
The Veil-Framework

Date post: 08-May-2015
Upload: veilframework
Description:
This presentation is about the Veil-Framework and its various components. This talk was given at CarolinaCon X (2014).
Transcript
Page 1: The Veil-Framework

The Veil-Framework

@HarmJ0y @ChrisTruncer @VeilFramework

Page 2: The Veil-Framework

Who Are We?

Will Schroeder (@harmj0y): former national research lab keyboard monkey

Chris Truncer (@ChrisTruncer): Florida State graduate – Go Noles!

Veris Group pentesters by day, offensive security researchers by night. And we’re hiring!

Page 3: The Veil-Framework

Overview

The Initial Problem

Public Reaction and Ethical Considerations

The Veil-Framework

Evading AV: Veil-Evasion

Payload Delivery: Veil-Catapult

Situation Awareness: Veil-PowerView

Demos Throughout

Page 4: The Veil-Framework

The Initial Problem

Antivirus doesn’t catch malware, but (sometimes) catches pentesters

Page 5: The Veil-Framework

Our Initial Solution

A way to get around antivirus as easily as professional malware does

Don’t want to roll our own backdoor each time

Find a way to execute existing shellcode in an AV-evading way

Page 6: The Veil-Framework

The Veil-Framework

A toolset aiming to bridge the gap between pentesting and red teaming capabilities

We started with Veil-Evasion, and began to branch out to payload delivery and PowerShell exploitation

Nothing revolutionary here, but we want to bring together existing techniques and incremental research to try to push things forward

Page 7: The Veil-Framework

Ethical Considerations

The disclosure debate is not new…

Pentesters are 5+ years behind the professional malware community

This is already a problem the bad guys have solved

Page 8: The Veil-Framework

HD Moore’s Take

“The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.”

https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information

Page 9: The Veil-Framework

Public Reaction

“surely this will just result in 21 new signatures for all major AVs and then we're back to square one?”

“Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?”

“The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.”

http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/

Page 10: The Veil-Framework

Twitter Reaction

Page 11: The Veil-Framework

Twitter Reaction

Page 12: The Veil-Framework

Evading AV

Veil-Evasion

Page 13: The Veil-Framework

Veil-Evasion’s Approach

Aggregation of various shellcode injection techniques across multiple languages; these have been known and documented in other tools

Focused on automation, usability, and developing a true framework

Some shellcodeless Meterpreter stagers and “auxiliary” modules as well

Page 14: The Veil-Framework

Veil-Evasion Features

Can use Metasploit-generated or custom shellcode

MSF payloads/options dynamically loaded; in the process of porting msfvenom

Third-party tools can be easily integrated: Hyperion, PEScrambler, BackDoor Factory, etc.

Command line switches to allow scriptability

Page 15: The Veil-Framework

Native Compilation

Python: pyinstaller/py2exe

C#: mono for .NET

C: mingw32

Page 16: The Veil-Framework

Module Development

Implement your own obfuscation methods!

Lots of reusable functionality

Shellcode generation is abstracted and can be invoked as needed

https://www.veil-framework.com/tutorial-veil-payload-development/

Page 17: The Veil-Framework

Shellcode Injection

Void pointer casting: cast the shellcode buffer to a function pointer and call it; there is no guarantee the memory region is executable, so this fails under DEP

VirtualAlloc: allocate memory as RWX (PAGE_EXECUTE_READWRITE), copy the code in and create a thread on it

HeapAlloc: create a heap object with execute permission and manually allocate memory for the shellcode from it

Page 18: The Veil-Framework

Pyinstaller and DEP

Pyinstaller-produced .exe’s are DEP-enabled by default; this ruins some shellcode injection methods (the ones that rely on non-executable memory being executable)

Luckily Pyinstaller is open source, so we can recompile its loader with DEP opt-in turned off

https://www.veil-evasion.com/dep-pyinstaller/
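An added example, not Pyinstaller's or Veil's code: a small pure-Python reader for the DllCharacteristics field of the PE optional header, where the DEP opt-in bit (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x0100) lives, so you can confirm what a given loader .exe was built with. build_sample_pe constructs a header-only PE purely for demonstration; dep_opt_in, set_dep_opt_in and the other function names are the example's own. set_dep_opt_in flips the bit directly on an existing binary, which is an alternative to recompiling the loader; the slide's own approach is the recompile.

```python
"""Added example: inspect and toggle the DEP opt-in flag in a PE header."""
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # "DEP opt-in": image declares itself NX-compatible
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in, reported for comparison
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset within both PE32 and PE32+ optional headers


def _dllcharacteristics_offset(pe: bytes) -> int:
    """File offset of OptionalHeader.DllCharacteristics, validating the headers on the way."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER (20 bytes)
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    optional = coff + 20                                    # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", pe, optional)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to hold DllCharacteristics")
    return optional + DLLCHARACTERISTICS_OFFSET


def dll_characteristics(pe: bytes) -> int:
    (flags,) = struct.unpack_from("<H", pe, _dllcharacteristics_offset(pe))
    return flags


def dep_opt_in(pe: bytes) -> bool:
    """True if the image asks the loader for DEP (what a stock Pyinstaller .exe does)."""
    return bool(dll_characteristics(pe) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def set_dep_opt_in(pe: bytes, enabled: bool) -> bytes:
    """Copy of the PE with NX_COMPAT set or cleared. Same length, nothing else touched:
    the header CheckSum and any Authenticode signature are deliberately left stale."""
    off = _dllcharacteristics_offset(pe)
    flags = dll_characteristics(pe)
    if enabled:
        flags |= IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    else:
        flags &= ~IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    out = bytearray(pe)
    struct.pack_into("<H", out, off, flags & 0xFFFF)
    return bytes(out)


def build_sample_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed, header-only PE (no sections) used for demonstration and tests."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: PE signature follows the DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C                 # AMD64 / I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        flags = dll_characteristics(data)
        print("%s: DEP opt-in=%s ASLR=%s" % (path, dep_opt_in(data),
              bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)))
```

Run it against a Pyinstaller-built .exe to see the bit set, and against the recompiled loader to see it cleared. Two caveats: the flag only matters when the system DEP policy is OptIn or OptOut (under AlwaysOn the loader ignores it), and patching the bit in a signed binary breaks its Authenticode signature.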

Page 19: The Veil-Framework

Pwnstaller

A generator for obfuscated Pyinstaller loaders

BSides Boston ‘14 – Pwnstaller 1.0

Dynamically generates and compiles a new Pyinstaller loader on the fly

http://www.harmj0y.net/blog/python/pwnstaller-1-0/

Page 20: The Veil-Framework

Payload Releases

#VDay

Page 21: The Veil-Framework

VDay

Since 9/15/2013, we’ve released at least one new payload on the 15th of every month

32 currently published payloads

20+ additional payloads have been developed so far

We’re going to be releasing for a while :)

Page 22: The Veil-Framework

Native Stagers

Stage 1 Meterpreter loaders don’t have to be implemented in shellcode

Meterpreter stagers can be written in higher-level languages

https://github.com/rsmudge/metasploit-loader

Page 23: The Veil-Framework

Veil-Evasion Stagers

The following are the stagers currently available in the framework (as of 5/15/14):

Language   Stager
Python     meterpreter/rev_tcp
Python     meterpreter/rev_http
Python     meterpreter/rev_http_contained
Python     meterpreter/rev_https
Python     meterpreter/rev_https_contained

Page 24: The Veil-Framework

Veil-Evasion Stagers

Language   Stager
C#         meterpreter/rev_tcp
C#         meterpreter/rev_http
C#         meterpreter/rev_https
C          meterpreter/rev_tcp
C          meterpreter/rev_tcp_service
C          meterpreter/rev_http
C          meterpreter/rev_http_service

Page 25: The Veil-Framework

How Stagers Work

1) a TCP connection is opened to the handler

2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll

3) the socket number for this TCP connection is pushed into the edi register

4) execution is passed to the .dll just like regular shellcode (void * cast or VirtualAlloc)

reverse_http stagers skip steps 2 and 3 (the stage is fetched over HTTP instead)
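The step list above as an added example, not the Veil or metasploit-loader code: a Python implementation of steps 1 to 3 with the handler and the stager in one process over a socketpair, including the short-read and early-disconnect handling a real stager needs. serve_stage, receive_stage and the demo_* names are the example's own, and the stage bytes are constructed. Step 4 (executing the received .dll) and the reverse_http variant, which fetches the stage as an HTTP response body and never hands a socket over, are deliberately left out.

```python
"""Added example: the reverse_tcp staging handshake, both ends in one process."""
import socket
import struct
import threading

MAX_STAGE = 16 * 1024 * 1024  # sanity bound; a Meterpreter stage is well under this


def serve_stage(handler_sock: socket.socket, stage: bytes) -> None:
    """Handler side (step 2): 4-byte little-endian length, then the .dll bytes."""
    handler_sock.sendall(struct.pack("<I", len(stage)) + stage)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return short reads; loop until exactly n bytes are in hand."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError("handler closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def receive_stage(sock: socket.socket, max_size: int = MAX_STAGE):
    """Stager side (steps 2-3): read the length prefix, then exactly that many bytes.
    Returns (socket_fd, stage). A native stager passes socket_fd on to the stage
    (the x86 loader does so in edi) so Meterpreter keeps using the same connection."""
    (size,) = struct.unpack("<I", _recv_exact(sock, 4))
    if size == 0 or size > max_size:
        raise ValueError("implausible stage size %d" % size)
    stage = _recv_exact(sock, size)
    return sock.fileno(), stage


def demo_stage_exchange(stage: bytes) -> bool:
    """Steps 1-3 end to end on a local socketpair. True if the stager received the
    exact bytes and the fd it would hand over is the connection's own."""
    handler_end, stager_end = socket.socketpair()
    sender = threading.Thread(target=serve_stage, args=(handler_end, stage))
    sender.start()
    fd, received = receive_stage(stager_end)
    sender.join()
    handler_end.close()
    ok = received == stage and fd == stager_end.fileno()
    stager_end.close()
    return ok


def demo_truncated_stage() -> bool:
    """Failure mode: the handler advertises 4096 bytes but disconnects after 100.
    True if the stager refuses to treat the partial blob as a stage."""
    handler_end, stager_end = socket.socketpair()
    handler_end.sendall(struct.pack("<I", 4096) + b"\x90" * 100)
    handler_end.close()
    try:
        receive_stage(stager_end)
        return False
    except ConnectionError:
        return True
    finally:
        stager_end.close()


if __name__ == "__main__":
    fake_stage = b"MZ" + bytes(range(256)) * 2000   # constructed ~512 KiB blob standing in for metsrv.dll
    print("exchange ok:", demo_stage_exchange(fake_stage))
    print("truncation detected:", demo_truncated_stage())
```

The half-megabyte constructed stage is larger than any socket buffer, so the receive loop genuinely has to reassemble it from many reads; the truncation demo is the case a copy-and-paste stager that does a single recv() gets wrong.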

Page 26: The Veil-Framework

Veil-Evasion Demo

Page 27: The Veil-Framework

Payload Delivery

Veil-Catapult

Page 28: The Veil-Framework

Veil-Catapult

Page 29: The Veil-Framework

Veil-Catapult

After payload generation, our focus shifted to delivery

Features nice integration with Veil-Evasion for on-the-fly payload generation

Cleanup scripts generated for payload killing and deletion

Command line flags for every option

https://www.veil-framework.com/catapult/

Page 30: The Veil-Framework

.EXE Delivery

Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe

Payloads are delivered in one of two ways:

upload/execute using Impacket and pth-toolkit

host/execute via a \\UNC path to the attacker’s box

UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)

Page 31: The Veil-Framework

Standalone Payloads

PowerShell shellcode injector: bye bye disk writes http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

Barebones Python: uploads a minimal Python installation to invoke shellcode (see next slide)

Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor

Page 32: The Veil-Framework

Barebones Python

Uploads a minimal Python .zip installation and a 7zip binary

Python environment unzipped, shellcode invoked using “-c …”

The only files that touch disk are trusted Python libraries and a Python interpreter

Gets right by some reputation filters and antivirus!

https://www.veil-framework.com/barebones-python-injection/

Page 33: The Veil-Framework

Veil-Catapult Demo

Page 34: The Veil-Framework

Situational Awareness

Veil-PowerView

Page 35: The Veil-Framework

Situational Awareness, redux

Goal: gain an understanding of an exploited host/network to aid in deeper infiltration

Old schoolz:

net group /domain

net group “domain admins” /domain

net users /domain

net user “jsmith” /domain

net view \\hostname

netsess.exe

custom tools utilizing WinAPI calls

blah blah blah

Page 36: The Veil-Framework

Veil-PowerView

A pure PowerShell situational awareness tool

https://www.veil-framework.com/veil-powerview/

Arose partially because a client banned “net” commands on domain machines; annoying, but only a minor roadblock

Otherwise initially inspired by Rob Fuller’s netview.exe tool; wanted something a bit more flexible that also didn’t drop a binary to disk

Started to explore and expand functionality

Page 37: The Veil-Framework

Get-Net*

Full-featured replacements for almost all “net *” commands, utilizing PowerShell AD hooks and various API calls

Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.

See README.md for complete list, and function descriptions for usage options

Page 38: The Veil-Framework

Meta-Functions

Invoke-Netview: full-featured netview.exe replacement, plus more: hostlists, jitter/delay, check share access, etc.

Invoke-ShareFinder: finds open shares on the network and checks if you have read access

Invoke-FindLocalAdminAccess: port of the local_admin_search_enum.rb Metasploit module; finds machines the current user has admin access to

Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067

Page 39: The Veil-Framework

User Hunting

Goal: find which domain machines specific users are logged into

Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users! Utilizes Get-NetSessions and Get-NetLoggedon

Invoke-StealthUserHunter: extracts user.HomeDirectories from AD and runs Get-NetSessions on the file servers to hunt for targets; significantly less traffic than Invoke-UserHunter

Page 40: The Veil-Framework

Veil-PowerView Demo

Page 41: The Veil-Framework

Get the Veil-Framework

Github: https://github.com/Veil-Framework/

Read more: https://www.veil-framework.com

Now in Kali: apt-get install veil

