Pen Testing Series: Using MSF Venom to Bypass A/V and IDS During Sanctioned Penetration Tests

Author: Chad Russell 

Pen Testing Series:  Using MSF Venom to Bypass A/V and IDS During Sanctioned Penetration Tests

 

MSF Venom is a combination of MSF Payload and MSF Encode, both of which have been deprecated as stand alone tools. The purpose of MSF Venom is to generate payloads. Generally payloads with elusive qualities. These payloads can be in turn be deployed utilizing the Metasploit Framework.

Looking at the MSF Venom help file you can see that you have various switches available to you:

commandline$ msfvenom –help

Figure-1

You have payload switches, encoding types, templates, payload size and the platforms on which you want the payload to be deployed.

MSF Venom supports multiple executable formats for payloads. Execute the following to see the executable formats supported by MSF Venom:

commandline$ msfvenom –help-formats

Figure-2

You can modify encoding and setup the encoding of the payload to bypass A/V and IDS signatures.  Polymorphic encoding is one of the modern techniques that is virtually rendering traditional A/V and IDS platforms useless.   Polymorphic encoding is an encoding type that constantly morphs upon each deployment of the payload.   As a result there is no common signature exhibited by the payload in question.

In the example below you will encode an x86-based meterpreter reverse shell payload in MSF Venom using the ‘shikata_ga_nai’ encoder. The term ‘Shikata ga nai’ is a japanese term that literally translates to ‘it cannot be helped‘.

Execute the following in MSF Venom:

commandline$ msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3

Figure-3

You will now have a polymorphically encoded x-86 meterpreter payload generated by MSF Venom which you can execute against your favorite A/V programs to test its effectiveness and you can further tweak it using other options available to you in MSF Venom which we will explore in future tutorials.

 

 

Leave a Comment

Your email address will not be published. Required fields are marked *