Evading Anti-Virus Without Being A Wizard

Recently, I became curious just how different AV evasion tools actually worked. This is a very interesting topic as AV  vendors seem to be playing catch-up. Granted, they are pretty good at this cat and mouse game but the problem is that they are the mouse.

Lots of posts I have seen on AV evasion are simple tutorials on how to run the tools but I don’t find that very helpful. Without understanding what you’re doing, you aren’t going to be able to propose a solution. Anyways, the techniques used to trick AV are pretty clever!

This is not meant to be a simple tutorial since there are plenty of those out there; what I wanted this to be is a way to understand how AV bypass tools work.


Hyperion: Hyperion is an older tool that is only on this list to demonstrate a pretty cool obfuscation technique. Hyperion use a technique that encrypts your malicious binary with a shortened AES key. The decrypter, or stub, which is not encrypted, gets packed into the binary as well. What that does is brute forces the AES key every time the binary is run. The problem with this is that AV vendors look for this brute forcing stub which forces Hyperion to rely on original obfuscation techniques such as Assembly Ghostwriting. Assembly Ghostwriting is in short placing junk inside your program in order to hide its true purpose.

Tutorial: http://e-spohn.com/blog/2012/08/02/pe-crypters-hyperion/

Documentation: https://www.exploit-db.com/docs/18849.pdf


Veil-Evasion: Veil is a framework that can use multiple obfuscation techniques. One of these is taking the same method Hyperion uses. It also can take a python shell and using py2exe, Pyinstaller, or pwnstaller, it can bypass AV. Since Pyinstaller is a fairly common tool, AV rarely flags binaries created with it. Pwninstaller is a variation of Pyinstaller. What it does is recompiles a part of Pyinstaller to force your binary to NOT opt-in for DEP protection which can increase the reliability of your binary.

Another method Veil uses is custom code, obfuscating code and using non-standard code for Windows binaries. Hopefully, you can already see a trend. There are multiple ways to obfuscate malicious code, no one way works for all AV vendors and no one way will work for very long before they catch up.

Here is a chart of how well AV vendors are faring against Veil payloads: https://docs.google.com/spreadsheets/d/1GkNmPkaPrHevO0tHnc-W_xctBNWtnL3LaQIeejTNX6U/edit#gid=0

Tutorial: https://www.security-sleuth.com/sleuth-blog/2015/2/3/using-veil-with-metasploit

Documentation: http://www.slideshare.net/VeilFramework/the-veilframework


Shellter: This tool is simply a PE injector. It allows you to inject a shell into a binary. Because you can choose any application to inject code into, as well as choose any injection point, you basically have an extremely polymorphic malicious binary tool. Shellter also has options to load several built in meterpreter shells. This is also the only Closed-Source project on this list so you might want to take that into consideration before using this tool.

Tutorial: https://www.doctorchaos.com/shellter-project-bypassing-av-detection/

Documentation: https://www.shellterproject.com/introducing-shellter/


Overview:

There are of course many other ways to bypass AV. This post was meant to gain an understanding of the point-n-click tools for AV bypass.

Hyperion fares the worst since its “stub” or decryption code is well known by AV vendors. This could be bypassed by writing your own stub. After obfuscating my meterpreter shell, the detection rate actually went up.

Veil fares pretty well! Its framework also has a bunch of other convenient tools as well which makes it the most robust tool on this list. You can check out this list of proven bypassed AV vendors above.

Shellter actually seemed to be the most in depth AV obfuscation tool on this list. With my first try, I got a meterpreter shell with a perfect score on Virus Total. Once again, with this tool being closed-source, it will be interesting to see how long it takes for AV to catch up!

OSCP – Penetration Testing With Kali – Overview

 

offsec

Intro:

My experience with penetration testing before taking this course was nearly nothing.

Pre-Experience:

1-2 years of system administration

Almost done with a BS in IT Security

Several years of captaining a CCDC team. (Collegiate Cyber Defense Team)

Other than that, I was comfortable with Linux, Server Administration, Python and other sys-adminy type stuffs. I would highly recommend at least getting comfortable with the following concepts before jumping into the labs:

Web Servers,Linux, Windows Servers, DNS, FTP, SMB, SMTP, POP3, SNMP, etc.

You don’t need to know everything about these concepts but you should know enough to explain what they are and how they generally work.

Exercise:

The exercises are pretty well laid out. They advance slowly and near the end of the exercises, you are required to understand earlier exercises. They skim many of the concepts needed to get through the labs and it is up to the student to expound on any given topic. If you already have lots of professional experience, you might not need to go through the exercises but if you are like me, the exercises are definitely necessary.

