Episode333

From Security Weekly Wiki
Jump to navigationJump to search


Episode Media

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 333 for Thursday May 30th, 2013

  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • Come to Security BSides Rhode Island Two-Day Conference on June 14th and 15th tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright , Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray,Ron Gula, Ben Jackson, Dave Maynor and the entire PaulDotCom crew!
  • Planning for the 11th Annual Louisville Metro InfoSec Conference is now underway - the event will be Thursday October 3rd, 2013 in Shepherdsville KY just south of Louisville. We are looking for technical and business speakers from the infosec world - as well as sponsorships - which run from $500 - $5000 for a keynote sponsorship. Between 400-500 attendees will spend the day learning from world-class speakers, rubbing elbows with the regions security professionals, and having lots of fun! Visit the site at louisvilleinfosec.com.
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here! (Web site experiencing problems, will update link when it comes back)

Interview: Gunnar Peterson

Tech Segment: Chris Truncer on Veil

Chris Truncer is a Penetration Tester at Veris Group where he performs a variety of assessments for Federal and commercial customers. Currently Chris is supporting DHS and their development of a operational Penetration Testing team to support civilian government agencies. He currently helps to develop the overall program while also leading pen testing teams for other customers. His specialties include wireless network assessments and network level penetration testing. Recently, Chris became interested AV evasion methods, which led to the development of Veil.


On nearly every assessment, pen testers have to fight a battle against antivirus solutions. The level of effort that goes into each "battle" relies on the AV solution, its definitions, etc. Researching methods to bypass antivirus solutions has been an interest of mine on and off for the past 6 months. About two months ago I started to take a more serious look in how I could take my recent research and turn it into something that more usable and useful. I set out with a couple goals:

Bypass common AV solutions that I/we routinely encounter in most network environments Utilize payloads that are compatible with the Metasploit framework, expand in future releases Attempt to make each payload file as random as possible

With these goals in mind, I continued researching methods of bypassing AV. Since I wanted to maintain metasploit compatibility, I chose to use shellcode generated by the metasploit framework, specifically msfvenom. To accomplish this, I began looking into other available research, which is where I discovered a number of interesting techniques that a variety of people, such as Dave Kennedy and Debasish Mandal, already began to develop. From their research, I learned about really interesting ways to inject shellcode into memory through python. These methods were the foundation of the rest of my research.

Since the majority of our assessment are against predominantly Windows environments, it was important that the tool worked reliably against these systems. Since I chose to write the tool in Python, I had to figure out how to package the Python output files containing the obfuscated shellcode to execute on Windows without requiring Python to be installed on the target machine. One of the solutions I looked into was using Py2Exe. I knew other software used this method to convert their Python-based scripts or tools into an executable that could run on Windows and figured I could do the same. I began testing Py2Exe with the payload files I developed and was successful running the executables on various versions of Windows, so I started with that solution. The final part was for me to develop a tool that automated the payload generation process, and I'm happy to release Veil.

Veil is currently capable of using 7 different methods to make 21 different payloads, all of which result in reverse meterpreter connections. Veil provides the user with the option of using either Pyinstaller or Py2Exe to convert their python payload into an executable. With Pyinstaller, Veil users have their payload file converted into an executable all within Kali, which does not require the use of a second VM/Machine. When using Py2Exe,Veil will generate three files to which are required to create the final executable; a payload file (in Python), a file with runtime instructions for Py2Exe, and a batch script which handles converting the payload file into an executable. To generate the final payload, copy the three output files to a Windows host with Python, Py2Exe, and PyCrypto installed and execute the batch script. This will build the final executable that is uploaded to the target. Either method will create an executable file that can be dropped anywhere, on any Windows system, as all required libraries are stored within the executable. Once dropped on a system and executed, the payload will result in a meterpeter callback that is undetected by AV.

I’ve tested the packaged executable against multiple AV solutions (MSE, Kaspersky, AVG, Symantec, and McAfee), on both test systems and “in the wild,” and have a very high success rate, bypassing detection in almost every circumstance. I hope that, by releasing this tool, I can enable others in the community to provide more effective assessments by allowing them to focus their efforts on security risks and spend less time bypassing ineffective security measures that wouldn’t deter an actual adversary.

Setup:

  • For Kali:
    • Run the setup.sh file and follow the installation process
    • Once the setup.sh file has completed, delete the setup script.
  • - or -
    • Install Python 2.7
    • Install PyCrypto >= 2.3

Instructions for Use:

  • Run Veil from Kali and generate your payload
  • If using PyInstaller, your payload is converted into an exe and is ready for use!
  • If using Py2Exe
  • Move the payload.py along with its two accompanying files onto your Windows machine (that already has python and the other dependencies from above installed). All three files should be placed in the root of the directory Python was installed to (likely C:\Python27).
  • Run the batch script to convert the Python payload into an executable format.
  • Place the executable file on your target machine through any means necessary!

Future Direction:

  • Research new methods of encrypting or obfuscating the payload file
  • Research using other languages with direct access to the Windows API for delivering the payload


References:


Links:

Announcement

  • Larry teaching SANS SEC617 all over and coming to a city near you in 2013. It isn't too Late to sign up for my class in San Diego this May! (actually, it is, so sign up for SANSFIRE next month and NS2013 in Vegas!)

Stories

Paul's Stories

Larry’s Stories

Jack’s Stories

Allison's Stories

Patrick's Stories