PolyPack works well. Jon (the lead developer) is a very cool guy.
Also, I have been playing around with iExpress to create custom scripts and executables: http://technet.microsoft.com/en-us/library/dd346760.aspx

Mubix has a great video on using it to hide Meterpreter: www.vimeo.com/3440084

Let us know how it goes.

john

On Tue, Jan 5, 2010 at 3:08 AM, Duncan Alderson <[email protected]> wrote:
> I'm also probably off base, but I think Polypack does this quite well. I have
> not had time to play with it yet, but "Farther John" gave us the link in a
> SANS Webcast.
>
> http://polypack.eecs.umich.edu/
>
> HTH
>
> Duncan
>
> 2009/12/30 Rick Hayes <[email protected]>
>
>> I may be off base here, but I've found that 3-4 passes of shikata ga nai
>> works well. Unfortunately, when I do 10 passes it seems to be found
>> more often than not. If it's still being detected I usually try to run it
>> through PEScrambler (http://www.rnicrosoft.net/tools/PEScrambler_v0_1.zip)
>> and that tends to work well.
>>
>> On Tue, Dec 29, 2009 at 11:21 AM, David Porcello <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I'm doing an in-house pen-test and I'm having a heck of a time building
>>> an msfpayload executable that evades McAfee AV detection. I've tried all the
>>> techniques in Metasploit Unleashed (section 08 / Antivirus Bypass),
>>> including the windows/shell/reverse_tcp method that's only detected by 3 out
>>> of 32 major AV engines (unfortunately McAfee being one of them). I even
>>> tried a simple windows/exec payload to net stop the AV services, but that's
>>> caught as well. McAfee's detecting all of these as "Downloader-BQQ".
>>>
>>> Anyone have any other tricks?
>>>
>>> Thanks in advance!
>>> dave.
>>>
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>
>>
>> --
>> Thanks,
>>
>> Rick Hayes
>> CISSP, GSEC, GIPS, GCFA, GSLC, CCNP, CCSP
>>
>> InfoSec Daily Podcast: http://www.isdpodcast.com
>> iTunes Keywords: InfoSec Daily
>
>
> --
>
> Duncan Alderson | Zeb3dee
> webantix.net | clamtech.co.uk
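A detection-side illustration of why piling on encoder passes did not help in this thread: however many passes you run, the outermost shikata_ga_nai decoder loop has to execute unencoded, and its fnstenv-based GetPC idiom looks the same every time. The scanner below is added here as an example; it is not code from the thread, from Metasploit, or from any AV vendor. The byte pattern it matches, the gap it tolerates between fnstenv and the pop, and the hand-assembled sample buffers are assumptions for the sake of the demonstration, not McAfee's "Downloader-BQQ" signature.

```python
"""Toy scanner for the fnstenv/pop GetPC idiom that a shikata_ga_nai-style
decoder leaves in the clear.

Added example only. The patterns and sample buffers are assumptions made for
this illustration; they are not a vendor signature.
"""
import re

# fnstenv [esp-0xc]: writes the FPU environment so that the address of the
# last executed FPU instruction ends up at [esp], ready to be popped.
FNSTENV_ESP_MINUS_0XC = b"\xd9\x74\x24\xf4"

# Single-byte 32-bit register pops: pop eax .. pop edi (0x58..0x5f).
POP_REG32 = range(0x58, 0x60)

# Assumption: allow a short register-setup instruction between the fnstenv
# and the pop rather than requiring strict adjacency.
MAX_GAP = 8


def find_getpc_stubs(buf: bytes, max_gap: int = MAX_GAP):
    """Return (fnstenv_offset, pop_offset) pairs for each GetPC idiom found.

    A real signature would also check that an FPU instruction precedes the
    fnstenv and that a decode loop follows; this heuristic keeps only the
    invariant part of the idiom.
    """
    hits = []
    for m in re.finditer(re.escape(FNSTENV_ESP_MINUS_0XC), buf):
        window = buf[m.end():m.end() + max_gap + 1]
        for i, opcode in enumerate(window):
            if opcode in POP_REG32:
                hits.append((m.start(), m.end() + i))
                break
    return hits


def classify(buf: bytes) -> str:
    """Toy verdict: 'suspicious' if a GetPC stub is present, else 'clean'."""
    return "suspicious" if find_getpc_stubs(buf) else "clean"


# Constructed sample (hand-assembled for this example, not real msfencode
# output): an FPU instruction, the fnstenv GetPC, a pop, key and counter
# setup, a simplified XOR/add decode loop, then bytes standing in for the
# encoded body. Only the body would change if more passes were applied.
SAMPLE_ENCODED = (
    b"\xd9\xee"                  # fldz: any FPU op records its own address
    + b"\xd9\x74\x24\xf4"        # fnstenv [esp-0xc]
    + b"\x5b"                    # pop ebx -> ebx = address of the fldz
    + b"\xbd\x11\x22\x33\x44"    # mov ebp, 0x44332211 (decode key)
    + b"\x33\xc9"                # xor ecx, ecx
    + b"\xb1\x04"                # mov cl, 4 (dword count of the body)
    + b"\x31\x6b\x1b"            # xor [ebx+0x1b], ebp
    + b"\x03\x6b\x1b"            # add ebp, [ebx+0x1b]
    + b"\x83\xeb\xfc"            # sub ebx, -4
    + b"\xe2\xf5"                # loop back to the xor
    + bytes(range(16))           # stand-in for the encoded body
)

# Constructed clean buffer: a function prologue, a string and an epilogue.
SAMPLE_CLEAN = b"\x55\x89\xe5\x83\xec\x10" + b"hello, world\x00" + b"\xc9\xc3"


def scan_samples():
    """Scan both constructed buffers; returns {name: (verdict, hits)}."""
    return {
        name: (classify(buf), find_getpc_stubs(buf))
        for name, buf in (("encoded", SAMPLE_ENCODED), ("clean", SAMPLE_CLEAN))
    }


if __name__ == "__main__":
    for name, (verdict, hits) in scan_samples().items():
        print(f"{name}: {verdict} {hits}")
```

To try it on your own output, read the bytes of the encoded executable and call `classify()` on them; if the verdict stays "suspicious" after wrapping with PEScrambler or iExpress, the stub is still sitting in the clear somewhere in the file and extra shikata ga nai passes will not change that.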
