Sunday 19 April 2015

Quickly evading AV: simple and basic

Hi all,

So I have been reading “The Hacker Playbook” (found here) and was on the topic of evading AV. I was also looking at my OSCP course guide, as I am starting the labs again soon, and it was on AV too, so I thought: why not test it out instead of just knowing the theory!

The Hacker Playbook goes through using PowerSploit and executing a command which can download scripts from there and run them in memory; one example is using a keylogger and having it execute in memory. Pretty sweet.

PyInstaller and all sorts of techniques were explained; most of you would be aware of the Veil-Framework. So I thought I would try to inject a payload into an executable via msfvenom and see if AV would pick it up, and if so, see if I could evade AV.


Testing AV evasion

My setup is simple: a Kali box and a Windows VM with free AV installed, nothing enterprise size.

So I decided to follow this tutorial from Insecurety (note the 2012 date). It is old, but with security being behind in certain areas it was worth giving it a shot.

The idea of injecting into a payload is explained in the post quite clearly as “By backdooring a legitimate executable, we can effectively hide our ‘evil’ code amongst a pile of ‘good’ code, and backdoor it in an undetectable manner. This means antivirus software will have a hard time finding our backdoor – or at least that is what we hope.”

The key point being: hiding the malicious code amongst good code. The only problem is that if the malicious code does not interrupt the execution of the program, it can easily be detected. It would be like trying to hide a ‘B’ in front of or behind a line of ‘A’s, the 3 B’s being malicious code to launch a reverse shell, for example.

  • Example: AAAAAAAAAA
  • Example of not interrupting the execution: BBBAAAAAA
  • Example 2: AAABAAAAAAABAAAAABAA

The example of not interrupting the execution shows the B’s standing out like a sore thumb, so an AV would simply scan a normal executable and, if the malicious code is all together as one block, it could be flagged as malicious.

Whereas in example 2 the malicious code is broken up, making it harder for the AV to detect the malicious code as being a reverse shell. This is a most basic example and it is how I visualise the process of simply injecting malicious code into a normal executable, say putty.exe.

So following the Insecurety tutorial I created a reverse HTTPS Meterpreter shell using putty.exe. I then copied it onto a shared folder to move it onto my Windows testing machine. I dropped the exe onto the Windows machine and thought “oh, it worked”, but after a few seconds it scanned the exe and found it to be malicious (my low RAM may be the cause of the delay). I did not have to execute it; it was picked up before that.


Avast picked it up as a trojan. I did a quick Google for win32 swrort and found from Lavasoft that it detects it as: “Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).” Aka a backdoor.

Example of AV warning:

[screenshot: Selection_001]

So I wanted to delve deeper and see if I could bypass basic AV, since you need those l33t skillz. “The Hacker Playbook” has you install the Veil-Framework in the setup phase and also discusses it in the evading AV section. So without reading more, I jumped on to install Veil and wanted to follow the steps in Veil for creating a payload to evade AV.

I am a BIG fan of Python and have heard much about py2exe and PyInstaller, so I wanted to create a Python executable that launched a Meterpreter reverse HTTPS payload (staged version): the same payload used in the Insecurety blog post, so I could test the bypass with the same reverse shell.

So I followed the steps through Veil, which is very simple.

I created a Python Meterpreter reverse shell via HTTPS, encrypting communications, and used pyherion (it encrypts the data; I may do some more reading and post on how it works).


You can see the options and output below:

[screenshot: veil_1]


So I did the same again with a new executable, nothing to do with putty.exe this time, but I wanted to use the same payload which my AV has the signature for and will detect. I dropped it onto my Windows machine and nothing happened, *yes, it’s on the machine*.


I set up an msf multi/handler listener to catch it. I had to set the payload to windows/meterpreter/reverse_https (the staged version). I believe if you do not set a payload it by default expects the non-staged version of the Windows Meterpreter reverse HTTPS payload.

Setting the payload:

msf exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(handler) > exploit

I double-clicked the executable to launch it; free Avast popped up with a ‘DEEP INSPECTION’ and I thought “crap, it’s picked it up”, but no! It allowed it to execute.


Catching the reverse shell from my Python executable with my Meterpreter listener:


[screenshot: veil_2]


So that was a fun adventure, and it did not take too long to complete. Feel free to add any comments on what you have done, or a more in-depth explanation of the how and why of the evasion.

Saturday 4 April 2015

Priv_checker Recon script && Free material


Hi All,

Been a while since posting. Gone through a lot in a YEAR, but I think that will be for another post. I am more excited about some scripts I have been working on.

I am planning to take the OSCP challenge in June, so I thought I would automate some things. So far: automating the privilege checking on Windows and Unix boxes, and automating recon.


Python Privilege Checker

The first I would like to present is my Python privilege checking script. I got the idea for this one from a blog post for an OSCP review, which can be found at Securitysift (also @securitysift).

He writes it in Python as well, and as I am a great fan of Python I decided to write it in the same language.

My focus is that the output is to be reviewed by me, so I did not need to create an HTML template. As it is for when I am on a box, I wanted to use native Windows/Linux commands to create text files for my output.

The most basic flow of my script is:

  • Check if Linux or Windows OS
    • If Linux: run all Linux system commands
    • If Windows: run all Windows commands


The code is on Pastebin for the month. I am figuring out an easier way to highlight my python code.

I have also created the start of a batch file in case the Windows box does not a) have Python installed or b) allow me to run executables (PyInstaller). A shell script is also in the making in case I find myself on a Unix box unable to run Python scripts.

http://pastebin.com/zfDihegh


Recon script

I also gained the idea from the same blog from @securitysift.

My recon script at the moment does a simple nmap scan on all ports, parses the output from an XML file and runs other nmap scans based on the ports it finds. I wanted to use the grepable format so as not to copycat @securitysift, but found that the grepable output is difficult to parse and XML was much easier. So why re-invent the wheel.

The code again can be found here:

http://pastebin.com/8pGG4fG6
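The parse step of that flow, as an added example (not the script on Pastebin): it reads an nmap -oX report with the standard library, keeps only ports in the open state (filtered or closed ports should not trigger follow-up scans), and builds, without running, one version/script scan per host limited to its open ports, with plain-text output like the post describes. The XML is a constructed, trimmed sample, not real scan output, and the output directory name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an nmap -oX report (two hosts, trimmed to the elements the
# parser needs); not real scan output.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""

def parse_open_ports(xml_text):
    """Return {ip: [(port, protocol, service_name), ...]} with open ports only."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # skip hosts with no IPv4 address element
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports get no follow-up scan
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        results[addr.get("addr")] = open_ports
    return results

def followup_scans(results, out_dir="recon"):
    """Build (not run) one version/script scan per host, limited to its open
    ports, writing plain-text output (-oN) as the post's script does."""
    cmds = []
    for ip, ports in results.items():
        if not ports:
            continue  # nothing open, nothing to scan deeper
        portlist = ",".join(str(p) for p, _, _ in ports)
        cmds.append(["nmap", "-sV", "-sC", "-p", portlist, "-oN", f"{out_dir}/{ip}.txt", ip])
    return cmds

if __name__ == "__main__":
    for cmd in followup_scans(parse_open_ports(SAMPLE_NMAP_XML)):
        print(" ".join(cmd))
```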


My code is in draft, aka work in progress. It does not run other scripts on every port, nor does it run every tool for the main ports. I thought I would work on it more when I am in the labs and can see what more I need, or whether any problems arise.

@securitysift had the great idea of having separate Python scripts that the main script executes, so that they can be used individually if needed; for example, dns_recon.py is a script focused on DNS. Mine at the current time does not do that. As the focus is OSCP I feel that it’s not necessary, but for real work who knows, and for team exercises @securitysift’s module-based scripts would be great.


Mention of free material

#Infosec is great for sharing resources, and most people you would consider l33t are really open to questions as long as you have done some research or considered options. Obviously there are exceptions to every rule and not all people are so open, but in general I feel it is a great community.

A shout out I want to do is for Cybrary.IT. You may have seen their funding campaign or presence on Twitter (@cybraryIT). Go to their courses list at http://www.cybrary.it/courses/ and you will see a gigantic list of FREE material. You will notice they have Network Administration and Systems Administration and a BIG focus on security, which I really like.

So, say, for aspiring pentesters (yes, I am still one) they have a great source of foundational material as well as post exploitation (once you get on a box). Many skilled pen testers / red teamers already have admin experience, so do not discount the other ‘not so infosecy’ courses.


The one course I like is the Penetration Testing course; you could follow this and learn a LOT of stuff. It covers basics like footprinting, yes, but the way it is whiteboarded in the video really helps you grasp the concepts. A quick look at the additional study material shows it includes other free and not-free materials (as shown below). Their recommendations are valid; I am currently working through The Hacker Playbook and it’s great.


Just a little shout out to them: if you want to upskill or learn a little more, hit Cybrary.IT up. It’s free, it’s good quality, just be consistent, keep at it and push through. I have so many materials that I jump to and from; I am finally learning to stick to one! This is a great path.


[screenshot: testing the hooking in BeEF]


COPY PASTE FROM THEIR WEBSITE BELOW:

Recommended Additional Study Material