Archive for August, 2012

 

Hiding Your Shells

Aug 19, 2012 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
 

I’ve been working on a couple of little of side projects and finally had a couple hours to sit down and test some things out.  I’m always looking for better ways to hide my reverse shells (and of course meterpreter) and evade anti-virus.  Through some of the conferences I recently attended, here are a couple of new techniques.

1) Hyperion [http://www.nullsecurity.net/binary.html]

Hyperion is a run-time encrypter for 32-bit portable executables.  Runtime crypter accepts binary executable files as input and transforms them into an encrypted version (preserving its original behavior). When executed, the encrypted file decrypts itself on startup and executes its original content.

In short, to summarize what Hyperion does, is that it encrypts a binary with AES 128.  Usually, you’d have to input the cipher key, but this is where Hyperion does it differently. The newly generated encrypted file doesn’t contain the AES cipher key within its code.  It actually doesn’t even know what it is.  During execution, the encrypted version brute forces through every AES key, then decrypts the PE file in memory and executes it. Sweet!

The concept is really cool, where every file will be unique and even if you try to reverse it (using static methods), you won’t be able to find out the original key (easily at least).  I created some meterpreter reverse shells and encrypted them and when I checked against AV, only about 11/43 picked them up as potentially malicious or encryptor.

The problem is that the stub for Hyperion is not polymorphic and doesn’t change, so it’s easy to pick up.  This tool is just a PoC and I’m sure we could build a unique encryptor using the same type of functionality that won’t be picked up by any AV.

Installing Hyperion:
a) Download Hyperion from nullsecurity’s site: http://www.nullsecurity.net/binary.html
b) Requirements – Download a Windows Compiler http://sourceforge.net/projects/mingw/
c) Run “make” in the extracted Hyperion folder and you should have the binary.

Running Hyperion:
a) crypter.exe <input file> <output file>   –  [ Image ]
b) Execute the encrypted file

Notice when you run the encrypted file, your CPU ramps up to 100% for about 10-15 seconds.  This is the brute forcing of AES keys before decrypting your file. [ Image ]

You can read more about Hyperion at :
http://www.nullsecurity.net/papers/nullsec-bsides-slides.pdf
http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf

2) Python Shells FTW

We all know and love python.  It can pretty much do everything you need it to including making some nice reverse shells.  So I created a little script using some code from David Kennedy (which I’ll link at the bottom) to create a reverse shell and package it into a single file.  Before we can start, we need to install some software:

a) Install Python 2.7
b) Install Pyinstaller
https://github.com/downloads/pyinstaller/pyinstaller/pyinstaller-2.0.zip
–Extract pyinstaller to C:\\pyinstaller-2.0\
c) Install Pywin32
http://sourceforge.net/projects/pywin32/files/pywin32/Build%20217/

Now we can run my little python script Shell_Generator.py Script.  The Shell_Generator.py script does the following:

a) Prompts you for the reverse IP and Ports you want [ Image ]
b) Creates the python reverse shell [ Image ]
c) Uses pyinstaller to create a single executable from the python reverse shell and makes sure not to prompt a console during execution
d) Your new reverse shell is located under : C:\shell\dist\shell.exe [ Image ]

Just put up a netcat listener on the port you specified, send your reverse shell to the victim host, and now you have your shell!!!!

Again, since you created the script through python, it is not detected by any antivirus!  woot woot!

Tools: Shell Generator Script

References: http://www.trustedsec.com/files/BSIDESLV_Secret_Pentesting_Techniques.pdf

-Peter