Stickykeys Backdoors, Tradecraft, and Obligatory Powershell Goodness

I am currently working on an inter-team exercise as a red teamer against a Network Defender / Forensic Analysis team, and we are all trying to get as much out of this as possible. I am getting plenty, as I have a huge playground to hone my abilities on, but I wanted to also give them something different to look at / analyze. This led me to creating a little script or two in PowerShell to make their job harder / more interesting than the typical stuff. I took a few techniques (sticky keys backdoor / Windows path canonicalization) to achieve the desired effect, with a little PowerShell seasoning to make things interesting.

My ideas were as follows:

1. Create a dropper which will download an unknown payload which can be dynamically changed and removed from the attacker’s machine to prevent analysis of it by the network defenders.
2. Try to obfuscate any files being transferred over the net to prevent file carving / figuring out what was transferred over the net.
3. Prevent AV from catching the payload.
4. Try to make it hard for them to delete said payload if they DO manage to find it.
5. USE POWERSHELL! :)

(more…)

C2 With Python, Powershell, and Favicons

As I was leisurely browsing the web recently, I saw the icon for a website pop up on one of my tabs and an idea popped into my head — the favicon is such a common thing to see in packet captures and the like that it would surely be overlooked as a potential vector for c2 of malware. There may be people doing this already, I’m not saying it’s a completely groundbreaking idea, but merely another tool to stick in the toolbox as I am always trying to adapt and find new ways of doing things. Python makes this task very trivial too, so I decided to whip up some code to see how well it would work out.

Having spent time during CTFs using the Python Imaging Library to create / read images, I knew the creation of the PNG file would be the easy part. A simple implementation could be the following:

(more…)

Playing in the Windows API with Python

I have been meaning to make a post like this forever, as I feel it is imperative that you learn how to interact with the Windows API to get past the typical "Metasploit Pentester" plateau and take your knowledge and understanding to the next level. Not only is it important to augment your understanding of what is happening under the hood, but it also gives you a little more imagination and expands the boundaries of your toolmaking ventures!

Also, I want to point out that this is not meant to be an exhaustive or advanced walkthrough; it is only meant to get people started and provide them with the tools to begin interacting with the Windows API. So without further ado…

The first thing you need to know is that we will be using the amazing "ctypes" module within Python to do all of our interactions, so be sure to start all of your code off with this:

(more…)