![How Stagers Work
● 1) a tcp connection is opened to the handler
● 2) the handler sends back 4 bytes indicating
the .dll size, and then transfers the .dll
● 3) the socket number for this tcp connection
is pushed into the edi register
● 4) execution is passed to the .dll just like
regular shellcode (void * or VirtualAlloc)
● reverse_http[s] stagers skip steps 2 and 3](https://image.slidesharecdn.com/thestateoftheveilframework-141114131826-conversion-gate01/85/The-State-of-the-Veil-Framework-20-320.jpg)
The State of the Veil Framework
- 1. The State of the Veil Framework @harmj0y @ChrisTruncer
- 2. Who We Are ● Will Schroeder (@harmj0y) o Former national research lab keyboard monkey ● Christopher Truncer (@ChrisTruncer) o Florida State Graduate - Go Noles! ● Red Teamers, Pen Testers, and Security Researchers for the Adaptive Threat Division
- 3. Overview ● Genesis ● The Veil-Framework ○ Evading AV Veil- Evasion ○ Payload Delivery Veil-Catapult ○ Situational Awareness Veil-PowerView ○ Post-Exploitation Veil-Pillage ○ Shellcode Generation Veil-Ordinance ○ demos throughout ● Moving Forward ○ Veil-Framework 3.0
- 4. Genesis Where it all began
- 5. Our Problem ● Why are are pentesters caught but malware authors aren’t?
- 6. Our Initial Solution ● Want a way to bypass antivirus “solutions” as easily as professional malware ● Minimize repetition ○ Don’t roll custom backdoors each assessment ● Execute our agents on targets in a way that bypasses most antivirus detection
- 7. The Veil-Framework ● A toolset aiming to bridge the gap between pentesting and red teaming capabilities ● We started with Veil-Evasion, and began to branch out to payload delivery and PowerShell exploitation ● Nothing revolutionary here, but want to bring together existing techniques and incremental research try to push things forward
- 8. Ethical Considerations ● Similar parallels to the exploit disclosure debate ● The public community is typically 5+ years behind professional malware developers ● The blackhat industry has solved this problem, why shouldn’t the whitehats as well?
- 9. HD’s Take ● “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.” ● https://community.rapid7.com/community/ metasploit/blog/2009/02/23/the-best- defense-is-information
- 10. Public Reaction ● “surely this will result in 21 new signatures for all major AVs, and then we’re back to square one?” ● “Isn’t our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?” ● “The other point here is that anything that helps to expose how in-effective AV is at stopping even a minimally sophisticated attacker is a good thing.” http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/
- 11. Twitter Reaction
- 13. Our Approach ● Aggregate various shellcode injection techniques across multiple languages ○ Public techniques used by a variety of open-source tools ● Some shellcodeless Meterpreter stagers and “auxiliary” modules as well ● Focus on usability, automation, and the creation of a true framework
- 14. Previous Work ● Mark Baggett’s post Tips for Evading Anti-Virus During Pen Testing was the first public resource to talk about using Python to inject shellcode ● Dave Kennedy released PyInjector in 2012 ● We ended up mostly drawing from Debasish Mandal's Execute ShellCode Using Python o Uses the VirtualAlloc/CreateThread/ WaitForSingleObject pattern
- 15. Features ● Can use either Metasploit generated or custom written shellcode ○ Metasploit Framework payloads/options are dynamically loaded ● Third-party tools can be easily integrated ○ Hyperion, PE Scrambler, Backdoor Factory, etc. ● Command line switches add in scriptability ● Check payload hashes against VirusTotal
- 17. Shellcode Injection 101 ● Void Pointer Casting ○ Can’t guarantee shellcode is in an executable part of memory ● VirtualAlloc ○ Allocate memory as RWX, inject and execute the shellcode from the allocated section of memory ● HeapAlloc ○ Creates a heap object, allocates memory, injects and executes shellcode
- 18. Pwnstaller ● What if some vendors trigger on the Pyinstaller loader.exe itself? ● How about a (reasonably) obfuscated version of the Pyinstaller loader? :) o BSides Boston ‘14: Pwnstaller 1.0 o https://github.com/harmj0y/pwnstaller/ ● Integrated into Veil-Evasion this past May
- 19. “Pure” Stagers ● Stage 1 Meterpreter loaders don’t have to be implemented in shellcode ● Meterpreter stagers can be written in higher- level languages o Thanks Raffi! https://github.com/rsmudge/metasploit-loader ● Lots of varieties in Python, C, PowerShell, C# and Ruby
- 20. How Stagers Work ● 1) a tcp connection is opened to the handler ● 2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll ● 3) the socket number for this tcp connection is pushed into the edi register ● 4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc) ● reverse_http[s] stagers skip steps 2 and 3
- 21. V-Day ● Our release cycle, modeled on Microsoft’s Patch Tuesday :) ● New modules are released on the 15th of every month ● Currently there are 34+ modules for use ○ We still have 20+ modules in a development or QA state ● We plan to keep #avloling for quite some time
- 24. Veil-Catapult
- 25. ● After payload generation, our focus moved to payload delivery ● Features integration with Veil-Evasion to generate payloads, and can upload or host/ execute binaries on targets o additional methods (like PowerShell) as well ● Obsoleted with the release of Veil-Pillage Veil-Catapult
- 27. Features ● Trigger Options: o with a preference for stealth o Pillage utilizes pth-winexe, pth-wmis, and Impacket’s smbexec/smb servers for delivery and triggering ● Modularity: o want it to be easy to implement new post- exploitation techniques (common library) o and want to be able to easily integrate our code/ techniques into other tools (cli options) ● Completeness: o automation, comprehensive logging, cleanup, etc.
