Saturday, February 18, 2012

How to Fly Under the Radar of AV and IPS with Metasploit's Stealth Features

When conducting a penetration testing assignment, one objective may be to get into the network without tripping any of the alarms, such as IDS/IPS or anti-virus. Enterprises typically add this to the requirements to test if their defenses are good enough to detect an advanced attacker. Here's how you can make sure you can sneak in and out without "getting caught".

Scan speed

First of all, bear in mind that you'll want to slow down your initial network scan so you don't raise suspicion by creating heavy network traffic. In the Advanced Settings of hte Discovery Scan, set your network scanning speed to Sneaky or Paranoid. This feature is included in Metasploit Community Edition, Metasploit Express, and Metasploit Pro.


Evading IDS/IPS

Metasploit has many different settings to evade an IDS/IPS (intrusion detection system/intrusion prevention system).

Metasploit Framework enables you to set many of these manually, for example changing the transport type, encoding, fragmenting traffic. Finding the right setting to evade the IPS system can be a little tricky.

If you want to make your life easier, you can use Metasploit Pro's pre-defined levels of evasion: You can choose Transport Evasions, and Application Evasions, all of which have the options of None, Low, Medium, and High. In the back-end, the tuning is different for each type of exploit. For example, if you’re choosing low transport evasion, it will run the exploit a little slower and chunk it up into more segments. With higher options, we change exploit-specific settings, like the compression type, the name of the webserver, or use different Unicode encodings.

You can set these IDS/IPS evasion settings in the Advanced Options of the Exploitation screen:

  • Concurrent exploits: Reduces the number of exploits that are launched at your targets at the same time. Reduce this to ensure the attack doesn't raise any red flags.
  • Transport evasion: Sends smaller TCP packets and increases time delay between packets to avoid detection.
  • Application Evasion: Adjusts application-specific evasion options for exploits involving DCERPC, SMB and HTTP. The higher the setting, the more evasion techniques are applied.

IDS evasion.png

Social engineering

When choosing the payload for social engineering campaigns, you should choose Encrypted HTTPS to ensure that your payload phones back using an encrypted session. These are harder to detect by your IDS/IPS. Social engineering campaigns are only available in Metasploit Pro.


Avoiding anti-virus

Even if you get past the IDS/IPS systems on the network, the anti-virus engine on the machine you're trying to exploit may stop your attack if you're not careful. A lot of AV vendors are flagging Metasploit exploits and payloads as malware because they can be used in an attack. That is also a reason why you shouldn't have a malware scanner installed on the machine you run Metasploit on - otherwise it may block your installation or exploits. If you must install an AV solution installed, ensure that you have excluded the Metasploit directory from the scans.

Metasploit includes various ways to avoid anti-virus detection, which again differ between editions. Metasploit Framework and Metasploit Community share the same basic AV evasion. Metasploit Express adds a self-signed binary and templates to evade detection by anti-virus solutions. Metasploit Pro includes a Rapid7-signed binary to inject code that bypasses a white list and a persistent agent that is compiled differently every time, making it very hard to detect. To get an impression how successful Metasploit is in evading anti-virus, check out the results from our test lab in the blog post "Become invisible to anti-virus protection".

How are your defenses holding up to advanced evasion techniques?