Saturday, December 7, 2013

NOTE: Please, be kind, and don’t submit any payloads to ANY online virus scanner!


On nearly every assessment, pen testers have to fight a battle
against antivirus solutions.  The level of effort that goes into each
“battle” depends on the AV solution, its definitions, etc.  Researching
methods to bypass antivirus solutions has been an interest of mine on
and off for the past 6 months. About two months ago I started to take a
more serious look at how I could take my recent research and turn it
into something that is more usable and useful.  I set out with a couple
of goals:



  • Bypass common AV solutions that I/we routinely encounter in most network environments

  • Utilize payloads that are compatible with the Metasploit framework, and expand upon these in future releases

  • Attempt to make each payload file as random as possible


With these goals in mind, I continued researching methods
of bypassing AV.  Since I wanted to maintain Metasploit compatibility, I
chose to use shellcode generated by the Metasploit framework,
specifically msfvenom. To accomplish this, I began looking into other
available research, which is where I discovered a number of interesting
techniques that a variety of people, such as Dave Kennedy and Debasish
Mandal, had already begun to develop.  From their research, I learned about
really interesting ways to inject shellcode into memory through Python.
These methods were the foundation of the rest of my research.


Since the majority of our assessments are against
predominantly Windows environments, it was important that the tool
worked reliably against these systems.  Since I chose to write the tool
in Python, I had to figure out how to package the Python output files
containing the obfuscated shellcode to execute on Windows without
requiring Python to be installed on the target machine.  One of the
solutions I looked into was using Py2Exe.  I knew other software used
this method to convert their Python-based scripts or tools into an
executable that could run on Windows and figured I could do the same.  I
began testing Py2Exe with the payload files I developed and was
successful running the executables on various versions of Windows, so I
stuck with that solution.  The final part was for me to develop a tool
that automated the payload generation process, and I’m happy to release
Veil.



https://www.christophertruncer.com/wp-content/uploads/2013/05/Veil.png

Veil is currently capable of using 7 different methods to make 21
different payloads, all of which result in meterpreter connections.
Veil provides the user with the option of using either Pyinstaller or
Py2Exe to convert their Python payload into an executable.  With
Pyinstaller, Veil users can have their file converted into an executable
entirely within Kali, without needing a second VM/machine.
When using Py2Exe, Veil will generate the three files which are required
to create the final executable: a payload file (in Python), a file with
runtime instructions for Py2Exe, and a batch script which handles
converting the payload file into an executable. To generate the final
payload, copy the three output files to a Windows host with Python,
Py2Exe, and PyCrypto installed and execute the batch script. This will
build the final executable that is uploaded to the target. The
executable file can be dropped anywhere, on any Windows system, as all
required libraries are stored within the exe file.  Once dropped on a
system and executed, the payload will result in a meterpreter callback
that is undetected by AV.



https://www.christophertruncer.com/wp-content/uploads/2013/05/Py2Exe.png


I’ve tested the packaged executable against
multiple AV solutions (MSE, Kaspersky, AVG, Symantec, and McAfee), on
both test systems and “in the wild,” and have a very high success rate,
bypassing detection in almost every circumstance. I hope that, by
releasing this tool, I can enable others in the community to provide
more effective assessments by allowing them to focus their efforts on
security risks and spend less time bypassing ineffective security
measures that wouldn’t deter an actual adversary.


https://www.christophertruncer.com/wp-content/uploads/2013/05/Scanned-with-MSE.png


Setup:


For Kali:


  • Run the setup script (setup.sh) and follow the installation process.

  • Once the setup script has completed, delete the setup script.


For Windows (when using Py2Exe):



Instructions for Use:



  • Run Veil from Kali and generate your payload.

  • If using Pyinstaller, your payload will be converted into an executable and is available for immediate use.

  • If using Py2Exe

    • Move the payload.py along with its two accompanying files onto your
      Windows machine (that already has python and the other dependencies from
      above installed).  All three files should be placed in the root of the
      directory Python was installed to (likely C:\Python27).

    • Run the batch script to convert the Python payload into an executable format.



  • Place the payload file on your target machine through any means necessary!


Future Direction:



  • Research new methods of encrypting or obfuscating the payload.




I hope that it can help others on their
tests just as it has helped me.  Please, if anyone has additional
functionality they would like to add, I’d love to have input from the
community!