Metasploit mailing list archives
Re: against EMET?
From: Joshua Smith <lazydj98 () gmail com>
Date: Wed, 1 Feb 2012 18:38:13 -0500
In the case you specified you would get caught because you are using psexec, just like many AVs might detect use of the sysinternals version. MSF's psexec is fundamentally different from most other MSF exploit mods, with psexec u are exploiting your knowledge of creds or hashes. A regular exploit payload would not usually be an exe as the payload is being injected into a running process. -Josh On Feb 1, 2012, at 18:24, Chip <jeffschips () gmail com> wrote:
It is my understanding that although Metapsloit can create custom payloads as such: msf > use exploit/windows/smb/psexec msf exploit(psexec) > set EXE::Custom /tmp/mypayload.exe EXE::Custom => /tmp/mypayload.exe these would generally be detected by AV (correct me if I'm wrong). Is there someplace on the net where we can learn how to generate "real" custom payloads that can then be folded into Metapsloit? Thanks. On 2/1/2012 11:31 AM, HD Moore wrote:On 2/1/2012 8:06 AM, Stephen Haywood wrote:Is the stager typically caught by the AV because it gets written to disk but the payload doesn't get caught because it is in memory? If that is the case, then learning how to write custom stagers is a good skill to have for bypassing AV right?The stager is used for both EXE generation and normal payloads (in-memory). AV detection is usually due to the EXE generator's output template hitting known signatures or the mechanics of the stager being detected encoded on disk (but the former is much more common). Getting some experience writing custom payloads of any type (whether its a stager, stage, or single in metasploit terms) will help with HIPS, IDS, and AV evasion. -HD _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- against EMET? Jun Koi (Jan 30)
- Re: against EMET? HD Moore (Jan 31)
- Re: against EMET? Stephen Haywood (Feb 01)
- Re: against EMET? HD Moore (Feb 01)
- Re: against EMET? Chip (Feb 01)
- Re: against EMET? Joshua Smith (Feb 01)
- Re: against EMET? Joshua Smith (Feb 01)
- Re: against EMET? Stephen Haywood (Feb 01)
- Re: against EMET? HD Moore (Jan 31)
- <Possible follow-ups>
- Fwd: against EMET? Joshua Smith (Feb 02)