Difference between revisions of "Episode333"

From Security Weekly Wiki

Revision as of 20:47, 30 May 2013


Episode Media

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 333 for Thursday May 30th, 2013

  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • Come to the Security BSides Rhode Island Two-Day Conference on June 14th and 15th. Tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright, Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray, Ron Gula, Ben Jackson, Dave Maynor and the entire PaulDotCom crew!
  • Planning for the 11th Annual Louisville Metro InfoSec Conference is now underway - the event will be Thursday October 3rd, 2013 in Shepherdsville KY just south of Louisville. We are looking for technical and business speakers from the infosec world - as well as sponsorships - which run from $500 - $5000 for a keynote sponsorship. Between 400-500 attendees will spend the day learning from world-class speakers, rubbing elbows with the region's security professionals, and having lots of fun! Visit the site at louisvilleinfosec.com.
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here! (Web site experiencing problems, will update link when it comes back)

Interview: Gunnar Peterson

Tech Segment: Chris Truncer on Veil

On nearly every assessment, pen testers have to fight a battle against antivirus solutions. The level of effort that goes into each "battle" relies on the AV solution, its definitions, etc. Researching methods to bypass antivirus solutions has been an interest of mine on and off for the past 6 months. About two months ago I started to take a more serious look at how I could take my recent research and turn it into something that is more usable and useful. I set out with a couple of goals:

  • Bypass common AV solutions that I/we routinely encounter in most network environments
  • Utilize payloads that are compatible with the Metasploit framework, expand in future releases
  • Attempt to make each payload file as random as possible

With these goals in mind, I continued researching methods of bypassing AV. Since I wanted to maintain Metasploit compatibility, I chose to use shellcode generated by the Metasploit framework, specifically msfvenom. To accomplish this, I began looking into other available research, which is where I discovered a number of interesting techniques that a variety of people, such as Dave Kennedy and Debasish Mandal, had already begun to develop. From their research, I learned about really interesting ways to inject shellcode into memory through Python. These methods were the foundation of the rest of my research.

Since the majority of our assessments are against predominantly Windows environments, it was important that the tool worked reliably against these systems. Since I chose to write the tool in Python, I had to figure out how to package the Python output files containing the obfuscated shellcode to execute on Windows without requiring Python to be installed on the target machine. One of the solutions I looked into was using Py2Exe. I knew other software used this method to convert their Python-based scripts or tools into an executable that could run on Windows and figured I could do the same. I began testing Py2Exe with the payload files I developed and was successful running the executables on various versions of Windows, so I stuck with that solution. The final part was for me to develop a tool that automated the payload generation process, and I'm happy to "unveil" the work I've done with my tool, Veil.

Veil is currently capable of using 7 different methods to make 21 different payloads, all of which result in Meterpreter connections. Veil will generate three files to create the final executable: a payload file (in Python), a file with runtime instructions for Py2Exe, and a batch script which handles converting the payload file into an executable. To generate the final payload, copy the three output files to a Windows host with Python, Py2Exe, and PyCrypto installed and execute the batch script. This will build the final executable that is uploaded to the target. The executable file can be dropped anywhere, on any Windows system, as all required libraries are stored within the exe file. Once dropped on a system and executed, the payload will result in a Meterpreter callback that is undetected by AV.

I’ve tested the packaged executable against multiple AV solutions (MSE, Kaspersky, AVG, Symantec, and McAfee), on both test systems and “in the wild,” and have a very high success rate, bypassing detection in almost every circumstance. I hope that, by releasing this tool, I can enable others in the community to provide more effective assessments by allowing them to focus their efforts on security risks and spend less time bypassing ineffective security measures that wouldn’t deter an actual adversary.


Setup:

  • Install Python 2.7 on Windows
  • Install Py2Exe on Windows
  • Install PyCrypto on Windows

Instructions for Use:

  • Run Veil from Kali and generate your payload, along with its two accompanying files.
  • Move all three files onto your Windows machine with Python installed. All three files should be placed in the root of the directory Python was installed to (likely C:\Python27).
  • Run the batch script to convert the Python script into an executable format.
  • Place the executable file on your target machine through any means necessary!

Future Direction:

  • Research new methods of encrypting or obfuscating the payload file
  • Research using other languages with direct access to the Windows API
  • Research other methods for generating the final executable (PyInstaller vs. Py2Exe)

References:

  • Dave Kennedy - http://www.trustedsec.com/files/BSIDESLV_Secret_Pentesting_Techniques.pdf
  • Debasish Mandal - http://www.debasish.in/2012/04/execute-shellcode-using-python.html

Plugs:

  • Twitter - @ChrisTruncer
  • Website: http://www.christophertruncer.com
  • Classes: https://www.blackhat.com/us-13/training/adaptive-red-team-tactics.html
  • https://www.blackhat.com/us-13/training/adaptive-penetration-testing.html
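
For defenders triaging an unknown Windows executable, the self-contained Py2Exe packaging described in the segment can leave static traces. The sketch below is an added example, not Veil's code and not part of the original show notes; the marker strings, the appended-zip layout and the `build_sample` helper are assumptions made for illustration, and a hit only means "packaged Python", which many legitimate tools also are.

```python
import struct

# Assumed markers: py2exe stubs are generally reported to carry the script in a
# resource named PYTHONSCRIPT (resource names are UTF-16LE) and to load
# python27.dll. Confirm both against a known py2exe build before relying on them.
MARKERS = {
    "pythonscript_resource": "PYTHONSCRIPT".encode("utf-16-le"),
    "python27_dll": b"python27.dll",
}
ZIP_EOCD = b"PK\x05\x06"  # zip end-of-central-directory signature


def overlay_offset(data):
    """Return the offset where data appended after the last PE section starts, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size  # section table follows the optional header
    end = 0
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            return None  # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end if 0 < end < len(data) else None


def triage(data):
    """List the packaging indicators found in one executable image."""
    hits = [name for name, needle in MARKERS.items() if needle in data]
    ov = overlay_offset(data)
    if ov is not None and ZIP_EOCD in data[ov:]:
        hits.append("zip_overlay")  # assumed: bundled library appended as a zip
    return hits


def build_sample(markers=b"", overlay=b""):
    """Constructed minimal PE-shaped image with one section (not a runnable program)."""
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sect = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0)
    body = markers.ljust(0x200, b"\0")
    return (hdr + coff + sect).ljust(0x200, b"\0") + body + overlay
```

Treat the result as a routing signal for deeper analysis (unpacking the embedded script, sandboxing), not as a verdict.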


Announcement

  • Larry teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too late to sign up for my class in San Diego this May! (actually, it is, so sign up for SANSFIRE next month and NS2013 in Vegas!)

Stories

Paul's Stories

Larry’s Stories

Jack’s Stories

Allison's Stories

Patrick's Stories