SlideShare a Scribd company logo

The Veil-Framework

Download as PPTX, PDF
V
VeilFramework

This presentation is about the Veil-Framework and its various components. This talk was given at CarolinaCon X (2014).

Technology
1 of 42
The Veil-Framework @HarmJ0y @ChrisTruncer @VeilFramework
Who Are We?  Will Schroeder (@harmj0y)  Former national research lab keyboard monkey  Chris Truncer (@ChrisTruncer)  Florida State Graduate – Go Noles!  Veris group pentesters by day, offensive security researchers by night  And we’re hiring!
Overview  The Initial Problem  Public Reaction and Ethical Considerations  The Veil-Framework  Evading AV: Veil-Evasion  Payload Delivery: Veil-Catapult  Situation Awareness: Veil- PowerView  Demos Throughout
The Initial Problem  Antivirus doesn’t catch malware but (sometimes) catches pentesters
Our Initial Solution  A way to get around antivirus as easily as professional malware  Don’t want to roll our own backdoor each time  Find a way to execute existing shellcode in an AV-evading way
The Veil-Framework  A toolset aiming to bridge the gap between pentesting and red teaming capabilities  We started with Veil-Evasion, and began to branch out to payload delivery and Powershell exploitation  Nothing revolutionary here, but want to bring together existing techniques and incremental research try to push things forward
Ethical Considerations  The disclosure debate is not new…  Pentesters are 5+ years behind the professional malware community  This is already a problem the bad guys have solved
HD Moore’s Take  “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.”  https://community.rapid7.com/community/meta sploit/blog/2009/02/23/the-best-defense-is- information
Public Reaction  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?”  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?”  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.”  http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a _metasploit_payload_generator_for_bypassing/
Twitter Reaction
Twitter Reaction
Evading AV Veil-Evasion
Veil-Evasion’s Approach  Aggregation of various shellcode injection techniques across multiple languages  These have been known and documented in other tools  Focused on automation, usability, and developing a true framework  Some shellcodeless Meterpreter stagers and “auxiliary” modules as well
Veil-Evasion Features  Can use Metasploit-generated or custom shellcode  MSF payloads/options dynamically loaded  In the process of porting msfvenom  Third party tools can be easily integrated  Hyperion, PEScrambler, BackDoor Factory, etc.  Command line switches to allow scriptability
Native Compilation Python: pyinstaller/py2exe C#: mono for .NET C: mingw32
Module Development  Implement your own obfuscation methods!  Lots of reusable functionality  Shellcode generation is abstracted and can be invoked as needed  https://www.veil-framework.com/tutorial-veil- payload-development/
Shellcode Injection  Void pointer casting  no guarantee the memory region is executable  VirtualAlloc  allocate memory as RWX, copy code in and create a thread  HeapAlloc  create a heap object and manually allocate memory
Pyinstaller and DEP  Pyinstaller produced .exe’s are DEP enabled by default  this ruins some shellcode injection methods  Luckily Pyinstaller is open source  we can recompile to turn off DEP opt-in  https://www.veil-evasion.com/dep-pyinstaller/
Pwnstaller  A generator for obfuscated Pyinstaller loaders  BSides Boston „14 – Pwnstaller 1.0  Dynamically generates and compiles a new Pyinstaller loader on the fly  http://www.harmj0y.net/blog/python/pwnstaller- 1-0/
Payload Releases #VDay
VDay  Since 9/15/2013, we’ve release at least one new payload on the 15th of every month  32 currently published payloads  20+ additional payloads have been developed so far  we’re going to be releasing for a while :)
Native Stagers  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode  Meterpreter stagers can be written in higher-level languages  https://github.com/rsmudge/metasploit-loader
Veil-Evasion Stagers  The following are the stagers currently available in the framework (as of 5/15/14): Language Stager Python meterpreter/rev_tcp Python meterpreter/rev_http Python meterpreter/rev_http_contained Python meterpreter/rev_https Python meterpreter/rev_https_contained
Veil-Evasion Stagers Language Stager C# meterpreter/rev_tcp C# meterpreter/rev_http C# meterpreter/rev_https C meterpreter/rev_tcp C meterpreter/rev_tcp_service C meterpreter/rev_http C meterpreter/rev_http_service
How Stagers Work  1) a tcp connection is opened to the handler  2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll  3) the socket number for this tcp connection is pushed into the edi register  4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)  reverse_http stagers skip steps 2 and 3
Veil-Evasion Demo
Payload Delivery Veil-Catapult
Veil-Catapult
Veil-Catapult  After payload generation, our focus shifted to delivery  Features nice integration with Veil-Evasion for on- the-fly payload generation  Cleanup scripts generated for payload killing and deletion  Command line flags for every option  https://www.veil-framework.com/catapult/
.EXE Delivery  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe  Payloads are delivered in one of two ways:  upload/execute using Impacket and pth-toolkit  host/execute UNC path to the attacker’s box  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
Standalone Payloads  Powershell: shellcode injector, bye bye disk writes  http://www.exploit- monday.com/2011/10/exploiting-powershells- features-not.html  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide)  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
Barebones Python  Uploads a minimal python .zip installation and 7zip binary  Python environment unzipped, shellcode invoked using “-c …”  The only files that touch disk are trusted python libraries and a python interpreter  Gets right by some reputation filters and antivirus!  https://www.veil-framework.com/barebones- python-injection/
Veil-Catapult Demo
Situational Awareness Veil-PowerView
Situational Awareness; redux  Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration  Old schoolz:  net group /domain  net group “domain admins” /domain  net users /domain  net user “jsmith” /domain  net view //hostname  netsess.exe  custom tools utilizing WinAPI calls  blah blah blah
Veil-PowerView  A pure Powershell situational awareness tool  https://www.veil-framework.com/veil-powerview/  Arose partially because a client banned “net” commands on domain machines  annoying, but only a minor roadblock  Otherwise initially inspired by Rob Fuller’s netview.exe tool  Wanted something a bit more flexible that also didn’t drop a binary to disk  Started to explore and expand functionality
Get-Net*  Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls  Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.  See README.md for complete list, and function descriptions for usage options
Meta-Functions  Invoke-Netview: full-featured netview.exe replacement, plus more:  hostlists, jitter/delay, check share access, etc.  Invoke-ShareFinder: finds open shares on the network and checks if you have read access  Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module  finds machines the current user has admin access to  Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
User Hunting  Goal: find which domain machines specific users are logged into  Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users!  Utilizes Get-NetSessions and Get-NetLoggedon  Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get-NetSessions on file servers to hunt for targets  Significantly less traffic than Invoke-UserHunter
Veil-PowerView Demo
Get the Veil-Framework  Github: https://github.com/Veil-Framework/  Read more: https://www.veil-framework.com  Now in Kali: apt-get install veil
Questions?  harmj0y@veil-framework.com  @harmj0y  chris@veil-framework.com  @ChrisTruncer  #veil on freenode  forums at https://veil-framework.com/forums/

