-
Reverse (Pseudo) Shell over SSH
So after exploring libssh a little bit I wanted to do something useful. My idea was to have a kind of reverse (pseudo) shell that works via SSH: the client connects to the attacker's SSH server with a port forward, and on the attacker machine port 8080 will be opened on localhost…
-
libssh first steps
Here I describe some first steps for using libssh on an old setup (WinXP with Visual Studio 2008). I think the steps for other platforms are more or less similar. OpenSSL: Win32OpenSSL-1_0_2m.exe from http://slproweb.com/products/Win32OpenSSL.html -> install it. zlib123dll.zip from http://www.winimage.com/zLibDll/ -> zlibwapi.dll renamed to zlib1.dll; I placed it into my working directory. libssh-0.7.2-msvc.zip from https://red.libssh.org/projects/libssh/files ->…
-
Slides Post Exploitation and Attack Vectors in vSphere
Slides from the OWASP Meeting Cologne, 14.09.17: Post_Exploitation_and_Attack_Vectors_in_vSphere
-
Sandbox Evasion PoC Killswitch gethostbyname
Recently lots of people talked about killswitches, so I decided to make a quick test. Using gethostbyname as a sandbox evasion technique seems to work just fine. The function takes a hostname and tries to resolve it to an IP address. The shellcode in the PoC is only executed if the name cannot be resolved. Hope…
-
Paper AVET Blackhat USA 2017
Hello folks, I wrote a paper for the presentation of AVET at the BH USA 2017 Tools Arsenal, explaining the tool and the basics of antivirus evasion: BH_USA_2017_AVET. Thanks to @mback2k and @blubbfiction for the review.
-
Using msf alpha_mixed encoder for antivirus evasion
For enhancing AVET I had a look at the alpha_mixed encoder from the Metasploit project. ASCII-only shellcode can be produced that way: # msfvenom -a x86 --platform windows -p windows/shell/bind_tcp -e x86/alpha_mixed BufferRegister=EAX -f c With the common technique of a shellcode binder (or function pointer) the shellcode cannot be executed, because…
-
AVET video
Someone made a YouTube video about AVET, with a full run and setup. Might be useful for first-time users. Stay tuned for the next version, which will be released end of July ’17 at Blackhat USA.
-
Write your own metasploit psexec service
Lately I did some research on Metasploit’s psexec module and how to write your own service executable. This will be integrated into AVET within the next weeks. The PoC is simple (download: https://github.com/govolution/avepoc/blob/master/psexecservice.c): // compile: // wine gcc -m32 psexecservice.c #include <windows.h> #include <stdio.h> #define SLEEP_TIME 5000 #define LOGFILE "C:\\status.txt" SERVICE_STATUS ServiceStatus; SERVICE_STATUS_HANDLE hStatus; void…
-
AVET and unstaged payloads
There are several reasons for using unstaged payloads for meterpreter. Since the DLLs are not loaded over the network but are included in the executable file, this may reduce the chance of an IDS/IPS detecting the connection. The executable will be much bigger: # ls -al pwn_unstaged.exe -rwxr-xr-x 1 root root 1578548 May 6…
-
Slides Owasp Meeting Cologne AVET
Yesterday I gave a presentation about AVET (AntiVirus Evasion Tool) at the OWASP meeting Cologne. The main part was a demonstration, but nevertheless: here are the slides.