Labs:

The labs are pretty impressive. Lots of blogs go over the structure of the lab so I will save my characters. However, the range of concepts needed to successfully get access to most of the boxes is very broad. Only a couple boxes have repeat vulnerabilities and these typically have multiple paths to root. The notoriety of gh0st, pain, sufferance and humble is definitely well deserved. I spent lots of time with these and ended up with a low priv shell on pain and nothing on sufferance. I did end up getting root on gh0st and humble though. Had I extended my lab, sufferance would have been on the agenda.

The labs were awesome at making the student build his own toolkit and create his own methodology which is where I think its real value comes in. Figuring out what tools worked best was a huge part of the learning process.

Exam:

The exam was hard. I went in not really knowing what to expect. Even though my toolkit was proven throughout the labs, it seemed as if it wasn’t enough for the exam. I spent 18 hours on the exam and at 3 AM, when my brain wasn’t working quite well, I decided to call it a day.

Fast forward a couple days.. And I got that awesome email..

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.

Recap:

Overall, I would say I learned more from the PWK and OSCP process than I have from any one course in school. Like everyone else who took it, I would highly recommend the course! It is a very rewarding exam, it will be interesting to see how much this stuff pertains to actual penetration testing! I do wish there was more AD stuff but that was about my only thought on improvements!

How the Hacking Team Got Hacked

For Fisher, Hacking Team was a perfect target.

The Hacking Team is a group of 50+ hackers who provide offensive tools for governments across 6 continents. In mid-2015, they were exposed to the world. Everything from their source code to their email database was published on their defaced Twitter page via a torrent.

Little was known about the attack. Until several days ago. Phineas Fisher posted a full write-up on the steps taken to gain access and ex filtrate the goods.

His write-up can be found here on Ghost Bin.

The tactics used by Fisher are very complicated. It’s easy to say that this guy definitely is not a noob. You can check out the link about for the full write-up which is pretty interesting or if you don’t got time for that, I summarized for you.

For Fisher, Hacking Team was a perfect target. According to him, it was run by a “Fascist” and worked against “journalists, activists, political opposition, and other threats to their power”

Fisher followed the typical steps to gather information for a target. He used Google, Subdomain Enumeration, Whois and Port Scanning. These are your typical beginning steps. After this he began to collect information from social sites such as LinkedIn and Metadata from public files. Once again, these are all typical steps for reconnaissance.

Fisher avoided social engineering, after all, the Hacking Team are experts at it so they likely know how to spot spear phishing!

With all this information collected, Fisher found that they don’t have much exposed to the internet. What they did have was a website, a mail server, a couple routers, two VPN appliances and a spam filter.

His options were pretty slim so he began to search for a 0day in an embedded device. This is that impressive part..

After two weeks of reverse engineering, he had a remote root exploit. And after some more testing and assuring that it would not raise a red flag, he created a back door firmware to hide his 0day.

He did not include his exploit or the device used since he claims that it still is not patched.

Once he was in their network, his process was pretty straight forward. Slow network scans and a NetBios poisoner responder.py

He soon finds their backups and attained access to their email database and eventually their development network. He used iscsi to access their backups and mounted them using some clever iptables rules.

He ended up pulling all their passwords as well which he lists in the report.

HACKINGTEAM         c.pozzi         P4ssword

Using powershell, he downloaded all the mailboxes and then used his proxy and smb to download all the files.

All of the emails leaked can be found here.

He included quite a few links to all the tools he used and some good times and use cases for those. I would recommend you check that out!

It appears that at the end of his summary he encourages similar behavior. Heres an excerpt from his report..

“Hacking guides often end with a disclaimer: this information is for
educational purposes only, be an ethical hacker, don’t attack systems you
don’t have permission to, etc. I’ll say the same, but with a more rebellious
conception of “ethical” hacking. Leaking documents, expropriating money from
banks, and working to secure the computers of ordinary people is ethical
hacking. However, most people who call themselves “ethical hackers” just work
to secure those who pay their high consulting fees, who are often those most
deserving to be hacked.”

 

However, the Hacking Team seems to call Fisher out on some of the details..

Moral of the story, no one is invincible, and there is always someone out there ready to play your game better than you.

hackingteam hacked logo

Credit: Steve Ragan / Twitter

 

 

Cybersecurity Information Sharing Act and your privacy

Since the first computer virus in 1989, the US government has been struggling to keep up with the rapidly evolving world of cybersecurity. Hackers use constantly evolving methods while Congress sluggishly passes inefficient measures against these hackers. Over the past 30 or so years, multiple bills have been put in place to battle this misuse of technology. The most recent bill is the CISA.

The Cybersecurity Information Sharing Act passed in the Senate in Oct. with a whopping vote of 74-21. This bills main purpose is to help prevent data breaches like the famous Office of Personnel Managements breach that exposed the personal data of more than 20 million current and former federal employees.

CISA aims to do this by offering legal protection to companies who opt in, enabling these companies to share information without the risk of legal repercussion. In theory, when a company is attacked, the federal government is alerted immediately and the warning is distributed to all companies taking part in CISA.

Why does this need to go through Congress?

