SlideShare ist ein Scribd-Unternehmen logo

BH Arsenal '14 TurboTalk: The Veil-framework

Als PPTX, PDF herunterladen
V
VeilFramework

These are the slides given at the Blackhat 2014 Arsenal Turbo talk on the Veil-Framework.

1 von 24
The Veil-Framework Will (@harmJ0y) Veris Group – Adaptive Threat Division
The Veil-Framework  A toolset aiming to bridge the gap between pentesting and red teaming capabilities  Veil-Evasion: flagship tool, generates AV- evading executables  Veil-Catapult: initial payload delivery tool  Veil-PowerView: situational awareness with Powershell  Veil-Pillage: fully-fledged post-exploitation framework
Veil-Evasion #avlol
The Initial Problem  Antivirus doesn’t catch malware but (sometimes) catches pentesters
Our Initial Solution  A way to get around antivirus as easily as professional malware  Don’t want to roll our own backdoor each time  Find a way to execute existing shellcode/our stagers in an AV-evading way
Twitter Reaction
Veil-Evasion’s Approach  Aggregation of various shellcode injection techniques across multiple languages  These have been known and documented in other tools  Focused on automation, usability, and developing a true framework  Some shellcodeless Meterpreter stagers and “auxiliary” modules as well
V-Day  Since 9/15/2013, we’ve release at least one new payload on the 15th of every month  30+ currently published payload modules  20+ additional payloads have been developed so far  we’re going to be releasing for a while :)
Veil-Catapult Payload Delivery
Veil-Catapult
Veil-Catapult  Our basic payload delivery tool, released at Shmoocon ’14  Tight integration with Veil-Evasion for on-the-fly payload generation, can upload/execute or host/execute  Cleanup scripts generated for payload killing and deletion  Now obsoleted with the release of Veil-Pillage
Veil-PowerView Situational Awareness with Powershell
Veil-PowerView  A pure Powershell situational awareness tool  Arose partially because a client banned “net” commands on domain machines  Otherwise initially inspired by Rob Fuller’s netview.exe tool  Wanted something a bit more flexible that also didn’t drop a binary to disk  Started to explore and expand functionality
Get-Net*  Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls  Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.  See README.md for complete list, and function descriptions for usage options
Meta-Functions  Invoke-Netview: netview.exe replacement  Invoke-ShareFinder: finds open shares on the network and checks if you have read access  Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module  Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
User Hunting  Goal: find which machines specific users are logged into  Invoke-UserHunter: finds where target users or group members are logged into on the network  Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get- NetSessions on file servers to hunt for targets  Significantly less traffic than Invoke-UserHunter
Domain Trusts  PowerView can now enumerate and exploit existing domain trusts:  Get-NetForestDomains: get all domains in the forest  Get-NetDomainTrusts: enumerates all existing domain trusts, à la nltest  Most PowerView functions now accept a “-Domain <name>” flag, allowing them to operate across trusts  e.g. Get-NetUsers –Domain sub.test.local will enumerate all the users from the sub.test.local domain if an implicit trust exists
Veil-Pillage Post-exploitation 2.0
Veil-Pillage  A post-exploitation framework being released at Defcon  Multiple trigger options (wmis, psexec, etc.)  Completely modular, making it easy to implement additional post-exploitation actions  Comprehensive logging and cleanup capabilities
exe_delivery  Catapult functionality ported to Pillage  Executables can be specified, or generated with seemless Veil-Evasion integration  .EXEs are then uploaded/triggered, or hosted/triggered with a UNC path  This gets some otherwise disk-detectable .EXEs right by some AVs
powersploit/*  Several PowerSploit modules are included in Pillage  A web server is stood up in the background  the ‘IEX (New-Object Net.WebClient).DownloadString(...)’ cradle is transparently triggered  Makes it easy to run PowerSploit across multiple machines
Hashdumping  Different approaches work in different situations  Dependent on architecture, Powershell installation, AV-installation, etc.  Some involve dropping well-known, close- sourced tools to disk  sometimes this is needed, but we want to stay off disk as much as possible
Hashdumping: Pillage Style  Let’s aggregate some of the best techniques and build some logic in: if (powershell_installed) { Powerdump/PowerSploit} else { determine_arch { host/execute appropriate binaries } }  Expose these techniques to the user for situation-dependent decisions
Questions?  harmj0y@veil-framework.com  @harmj0y  harmj0y in #veil/#armitage on freenode  https://www.veil-framework.com  Get the Veil-Framework:  Github: https://github.com/Veil-Framework/  Read more: https://www.veil-framework.com

Empfohlen

Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-FrameworkVeilFramework
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Pwnstaller
PwnstallerPwnstaller
PwnstallerWill Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 

