Pen Testing Development
Christopher Truncer
uid=0(@ChrisTruncer)
● Christopher Truncer (@ChrisTruncer)
○ Open Source Software Developer, Veil Framework Developer, Florida State Seminole
● Red Teamer, Pen Tester, and Security Researcher for Mandiant
What’s this talk about?
● How I got started
● Security through Offense
○ EyeWitness
○ #avlol
○ Own the Exfil
○ Misconfigurations
● What (I think) makes successful hackers
○ Your drive
○ Scripting/Programming
● Tempt the demo gods throughout
How I Started
● College
○ College computer security class
○ Hack my roommate
■ “Wow, hacking is real”
● Tech background before Security
○ Windows Admin
○ Linux Admin - to learn
● Started the plunge into security
○ No development experience
First Steps with Development
● Start small
○ Veil wasn’t built in a day :)
● Fix problems/tasks you always see
● Google and Stack Overflow
● Just try it...
● Nearly all upcoming case studies involve writing some code
When Coding...
Developing for Offensive Operations
My Development Philosophy
● Develop a POC that does what you want
● Clean up your code, and add comments!
● Make it usable by everyone, not just you
● Contribute back and make it public
● Maintain your project
Version Control
● Use anything you’re comfortable with, but use it
○ git - my choice (look at Github, it’s free)
○ svn
○ cvs
○ etc…
● You will mess your code up
● You will delete your tools/scripts
● You will be thankful for checking in your code
EyeWitness
● Problem: When dropped in large network segments, we can see hundreds, if not thousands of web applications. How do we know which to attack?
EyeWitness
● Solution: Automate everything I would manually have to do
● Mandatory:
○ Screenshot web applications
○ Check for default credentials
○ Generate a usable report
● Optional:
○ Make report “sections”
○ Grab server headers
Google!
StackOverflow
Proof of Concept
Make it Usable
● File Input
○ File, NMap, Nessus
● Web Timeouts
● Default Credential Checks
● Report Generation
○ Create Sections
■ High Value Targets
■ Error Section
■ etc.
EyeWitness Stats
● Originally: 409 Lines
● Now: 3402 Lines
● Reasons:
○ Login Signatures
○ Multi-Threading
● Guess for the real reason?
#avlol
The Veil-Framework
● Problem: Antivirus can’t catch malware, but it catches pentesters
● Goal: Bypass antivirus as easily as professional malware developers
● Solution: A python-based framework for generating shellcode and meterpreter injectors
As Always, Ask the Google
Have a POC… Next?
● Research obfuscation methods
○ Look at existing malware
○ Try encryption routines
● Generate random files from a template
○ Framework might help
● Automate as much as possible
○ I probably should make a framework...
Veil 1.0 - Released
● Small, single file script
● Limited payloads
● It worked… better than it really should
Next Steps...
● Don’t use a single script
○ Maintenance can be a pain
○ Not easily extensible
○ A framework would be nice...
● Find a mentor
○ Ability to ask questions is invaluable
○ Learning & Collaboration opportunities
Teamed Up
● Teamed up with Will Schroeder (@harmj0y) and Mike Wright (@themightyshiv)
● We had separate tools, so we combined code bases
● @Harmj0y didn’t sleep and combined the code
○ Took this as an opportunity to learn framework development
Veil 2.0
● Fully modular framework
○ Drag and drop payloads
● “Language agnostic”
○ implement additional languages
● Easily Extensible
○ common libraries/methods available
● Huge UI focus
○ Tab completion, command line flags, etc.
The Veil-Framework
● We continued to come up with additional tools which resulted in The Veil-Framework
○ “A toolset aiming to bridge the gap between pen testing and red team toolsets.”
● Veil renamed to Veil-Evasion
○ Veil-Catapult - Initial payload delivery tool
○ Veil-Pillage - Post-Exploitation and payload delivery
State of The Veil-Framework
● Still an actively maintained project
● V-Day
○ Victory over antivirus :)
○ Since 9/15/2013 we’ve released at least one new payload on the 15th of every month
● Hoping for community involvement
○ hint hint… :)
Egress-Assess
Attackers don’t just target this...
http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/041514_1356_MurderingDe30.png
What’s the point?
● End Goal - Money/Data
○ Data - grab it, get it out
○ !disrupt
○ !deny
○ !degrade
○ !destroy (maybe deceive)
○ Not just shells anymore
...they target this
Attacker C2 Comms
Tradecraft Evolution
● Pen Tests traditionally exploit vulnerabilities
○ Find and exploit vulnerabilities
○ Assess the security as a point in time
● Why not add in some exfiltration testing as well?
○ Attackers DO this, why not help prep our customers?
○ Let’s emulate our threats
Our Solution
What does it do?
● Standard client/server model
● Simulates data exfiltration
○ Faux social security numbers or credit cards
○ And now real files :)
● Exfil data over multiple protocols
Project Goals
● Fast to set up for use
● Minimal (if any) configurations required to work
● Lightweight and no excessive dependencies
● Exfiltrate data over different protocols
● Modular framework that allows easy expansion of capabilities
Project Goals
● Store all data/files transferred for proof of transfer
○ Stored in a specific directory
○ Time and date stamped for correlation with blue team logs
● Demonstrate different options for data exfiltration and educate the blue team
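The time-stamped proof-of-transfer store is only useful if someone actually joins it against the blue team's logs. The following is an added example written for this page, not Egress-Assess code: it pairs each stored transfer with sensor events from the same client inside a time window and reports which channels went unseen. The record layout, the sensor names and all sample data are constructed.

```python
"""Purple-team check for the time-stamped transfer records described above:
for each transfer the server stored, look for a blue-team sensor event from
the same client within a short window and report which channels were seen.

Added example, not Egress-Assess code; record formats and sample data are
constructed, not the project's real log format.
"""
from datetime import datetime, timedelta

# Constructed transfer records: (timestamp, protocol module, client ip, bytes).
TRANSFERS = [
    ("2015-03-01 14:02:10", "ftp", "10.0.0.7", 51200),
    ("2015-03-01 14:05:41", "dns_resolved", "10.0.0.7", 4096),
    ("2015-03-01 14:09:03", "icmp", "10.0.0.7", 20480),
]

# Constructed blue-team events: (timestamp, sensor, source ip, description).
SENSOR_EVENTS = [
    ("2015-03-01 13:50:00", "firewall", "10.0.0.9", "outbound tcp/443 allowed"),
    ("2015-03-01 14:02:12", "firewall", "10.0.0.7", "outbound tcp/21 allowed"),
    ("2015-03-01 14:05:39", "dns", "10.0.0.7", "query burst under egress.test"),
    ("2015-03-01 14:30:00", "firewall", "10.0.0.7", "outbound icmp allowed"),  # too late to count
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(transfers, events, window_seconds: int = 30) -> list:
    """Pair each transfer with sensor events from the same client inside
    +/- window_seconds; a transfer with no such event was not detected."""
    window = timedelta(seconds=window_seconds)
    report = []
    for ts, proto, client, nbytes in transfers:
        t = parse_ts(ts)
        seen_by = sorted({sensor for e_ts, sensor, src, _ in events
                          if src == client and abs(parse_ts(e_ts) - t) <= window})
        report.append({"time": ts, "protocol": proto, "bytes": nbytes,
                       "detected": bool(seen_by), "seen_by": seen_by})
    return report


def blind_spots(report) -> list:
    """Protocol modules whose transfers produced no sensor event at all."""
    return sorted({r["protocol"] for r in report if not r["detected"]})


if __name__ == "__main__":
    rep = correlate(TRANSFERS, SENSOR_EVENTS)
    for r in rep:
        status = "seen by " + ",".join(r["seen_by"]) if r["detected"] else "NOT DETECTED"
        print(f"{r['time']} {r['protocol']:<13} {r['bytes']:>6} bytes  {status}")
    print("blind spots:", blind_spots(rep))
```

Clock skew between the test box and the sensors is the usual reason a real match fails, so the window should be at least as wide as the worst skew you measured beforehand.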
Tunneling Protocols
Supported Tunneling Protocols
● Protocols merged into Egress-Assess
● ICMP
● SMB
● DNS
● DNS_Resolved
● HTTP
● HTTPS
● FTP
● SFTP
FTP and SFTP
● Generates faux data and writes it to disk, or transfers a file specified by user
● Creates FTP or SFTP connection to server and transfers the file to the server
● If faux data is used, it deletes the file
FTP Transfer
ICMP
● Takes advantage of ICMP type 8 (echo)
○ Protocol allows you to specify the data used in the echo request
● Splits data into 1100-byte chunks
● Base64 encodes data
● Uses encoded data for the echo
ICMP Transfer
DNS (Direct)
● Uses DNS TXT records
○ Max 255 bytes
● Split data into chunks, base64 encode each chunk, send packets directly to Egress-Assess server
● Multiple limitations when working with DNS
○ Size restrictions, UDP, etc.
■ We’d say a joke, but you might not get it :)
DNS (Direct) Transfer
DNS Info
● Other protocol modules work well, but fail when a proxy is used
● Other tools have shown that DNS can be used as a communications channel
○ Cobalt Strike’s Beacon, dns tunnelling projects (dnscat), etc.
○ Began researching different methods to exfil data via DNS
Why Use DNS
● “But we don’t allow port 53 out!”
● Locked down environments can have proxies
● How many people inspect DNS?
○ How many people only resolve certain domains?
○ Can you block protocol compliant C2 comms or data exfiltration attempts?
● Customer’s own DNS server FTW!
DNS (Resolved)
● Resolves local system’s nameserver
● Send request to system/network nameserver
○ <base64encodeddata>.subdomain.domain.com
● Server listens for incoming DNS A record request
○ Grabs record being requested, decodes it, and writes data to disk
http://blog.cobaltstrike.com/2013/06/20/thatll-never-work-we-dont-allow-port-53-out/
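Both the ICMP module (1100-byte base64 chunks in echo requests) and the resolved-DNS module (<base64encodeddata>.subdomain.domain.com) leave a shape in traffic that a blue team can look for, which is the "educate the blue team" goal of the project. The block below is an added example for this page, not Egress-Assess code: it assumes the DNS label is base64 with its padding dropped, uses a naive last-two-labels domain extraction, and runs over constructed sample packets and queries.

```python
"""Blue-team heuristics for two Egress-Assess channels described on the slides:
ICMP echo requests carrying 1100-byte base64 chunks, and resolved-DNS queries
of the form <base64encodeddata>.subdomain.domain.com.

Added example, not Egress-Assess code. Sample traffic is constructed, and the
label format (base64 with '=' padding dropped) is an assumption.
"""
import base64
import binascii
import re
from collections import Counter

B64_CHARS = re.compile(rb"[A-Za-z0-9+/_-]+={0,2}")  # standard and url-safe alphabets


def decodes_as_base64(data: bytes, min_len: int) -> bool:
    """True if data is at least min_len bytes, uses only base64 characters and
    decodes once any stripped '=' padding is restored."""
    if len(data) < min_len or not B64_CHARS.fullmatch(data):
        return False
    body = data.rstrip(b"=").replace(b"-", b"+").replace(b"_", b"/")
    try:
        base64.b64decode(body + b"=" * (-len(body) % 4), validate=True)
        return True
    except binascii.Error:
        return False


def check_icmp(pkt: dict):
    """Flag a type-8 echo whose payload dwarfs a normal 56-64 byte ping and is
    entirely base64; returns an alert string or None."""
    if pkt["type"] == 8 and decodes_as_base64(pkt["payload"], 256):
        return f"icmp: {pkt['src']} echo request carrying {len(pkt['payload'])} bytes of base64"
    return None


def suspicious_label(qname: str, min_len: int = 32) -> bool:
    """First label looks like a base64 chunk: long, decodable, and dense in
    upper-case letters and digits, which ordinary hostnames rarely are."""
    label = qname.rstrip(".").split(".")[0]
    if not decodes_as_base64(label.encode(), min_len):
        return False
    return sum(c.isupper() or c.isdigit() for c in label) / len(label) >= 0.3


def registered_domain(qname: str) -> str:
    """Naive: last two labels (use a public-suffix list in real tooling)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def scan(icmp_packets, dns_queries, min_hits: int = 2) -> list:
    """One alert per base64 echo; one per (client, domain) once min_hits
    base64-looking queries are seen, so a single odd hostname is ignored."""
    alerts = [a for a in map(check_icmp, icmp_packets) if a]
    hits = Counter()
    for src, qname in dns_queries:
        if suspicious_label(qname):
            hits[(src, registered_domain(qname))] += 1
    for (src, domain), n in sorted(hits.items()):
        if n >= min_hits:
            alerts.append(f"dns: {src} sent {n} base64-looking queries under {domain}")
    return alerts


def chunk_label(raw: bytes) -> str:
    """Build a query label as the slides describe (assumed: padding dropped)."""
    return base64.b64encode(raw).decode().rstrip("=")


# Constructed sample traffic, not real captures.
NORMAL_PING = b"\x00" * 8 + bytes(range(0x10, 0x38))  # 56-byte Linux ping body
EXFIL_CHUNK = base64.b64encode(b"4111-1111-1111-1111\n" * 41 + b"41111")  # 825 raw bytes -> 1100-byte chunk
SAMPLE_ICMP = [
    {"src": "10.0.0.5", "type": 8, "payload": NORMAL_PING},
    {"src": "10.0.0.7", "type": 8, "payload": EXFIL_CHUNK},
]
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "autodiscover.corp.example.com"),
    ("10.0.0.7", chunk_label(b"CreditCard:4111-1111-1111-1111,SSN") + ".data.egress.test"),
    ("10.0.0.7", chunk_label(b"SSN:078-05-1120,SSN:219-09-9999") + ".data.egress.test"),
]
```

Long hex-style CDN or tracking hostnames will trip the label check, so pair it with an allowlist in practice; resolvers or log pipelines that lowercase names also remove the upper-case signal, leaving only digit density and length.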
DNS Resolved Setup
● Create DNS A record for your final destination
● Create NS Record for subdomain, point to A record
https://www.christophertruncer.com/exfiltrate-data-via-dns-with-egress-assess/
DNS (Direct) Transfer
More DNS Woes
https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw/preview?sle=true&slide=id.g2d0184395_097
https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw/preview?sle=true&slide=id.g34d85052a_00
DNS Woes
● Leads to problems when transferring files
○ Faux data, don’t need to preserve order, or 100% integrity
○ Binary files, this is a problem
● Currently working on essentially TCP over UDP DNS transfers
Powershell all the things
● Same client modules as python client
● Simulate attackers from Windows systems
● Domain proxy support
● Deployable through Beacon, Meterpreter, etc.
Get-Help
HTTP Snort Capture
What I wish I knew
● Programming/Scripting
○ Start doing this
○ You can literally control a computer, and make it do exactly what you want
What I wish I knew
● Programming
○ Get the theme? :)
● Mentor
○ You’re always one step in front and one step behind someone
● Build a lab and play with it
○ You can’t break anything that costs money!
What I wish I knew
● Be prepared to be uncomfortable at times
○ Always in a new environment with new “stuff” and you’re expected to break it
○ Perk of the job too :)
● Build your process
○ Learn how you best approach networks, web apps, etc.
○ Use this to face what you don’t know
The difference between a new and experienced hacker is the experienced hacker can count on their problem solving ability to navigate an unknown environment.
?
● Chris Truncer
○ @ChrisTruncer
○ CTruncer@christophertruncer.com
○ https://www.christophertruncer.com
○ https://github.com/ChrisTruncer