CISA eliminates a company’s liability, thus, protecting them from lawsuits for sharing too much information.

Some privacy advocates however have major concerns regarding CISA. Several senators took heed of these warnings and proposed amendments to the bill, such as requiring companies to remove personal data from any information before sharing. Ultimately, all of the proposed amendments were shut down and the bill was passed without any of the privacy reforms.

Privacy advocates also aren’t sure how much the bill will even promote data sharing to mitigate attacks. This is based on the argument that data sharing is already taking place among many companies and introducing the government has not historically improved matters. Ben Johnson, Chief Security Strategist is quoted saying in a Forbes article:

“While cyber defense, security and safety should be a top national priority, the time the federal government continues to spend on CISA demonstrates that’s not the case. Threat intelligence is already being shared bountifully. It is the processing of that information, the application of that information, the operationalizing [sic] of that information, and finally the incorporation of that information into an overarching cyber strategy and risk mitigation platform that is sorely lacking. Threat intelligence sharing is not the problem.”

CISA is also criticized for lacking clarity – the bill does not specifically define just how the information will be shared or managed. Nowhere in the bill does it disallow shared information from being used outside the scope of cybercrime investigations. On the wake of Edward Snowden’s disclosures, passing a bill that allows the NSA to gather personal information even easier, could be seen as ironic.

For those of you unfamiliar with Edward Snowden, Snowden revealed thousands of documents exposing the US governments vast reach of information gathering. Ex-NSA contractor Snowden is currently hiding in Russia and according to this CNN article, he criticizes CISA, commenting that the FBI and NSA already collect this kind of hacking data all over the internet, but CISA would allow them to collect even more directly from companies.

Recap

This bill may have good intentions, but due to its vagueness, it can be very costly and may cause problems. Some view it as progress but many view it as just another infraction on our right to privacy. Currently, CISA has only made it through the Senate and now must be combined with several other cyber security bills at the House and finally, the President must sign off on it. However, the Obama Administration has already made it clear that they support the bill.

Your Information is For Sale

Big data is a booming business in today’s world. With companies wanting more information about consumers, and data analytics becoming easier for large companies, you might want to be informed of what information they are gathering.

So, where is all this information collected from?

You. Whenever you purchase something from almost any store, your information is collected. It may not be surprising that stores keep a record of what you buy, but it is noteworthy that these stores are all more than willing to sell your information to big data collectors like Datalogix.

Is any of my data private?

There are some limits on what can and cannot be sold. Unfortunately, this list of restrictions are not very long. Of course, medical data cannot be sold under HIPAA regulations. Other information, such as anything that may have to do with your credit score is also somewhat prohibited from selling or purchasing under the Fair Credit Act. These restrictions however, are fairly loose.

Finding out that you have a medical condition is not very difficult for these big data companies. For example, if you search online for allergy medicine or home remedies for back pains, your search data is collected and then sold to these companies. In fact, some health insurance are purchasing data to predict future medical conditions based on purchases such as plus-sized clothing.

Target gives us an example of data analytics gone wrong. According to an article featured in Forbes, Target knew that a young girl was pregnant before her parents knew. Target began sending the girl coupons for baby clothes and cribs and the father confronted Target thinking that they were encouraging her teenage daughter to get pregnant. After speaking with his daughter, he found out that she was in fact pregnant and Target’s algorithms had picked this up and began targeting the girl.

After this scandal, Target changed the way they targeted consumers.

A Target executive is quoted in the New York Times saying, “Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random. We’d put an ad for a lawn mower next to diapers. We’d put a coupon for wineglasses next to infant clothes. That way, it looked like all the products were chosen by chance. And we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer for diapers and cribs. As long as we don’t spook her, it works.”

The largest asset to data collection companies is social media.

Facebook recently purchased a patent from Friendster, a company that created algorithms from big data collections. In this case, Facebook can now determine your credit score based on your online friends. While the Fair Credit Opportunity Act prohibits certain ways to determine how an individual can get a loan, this algorithm may be used to decide on people who are borderline to begin with.

Would it make you feel better to know that you can find out what information they know about you and have them delete it?

Well, that’s not possible, at least not yet. Some companies that collect data will tell you what data they have about you, but often this is not the full report. There is usually a fee and it’s not one single company you would have to request the information from. There is an option to opt-out of this as well, but taking the time to track down all of the data brokers may take quite a bit of time.

Are you using Windows 10?

Windows 10 by default includes Cortana Digital Assistant. This includes access to all your personal information as well as sending your searches to Bing to improve future results and ads. This is data collection, so as long as you are fine with Microsoft building a database about you and predicting what food you like, what ads you want to see, as well as a host of other personal information, don’t worry about any of this.

For those with Windows 10, a quick Google search will lead to instructions to disable Cortana from collecting data. This is not just Microsoft. Google, Apple and most of your favorite stores also use your information for their own gain.