
Pentester++


This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.

The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.


  1. Pentester++ From sysadmin to Veil developer
  2. uid=0(@christruncer) ● Team Lead for Veris Group’s Adaptive Threat Division ● Veil-Framework Co-Developer ● Security Researcher ● Interested in research or pen testing? Talk to me after :)
  3. What’s this talk about? ● Why scripting/development is essential ● Case study driven by examining scenarios and resulting scripts ● Largely Python based, but easily transferable
  4. Why Learn a Language? Make a computer do exactly what you want http://cdn4.thetechjournal.net/wp-content/uploads/2012/03/Control-PC-With-intendiX-SOCI-600x337.png
  5. What to start with? Plenty of great options:
  6. My Development Tips ● Start small ○ Veil wasn’t built in a day ;) ● Find tasks that you commonly perform or fix a problem you’ve encountered ● Pick a language you’re interested in ● Google and StackOverflow ● Dive in!
  7. My Development Philosophy ● Create a POC that meets your goal ● Clean up your code and comment it ● Make it usable by everyone, not just you ● Make it publicly available ● Maintain it
  8. My Development Philosophy
  9. So where did I start?
  10. CCDC ● Volunteered to help red-team a practice event ● @mubix helped provide pointers ○ Get scripts ready to fire ○ Suggested creating resource scripts ○ Prep for common exploits ● Started building scripts to assist in our red-team workflow
  11. Cortana ● Created by Raphael Mudge (developer of Armitage and Cobalt Strike) ● Event driven language, quite similar to any scripts you may have written for use on IRC… :)
  12. Helping the Red Team ● Problem: Blue teamers change passwords often ● Goal: A solution that automatically grabs hashes on a set interval ● Solution: Cortana Script
  13. Start Small ● Figure out what the script needs to do... ● Get System Privs ● Dump hashes ● Repeat actions on an interval ● Draw from existing examples ○ https://github.com/rsmudge/cortana-scripts
  14. https://github.com/rsmudge/cortana-scripts/blob/master/autoDiscover/autoAddEstablishedSessionHosts.cna https://github.com/rsmudge/cortana-scripts/blob/master/idlewatch/idlewatch.cna
  15. https://github.com/rsmudge/cortana-scripts/blob/master/login_autopwn/login_autopwn.cna https://github.com/rsmudge/cortana-scripts/blob/master/raven/install.cna
  16. Fruits of my Labor ● Got my feet wet in a new language ● Met the goals originally outlined ○ System Privs ○ Dump hashes ○ Do it every so often ● Made life a little harder for CCDC blue teamers :)
  17. Let’s Write from Scratch ● Try to find a (minor) problem/task that needs help at your work ● Outline exactly what you need ● Pick your language of choice
  18. Learn the basics (FNG phase) ● Hello world! ● Basic data types (strings, integers, etc.) ● Math, concatenation, loops, user-defined functions, etc.
  19. Python and Hasher ● Problem: The fastest way to check hashes on our tests was to submit them online… #opsecfail ● Goal: Create a script that generates hashes and can perform comparisons between hashes and plaintext strings ● Solution: Hasher :)
  20. Hasher Requirements ● Capability to do this without submitting hashes online ● Create hash from plaintext string ● Compare plaintext string and hash ● Support multiple hash types
  21. https://docs.python.org/2/library/hashlib.html & http://stackoverflow.com/questions/5297448/how-to-get-md5-sum-of-a-string
  22. Version 0.1 ● We figured out the basic functionality ● Now, start making it usable by others ○ Add a basic menu structure ○ Add functions that would be used (generate and compare) ● Prepare for users…. (Error check)
  23. ugh… users… and usability… ● Error checking - half your code :) ● Don’t want a user to be able to crash your program ○ Lack of usability can be the death of a project ● Command line arguments? ○ great for ease of use ○ also for scriptability/third party integration
  24. https://docs.python.org/2.7/library/argparse.html
  25. Wrap it up! ● Added ability to take command line arguments ● Supports multiple hash types ● Added the ability to generate hashes, or compare hash with plaintext
  26. Version Control? ● Use anything you are comfortable with ○ git ○ svn ○ cvs ○ etc… ● You will mess your code up ● You will delete your scripts/tools ● You will be thankful for checking your code in somewhere
  27. complexity++ moving beyond basic scripts
  28. EyeWitness Goal: Wanted a tool to screenshot URLs, show default creds, generate a report, not use PhantomJS, and wanted a challenge. Existing: PeepingTom (@lanmaster53) https://bitbucket.org/LaNMaSteR53/peepingtom/
  29. Google!
  30. StackOverflow! http://stackoverflow.com/questions/16344700/take-a-screenshot-from-a-website-from-commandline-or-with-python
  31. Ghost!
  32. Create the POC
  33. Improvements ● File input: ○ text ○ nmap ○ Nessus ● Basic port scanning ● Report generation ● “Signatures” for default credentials ● User Agent Switching/Comparison
  34. Report Generation ● Simple - HTML table tags ● Store server header and screenshot ● Multi-page reports ● Link structure required multiple loops to create ○ Counters are my friend
  35. Some EyeWitness Info/Stats ● Originally: 409 lines ● Currently: 1762 exactly ● Reasons? ○ port scanning ○ dir name specification ○ login signatures ○ etc. ● Real reason? ○ what’s your best guess
  36. Find Your True Calling #avlol
  37. The Veil-Framework ● Problem: antivirus can’t catch malware but does catch pentesters ● Goal: a way to get around antivirus as easily as professional malware ● Solution: a Python-based framework for generating shellcode injectors and Meterpreter stagers
  38. As always, ask the Google
  39. Have a POC ...next? ● Research obfuscation methods ○ Look at existing malware ○ Try encryption routines ● Generate random files off of template ○ Framework might help ● Automate as much as possible ○ I probably should do a framework..
  40. Released Veil 1.0 ● Small, single file script ● Limited payloads ● It worked ○ better than it should have :)
  41. Next steps ● Don’t use a single script ○ Maintaining can be a pain ○ Not easily extensible ○ A framework would be nice… ● Find a mentor ○ Ability to bounce questions is invaluable ○ Learning opportunities ○ Collaboration opportunities
  42. Team Up ● Teamed up with @harmj0y (formerly @the_grayhound) & @themightyshiv ● We had separate tools, so we combined our work ● @harmj0y didn’t sleep, combined code bases into a framework ○ Took this as an opportunity to learn python-based framework capabilities
  43. Veil 2.0
  44. Veil 2.0 ● Fully modular framework ○ drag-and-drop payloads! ● “Language agnostic” ○ implement additional language families ○ check out @harmj0y’s presentation later! ● Easily extensible ○ common library methods/crypters ● Huge UI focus ○ tab completion, command line flags, etc.
  45. How/What did I learn? ● Went back to learning from “existing” code (framework from @harmj0y) ● Learned to develop as a team (splitting tasks, accountability) ● Learned proper version control (git) ○ Don’t delete branches
  46. The Veil-Framework ● We started coming up with additional tool ideas, resulting in the “Veil-Framework” ○ “A toolset aiming to bridge the gap between pentesting and red teaming capabilities” ● Veil was renamed to Veil-Evasion ○ Veil-Catapult: initial payload delivery system, released at ShmooCon ‘14 ○ Veil-PowerView: network situational
  47. The State of Veil-Evasion ● Still an actively maintained project ● V-Day ○ for victory over antivirus :) ○ since 9/15/2013, we’ve released at least one new payload on the 15th of every month ● Hoping for community involvement ○ hint.. hint… :)
  48. Fin ● Find something you’re passionate/interested in ● Start small, and finish it ● Make it usable and stable! Lack of usability and stability is death to a project. ● Maintain it, and enjoy doing it
  49. Questions? ● @ChrisTruncer ● https://github.com/christruncer ● chris@christophertruncer.com ● https://www.veil-framework.com/
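The Hasher slides (19 to 25) describe an offline generate/compare tool built on hashlib and argparse with error checking so users cannot crash it. The script below is an added example written for this page, not Chris Truncer's Hasher code; the supported-type list, the flag names and the length-based type detection are my own choices. Comparison goes through hmac.compare_digest so the check is constant-time.

```python
import argparse
import hashlib
import hmac

# Whitelist the hash types so a typo in the name is rejected, not silently accepted.
SUPPORTED = ("md5", "sha1", "sha256", "sha512")

def generate_hash(plaintext, algorithm="md5"):
    """Hex digest of plaintext under the chosen algorithm, computed locally."""
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported hash type: %s" % algorithm)
    return hashlib.new(algorithm, plaintext.encode("utf-8")).hexdigest()

def detect_algorithm(digest):
    """Infer the hash type from the hex digest length; None if nothing fits."""
    for name in SUPPORTED:
        if len(digest) == hashlib.new(name).digest_size * 2:
            return name
    return None

def compare_hash(plaintext, digest, algorithm=None):
    """True if plaintext hashes to digest; the type is inferred unless given.
    hmac.compare_digest keeps the comparison constant-time."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not a hex string")
    algorithm = algorithm or detect_algorithm(digest)
    if algorithm is None:
        raise ValueError("cannot infer hash type from %d hex chars" % len(digest))
    return hmac.compare_digest(generate_hash(plaintext, algorithm), digest)

def main(argv=None):
    parser = argparse.ArgumentParser(description="offline hash generate/compare")
    parser.add_argument("plaintext", help="string to hash or to test")
    parser.add_argument("-t", "--type", choices=SUPPORTED, help="hash type")
    parser.add_argument("-c", "--compare", metavar="HASH", help="hash to check against")
    args = parser.parse_args(argv)
    try:  # bad user input becomes a usage error, not a traceback
        if args.compare:
            print("match" if compare_hash(args.plaintext, args.compare, args.type) else "no match")
        else:
            print(generate_hash(args.plaintext, args.type or "md5"))
    except ValueError as err:
        parser.error(str(err))

if __name__ == "__main__":
    main()
```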
