During our second Shmoocon demo, we briefly demonstrated the newly released Cortana script, veil_evasion.cna, included at Veil-Evasion/tools/cortana/veil_evasion.cna. We wanted to go over exactly what this script is and how it can be used effectively.
Cortana is an attack scripting language based on Sleep, both written by Raphael Mudge. Cortana allows for advanced manipulation of Armitage and Cobalt Strike, the free and paid versions (respectively) of a GUI environment (and more) for Metasploit. (Note: Armitage is freely available in Kali with apt-get install armitage.) With Cortana, you can trigger on specific events or user actions, interact with the full Metasploit backend, modify menus, and more. There are some great examples on Raffi’s GitHub of what you can do with this powerful language at your fingertips.
We wanted to fully integrate Veil-Evasion’s capabilities into Armitage/Cobalt Strike utilizing Cortana. In order to get the menu structure we wanted, the Armitage (BSD-licensed) backend code was taken apart and custom menus were constructed using Raffi’s existing code examples. We were finally able to get our graphical menus to look the way we wanted. To load the veil_evasion.cna script in Armitage, go to Armitage -> Scripts, select the Load button and navigate to the veil_evasion.cna script:
On first run, you will be prompted for your Veil-Evasion installation path:
After loading the Cortana script, a Veil-Evasion menu will be opened in the top menu bar. Clicking on it will allow you to Generate a payload, check the Current PSEXEC Payload, or Set Veil-Evasion Path to your current installation. Choosing Generate will present the main Veil-Evasion menu:
Double-clicking on Payload will fill a dynamically-generated list of all current Veil-Evasion payloads in your installation:
Double-clicking MSFPayload will present a set of selectable msfpayload options for shellcode_inject payloads:
Clicking Generate will run the appropriate Veil-Evasion command in the backend and display the output path of your generated payload. If you select Set as PSEXEC Payload, then all standard Metasploit psexec module executions will be hooked and your generated payload will be substituted in:
If you ever want to change the hooked PSEXEC payload to something else, choose Veil-Evasion -> Current PSEXEC Payload and either enter a custom .EXE path or clear it to remove the custom .EXE hooking. If you’re utilizing Cobalt Strike, selecting Use Listener will allow you to select one of your existing listeners and fill in all appropriate options for payload generation.
If you’re interested in Cortana, check out Raffi’s main GitHub, his tutorial, and/or the Cortana script pack I’ll be maintaining here. And if you happen to be in Austin in mid-to-late March, check out my talk on Cortana scripting at @BSidesAustin, “Wielding a Cortana”, where I’ll cover this particular Cortana effort and others in more detail. The slides are up on SlideShare and the video is posted here.