Penetration tester Andy Cooper now touches upon another hurdle with antiviruses where signing a malicious payload with a valid cert may help bypass the defense.I have a third idea that I’ve come up with, which is cert signing. Whenever it comes down to certs, we know that SSL certs for websites are iffy at best as to how they work, but it’s not the cert’s fault on that. Certs are great for what they’re doing. The real problem at that point is actually the chain of trust that goes with the certs; it’s been well established. Code signing certs kind of have the same problem. But in this kind of situation, code signing certs are appropriate for what I’m talking about doing, because it’s something I can assign to any payload that I have, so it doesn’t just have to be Meterpreter, it doesn’t have to be this other piece of code that I’m trying to run – it can be any of these different executables that I’m talking about. I’m only talking about touching disc, I’m not actually talking about buffer overflows or anything like that because that’s not something that will work without slowing things down too much.
But for this I’m talking about, essentially, PsExec. So I’m setting the payload over there, it’s written in disc, AV checks it, deletes it, basically, most of the time. But with this, what it ends up letting you do is sign your code, send it over through PsExec. At this point it can actually check the certificate that’s actually loaded up on there. So antivirus checks out the cert, checks out the dates that are on this cert. If it’s correct and it’s inside the system, then it goes ahead and lets the code run, as long as the dates are also accurate. And then, when the dates are wrong, or afterwards, AV will go through and check and delete that anyways, so your files go away when your penetration test is done. And it also, like I said, lets you do multiple types of payloads.Now, as I’ve been telling a bunch of different people about this, they thought I was idiotic, which is basically common response number 1: “You’re an idiot”, to which – yeah, pretty much. Another one that I get is, this is very common: “You’re a penetration tester, your job is to break into my systems and then tell me about it later.” And I really wish that it was my job to walk in, break your systems, drop the mic and walk out, because that would be awesome. It really would be a great day.
But really, what my job is – is to come in, check out your organization, yes, find your exploits that may be there, find your vulnerabilities that are on your systems, get in there and find and demonstrate an impact just of what’s actually going on, to how I can make this look good for your organization, to where fixing these security problems is a good solution for you; and, at the same time not waste my time, or your time, really, trying to find more impact and more vulnerabilities on your systems by trying to bypass antivirus, which is something that, effectively, we know is bypassable. I mean, as it’s already stated, somebody is going to find a way to get around it, because I can always write something new, Meterpreter just happens to be the best tool to use, because I only have a week to do it in. But if I want to write custom software to come and screw your agency over, I can do it, it’s not the end of the world for me.
That’s basically what all that is. And this cert solution came to my mind because what I ended up finding was the only way to bypass it at that point was to actually sign the code that I was sending over there with just any signature, because that was really what was going on. It was checking the executable and saying: “Well, I’ve never seen this executable before, so I don’t think I want to let it have executable memory; that’s not a good thing, apparently.” So it didn’t allow that; clipped it the second that it happened.
There were two ways that I got around it. One was signing the code, and the other one was actually kind of goofy. I set the memory as “rewrite”, wrote to the memory, told the memory to go away and then set it back as “read-execute” in the same spot, and that actually caused it to work as well, which it shouldn’t have.
The third response is the one that I actually never get, and that is: “How can I help?” One of the things I’d like to do is I’d like to talk to as many antivirus vendors about this kind of stuff that I can and get one, if not all of those different things set up to help make their product better. It’s not the worst thing that we can have. We could just have no AV solution at all, and then everyone would be screwed. But as we continue to help and actually work with organizations to make things better for them, their product gets better, our customers get better, everyone’s threshold goes up, and that’s a good thing, I think.
Stop using VirusTotal is another great idea, because you are effectively doing a bug bounty program with VirusTotal, but you are not getting paid for your work at that point. So you’re straight out just giving them free payloads that they can go and check and know what’s going on, especially with the number of them that get thrown that just have Meterpreter in them. So, go in, I go into a new pentest, my freaking bypass is not working anymore, or I have to waste another 6 hours of my customer’s time, or my free time, which I’m probably going to spend on it anyways, but that’s not the point, to actually get this stuff working.
The other thing that is really important here is if you look at the way you’re dealing with organizations like that, where there are two huge departments that have the biggest amount of push whenever it comes to antivirus or anything like that; and they are marketing and sales. They get the most anything from all of those organizations. And so, if you really want something to go through, for what I’ve noticed, to change, you actually need to go and bug the sales guys and say: “Hey, this is something I heard being talked about. Do you guys have anything like that in your pipeline? Are you actually doing something like that?” 90% of the time you’re going to get someone saying: “Yeah, that’s in the next version, of course, so just buy this one now, and then we’ll roll that over in the next one, whenever it happens.”
That is something that is iffy, but still that 10% that you can get through, as more and more people do it, the more they will start to actually pay attention to it. So, if anybody does have any antivirus contacts, I would love to have them shared and to hear as much about it as possible, because I’d love to talk to these people. I haven’t been successful anyways – it’s just: “Hey, I need a meeting” – it doesn’t really work like that. You can contact me at Twitter @integgroll, you can also get me at firstname.lastname@example.org.
Read previous: Stop Fighting Anti-Virus 3: Impetus through Embarrassment