Date posted: 08-May-2015
Uploaded by: veilframework
The Veil-Framework
@HarmJ0y, @ChrisTruncer, @VeilFramework
Who Are We?
Will Schroeder (@harmj0y): former national research lab keyboard monkey
Chris Truncer (@ChrisTruncer): Florida State graduate – Go Noles!
Veris Group pentesters by day, offensive security researchers by night. And we're hiring!
Overview
The Initial Problem
Public Reaction and Ethical Considerations
The Veil-Framework
Evading AV: Veil-Evasion
Payload Delivery: Veil-Catapult
Situation Awareness: Veil-PowerView
Demos Throughout
The Initial Problem
Antivirus doesn't catch malware, but (sometimes) catches pentesters
Our Initial Solution
A way to get around antivirus as easily as professional malware
Don't want to roll our own backdoor each time
Find a way to execute existing shellcode in an AV-evading way
The Veil-Framework
A toolset aiming to bridge the gap between pentesting and red teaming capabilities
We started with Veil-Evasion, and began to branch out to payload delivery and PowerShell exploitation
Nothing revolutionary here, but we want to bring together existing techniques and incremental research to try to push things forward
Ethical Considerations
The disclosure debate is not new…
Pentesters are 5+ years behind the professional malware community
This is already a problem the bad guys have solved
HD Moore's Take
"The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won."
https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information
Public Reaction
"surely this will just result in 21 new signatures for all major AVs and then we're back to square one?"
"Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?"
"The other point here is that anything that helps to expose how ineffective AV really is at stopping even a minimally sophisticated attacker is a good thing."
http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/
Twitter Reaction
Evading AV: Veil-Evasion
Veil-Evasion's Approach
Aggregation of various shellcode injection techniques across multiple languages
These have been known and documented in other tools
Focused on automation, usability, and developing a true framework
Some shellcodeless Meterpreter stagers and "auxiliary" modules as well
Veil-Evasion Features
Can use Metasploit-generated or custom shellcode
MSF payloads/options dynamically loaded; in the process of porting msfvenom
Third party tools can be easily integrated: Hyperion, PEScrambler, BackDoor Factory, etc.
Command line switches to allow scriptability
Native Compilation
Python: pyinstaller/py2exe
C#: mono for .NET
C: mingw32
Module Development
Implement your own obfuscation methods!
Lots of reusable functionality
Shellcode generation is abstracted and can be invoked as needed
https://www.veil-framework.com/tutorial-veil-payload-development/
Shellcode Injection
Void pointer casting: no guarantee the memory region is executable
VirtualAlloc: allocate memory as RWX, copy code in and create a thread
HeapAlloc: create a heap object and manually allocate memory
Pyinstaller and DEP
Pyinstaller-produced .exe's are DEP enabled by default; this ruins some shellcode injection methods
Luckily Pyinstaller is open source: we can recompile to turn off the DEP opt-in
https://www.veil-evasion.com/dep-pyinstaller/
Pwnstaller
A generator for obfuscated Pyinstaller loaders
BSides Boston '14 – Pwnstaller 1.0
Dynamically generates and compiles a new Pyinstaller loader on the fly
http://www.harmj0y.net/blog/python/pwnstaller-1-0/
Payload Releases: #VDay
VDay
Since 9/15/2013, we've released at least one new payload on the 15th of every month
32 currently published payloads
20+ additional payloads have been developed so far; we're going to be releasing for a while :)
Native Stagers
Stage 1 Meterpreter loaders don't have to be implemented in shellcode
Meterpreter stagers can be written in higher-level languages
https://github.com/rsmudge/metasploit-loader
Veil-Evasion Stagers
The following are the stagers currently available in the framework (as of 5/15/14):
Language  Stager
Python    meterpreter/rev_tcp
Python    meterpreter/rev_http
Python    meterpreter/rev_http_contained
Python    meterpreter/rev_https
Python    meterpreter/rev_https_contained
C#        meterpreter/rev_tcp
C#        meterpreter/rev_http
C#        meterpreter/rev_https
C         meterpreter/rev_tcp
C         meterpreter/rev_tcp_service
C         meterpreter/rev_http
C         meterpreter/rev_http_service
How Stagers Work
1) a TCP connection is opened to the handler
2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll
3) the socket number for this TCP connection is pushed into the edi register
4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)
reverse_http stagers skip steps 2 and 3
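Two of the slides above describe facts a defender can check for directly: the Pyinstaller/DEP slide turns on whether a produced .exe opts in to DEP (the NX_COMPAT bit in the PE optional header), and the "How Stagers Work" slide describes the handler's reply as a 4-byte size prefix followed by a .dll. The following is an added example, not code from the slides or from the Veil project: a small PE header parser that reports the DEP and ASLR opt-in bits of any executable (for example, a Pyinstaller build suspected of having been recompiled without DEP), reused to sanity-check a captured reverse_tcp stage reply for the "size prefix then DLL" shape. The little-endian interpretation of the size prefix, the header-only PE samples, and the constant names are assumptions of this example; a real stage need not carry an intact PE header, so the parser is a shape check, not a signature.

```python
import struct

# IMAGE_DLLCHARACTERISTICS flags from the PE optional header (documented Windows constants).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def _need(data, end, what):
    """Bounds check so truncated or hostile input raises ValueError rather than IndexError."""
    if len(data) < end:
        raise ValueError("truncated input while reading %s" % what)


def pe_dll_characteristics(data):
    """Return the DllCharacteristics field of a PE image given as bytes."""
    _need(data, 0x40, "DOS header")
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    _need(data, e_lfanew + 4, "PE signature")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # COFF header is 20 bytes; optional header follows it
    _need(data, opt + 72, "optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", data, opt + 70)[0]


def dep_status(data):
    """Report whether an executable opts in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE)."""
    flags = pe_dll_characteristics(data)
    return {
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def inspect_stage_response(stream):
    """Check a captured handler-to-stager reply against the shape the slides describe:
    a 4-byte size prefix followed by a DLL. Little-endian prefix is an assumption."""
    result = {"declared_size": None, "size_matches": False, "looks_like_pe": False}
    if len(stream) < 4:
        return result
    declared = struct.unpack_from("<I", stream, 0)[0]
    body = stream[4:]
    result["declared_size"] = declared
    result["size_matches"] = declared == len(body)
    try:
        pe_dll_characteristics(body)
        result["looks_like_pe"] = True
    except ValueError:
        pass
    return result


def build_minimal_pe(dll_characteristics, pe32plus=False):
    """Construct a header-only PE image as test input (constructed, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x014C,  # Machine
                       0, 0, 0, 0,                      # sections, timestamp, symtab, nsyms
                       opt_size,                        # SizeOfOptionalHeader
                       0x2002)                          # Characteristics: executable image | DLL
    opt = bytearray(opt_size)
    opt[0:2] = struct.pack("<H", PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    opt[70:72] = struct.pack("<H", dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a DEP-enabled image, one rebuilt without NX_COMPAT, and a
# fake captured stage reply carrying the latter.
DEP_ON = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
DEP_OFF = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
CAPTURED_STAGE = struct.pack("<I", len(DEP_OFF)) + DEP_OFF

if __name__ == "__main__":
    print("DEP-enabled build:", dep_status(DEP_ON))
    print("DEP-disabled build:", dep_status(DEP_OFF))
    print("captured stage:", inspect_stage_response(CAPTURED_STAGE))
```

To run the DEP check against a real file, pass `open(path, "rb").read()` to `dep_status`; an executable that reports `nx_compat: False` is one the loader will happily run with writable-and-executable memory, which is exactly the property the Pyinstaller slide relies on and the property a build pipeline or endpoint inventory can flag.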
Veil-Evasion Demo
Payload Delivery: Veil-Catapult
Veil-Catapult
After payload generation, our focus shifted to delivery
Features nice integration with Veil-Evasion for on-the-fly payload generation
Cleanup scripts generated for payload killing and deletion
Command line flags for every option
https://www.veil-framework.com/catapult/
.EXE Delivery
Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe
Payloads are delivered in one of two ways:
upload/execute using Impacket and pth-toolkit
host/execute a \\UNC path to the attacker's box
UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
Standalone Payloads
PowerShell: shellcode injector, bye bye disk writes
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
Barebones Python: uploads a minimal Python installation to invoke shellcode (see: next slide)
Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
Barebones Python
Uploads a minimal Python .zip installation and 7zip binary
Python environment unzipped, shellcode invoked using "-c …"
The only files that touch disk are trusted Python libraries and a Python interpreter
Gets right by some reputation filters and antivirus!
https://www.veil-framework.com/barebones-python-injection/
Veil-Catapult Demo
Situational Awareness: Veil-PowerView
Situational Awareness, redux
Goal: gain an understanding of an exploited host/network to aid in deeper infiltration
Old schoolz:
net group /domain
net group "domain admins" /domain
net users /domain
net user "jsmith" /domain
net view //hostname
netsess.exe
custom tools utilizing WinAPI calls
blah blah blah
Veil-PowerView
A pure PowerShell situational awareness tool
https://www.veil-framework.com/veil-powerview/
Arose partially because a client banned "net" commands on domain machines: annoying, but only a minor roadblock
Otherwise initially inspired by Rob Fuller's netview.exe tool; wanted something a bit more flexible that also didn't drop a binary to disk
Started to explore and expand functionality
Get-Net*
Full-featured replacements for almost all "net *" commands, utilizing PowerShell AD hooks and various API calls
Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.
See README.md for the complete list, and function descriptions for usage options
Meta-Functions
Invoke-Netview: full-featured netview.exe replacement, plus more: hostlists, jitter/delay, check share access, etc.
Invoke-ShareFinder: finds open shares on the network and checks if you have read access
Invoke-FindLocalAdminAccess: port of the local_admin_search_enum.rb Metasploit module; finds machines the current user has admin access to
Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
User Hunting
Goal: find which domain machines specific users are logged into
Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users! Utilizes Get-NetSessions and Get-NetLoggedon
Invoke-StealthUserHunter: extracts user HomeDirectories from AD, and runs Get-NetSessions on file servers to hunt for targets; significantly less traffic than Invoke-UserHunter
Veil-PowerView Demo
Get the Veil-Framework
Github: https://github.com/Veil-Framework/
Read more: https://www.veil-framework.com
Now in Kali: apt-get install veil
Questions?
[email protected] @harmj0y
[email protected] @ChrisTruncer
#veil on freenode
forums at https://veil-framework.com/forums/