Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Veil-Framework


Published on

This presentation is about the Veil-Framework and its various components. This talk was given at CarolinaCon X (2014).

Published in: Technology
  • Be the first to comment

The Veil-Framework

  1. 1. The Veil-Framework @HarmJ0y @ChrisTruncer @VeilFramework
  2. 2. Who Are We?  Will Schroeder (@harmj0y)  Former national research lab keyboard monkey  Chris Truncer (@ChrisTruncer)  Florida State Graduate – Go Noles!  Veris group pentesters by day, offensive security researchers by night  And we’re hiring!
  3. 3. Overview  The Initial Problem  Public Reaction and Ethical Considerations  The Veil-Framework  Evading AV: Veil-Evasion  Payload Delivery: Veil-Catapult  Situation Awareness: Veil- PowerView  Demos Throughout
  4. 4. The Initial Problem  Antivirus doesn’t catch malware but (sometimes) catches pentesters
  5. 5. Our Initial Solution  A way to get around antivirus as easily as professional malware  Don’t want to roll our own backdoor each time  Find a way to execute existing shellcode in an AV-evading way
  6. 6. The Veil-Framework  A toolset aiming to bridge the gap between pentesting and red teaming capabilities  We started with Veil-Evasion, and began to branch out to payload delivery and Powershell exploitation  Nothing revolutionary here, but want to bring together existing techniques and incremental research try to push things forward
  7. 7. Ethical Considerations  The disclosure debate is not new…  Pentesters are 5+ years behind the professional malware community  This is already a problem the bad guys have solved
  8. 8. HD Moore’s Take  “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.”  sploit/blog/2009/02/23/the-best-defense-is- information
  9. 9. Public Reaction  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?”  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?”  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.”  _metasploit_payload_generator_for_bypassing/
  10. 10. Twitter Reaction
  11. 11. Twitter Reaction
  12. 12. Evading AV Veil-Evasion
  13. 13. Veil-Evasion’s Approach  Aggregation of various shellcode injection techniques across multiple languages  These have been known and documented in other tools  Focused on automation, usability, and developing a true framework  Some shellcodeless Meterpreter stagers and “auxiliary” modules as well
  14. 14. Veil-Evasion Features  Can use Metasploit-generated or custom shellcode  MSF payloads/options dynamically loaded  In the process of porting msfvenom  Third party tools can be easily integrated  Hyperion, PEScrambler, BackDoor Factory, etc.  Command line switches to allow scriptability
  15. 15. Native Compilation Python: pyinstaller/py2exe C#: mono for .NET C: mingw32
  16. 16. Module Development  Implement your own obfuscation methods!  Lots of reusable functionality  Shellcode generation is abstracted and can be invoked as needed  payload-development/
  17. 17. Shellcode Injection  Void pointer casting  no guarantee the memory region is executable  VirtualAlloc  allocate memory as RWX, copy code in and create a thread  HeapAlloc  create a heap object and manually allocate memory
  18. 18. Pyinstaller and DEP  Pyinstaller produced .exe’s are DEP enabled by default  this ruins some shellcode injection methods  Luckily Pyinstaller is open source  we can recompile to turn off DEP opt-in 
  19. 19. Pwnstaller  A generator for obfuscated Pyinstaller loaders  BSides Boston „14 – Pwnstaller 1.0  Dynamically generates and compiles a new Pyinstaller loader on the fly  1-0/
  20. 20. Payload Releases #VDay
  21. 21. VDay  Since 9/15/2013, we’ve release at least one new payload on the 15th of every month  32 currently published payloads  20+ additional payloads have been developed so far  we’re going to be releasing for a while :)
  22. 22. Native Stagers  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode  Meterpreter stagers can be written in higher-level languages 
  23. 23. Veil-Evasion Stagers  The following are the stagers currently available in the framework (as of 5/15/14): Language Stager Python meterpreter/rev_tcp Python meterpreter/rev_http Python meterpreter/rev_http_contained Python meterpreter/rev_https Python meterpreter/rev_https_contained
  24. 24. Veil-Evasion Stagers Language Stager C# meterpreter/rev_tcp C# meterpreter/rev_http C# meterpreter/rev_https C meterpreter/rev_tcp C meterpreter/rev_tcp_service C meterpreter/rev_http C meterpreter/rev_http_service
  25. 25. How Stagers Work  1) a tcp connection is opened to the handler  2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll  3) the socket number for this tcp connection is pushed into the edi register  4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)  reverse_http stagers skip steps 2 and 3
  26. 26. Veil-Evasion Demo
  27. 27. Payload Delivery Veil-Catapult
  28. 28. Veil-Catapult
  29. 29. Veil-Catapult  After payload generation, our focus shifted to delivery  Features nice integration with Veil-Evasion for on- the-fly payload generation  Cleanup scripts generated for payload killing and deletion  Command line flags for every option 
  30. 30. .EXE Delivery  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe  Payloads are delivered in one of two ways:  upload/execute using Impacket and pth-toolkit  host/execute UNC path to the attacker’s box  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
  31. 31. Standalone Payloads  Powershell: shellcode injector, bye bye disk writes  http://www.exploit- features-not.html  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide)  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
  32. 32. Barebones Python  Uploads a minimal python .zip installation and 7zip binary  Python environment unzipped, shellcode invoked using “-c …”  The only files that touch disk are trusted python libraries and a python interpreter  Gets right by some reputation filters and antivirus!  python-injection/
  33. 33. Veil-Catapult Demo
  34. 34. Situational Awareness Veil-PowerView
  35. 35. Situational Awareness; redux  Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration  Old schoolz:  net group /domain  net group “domain admins” /domain  net users /domain  net user “jsmith” /domain  net view //hostname  netsess.exe  custom tools utilizing WinAPI calls  blah blah blah
  36. 36. Veil-PowerView  A pure Powershell situational awareness tool   Arose partially because a client banned “net” commands on domain machines  annoying, but only a minor roadblock  Otherwise initially inspired by Rob Fuller’s netview.exe tool  Wanted something a bit more flexible that also didn’t drop a binary to disk  Started to explore and expand functionality
  37. 37. Get-Net*  Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls  Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.  See for complete list, and function descriptions for usage options
  38. 38. Meta-Functions  Invoke-Netview: full-featured netview.exe replacement, plus more:  hostlists, jitter/delay, check share access, etc.  Invoke-ShareFinder: finds open shares on the network and checks if you have read access  Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module  finds machines the current user has admin access to  Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
  39. 39. User Hunting  Goal: find which domain machines specific users are logged into  Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users!  Utilizes Get-NetSessions and Get-NetLoggedon  Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get-NetSessions on file servers to hunt for targets  Significantly less traffic than Invoke-UserHunter
  40. 40. Veil-PowerView Demo
  41. 41. Get the Veil-Framework  Github:  Read more:  Now in Kali: apt-get install veil
  42. 42. Questions?   @harmj0y   @ChrisTruncer  #veil on freenode  forums at