This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level. The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.

1. Pentester++
From sysadmin to Veil developer

2. uid=0(@christruncer)
● Team Lead for Veris Group’s Adaptive
Threat Division
● Veil-Framework Co-Developer
● Security Researcher
● Interested in research or pen testing?
Talk to me after :)

3. What’s this talk about?
● Why scripting/development is essential
● Case study driven by examining scenarios
and resulting scripts
● Largely Python based, but easily
transferrable

4. Why Learn a Language?
Make a computer do exactly what you want
http://cdn4.thetechjournal.net/wp-content/uploads/2012/03/Control-PC-With-intendiX-SOCI-600x337.png

5. What to start with?
Plenty of great options:

6. My Development Tips
● Start small
○ Veil wasn’t built in a day ;)
● Find tasks that you commonly perform or
fix a problem you’ve encountered
● Pick a language you’re interested in
● Google and StackOverflow
● Dive in!

7. My Development Philosophy
● Create a POC that meets your goal
● Clean up your code and comment it
● Make it usable by everyone, not just you
● Make it publicly available
● Maintain it

8. My Development Philosophy

9. So where did I start?

10. CCDC
● Volunteered to help red-team a practice
event
● @mubix helped provide pointers
○ Get scripts ready to fire
○ Suggested creating resource scripts
○ Prep for common exploits
● Started building scripts to assist in our
red-team workflow

11. Cortana
● Created by Raphael
Mudge (developer of
Armitage and Cobalt
Strike)
● Event driven language,
quite similar to any
scripts you may have
written for use on IRC…
:)

12. Helping the Red Team
● Problem: Blue teamers change
passwords often
● Goal: A solution that automatically grabs
hashes on a set interval
● Solution: Cortana Script

13. Start Small
● Figure out what the script needs to do...
● Get System Privs
● Dump hashes
● Repeat actions on an interval
● Draw from existing examples
○ https://github.com/rsmudge/cortana-scripts

14. https://github.com/rsmudge/cortana-scripts/blob/master/autoDiscover/autoAddEstablishedSessionHosts.cna
https://github.com/rsmudge/cortana-scripts/blob/master/idlewatch/idlewatch.cna

15. https://github.com/rsmudge/cortana-scripts/blob/master/login_autopwn/login_autopwn.cna
https://github.com/rsmudge/cortana-scripts/blob/master/raven/install.cna

17. Fruits of my Labor
● Got my feet wet in a new language
● Met the goals originally outlined
○ System Privs
○ Dump hashes
○ Do it every so often
● Made life a little harder for CCDC blue
teamers :)

18. Let’s Write from Scratch
● Try to find a (minor) problem/task that
needs help at your work
● Outline exactly what you need
● Pick your language of choice

19. Learn the basics (FNG phase)
● Hello world!
● Basic data types (strings, integers, etc.)
● Math, concatenation, loops, user-defined
functions, etc.

20. Python and Hasher
● Problem: The fastest way to check
hashes on our tests were to submit them
online… #opsecfail
● Goal: Create a script that generates
hashes and can perform comparisons
between hashes and plaintext strings
● Solution: Hasher :)

21. Hasher Requirements
● Capability to do this without submitting
hashes online
● Create hash from plaintext string
● Compare plaintext string and hash
● Support multiple hash types

22. https://docs.python.org/2/library/hashlib.html & http://stackoverflow.com/questions/5297448/how-to-get-md5-sum-of-a-string

23. Version 0.1
● We figured out the basic functionality
● Now, start making it usable by others
○ Add a basic menu structure
○ Add functions that would be used (generate
and compare)
● Prepare for users…. (Error check)

25. ugh… users… and usability..
● Error checking - half your code :)
● Don’t want a user to be able to crash
your program
○ Lack of usability can be the death of a
project
● Command line arguments?
○ great for ease of use
○ also for scriptability/third party integration

26. https://docs.python.org/2.7/library/argparse.html

27. Wrap it up!
● Added ability to take command line
arguments
● Supports multiple hash types
● Added the ability to generate hashes, or
compare hash with plaintext