Recommended

Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-OrdnanceVeilFramework
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 

Recommended

Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-OrdnanceVeilFramework
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityBrandon Arvanaghi
 
Veil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeilFramework
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkVeilFramework
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareBrandon Arvanaghi
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCanSecWest
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
Статический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLСтатический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLPositive Hack Days
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MoreCTruncer
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolCTruncer
 

More Related Content

What's hot

Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityBrandon Arvanaghi
 
Veil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeilFramework
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkVeilFramework
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareBrandon Arvanaghi
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCanSecWest
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
Статический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLСтатический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLPositive Hack Days
 

What's hot (20)

Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
 
Veil-PowerView - NovaHackers
Veil-PowerView - NovaHackersVeil-PowerView - NovaHackers
Veil-PowerView - NovaHackers
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-framework
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted Malware
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
Статический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLСтатический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDL
 

Viewers also liked

Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MoreCTruncer
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolCTruncer
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay
AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDayAntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay
AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDayINCIDE
 
Staged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business SuiteStaged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business Suitevasuballa
 
The Beginning Of World War Ii
The Beginning Of World War IiThe Beginning Of World War Ii
The Beginning Of World War Iikathomas
 
Clientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyClientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyJulia Yu-Chin Cheng
 
Cyber Security Visualization
Cyber Security VisualizationCyber Security Visualization
Cyber Security VisualizationDoug Cogswell
 
The real and another
The real and anotherThe real and another
The real and anotherIshika Biswas
 

Viewers also liked (12)

Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and More
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage Tool
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasures
 
AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay
AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDayAntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay
AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay
 
Staged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business SuiteStaged Patching Approach in Oracle E-Business Suite
Staged Patching Approach in Oracle E-Business Suite
 
Honeywall roo 2
Honeywall roo 2Honeywall roo 2
Honeywall roo 2
 
The Beginning Of World War Ii
The Beginning Of World War IiThe Beginning Of World War Ii
The Beginning Of World War Ii
 
