Your SlideShare is downloading. ×
The Veil-Framework
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

The Veil-Framework

3,120
views

Published on

This presentation is about the Veil-Framework and its various components. This talk was given at CarolinaCon X (2014).

This presentation is about the Veil-Framework and its various components. This talk was given at CarolinaCon X (2014).

Published in: Technology

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,120
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
117
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. The Veil-Framework @HarmJ0y @ChrisTruncer @VeilFramework
  • 2. Who Are We?  Will Schroeder (@harmj0y)  Former national research lab keyboard monkey  Chris Truncer (@ChrisTruncer)  Florida State Graduate – Go Noles!  Veris group pentesters by day, offensive security researchers by night  And we’re hiring!
  • 3. Overview  The Initial Problem  Public Reaction and Ethical Considerations  The Veil-Framework  Evading AV: Veil-Evasion  Payload Delivery: Veil-Catapult  Situation Awareness: Veil- PowerView  Demos Throughout
  • 4. The Initial Problem  Antivirus doesn’t catch malware but (sometimes) catches pentesters
  • 5. Our Initial Solution  A way to get around antivirus as easily as professional malware  Don’t want to roll our own backdoor each time  Find a way to execute existing shellcode in an AV-evading way
  • 6. The Veil-Framework  A toolset aiming to bridge the gap between pentesting and red teaming capabilities  We started with Veil-Evasion, and began to branch out to payload delivery and Powershell exploitation  Nothing revolutionary here, but want to bring together existing techniques and incremental research try to push things forward
  • 7. Ethical Considerations  The disclosure debate is not new…  Pentesters are 5+ years behind the professional malware community  This is already a problem the bad guys have solved
  • 8. HD Moore’s Take  “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.”  https://community.rapid7.com/community/meta sploit/blog/2009/02/23/the-best-defense-is- information
  • 9. Public Reaction  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?”  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?”  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.”  http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a _metasploit_payload_generator_for_bypassing/
  • 10. Twitter Reaction
  • 11. Twitter Reaction
  • 12. Evading AV Veil-Evasion
  • 13. Veil-Evasion’s Approach  Aggregation of various shellcode injection techniques across multiple languages  These have been known and documented in other tools  Focused on automation, usability, and developing a true framework  Some shellcodeless Meterpreter stagers and “auxiliary” modules as well
  • 14. Veil-Evasion Features  Can use Metasploit-generated or custom shellcode  MSF payloads/options dynamically loaded  In the process of porting msfvenom  Third party tools can be easily integrated  Hyperion, PEScrambler, BackDoor Factory, etc.  Command line switches to allow scriptability
  • 15. Native Compilation Python: pyinstaller/py2exe C#: mono for .NET C: mingw32
  • 16. Module Development  Implement your own obfuscation methods!  Lots of reusable functionality  Shellcode generation is abstracted and can be invoked as needed  https://www.veil-framework.com/tutorial-veil- payload-development/
  • 17. Shellcode Injection  Void pointer casting  no guarantee the memory region is executable  VirtualAlloc  allocate memory as RWX, copy code in and create a thread  HeapAlloc  create a heap object and manually allocate memory
  • 18. Pyinstaller and DEP  Pyinstaller produced .exe’s are DEP enabled by default  this ruins some shellcode injection methods  Luckily Pyinstaller is open source  we can recompile to turn off DEP opt-in  https://www.veil-evasion.com/dep-pyinstaller/
  • 19. Pwnstaller  A generator for obfuscated Pyinstaller loaders  BSides Boston „14 – Pwnstaller 1.0  Dynamically generates and compiles a new Pyinstaller loader on the fly  http://www.harmj0y.net/blog/python/pwnstaller- 1-0/
  • 20. Payload Releases #VDay
  • 21. VDay  Since 9/15/2013, we’ve release at least one new payload on the 15th of every month  32 currently published payloads  20+ additional payloads have been developed so far  we’re going to be releasing for a while :)
  • 22. Native Stagers  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode  Meterpreter stagers can be written in higher-level languages  https://github.com/rsmudge/metasploit-loader
  • 23. Veil-Evasion Stagers  The following are the stagers currently available in the framework (as of 5/15/14): Language Stager Python meterpreter/rev_tcp Python meterpreter/rev_http Python meterpreter/rev_http_contained Python meterpreter/rev_https Python meterpreter/rev_https_contained
  • 24. Veil-Evasion Stagers Language Stager C# meterpreter/rev_tcp C# meterpreter/rev_http C# meterpreter/rev_https C meterpreter/rev_tcp C meterpreter/rev_tcp_service C meterpreter/rev_http C meterpreter/rev_http_service
  • 25. How Stagers Work  1) a tcp connection is opened to the handler  2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll  3) the socket number for this tcp connection is pushed into the edi register  4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)  reverse_http stagers skip steps 2 and 3
  • 26. Veil-Evasion Demo
  • 27. Payload Delivery Veil-Catapult
  • 28. Veil-Catapult
  • 29. Veil-Catapult  After payload generation, our focus shifted to delivery  Features nice integration with Veil-Evasion for on- the-fly payload generation  Cleanup scripts generated for payload killing and deletion  Command line flags for every option  https://www.veil-framework.com/catapult/
  • 30. .EXE Delivery  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe  Payloads are delivered in one of two ways:  upload/execute using Impacket and pth-toolkit  host/execute UNC path to the attacker’s box  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
  • 31. Standalone Payloads  Powershell: shellcode injector, bye bye disk writes  http://www.exploit- monday.com/2011/10/exploiting-powershells- features-not.html  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide)  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
  • 32. Barebones Python  Uploads a minimal python .zip installation and 7zip binary  Python environment unzipped, shellcode invoked using “-c …”  The only files that touch disk are trusted python libraries and a python interpreter  Gets right by some reputation filters and antivirus!  https://www.veil-framework.com/barebones- python-injection/
  • 33. Veil-Catapult Demo
  • 34. Situational Awareness Veil-PowerView
  • 35. Situational Awareness; redux  Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration  Old schoolz:  net group /domain  net group “domain admins” /domain  net users /domain  net user “jsmith” /domain  net view //hostname  netsess.exe  custom tools utilizing WinAPI calls  blah blah blah
  • 36. Veil-PowerView  A pure Powershell situational awareness tool  https://www.veil-framework.com/veil-powerview/  Arose partially because a client banned “net” commands on domain machines  annoying, but only a minor roadblock  Otherwise initially inspired by Rob Fuller’s netview.exe tool  Wanted something a bit more flexible that also didn’t drop a binary to disk  Started to explore and expand functionality
  • 37. Get-Net*  Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls  Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.  See README.md for complete list, and function descriptions for usage options
  • 38. Meta-Functions  Invoke-Netview: full-featured netview.exe replacement, plus more:  hostlists, jitter/delay, check share access, etc.  Invoke-ShareFinder: finds open shares on the network and checks if you have read access  Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module  finds machines the current user has admin access to  Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
  • 39. User Hunting  Goal: find which domain machines specific users are logged into  Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users!  Utilizes Get-NetSessions and Get-NetLoggedon  Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get-NetSessions on file servers to hunt for targets  Significantly less traffic than Invoke-UserHunter
  • 40. Veil-PowerView Demo
  • 41. Get the Veil-Framework  Github: https://github.com/Veil-Framework/  Read more: https://www.veil-framework.com  Now in Kali: apt-get install veil
  • 42. Questions?  harmj0y@veil-framework.com  @harmj0y  chris@veil-framework.com  @ChrisTruncer  #veil on freenode  forums at https://veil-framework.com/forums/