28. Version Control?
● Use anything you are comfortable with
○ git
○ svn
○ cvs
○ etc…
● You will mess your code up
● You will delete your scripts/tools
● You will be thankful for checking your
code in somewhere

29. complexity++
moving beyond basic scripts

30. EyeWitness
Goal: Wanted a tool to screenshot URLs,
show default creds, generate a report, not
use PhantomJS, and wanted a challenge.
Existing: PeepingTom (@lanmaster53)
https://bitbucket.org/LaNMaSteR53/peepingtom/

31. Google!

32. StackOverflow!
http://stackoverflow.com/questions/16344700/take-a-screenshot-from-a-website-from-commandline-or-
with-python

33. Ghost!

34. Create the POC

35. Improvements
● File input:
○ text
○ nmap
○ Nessus
● Basic port scanning
● Report generation
● “Signatures” for default credentials
● User Agent Switching/Comparison

36. Report Generation
● Simple - HTML table tags
● Store server header and screenshot
● Multi-page reports
● Link structure required multiple loops to
create
○ Counters are my friend

37. Some EyeWitness Info/Stats
● Originally: 409 lines
● Currently: 1762
exactly
● Reasons?
○ port scanning
○ dir name specification
○ login signatures
○ etc.
● Real reason?
○ what’s your best guess

38. Find Your True Calling
#avlol

39. The Veil-Framework
● Problem: antivirus can’t catch malware
but does catch pentesters
● Goal: a way to get around antivirus as
easily as professional malware
● Solution: a Python-based framework for
generating shellcode injectors and
Meterpreter stagers

40. As always, ask the Google

41. Have a POC ...next?
● Research obfuscation methods
○ Look at existing malware
○ Try encryption routines
● Generate random files off of template
○ Framework might help
● Automate as much as possible
○ I probably should do a framework..

42. Released Veil 1.0
● Small, single file
script
● Limited
payloads
● It worked
○ better than it
should have :)

43. Next steps
● Don’t use a single script
○ Maintaining can be a pain
○ Not easily extensible
○ A framework would be nice…
● Find a mentor
○ Ability to bounce questions is invaluable
○ Learning opportunities
○ Collaboration opportunities

44. Team Up
● Teamed up with @harmj0y (formerly
@the_grayhound) & @themightyshiv
● We had separate tools, so we combined
our work
● @harmj0y didn’t sleep, combined code
bases into a framework
○ Took this as an opportunity to learn python-based
framework capabilities

45. Veil 2.0

46. Veil 2.0
● Fully modular framework
○ drag-and-drop payloads!
● “Language agnostic”
○ implement additional language families
○ check out @harmj0y’s presentation later!
● Easily extensible
○ common library methods/crypters
● Huge UI focus
○ tab completion, command line flags, etc.

47. How/What did I learn?
● Went back to learning from “existing”
code (framework from @harmj0y)
● Learned to develop as a team (splitting
tasks, accountability)
● Learned proper version control (git)
○ Don’t delete branches

48. The Veil-Framework
● We started coming up with additional
tool ideas, resulting in the “Veil-
Framework”
○ “A toolset aiming to bridge the gap
between pentesting and red teaming
capabilities”
● Veil was renamed to Veil-Evasion
○ Veil-Catapult: initial payload delivery
system, released at Shmooon ‘14
○ Veil-PowerView: network situational

49. The State of Veil-Evasion
● Still an actively maintained project
● V-Day
○ for victory over antivirus :)
○ since 9/15/2013, we’ve release at least one
new payload on the 15th of every month
● Hoping for community involvement
○ hint.. hint… :)

50. Fin
● Find something you’re
passionate/interested in
● Start small, and finish it
● Make it usable and stable! Lack of
usability and stability is death to a
project.
● Maintain it, and enjoy doing it

51. Questions?
● @ChrisTruncer
● https://github.com/christruncer
● chris@christophertruncer.com
● https://www.veil-framework.com/