- 28. Veil-Pillage
- 29. exe_delivery ● Catapult functionality ported to Pillage ● Executables can be specified, or generated with seamless Veil-Evasion integration ● .EXEs are then uploaded/triggered, or hosted/triggered with a UNC path o This gets some otherwise disk-detectable .EXEs right by some AVs!
- 30. Hashdumping ● Let’s aggregate some of the best existing techniques and build some logic in: if (Powershell working) { Powerdump/PowerSploit } else { determine_arch { host/execute appropriate binaries } } ● Expose these techniques to the user for situation-dependent decisions
- 31. powersploit/* ● Several PowerSploit modules are included in Pillage ● A web server is stood up in the background o the ‘IEX (New-Object Net.WebClient).DownloadString(...)’ cradle is transparently triggered ● Makes it easy to run PowerSploit across multiple machines
- 33. Veil-PowerView ● Pure PowerShell situational awareness tool ● Arose partially because a client banned “net” commands on domain machines ● Otherwise initially inspired by Rob Fuller’s netview.exe tool ○ Wanted something a bit more flexible that also didn’t drop a binary to disk ● Started to explore and expand functionality
- 34. Get-Net* ● Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls o Get-NetUsers, Get-NetGroup, Get-NetServers, Get- NetSessions, Get-NetLoggedon, etc. ● Think dsquery on steroids ● See README.md for complete list, and function descriptions for usage options
- 35. The Fun Stuff ● Invoke-Netview: netview.exe replacement ● Invoke-ShareFinder: finds open shares on the network and checks if you have read access ● Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module ● Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
- 36. User-Hunting ● Goal: find which machines specific users are logged into ● Invoke-UserHunter: finds where target users or group members are logged into on the network ● Invoke-StealthUserHunter: extracts user HomeDirectories from AD, and runs Get- NetSessions on file servers to hunt for targets o Significantly less traffic than Invoke-UserHunter
- 37. Domain Trusts ● PowerView can now enumerate and exploit existing domain trusts: o Get-NetDomainTrusts: enumerates all existing domain trusts, à la nltest o Invoke-MapDomainTrusts: recursively maps all reachable trusts ● Most PowerView functions now accept a “-Domain <name>” flag, allowing them to operate across trusts o e.g. Get-NetUsers –Domain sub.test.local will enumerate all the users from the sub.test.local domain if an implicit trust exists
- 38. Sidenote: Mapping Domain Trusts ● Another ATD member recently released http://sixdub.net/2014/10/nodal-analysis-of- domain-trusts-maximizing-the-win/ ● Shows you how to take output from Invoke- MapDomainTrusts and perform nodal analysis on it (centrality, etc.) ● Also, can make neat looking graphs :)
- 42. Veil-Evasion and Shellcode ● Veil-Evasion outsources its shellcode generation capabilities to msfvenom ● Reliance on outside tools can sometimes cause complications: ○ If msfvenom output changes, our parsing can break ■ This has happened twice :( ○ Speed - MSF can be slow to start (even when instantiating the simplified framework)
- 43. What we need ● We need a tool that generates shellcode ○ Output doesn’t change ■ Allows us to easily control what we want to parse ○ Still provide bad character avoidance ○ Speed is always nice too ● Encoders! Send us any/all python POCs! ○ We will slowly work through MSF encoders ● Feedback!
- 44. Veil-Ordnance ● 6 different payloads ○ Tried to pick from the most commonly used payloads (rev_tcp, bind_tcp, rev_https, rev_http, rev_tcp_dns, rev_tcp_all_ports) ○ All payloads were ported from MSF (read: we did not develop them) ● 1 current encoder ○ Single Byte Xor Encoder - Developed by Justin Warner (@sixdub)
- 46. Moving Forward
- 47. Evasion Steps Forward ● Still have a large backlog of techniques and languages to release ● Looking into the generation of 64-bit payload modules ● Researching more complex shellcode- injection methods
- 48. Veil-Framework 3.0 ● We’re beginning a reorganization and ground-up rewrite of the Veil-Framework o Veil-Framework/Veil will include Evasion, Catapult, Pillage, and Ordnance o Veil-Framework/PowerTools will include PowerView and PowerUp ● Will keep a common theme of evasion, interoperability, and a big UI focus ● Planning on a Spring release timeframe
- 49. Questions? ● harmj0y@veil-framework.com o @harmj0y ● chris@veil-framework.com o @ChrisTruncer ● #veil on freenode ● https://www.veil-framework.com