The Veil-Framework

May. 17, 2014

More Related Content


The Veil-Framework

  1. The Veil-Framework @HarmJ0y @ChrisTruncer @VeilFramework
  2. Who Are We?  Will Schroeder (@harmj0y)  Former national research lab keyboard monkey  Chris Truncer (@ChrisTruncer)  Florida State Graduate – Go Noles!  Veris group pentesters by day, offensive security researchers by night  And we’re hiring!
  3. Overview  The Initial Problem  Public Reaction and Ethical Considerations  The Veil-Framework  Evading AV: Veil-Evasion  Payload Delivery: Veil-Catapult  Situation Awareness: Veil- PowerView  Demos Throughout
  4. The Initial Problem  Antivirus doesn’t catch malware but (sometimes) catches pentesters
  5. Our Initial Solution  A way to get around antivirus as easily as professional malware  Don’t want to roll our own backdoor each time  Find a way to execute existing shellcode in an AV-evading way
  6. The Veil-Framework  A toolset aiming to bridge the gap between pentesting and red teaming capabilities  We started with Veil-Evasion, and began to branch out to payload delivery and Powershell exploitation  Nothing revolutionary here, but want to bring together existing techniques and incremental research try to push things forward
  7. Ethical Considerations  The disclosure debate is not new…  Pentesters are 5+ years behind the professional malware community  This is already a problem the bad guys have solved
  8. HD Moore’s Take  “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.”  sploit/blog/2009/02/23/the-best-defense-is- information
  9. Public Reaction  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?”  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?”  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.”  _metasploit_payload_generator_for_bypassing/
  10. Twitter Reaction
  11. Twitter Reaction
  12. Evading AV Veil-Evasion
  13. Veil-Evasion’s Approach  Aggregation of various shellcode injection techniques across multiple languages  These have been known and documented in other tools  Focused on automation, usability, and developing a true framework  Some shellcodeless Meterpreter stagers and “auxiliary” modules as well
  14. Veil-Evasion Features  Can use Metasploit-generated or custom shellcode  MSF payloads/options dynamically loaded  In the process of porting msfvenom  Third party tools can be easily integrated  Hyperion, PEScrambler, BackDoor Factory, etc.  Command line switches to allow scriptability
  15. Native Compilation Python: pyinstaller/py2exe C#: mono for .NET C: mingw32
  16. Module Development  Implement your own obfuscation methods!  Lots of reusable functionality  Shellcode generation is abstracted and can be invoked as needed  payload-development/
  17. Shellcode Injection  Void pointer casting  no guarantee the memory region is executable  VirtualAlloc  allocate memory as RWX, copy code in and create a thread  HeapAlloc  create a heap object and manually allocate memory
  18. Pyinstaller and DEP  Pyinstaller produced .exe’s are DEP enabled by default  this ruins some shellcode injection methods  Luckily Pyinstaller is open source  we can recompile to turn off DEP opt-in 
  19. Pwnstaller  A generator for obfuscated Pyinstaller loaders  BSides Boston „14 – Pwnstaller 1.0  Dynamically generates and compiles a new Pyinstaller loader on the fly  1-0/
  20. Payload Releases #VDay
  21. VDay  Since 9/15/2013, we’ve release at least one new payload on the 15th of every month  32 currently published payloads  20+ additional payloads have been developed so far  we’re going to be releasing for a while :)
  22. Native Stagers  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode  Meterpreter stagers can be written in higher-level languages 
  23. Veil-Evasion Stagers  The following are the stagers currently available in the framework (as of 5/15/14): Language Stager Python meterpreter/rev_tcp Python meterpreter/rev_http Python meterpreter/rev_http_contained Python meterpreter/rev_https Python meterpreter/rev_https_contained
  24. Veil-Evasion Stagers Language Stager C# meterpreter/rev_tcp C# meterpreter/rev_http C# meterpreter/rev_https C meterpreter/rev_tcp C meterpreter/rev_tcp_service C meterpreter/rev_http C meterpreter/rev_http_service
  25. How Stagers Work  1) a tcp connection is opened to the handler  2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll  3) the socket number for this tcp connection is pushed into the edi register  4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)  reverse_http stagers skip steps 2 and 3
  26. Veil-Evasion Demo
  27. Payload Delivery Veil-Catapult
  28. Veil-Catapult
  29. Veil-Catapult  After payload generation, our focus shifted to delivery  Features nice integration with Veil-Evasion for on- the-fly payload generation  Cleanup scripts generated for payload killing and deletion  Command line flags for every option 
  30. .EXE Delivery  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe  Payloads are delivered in one of two ways:  upload/execute using Impacket and pth-toolkit  host/execute UNC path to the attacker’s box  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
  31. Standalone Payloads  Powershell: shellcode injector, bye bye disk writes  http://www.exploit- features-not.html  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide)  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
  32. Barebones Python  Uploads a minimal python .zip installation and 7zip binary  Python environment unzipped, shellcode invoked using “-c …”  The only files that touch disk are trusted python libraries and a python interpreter  Gets right by some reputation filters and antivirus!  python-injection/
  33. Veil-Catapult Demo
  34. Situational Awareness Veil-PowerView
  35. Situational Awareness; redux  Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration  Old schoolz:  net group /domain  net group “domain admins” /domain  net users /domain  net user “jsmith” /domain  net view //hostname  netsess.exe  custom tools utilizing WinAPI calls  blah blah blah
  36. Veil-PowerView  A pure Powershell situational awareness tool   Arose partially because a client banned “net” commands on domain machines  annoying, but only a minor roadblock  Otherwise initially inspired by Rob Fuller’s netview.exe tool  Wanted something a bit more flexible that also didn’t drop a binary to disk  Started to explore and expand functionality
  37. Get-Net*  Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls  Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.  See for complete list, and function descriptions for usage options
  38. Meta-Functions  Invoke-Netview: full-featured netview.exe replacement, plus more:  hostlists, jitter/delay, check share access, etc.  Invoke-ShareFinder: finds open shares on the network and checks if you have read access  Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module  finds machines the current user has admin access to  Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
  39. User Hunting  Goal: find which domain machines specific users are logged into  Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users!  Utilizes Get-NetSessions and Get-NetLoggedon  Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get-NetSessions on file servers to hunt for targets  Significantly less traffic than Invoke-UserHunter
  40. Veil-PowerView Demo
  41. Get the Veil-Framework  Github:  Read more:  Now in Kali: apt-get install veil
  42. Questions?   @harmj0y   @ChrisTruncer  #veil on freenode  forums at