Clientside attack using HoneyClient Technology
Clientside attack using HoneyClient TechnologyClientside attack using HoneyClient Technology
Clientside attack using HoneyClient Technology
 
Cyber Security Visualization
Cyber Security VisualizationCyber Security Visualization
Cyber Security Visualization
 
The real and another
The real and anotherThe real and another
The real and another
 

Similar to The Veil-Framework

Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
Purple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfPurple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfprithaaash
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
Open Source Virtualization Hacks
Open Source Virtualization HacksOpen Source Virtualization Hacks
Open Source Virtualization HacksNiel Bornstein
 
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitThe DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitMarco Ferrigno
 
The DevOps Paradigm
The DevOps ParadigmThe DevOps Paradigm
The DevOps ParadigmNaLUG
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Ricardo Amaro
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraftenigma0x3
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
Prometheus for Monitoring Metrics (Fermilab 2018)
Prometheus for Monitoring Metrics (Fermilab 2018)Prometheus for Monitoring Metrics (Fermilab 2018)
Prometheus for Monitoring Metrics (Fermilab 2018)Brian Brazil
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
Working Effectively With Legacy Perl Code
Working Effectively With Legacy Perl CodeWorking Effectively With Legacy Perl Code
Working Effectively With Legacy Perl Codeerikmsp
 

Similar to The Veil-Framework (20)

Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Purple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfPurple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdf
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Metasploit Demo
Metasploit DemoMetasploit Demo
Metasploit Demo
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Open Source Virtualization Hacks
Open Source Virtualization HacksOpen Source Virtualization Hacks
Open Source Virtualization Hacks
 
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitThe DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
 
The DevOps Paradigm
The DevOps ParadigmThe DevOps Paradigm
The DevOps Paradigm
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 
Prometheus for Monitoring Metrics (Fermilab 2018)
Prometheus for Monitoring Metrics (Fermilab 2018)Prometheus for Monitoring Metrics (Fermilab 2018)
Prometheus for Monitoring Metrics (Fermilab 2018)
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Beyond static configuration
Beyond static configurationBeyond static configuration
Beyond static configuration
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewalls
 
Working Effectively With Legacy Perl Code
Working Effectively With Legacy Perl CodeWorking Effectively With Legacy Perl Code
Working Effectively With Legacy Perl Code
 