Empfohlen

Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-PillageVeilFramework
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-FrameworkVeilFramework
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Pwnstaller
PwnstallerPwnstaller
PwnstallerWill Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersNikhil Mittal
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortanaWill Schroeder
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys AdminsWill Schroeder
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
THE VEIL FRAMEWORK
THE VEIL FRAMEWORKTHE VEIL FRAMEWORK
THE VEIL FRAMEWORKSukesh Shetty
 
Extend Eclipse p2 framework capabilities: Add your custom installation steps
Extend Eclipse p2 framework capabilities: Add your custom installation stepsExtend Eclipse p2 framework capabilities: Add your custom installation steps
Extend Eclipse p2 framework capabilities: Add your custom installation stepsDragos_Mihailescu
 

Weitere ähnliche Inhalte

Was ist angesagt?

PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersNikhil Mittal
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellWill Schroeder
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 

Was ist angesagt? (20)

PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 

Ähnlich wie BH Arsenal '14 TurboTalk: The Veil-framework

Extend Eclipse p2 framework capabilities: Add your custom installation steps
Extend Eclipse p2 framework capabilities: Add your custom installation stepsExtend Eclipse p2 framework capabilities: Add your custom installation steps
Extend Eclipse p2 framework capabilities: Add your custom installation stepsDragos_Mihailescu
 
Project Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxProject Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxsimonlbentley59018
 
Opendaylight SDN Controller
Opendaylight SDN ControllerOpendaylight SDN Controller
Opendaylight SDN ControllerSumit Arora
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
eXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework IntroductioneXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework Introductionvstorm83
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
Selenium-Webdriver With PHPUnit Automation test for Joomla CMS!
Selenium-Webdriver With PHPUnit Automation test for Joomla CMS!Selenium-Webdriver With PHPUnit Automation test for Joomla CMS!
Selenium-Webdriver With PHPUnit Automation test for Joomla CMS!Puneet Kala
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)Wail Hassan
 
Dockerization of Azure Platform
Dockerization of Azure PlatformDockerization of Azure Platform
Dockerization of Azure Platformnirajrules
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker securityWalid Ashraf
 
Boot-To-Root KIOPTRIX Level -1
Boot-To-Root KIOPTRIX Level -1Boot-To-Root KIOPTRIX Level -1
Boot-To-Root KIOPTRIX Level -1Venkat Raman
 
Managing Your Runtime With P2
Managing Your Runtime With P2Managing Your Runtime With P2
Managing Your Runtime With P2Pascal Rapicault
 
Virtualization terminology
Virtualization terminologyVirtualization terminology
Virtualization terminologyZeno Idzerda
 
V terminology guide
V terminology guideV terminology guide
V terminology guideRizi Butt
 
Purple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfPurple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfprithaaash
 

Ähnlich wie BH Arsenal '14 TurboTalk: The Veil-framework (20)

THE VEIL FRAMEWORK
THE VEIL FRAMEWORKTHE VEIL FRAMEWORK
THE VEIL FRAMEWORK
 
Extend Eclipse p2 framework capabilities: Add your custom installation steps
Extend Eclipse p2 framework capabilities: Add your custom installation stepsExtend Eclipse p2 framework capabilities: Add your custom installation steps
Extend Eclipse p2 framework capabilities: Add your custom installation steps
 
Build server
Build serverBuild server
Build server
 
Project Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxProject Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docx
 
Opendaylight SDN Controller
Opendaylight SDN ControllerOpendaylight SDN Controller
Opendaylight SDN Controller
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
eXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework IntroductioneXo Platform SEA - Play Framework Introduction
eXo Platform SEA - Play Framework Introduction
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Metasploit Demo
Metasploit DemoMetasploit Demo
Metasploit Demo
 
Selenium-Webdriver With PHPUnit Automation test for Joomla CMS!
Selenium-Webdriver With PHPUnit Automation test for Joomla CMS!Selenium-Webdriver With PHPUnit Automation test for Joomla CMS!
Selenium-Webdriver With PHPUnit Automation test for Joomla CMS!
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)
 
incs775_lect6.ppt
incs775_lect6.pptincs775_lect6.ppt
incs775_lect6.ppt
 
Dockerization of Azure Platform
Dockerization of Azure PlatformDockerization of Azure Platform
Dockerization of Azure Platform
 
Puppet
PuppetPuppet
Puppet
 
Introduction to docker security
Introduction to docker securityIntroduction to docker security
Introduction to docker security
 
Boot-To-Root KIOPTRIX Level -1
Boot-To-Root KIOPTRIX Level -1Boot-To-Root KIOPTRIX Level -1
Boot-To-Root KIOPTRIX Level -1
 
Managing Your Runtime With P2
Managing Your Runtime With P2Managing Your Runtime With P2
Managing Your Runtime With P2
 
