Episode333

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3

Announcements & Shameless Plugs

Security Weekly - Episode 333 for Thursday May 30th, 2013

  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • Come to Security BSides Rhode Island Two-Day Conference on June 14th and 15th tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright , Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray,Ron Gula, Ben Jackson, Dave Maynor and the entire Security Weekly crew!
  • Planning for the 11th Annual Louisville Metro InfoSec Conference is now underway - the event will be Thursday October 3rd, 2013 in Shepherdsville KY just south of Louisville. We are looking for technical and business speakers from the infosec world - as well as sponsorships - which run from $500 - $5000 for a keynote sponsorship. Between 400-500 attendees will spend the day learning from world-class speakers, rubbing elbows with the regions security professionals, and having lots of fun! Visit the site at louisvilleinfosec.com.
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here! (Web site experiencing problems, will update link when it comes back)

Interview: Gunnar Peterson

Gunnar Peterson does security consulting, training and research on Identity and Access Management, Cloud, Mobile and software security. He is a Microsoft MVP for Application security, an IANS Research Faculty member, and a Securosis Contributing Analyst. He maintains a popular information security blog at http://1raindrop.typepad.com.

Twitter: @oneraindrop

The word "trust" seems to be misused and misunderstood in security- can you share your thoughts on "trust" and the dangers of the concept as we use it in security?

There are a lot of security people making statements about "risk". What factors do the following play in the risk equation: "whether you are feeling happy, sad, anxious, angry or disgusted; how much money you had between the ages of 18 and 25; whether, if you are a man, a woman recently touched you on the shoulder; whether, if you are a woman, there are a lot of men in the room; how well the market has done lately; which country or culture you come from; how long ago you ate your last meal; whether you smoke; how much you weigh; whether you put your feet up on a table when you were thinking about the risk; whether at least 75 people have died in an airplane crash in the past three days; whether the sun is shining; how urgently you need to go to the bathroom;"

To ask the age old question, "How can we make more informed risk-based decisions"? Or does it really go deeper than just "risk"?

What data can be collected about information security in an organization to help predict what could happen and how it impacts your risk equation. I love the Turkey analogy, I think it means you do the same things every day, and then factors beyond your control change, so how do you measure that?

What are some parallels between investing and security?

Tech Segment: Chris Truncer on Veil

Chris Truncer is a Penetration Tester at Veris Group where he performs a variety of assessments for Federal and commercial customers. Currently Chris is supporting DHS and their development of a operational Penetration Testing team to support civilian government agencies. He currently helps to develop the overall program while also leading pen testing teams for other customers. His specialties include wireless network assessments and network level penetration testing. Recently, Chris became interested AV evasion methods, which led to the development of Veil.


On nearly every assessment, pen testers have to fight a battle against antivirus solutions. The level of effort that goes into each "battle" relies on the AV solution, its definitions, etc. Researching methods to bypass antivirus solutions has been an interest of mine on and off for the past 6 months. About two months ago I started to take a more serious look in how I could take my recent research and turn it into something that more usable and useful. I set out with a couple goals:

Bypass common AV solutions that I/we routinely encounter in most network environments Utilize payloads that are compatible with the Metasploit framework, expand in future releases Attempt to make each payload file as random as possible

With these goals in mind, I continued researching methods of bypassing AV. Since I wanted to maintain metasploit compatibility, I chose to use shellcode generated by the metasploit framework, specifically msfvenom. To accomplish this, I began looking into other available research, which is where I discovered a number of interesting techniques that a variety of people, such as Dave Kennedy and Debasish Mandal, already began to develop. From their research, I learned about really interesting ways to inject shellcode into memory through python. These methods were the foundation of the rest of my research.

Since the majority of our assessment are against predominantly Windows environments, it was important that the tool worked reliably against these systems. Since I chose to write the tool in Python, I had to figure out how to package the Python output files containing the obfuscated shellcode to execute on Windows without requiring Python to be installed on the target machine. One of the solutions I looked into was using Py2Exe. I knew other software used this method to convert their Python-based scripts or tools into an executable that could run on Windows and figured I could do the same. I began testing Py2Exe with the payload files I developed and was successful running the executables on various versions of Windows, so I started with that solution. The final part was for me to develop a tool that automated the payload generation process, and I'm happy to release Veil.

