Metasploit remains one of the most popular tools used in Penetration Testing. It comes pre-installed in Kali Linux, but thanks to the Trustedsecs PenTesters Framework (PTF) project, you can install it on pretty much any Linux distro.
Yay, Trustedsec for the win!
As a Redteamer though, I can no longer rely on its ability to generate FUD (Fully Undetectable) payloads with the dawn of AMSI (Anti Malware Scan Interface), Windows Defender, Antiviruses, etc.
For FUD payloads I decided to check out another tool, Phantom Evasion - a tool developed to generate undetectable payloads with msfvsenom’s payload. This is because ‘Empire’, my personal favorite tool is getting caught left right and center. If you don’t know about these tools I suggest you take a quick look at them because you’ll come across them more often than you’d think if you plan on following the white rabbit.
What is MSFvenom you ask… It is a combination of Msfpayload and
Msfencode, putting both of these tools into a single Framework instance for
those that used msf from its inception. It replaced both msfpayload and
msfencode as of June 8th, 2015. Over and above a single tool platform, it
integrates standardized command-line options and increased speed.
Right now I’m guessing you have a basic understanding of RedTeaming and you’ve probably been crafting some erratic attacks that fit into one whole chained attack. As you know by now, your attack is no good without a working and undetected payload (you don’t say, Sherlock!).
Disclaimer: This post is just my take on the subject. I do not guarantee that it will solve your problems. Empire, renowned for PowerShell payloads offers a multitude of offensive advantages, including full .NET access, application whitelisting, direct access to the Win32 API, the ability to assemble malicious binaries in memory, and a default installation on Windows 7+.
Many of us still struggle to integrate the delivery of PowerShell based payloads in a secure manner, hence, Phantom-Evasion. Its competence biases on pure C stagers — in other words, executable files a.k.a binaries. Depending on your target operational environment, they maintain their different advantages.
Binaries are self-contained and more unstoppable while PowerShell is a scripting language and does not need compilation making it lighter and faster. Binaries need to be compiled making them slightly heavier on the payload size, however, its flexibility is unmatched. What happens though if your target’s environment just happened to disable PowerShell? Speed over malleability huh.
In the end, the most potential is to develop your own tools and payloads
preferably with a low-level language such as C or C++. Doing it with a native binary is a whole other conversation. These two just happen to be most predominant at the time of this post.
This article was written by Ruth Juma, a seasoned cybersecurity practitioner well versed in multiple verticals in a career spanning 7 years.
Her specialties include Offensive Security in Web Applications, OSINT, and Red Team Operations. Follow her on @shadow12_