnerabilities; however, several of the leading intrusion detection and protection systems are capable of alerting the network owner when a scan is in process. Rather than scanning for an open port, a devious alternative is to email a payload to the victim that will allow the attacker to establish a foothold on the victim's network. The Metasploit framework includes several binary payloads you can use to open an attack by email – if you can slip past the virus scanners.

Metasploit Antivirus Bypass

A skilled intruder who delivers a payload to your network in the form of an email message will want to make sure the payload can evade detection by antivirus software. Most antivirus software vendors use a signature base to identify malicious code. To avoid antivirus detection, an intruder must devise a payload that will not match the available antivirus signatures.

The Metasploit [1] penetration testing framework provides a collection of tools you can use to test a network by attacking it the way an intruder would attack it. Metasploit's msfpayload option lets you create a standalone binary to serve as a malicious payload, and the msfencode option encodes the binary to confuse the antivirus scanners. Msfpayload allows you to generate shell code, executables and more. To see a list of options, use msfpayload -h at the command line, and to see a list of available shell code that you can customize for your specific attack, use msfpayload -l. To see a list of options for msfencode, use msfencode -h at the command line. To view which encoders are available, run the

...
Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Most Popular

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”> </a> <hr> </div> </div> <div class=