Virtualization terminology
Virtualization terminologyVirtualization terminology
Virtualization terminology
 
V terminology guide
V terminology guideV terminology guide
V terminology guide
 
Purple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfPurple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdf
 

BH Arsenal '14 TurboTalk: The Veil-framework

  • 1. The Veil-Framework Will (@harmJ0y) Veris Group – Adaptive Threat Division
  • 2. The Veil-Framework  A toolset aiming to bridge the gap between pentesting and red teaming capabilities  Veil-Evasion: flagship tool, generates AV- evading executables  Veil-Catapult: initial payload delivery tool  Veil-PowerView: situational awareness with Powershell  Veil-Pillage: fully-fledged post-exploitation framework
  • 4. The Initial Problem  Antivirus doesn’t catch malware but (sometimes) catches pentesters
  • 5. Our Initial Solution  A way to get around antivirus as easily as professional malware  Don’t want to roll our own backdoor each time  Find a way to execute existing shellcode/our stagers in an AV-evading way
  • 7. Veil-Evasion’s Approach  Aggregation of various shellcode injection techniques across multiple languages  These have been known and documented in other tools  Focused on automation, usability, and developing a true framework  Some shellcodeless Meterpreter stagers and “auxiliary” modules as well
  • 8. V-Day  Since 9/15/2013, we’ve release at least one new payload on the 15th of every month  30+ currently published payload modules  20+ additional payloads have been developed so far  we’re going to be releasing for a while :)
  • 11. Veil-Catapult  Our basic payload delivery tool, released at Shmoocon ’14  Tight integration with Veil-Evasion for on-the-fly payload generation, can upload/execute or host/execute  Cleanup scripts generated for payload killing and deletion  Now obsoleted with the release of Veil-Pillage
  • 13. Veil-PowerView  A pure Powershell situational awareness tool  Arose partially because a client banned “net” commands on domain machines  Otherwise initially inspired by Rob Fuller’s netview.exe tool  Wanted something a bit more flexible that also didn’t drop a binary to disk  Started to explore and expand functionality
  • 14. Get-Net*  Full-featured replacements for almost all “net *” commands, utilizing Powershell AD hooks and various API calls  Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.  See README.md for complete list, and function descriptions for usage options
  • 15. Meta-Functions  Invoke-Netview: netview.exe replacement  Invoke-ShareFinder: finds open shares on the network and checks if you have read access  Invoke-FindLocalAdminAccess: port of local_admin_search_enum.rb Metaspoit module  Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
  • 16. User Hunting  Goal: find which machines specific users are logged into  Invoke-UserHunter: finds where target users or group members are logged into on the network  Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get- NetSessions on file servers to hunt for targets  Significantly less traffic than Invoke-UserHunter
  • 17. Domain Trusts  PowerView can now enumerate and exploit existing domain trusts:  Get-NetForestDomains: get all domains in the forest  Get-NetDomainTrusts: enumerates all existing domain trusts, à la nltest  Most PowerView functions now accept a “-Domain <name>” flag, allowing them to operate across trusts  e.g. Get-NetUsers –Domain sub.test.local will enumerate all the users from the sub.test.local domain if an implicit trust exists
  • 19. Veil-Pillage  A post-exploitation framework being released at Defcon  Multiple trigger options (wmis, psexec, etc.)  Completely modular, making it easy to implement additional post-exploitation actions  Comprehensive logging and cleanup capabilities
  • 20. exe_delivery  Catapult functionality ported to Pillage  Executables can be specified, or generated with seemless Veil-Evasion integration  .EXEs are then uploaded/triggered, or hosted/triggered with a UNC path  This gets some otherwise disk-detectable .EXEs right by some AVs
  • 21. powersploit/*  Several PowerSploit modules are included in Pillage  A web server is stood up in the background  the ‘IEX (New-Object Net.WebClient).DownloadString(...)’ cradle is transparently triggered  Makes it easy to run PowerSploit across multiple machines
  • 22. Hashdumping  Different approaches work in different situations  Dependent on architecture, Powershell installation, AV-installation, etc.  Some involve dropping well-known, close- sourced tools to disk  sometimes this is needed, but we want to stay off disk as much as possible
  • 23. Hashdumping: Pillage Style  Let’s aggregate some of the best techniques and build some logic in: if (powershell_installed) { Powerdump/PowerSploit} else { determine_arch { host/execute appropriate binaries } }  Expose these techniques to the user for situation-dependent decisions
  • 24. Questions?  harmj0y@veil-framework.com  @harmj0y  harmj0y in #veil/#armitage on freenode  https://www.veil-framework.com  Get the Veil-Framework:  Github: https://github.com/Veil-Framework/  Read more: https://www.veil-framework.com

Hinweis der Redaktion

  1. Will
  2. Chris