Recently uploaded

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 

Recently uploaded (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 

The Veil-Framework

  • 2. Who Are We?  Will Schroeder (@harmj0y)  Former national research lab keyboard monkey  Chris Truncer (@ChrisTruncer)  Florida State Graduate – Go Noles!  Veris group pentesters by day, offensive security researchers by night  And we’re hiring!
  • 3. Overview  The Initial Problem  Public Reaction and Ethical Considerations  The Veil-Framework  Evading AV: Veil-Evasion  Payload Delivery: Veil-Catapult  Situation Awareness: Veil- PowerView  Demos Throughout
  • 4. The Initial Problem  Antivirus doesn’t catch malware but (sometimes) catches pentesters
  • 5. Our Initial Solution  A way to get around antivirus as easily as professional malware  Don’t want to roll our own backdoor each time  Find a way to execute existing shellcode in an AV-evading way
  • 6. The Veil-Framework  A toolset aiming to bridge the gap between pentesting and red teaming capabilities  We started with Veil-Evasion, and began to branch out to payload delivery and Powershell exploitation  Nothing revolutionary here, but want to bring together existing techniques and incremental research try to push things forward
  • 7. Ethical Considerations  The disclosure debate is not new…  Pentesters are 5+ years behind the professional malware community  This is already a problem the bad guys have solved
  • 8. HD Moore’s Take  “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.”  https://community.rapid7.com/community/meta sploit/blog/2009/02/23/the-best-defense-is- information
  • 9. Public Reaction  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?”  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?”  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.”  http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a _metasploit_payload_generator_for_bypassing/
  • 13. Veil-Evasion’s Approach  Aggregation of various shellcode injection techniques across multiple languages  These have been known and documented in other tools  Focused on automation, usability, and developing a true framework  Some shellcodeless Meterpreter stagers and “auxiliary” modules as well
  • 14. Veil-Evasion Features  Can use Metasploit-generated or custom shellcode  MSF payloads/options dynamically loaded  In the process of porting msfvenom  Third party tools can be easily integrated  Hyperion, PEScrambler, BackDoor Factory, etc.  Command line switches to allow scriptability
  • 16. Module Development  Implement your own obfuscation methods!  Lots of reusable functionality  Shellcode generation is abstracted and can be invoked as needed  https://www.veil-framework.com/tutorial-veil- payload-development/
  • 17. Shellcode Injection  Void pointer casting  no guarantee the memory region is executable  VirtualAlloc  allocate memory as RWX, copy code in and create a thread  HeapAlloc  create a heap object and manually allocate memory
  • 18. Pyinstaller and DEP  Pyinstaller produced .exe’s are DEP enabled by default  this ruins some shellcode injection methods  Luckily Pyinstaller is open source  we can recompile to turn off DEP opt-in  https://www.veil-evasion.com/dep-pyinstaller/
  • 19. Pwnstaller  A generator for obfuscated Pyinstaller loaders  BSides Boston „14 – Pwnstaller 1.0  Dynamically generates and compiles a new Pyinstaller loader on the fly  http://www.harmj0y.net/blog/python/pwnstaller- 1-0/
  • 21. VDay  Since 9/15/2013, we’ve release at least one new payload on the 15th of every month  32 currently published payloads  20+ additional payloads have been developed so far  we’re going to be releasing for a while :)
  • 22. Native Stagers  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode  Meterpreter stagers can be written in higher-level languages  https://github.com/rsmudge/metasploit-loader
  • 23. Veil-Evasion Stagers  The following are the stagers currently available in the framework (as of 5/15/14): Language Stager Python meterpreter/rev_tcp Python meterpreter/rev_http Python meterpreter/rev_http_contained Python meterpreter/rev_https Python meterpreter/rev_https_contained
  • 24. Veil-Evasion Stagers Language Stager C# meterpreter/rev_tcp C# meterpreter/rev_http C# meterpreter/rev_https C meterpreter/rev_tcp C meterpreter/rev_tcp_service C meterpreter/rev_http C meterpreter/rev_http_service
  • 25. How Stagers Work  1) a tcp connection is opened to the handler  2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll  3) the socket number for this tcp connection is pushed into the edi register  4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)  reverse_http stagers skip steps 2 and 3
  • 29. Veil-Catapult  After payload generation, our focus shifted to delivery  Features nice integration with Veil-Evasion for on- the-fly payload generation  Cleanup scripts generated for payload killing and deletion  Command line flags for every option  https://www.veil-framework.com/catapult/
  • 30. .EXE Delivery  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe  Payloads are delivered in one of two ways:  upload/execute using Impacket and pth-toolkit  host/execute UNC path to the attacker’s box  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
  • 31. Standalone Payloads  Powershell: shellcode injector, bye bye disk writes  http://www.exploit- monday.com/2011/10/exploiting-powershells- features-not.html  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide)  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
  • 32. Barebones Python  Uploads a minimal python .zip installation and 7zip binary  Python environment unzipped, shellcode invoked using “-c …”  The only files that touch disk are trusted python libraries and a python interpreter  Gets right by some reputation filters and antivirus!  https://www.veil-framework.com/barebones- python-injection/
  • 35. Situational Awareness; redux  Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration  Old schoolz:  net group /domain  net group “domain admins” /domain  net users /domain  net user “jsmith” /domain  net view //hostname  netsess.exe  custom tools utilizing WinAPI calls  blah blah blah
  • 36. Veil-PowerView  A pure Powershell situational awareness tool  https://www.veil-framework.com/veil-powerview/  Arose partially because a client banned “net” commands on domain machines  annoying, but only a minor roadblock  Otherwise initially inspired by Rob Fuller’s netview.exe tool  Wanted something a bit more flexible that also didn’t drop a binary to disk  Started to explore and expand functionality
  • 37. Get-Net*  Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls  Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.  See README.md for complete list, and function descriptions for usage options
  • 38. Meta-Functions  Invoke-Netview: full-featured netview.exe replacement, plus more:  hostlists, jitter/delay, check share access, etc.  Invoke-ShareFinder: finds open shares on the network and checks if you have read access  Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module  finds machines the current user has admin access to  Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
  • 39. User Hunting  Goal: find which domain machines specific users are logged into  Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users!  Utilizes Get-NetSessions and Get-NetLoggedon  Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get-NetSessions on file servers to hunt for targets  Significantly less traffic than Invoke-UserHunter
  • 41. Get the Veil-Framework  Github: https://github.com/Veil-Framework/  Read more: https://www.veil-framework.com  Now in Kali: apt-get install veil
  • 42. Questions?  harmj0y@veil-framework.com  @harmj0y  chris@veil-framework.com  @ChrisTruncer  #veil on freenode  forums at https://veil-framework.com/forums/