Veil is currently capable of using 7 different methods to make 21 different payloads, all of which result in reverse meterpreter connections. Veil provides the user with the option of using either Pyinstaller or Py2Exe to convert their python payload into an executable. With Pyinstaller, Veil users have their payload file converted into an executable all within Kali, which does not require the use of a second VM/Machine. When using Py2Exe,Veil will generate three files to which are required to create the final executable; a payload file (in Python), a file with runtime instructions for Py2Exe, and a batch script which handles converting the payload file into an executable. To generate the final payload, copy the three output files to a Windows host with Python, Py2Exe, and PyCrypto installed and execute the batch script. This will build the final executable that is uploaded to the target. Either method will create an executable file that can be dropped anywhere, on any Windows system, as all required libraries are stored within the executable. Once dropped on a system and executed, the payload will result in a meterpeter callback that is undetected by AV.

I’ve tested the packaged executable against multiple AV solutions (MSE, Kaspersky, AVG, Symantec, and McAfee), on both test systems and “in the wild,” and have a very high success rate, bypassing detection in almost every circumstance. I hope that, by releasing this tool, I can enable others in the community to provide more effective assessments by allowing them to focus their efforts on security risks and spend less time bypassing ineffective security measures that wouldn’t deter an actual adversary.

Setup:

  • For Kali:
    • Run the setup.sh file and follow the installation process
    • Once the setup.sh file has completed, delete the setup script.
  • - or -
    • Install Python 2.7
    • Install PyCrypto >= 2.3

Instructions for Use:

  • Run Veil from Kali and generate your payload
  • If using PyInstaller, your payload is converted into an exe and is ready for use!
  • If using Py2Exe
  • Move the payload.py along with its two accompanying files onto your Windows machine (that already has python and the other dependencies from above installed). All three files should be placed in the root of the directory Python was installed to (likely C:\Python27).
  • Run the batch script to convert the Python payload into an executable format.
  • Place the executable file on your target machine through any means necessary!

Future Direction:

  • Research new methods of encrypting or obfuscating the payload file
  • Research using other languages with direct access to the Windows API for delivering the payload


References:


Links:

Announcement

  • Join Paul and John for a free webcast on June 4th at 1:30PM ET on "The Three Most Common Tools Used to Breach Systems"
  • Larry teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too Late to sign up for my class in San Diego this May! (actually, it is, so sign up for SANSFIRE next month and NS2013 in Vegas!)

Stories

Paul's Stories

  1. Interview With A Blackhat (Part 1) | WhiteHat Security Blog
  2. Sunera Information Security Blog: Download Multiple Nessus Reports via the Nessus XML-RPC API
  3. Improving the security of your SSH private key files — Martin Kleppmann’s blog
  4. A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094) at time to bleed by Joe Damato
  5. Log file vulnerability in Apache server
  6. Google cuts grace period for vendors of vulnerable software
  7. Hacking Firmware And Detecting Backdoors -- Dark Reading

Larry’s Stories

Jack’s Stories

  1. Crime Cost Consumers More Than A Half-Billion Dollars Last Year at least if you believe this report.
  2. Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies The Chinese again. Or is this FUD? Here's A list of the U.S. weapons designs and technologies compromised by hackers
  3. Blueprints of Australia's top spy agency headquarters stolen by Chinese hackers Is it bad when the Chinese steal your spy agency's floorplans? Yeah, probably. More details in this ABC report (That's ABC as in Australian Broadcasting Company).
  4. Google engineer publicizes Windows zero-day bug, claims Microsoft is 'difficult to work with'
  5. PayPal Bug Bounty Controversy - I found the XSS first: They still didn't pay me

Allison's Stories

  1. DDoS Services Advertise Openly, Take PayPal This is the result of some research that my friend Brandon Levene and I have been conducting over the past several months. These ddos-for-hire sites are typically used to cheat at videogames or express someone's rage, and operate in a grey area where we don't see any enforcement action against these sites even though they are clearly malicious. As of a couple weeks ago, ~100% of booter sites I surveyed accept Paypal as payment, and ~70% are protected by Cloudflare.
  2. Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor? A second part in a [??] part series. We document the hilariously public life of a booter owner and some technical details of his site. His site is mostly used for cheating at video games by DDOSing the opponent and disconnecting their home connection. I tested the site and found it to be almost completely nonfunctional. The site covered here also accepts PayPal and is protected by Cloudflare.
  3. U.S. Government Seizes LibertyReserve.com For those not in the know, liberty reserve is the #1 payment processor in the criminal underground. Its structured for maximum obfuscation so you can't see where the money came from and where it's going. This takedown will cause ripples in the criminal underground before they move on to the next payment processor.

Patrick's Stories