Security Device Evasion

Metasploit has provided some limited security device evasion features for some time, but in the past, the types of evasion options offered were ad-hoc and usually differed wildly from exploit to exploit. With Metasploit 3.0, evasion features are enhanced and standardized, allowing for easier and more consistent bypassing of security devices. Some powerful evasion techniques have been added to the core framework, meaning that the evasions are available even when the exploit is oblivious to them.

A list of supported evasion techniques is available by typing show evasion at the Metasploit prompt once an exploit is selected. Each entry shows the evasion's name, its current setting, and a description. Here is an example of the evasions supported by an HTTP client-side exploit:

msf exploit(aim_goaway) > show evasion

Module evasion options:

   Name           : HTML::base64
   Current Setting: none
   Description    : Enable HTML obfuscation via an embedded base64 html object
      (accepted: none, plain, single_pad, double_pad, random_space_injection)

   Name           : HTML::javascript::escape
   Current Setting: 0
   Description    : Enable HTML obfuscation via HTML escaping (number of iterations)

   Name           : HTML::unicode
   Current Setting: none
   Description    : Enable HTTP obfuscation via unicode (accepted: none, utf-16le,
      utf-16be, utf-16be-marker, utf-32le, utf-32be)

 [additional evasions omitted..]

   Name           : TCP::max_send_size
   Current Setting: 0
   Description    : Maxiumum tcp segment size. (0 = disable)

   Name           : TCP::send_delay
   Current Setting: 0
   Description    : Delays inserted before every send. (0 = disable)

The name of each evasion option typically starts with the protocol, which indicates the network layer at which the evasion is performed. In the preceding example, both HTTP and TCP evasions are available. By combining evasion techniques on multiple layers, the odds of slipping undetected past a security device increase.

To change the value of an evasion option, use set <evasion option> <value>. For example, to enable HTTP GZIP compression for our exploit, we would type:

msf exploit(aim_goaway) > set HTTP::compression gzip
HTTP::compression => gzip