The Veil-Framework
Report
VeilFrameworkFollow
May. 17, 2014•0 likes•12,123 views
5 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Check these out next
The Veil-Framework
May. 17, 2014•0 likes•12,123 views
5 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Technology
This presentation is about the Veil-Framework and its various components. This talk was given at CarolinaCon X (2014).
VeilFrameworkFollow
Recommended
Veil-OrdnanceVeilFramework
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
Higher Level MalwareCTruncer
The Veil-Framework
- The Veil-Framework @HarmJ0y @ChrisTruncer @VeilFramework
- Who Are We? Will Schroeder (@harmj0y) Former national research lab keyboard monkey Chris Truncer (@ChrisTruncer) Florida State Graduate – Go Noles! Veris group pentesters by day, offensive security researchers by night And we’re hiring!
- Overview The Initial Problem Public Reaction and Ethical Considerations The Veil-Framework Evading AV: Veil-Evasion Payload Delivery: Veil-Catapult Situation Awareness: Veil- PowerView Demos Throughout
- The Initial Problem Antivirus doesn’t catch malware but (sometimes) catches pentesters
- Our Initial Solution A way to get around antivirus as easily as professional malware Don’t want to roll our own backdoor each time Find a way to execute existing shellcode in an AV-evading way
- The Veil-Framework A toolset aiming to bridge the gap between pentesting and red teaming capabilities We started with Veil-Evasion, and began to branch out to payload delivery and Powershell exploitation Nothing revolutionary here, but want to bring together existing techniques and incremental research try to push things forward
- Ethical Considerations The disclosure debate is not new… Pentesters are 5+ years behind the professional malware community This is already a problem the bad guys have solved
- HD Moore’s Take “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.” https://community.rapid7.com/community/meta sploit/blog/2009/02/23/the-best-defense-is- information
- Public Reaction “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?” “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?” “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.” http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a _metasploit_payload_generator_for_bypassing/
- Twitter Reaction
- Twitter Reaction
- Evading AV Veil-Evasion
- Veil-Evasion’s Approach Aggregation of various shellcode injection techniques across multiple languages These have been known and documented in other tools Focused on automation, usability, and developing a true framework Some shellcodeless Meterpreter stagers and “auxiliary” modules as well
- Veil-Evasion Features Can use Metasploit-generated or custom shellcode MSF payloads/options dynamically loaded In the process of porting msfvenom Third party tools can be easily integrated Hyperion, PEScrambler, BackDoor Factory, etc. Command line switches to allow scriptability
- Native Compilation Python: pyinstaller/py2exe C#: mono for .NET C: mingw32
- Module Development Implement your own obfuscation methods! Lots of reusable functionality Shellcode generation is abstracted and can be invoked as needed https://www.veil-framework.com/tutorial-veil- payload-development/
- Shellcode Injection Void pointer casting no guarantee the memory region is executable VirtualAlloc allocate memory as RWX, copy code in and create a thread HeapAlloc create a heap object and manually allocate memory
- Pyinstaller and DEP Pyinstaller produced .exe’s are DEP enabled by default this ruins some shellcode injection methods Luckily Pyinstaller is open source we can recompile to turn off DEP opt-in https://www.veil-evasion.com/dep-pyinstaller/
- Pwnstaller A generator for obfuscated Pyinstaller loaders BSides Boston „14 – Pwnstaller 1.0 Dynamically generates and compiles a new Pyinstaller loader on the fly http://www.harmj0y.net/blog/python/pwnstaller- 1-0/
- Payload Releases #VDay
- VDay Since 9/15/2013, we’ve release at least one new payload on the 15th of every month 32 currently published payloads 20+ additional payloads have been developed so far we’re going to be releasing for a while :)
- Native Stagers Stage 1 Meterpreter loaders don’t have to be implemented in shellcode Meterpreter stagers can be written in higher-level languages https://github.com/rsmudge/metasploit-loader
- Veil-Evasion Stagers The following are the stagers currently available in the framework (as of 5/15/14): Language Stager Python meterpreter/rev_tcp Python meterpreter/rev_http Python meterpreter/rev_http_contained Python meterpreter/rev_https Python meterpreter/rev_https_contained
- Veil-Evasion Stagers Language Stager C# meterpreter/rev_tcp C# meterpreter/rev_http C# meterpreter/rev_https C meterpreter/rev_tcp C meterpreter/rev_tcp_service C meterpreter/rev_http C meterpreter/rev_http_service
- How Stagers Work 1) a tcp connection is opened to the handler 2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll 3) the socket number for this tcp connection is pushed into the edi register 4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc) reverse_http stagers skip steps 2 and 3
- Veil-Evasion Demo
- Payload Delivery Veil-Catapult
- Veil-Catapult
- Veil-Catapult After payload generation, our focus shifted to delivery Features nice integration with Veil-Evasion for on- the-fly payload generation Cleanup scripts generated for payload killing and deletion Command line flags for every option https://www.veil-framework.com/catapult/
- .EXE Delivery Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe Payloads are delivered in one of two ways: upload/execute using Impacket and pth-toolkit host/execute UNC path to the attacker’s box UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
- Standalone Payloads Powershell: shellcode injector, bye bye disk writes http://www.exploit- monday.com/2011/10/exploiting-powershells- features-not.html Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide) Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
- Barebones Python Uploads a minimal python .zip installation and 7zip binary Python environment unzipped, shellcode invoked using “-c …” The only files that touch disk are trusted python libraries and a python interpreter Gets right by some reputation filters and antivirus! https://www.veil-framework.com/barebones- python-injection/
- Veil-Catapult Demo
- Situational Awareness Veil-PowerView
- Situational Awareness; redux Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration Old schoolz: net group /domain net group “domain admins” /domain net users /domain net user “jsmith” /domain net view //hostname netsess.exe custom tools utilizing WinAPI calls blah blah blah
- Veil-PowerView A pure Powershell situational awareness tool https://www.veil-framework.com/veil-powerview/ Arose partially because a client banned “net” commands on domain machines annoying, but only a minor roadblock Otherwise initially inspired by Rob Fuller’s netview.exe tool Wanted something a bit more flexible that also didn’t drop a binary to disk Started to explore and expand functionality
- Get-Net* Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc. See README.md for complete list, and function descriptions for usage options
- Meta-Functions Invoke-Netview: full-featured netview.exe replacement, plus more: hostlists, jitter/delay, check share access, etc. Invoke-ShareFinder: finds open shares on the network and checks if you have read access Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module finds machines the current user has admin access to Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
- User Hunting Goal: find which domain machines specific users are logged into Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users! Utilizes Get-NetSessions and Get-NetLoggedon Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get-NetSessions on file servers to hunt for targets Significantly less traffic than Invoke-UserHunter
- Veil-PowerView Demo
- Get the Veil-Framework Github: https://github.com/Veil-Framework/ Read more: https://www.veil-framework.com Now in Kali: apt-get install veil
- Questions? harmj0y@veil-framework.com @harmj0y chris@veil-framework.com @ChrisTruncer #veil on freenode forums at https://veil-framework.com/forums/