Veil-Framework / Veil

Veil 3.1.X (Check version info in Veil at runtime)
GNU General Public License v3.0

introduce a proper setup.py #243

Closed blshkv closed 6 years ago

blshkv commented 6 years ago

We are trying to port this tool to Pentoo in https://github.com/pentoo/pentoo-overlay/issues/354, but I realised after a quick look that it will be a nightmare.

The current "official" way (https://github.com/Veil-Framework/Veil/blob/master/config/setup.sh) is NOT how it is supposed to be done. It is also not going to work for Pentoo Linux, since we install all tools in a sandbox environment.

Please use the proper distutils tool, create a setup.py, and do not change/install any system packages on your own. This is typical malicious behaviour.

necrose99 commented 6 years ago

dev-python/pycryptodome

https://gitlab.com/lanodan/overlay/issues/6

pycrypto uses a broken algorithm and is vulnerable,

that's not good..

https://gpo.zugaina.org/Search?search=pycrypto Known forks, at least maintained: dev-python/pycryptodome https://github.com/Legrandin/pycryptodome https://www.pycryptodome.org/en/latest/ dev-python/pycryptodomex likewise, just the C/C++ extensions for pycryptodome

tombstone

ChrisTruncer commented 6 years ago

Honestly, I was planning on closing this issue outright as it's just rude and demanding. Telling someone that porting something they worked on "will be a nightmare", saying how they are doing things is "not how it's supposed to be done" and making a claim that it's essentially malicious behavior isn't a great way to get someone to help you with an issue. However, I decided to actually respond and give my take.

Veil is not a python package. It wasn't ever designed to be. In order for Veil to work, there are many different packages and environments (WINE) that need to be installed and configured for Veil to run. Veil has dependencies beyond just python libraries, hence the reason for installing system packages. Claiming doing so is essentially malicious behavior is ridiculous and incorrect. Please review the source code and show any signs of malicious use.

The setup script is designed to be an easy way to install everything that is needed. Users are in no way required to use the setup script; they are free to install all the dependencies manually and configure the environment themselves. It's included for usability purposes, so people can get up and running quickly with it.

As for the additional comment from @necrose99, I can somewhat understand the argument that the library isn't updated anymore, but the library itself works. If there were to be a security vulnerability in it which left Veil users vulnerable to something, that would prompt a quick review and modification. But the linked issue talking about supporting "vulnerable" algorithms doesn't really hold ground in my opinion. Veil output was never designed to withstand cryptographic analysis. Its purpose was simply to make a human, or software analyzing a payload, take an additional step before seeing the actual code. I mean, the key is literally embedded in the binary itself (in most payloads); you could probably just strings the file and get it. Again, the point of encryption in Veil was not to withstand cryptographic analysis nor act as a perfect crypto system. You can think of it almost as a layer of obfuscation.

If someone wants to submit code that completes the requested modifications, I am always happy to review it and merge approved changes in. But to speak rudely to an open source developer, who does work on their own time because they enjoy it, and make demands of them, is just off-putting. If you look to make requests to me, or really anyone, in the future, consider talking to them as a person.
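The point made above, that a key shipped inside the payload turns encryption into obfuscation, is easy to see in working code. The block below is an added example written for this page; it is not Veil's code and the stub layout (the `DEMOSTUB` marker, length fields, SHA-256-in-counter-mode stream cipher) is a constructed stand-in for whatever a real self-decrypting stub does. It builds a blob that carries its own key, then recovers the payload two ways: by parsing the known layout, and by a strings(1)-style scan that surfaces an ASCII key directly.

```python
import hashlib
import os
import struct
from typing import List, Optional

# Constructed stub layout for this demonstration; it is NOT Veil's output format.
MAGIC = b"DEMOSTUB"


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode used as a toy stream cipher.

    The primitive is not the weak point here; the key handling is."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(payload: bytes, key: bytes) -> bytes:
    """XOR the payload with the keystream (symmetric, so decrypt is the same operation)."""
    return bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))


decrypt = encrypt


def build_stub(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Emulate a self-decrypting stub: the key is stored next to the ciphertext,
    because the stub must be able to decrypt the payload at run time."""
    if key is None:
        key = os.urandom(16)
    ct = encrypt(payload, key)
    return MAGIC + struct.pack(">H", len(key)) + key + struct.pack(">I", len(ct)) + ct


def recover_payload(blob: bytes) -> bytes:
    """What an analyst does once the stub layout is known: locate the marker,
    read the key out of the blob and decrypt. No cryptanalysis is involved."""
    idx = blob.find(MAGIC)
    if idx < 0:
        raise ValueError("stub marker not found")
    pos = idx + len(MAGIC)
    (klen,) = struct.unpack(">H", blob[pos:pos + 2])
    pos += 2
    key = blob[pos:pos + klen]
    pos += klen
    (clen,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    return decrypt(blob[pos:pos + clen], key)


def printable_runs(blob: bytes, minlen: int = 4) -> List[str]:
    """Minimal strings(1): runs of printable ASCII of at least minlen bytes.
    An ASCII key embedded in the stub shows up here directly."""
    runs: List[str] = []
    cur = bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= minlen:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= minlen:
        runs.append(cur.decode("ascii"))
    return runs


if __name__ == "__main__":
    payload = b"constructed payload bytes"           # stand-in for real shellcode
    blob = build_stub(payload, b"0123456789abcdef")  # constructed ASCII key
    print("plaintext visible in blob:", payload in blob)
    print("strings-style runs:", printable_runs(blob))
    print("recovered:", recover_payload(blob))
```

The plaintext never appears in the blob, so a naive pattern match misses it, which is the "additional step" described above. But anyone who reads the stub's decryption routine learns the layout and gets the payload back with `recover_payload`, and a printable key falls out of `printable_runs` without even that. Swapping the toy cipher for AES from pycrypto or pycryptodome changes nothing about this, which is why the choice of library is beside the point for this property.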

blshkv commented 6 years ago

I might have sounded rude, but I'm simply being lazy and tired. I file dozens of such reports like a bot and try to get feedback from authors.

The last report was https://github.com/derv82/wifite2/issues/102. The wifite tool is much simpler, but it has a similar problem: it has to call external tools in addition to python modules. Nevertheless, they managed to come up with a solution.

The current setup.sh script is meant for end users so they can install your tool more easily. However, I suggested creating a proper setup (don't get too upset about this word) so that each linux distribution could add the tool to their repository and the tool could be installed with one single command like apt-get veil or similar, instead of the current script, which is limited to a few distros only.

Feel free to re-open this issue (I'm unable to do it) if you are ready for the dialogue.

P.S. Your opinion about the unsupported pycrypto library is ridiculous. This library was replaced (or forked) by pycryptodome, and these two libraries cannot be installed at the same time. That means that the Veil tool cannot be installed together with other modern tools which switched to pycryptodome.
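As an added illustration of the request above (a setup.py that declares dependencies and leaves system packages to the distro), here is what such a file can look like for a Python tool that, like Veil or wifite, also shells out to external programs. This is example code written for this page, not Veil's or wifite's own setup; the package name `exampletool`, the module path `exampletool.cli:main` and the tool list are assumptions. The Python requirements go into `install_requires` so a distro packager can map them to their own packages, and the external programs are only checked for on PATH, never installed by the script.

```python
"""Illustrative setup.py for a tool with both Python and external dependencies.

Added example, not Veil's setup; all names here are assumptions.
"""
import shutil
from typing import Dict, Iterable, List

# External programs the tool shells out to at run time, mapped to the name a
# packager would look for. Constructed list, not Veil's real dependency set.
EXTERNAL_TOOLS: Dict[str, str] = {
    "wine": "Windows compatibility layer used to run the generated binaries",
    "gcc": "C compiler used to build native stubs",
}


def missing_external_tools(tools: Iterable[str]) -> List[str]:
    """Return the tool names that are not on PATH.

    The install step only reports what is missing; installing system packages
    is the job of the distribution's package manager, which keeps the tool
    installable inside a sandboxed build (the Pentoo concern raised above).
    """
    return [name for name in tools if shutil.which(name) is None]


def describe_missing(tools: Dict[str, str] = EXTERNAL_TOOLS) -> str:
    """Human-readable summary for the user, one line per missing program."""
    missing = missing_external_tools(tools)
    if not missing:
        return "all external tools found"
    return "\n".join(f"missing: {name} ({tools[name]})" for name in missing)


def main() -> None:
    # Imported here so the helper functions above stay importable without setuptools.
    from setuptools import find_packages, setup

    setup(
        name="exampletool",
        version="0.1",
        packages=find_packages(),
        # Python deps are declared, not pip-installed from a shell script.
        # Declaring pycryptodome (which provides the "Crypto" namespace) rather
        # than pycrypto avoids the install-time conflict mentioned above.
        install_requires=["pycryptodome"],
        # Gives the user a "veil"-style command without hand-made symlinks.
        entry_points={"console_scripts": ["exampletool=exampletool.cli:main"]},
    )
    print(describe_missing())


if __name__ == "__main__":
    main()
```

A packager for Gentoo, Arch or Debian can then express `install_requires` as distro-level dependencies and the external tools as RDEPEND/Depends entries, while end users on a distro without a package still get a one-command install. The `describe_missing()` output is advisory only: the decision to pull in wine or a compiler stays with the user or the distro, which is the property the issue asks for.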

ChrisTruncer commented 6 years ago

Veil already has an apt package for Kali Linux. @g0tmi1k successfully created one and users can choose to install Veil on Kali via apt thanks to his work.

You're saying my argument is "ridiculous" for pycrypto, but you don't address any of the points that I make.

I still go back to my original statement. When you are looking for other people to do work, speaking kindly is the best way to do so. This, unfortunately, isn't.

necrose99 commented 6 years ago

weak magical Crypto Fairy Dust .... oh right, OCT OWASP Indianapolis 2013, the @SpiderLabs team gave that talk years ago.. sure the Crypto is good, but the fact that they used weak keys made it very easy for the SpiderLabs guys to pwn the crap out of the webdevs' test boxes... with full test env, for those who were brave enough to volunteer them for pwnage... so as to not have them go live with flaws... not using 8-16 bit keys, and say full keys with a pinch of salting, was the day's lesson...

“Attack is the secret of defense; defense is the planning of an attack.” ― Sun Tzu, The Art of War

better Crypter/Crypto, better going under the radar, only helps veil...

also helps keep the work off [VULS](https://github.com/future-architect/vuls)
which can chronically scan VirusTotal.. and network/devices; think of it as a golang version of Nexpose or OpenVAS/Nessus, however all baked into a very IoT friendly pkg.. 2 megs compiled or less. can likely be used to defend or attack.. USED for weal or woe.. also could easily be baked in to EP class routers.. Cisco/Palo Alto for next to nothing... which could make the metasploit mods with weak-sauce crypto a very @#$#$#^$ day for Red Team..

So let me guess, you'd rather we just wrap the ebuild from debs; can be done... but not terribly good... Likewise I can use Parrot OS/Kali debs to wrap via ebuild.. but also not as good on Q/A. and for arm64... that's going to bite...

as well, pycryptodome provides pycrypto, which could be added, i.e. nuke pycrypto by pointing to newer well maintained forks... and use newer pycryptodome.. but stating pycryptodome as a "Virtual" for pycrypto. package provides...

Point @blshkv makes about python2/3 setup.py install is a good one..
(/opt/veil or /usr/bin/veil | symlink veil.py /usr/bin/veil) can still prefer to set up to regular folders. Blackarch, Pentoo, Gentoo, and any other Linux/BSD distro benefits.. you don't have to support downstream distros if you don't care to, but the option is theirs; doors open to other distro makers/maintainers to step in.. Ideally distutils setup.py makes it multi-platform.. or more universal..

as well, can still use your preferred distro script on those distros... apt-get deps, python3 setup.py install, have a nice day.. as well makes a Wine install into the local python ./veil-wine tree also very cake..

https://wiki.ubuntu.com/PackagingGuide/Python#The_debhelper_way

as for wine, I have in my necromancy repo already a veil-wine ebuild template... with setup.sh/nuke scripts. essentially, copy script to build a /home/$user/.veil-wine jail... needs a bit of work.. winetricks, for only being lazier, can go get python3.x and all the Windows deps for your users.. and when the campaign ends, shred it clean, rebuild; as well you can ensure wine has correct depends via setup.py on the wine side as well.. that being said, less hell on you... less "it works for me" vs "it doesn't work for me"... fewer issues..

at any rate, I've been researching a new Pentest "Framework", more or less a Cluster Glue for IoT and known packages, making the IoT endpoints more or less "Tentacles" of the Pentester's PC Rig or Faraday etc.. With a 5G modem, 2-5 gigs up/down, RPI3/Rock64 and via vpn/aws/cloud backhaul, instead of 1 jump box at a client I have 4-5 floors covered with nodes well hidden for weeks. 700 ish for NUCs; for the same I can have 5-12 units.. of IoT... alone not very powerful... but in a swarm like a hive of angry bees. https://www.telesploit.com/ does this with NUCs, but IoT is cheap, and if the client doesn't return or pay in full, 700 vs 50-150 bucks? ... IoT can be remote killed and/or deemed expendable.

more speculative research...

metasploit on arm64, YUP; veil 2.x, yup; wine not as much, but cygwin cross-gcc or mingw 32/64 can do.. as far as getting wine or dosbox to run under IoT with emu, we've got a few years till 8-16 gigs goes standard on SBCs... but getting a cross-cygwin to bake wrapped bins via console and py-virtualenv with windows python py2exe/etc is likely easier..

so using veil and putting out mingw or cygwin pkgs and pushing them directly from IoT to victim on a client site, or via "EVILGATE/WIFI PUMPKIN" so no Facebook @ Work, click here for "Free-WIFI" ("the network security police got it blocked"), have images loaded with meterpreter bins, have sucker @wallofsheep .pwned, give out email for SET (set toolkit) to send nice emails with that "extra special" thank you for using "OUR CORP Cafe wireless". PC or Mac & perhaps Android/iOS... "thank-you's"... with 5G even T-Mobile can send 4K-HDMI TV, so giving victims half-assed wifi to seed out metasploit around the sheep.... so the wolves can dine... better yet it's already past the firewall... (https://www.theverge.com/2017/12/13/16773232/layer3-tv-tmobile-streaming-service-iptv-internet-protocol) as for backhaul, 5G tower to tower Corp building A-B, 48 gigs at fiber-optic speeds, none too terrible as theoretical max...

ChrisTruncer commented 6 years ago

Honestly, I have no idea how to read what you just posted. This has gone off topic and no longer makes sense. I'm locking this.