not-sekiun / PyIris

PyIris is a modular remote access trojan toolkit written in python targeting Windows and Linux systems.
Mozilla Public License 2.0
329 stars, 69 forks

HTTP scout #9

Closed. jinafaz closed this issue 1 year ago.

jinafaz commented 5 years ago

Hey, I really like your project. I started playing around with developing my own backdoor, but my Python kung fu is not there yet. I have an idea to contribute though. You can add an option to create an HTTP scout using covertutils. I have tested it and it works pretty well, both on Windows and Linux. I don't know how easy/hard it would be to "merge" the PyIris handler code with the covertutils handler, but it can be a good start.

not-sekiun commented 5 years ago

Oh snap, first issue! Thanks! I've been thinking of adding an HTTP base component for a while to evade network IDS and make the traffic seem more legit. It shouldn't be too hard; I just need to create a new handler/listener and modify the base component in how data is received. As of now I'm still murdering some bugs, so I'll work on it soon. I'll add it to the roadmap though. Thanks for the feedback :)

Dharshan2004 commented 5 years ago

Maybe @jinafaz we could work on it together, as I have some experience working with the PyIris framework.

jinafaz commented 5 years ago

Sure! That would be great. What I have so far is a hybrid between PyIris and covertutils. @angus-y I hope you don't mind that I butchered your code a bit to make it work: git

Handler catching a session: [image]

Wireshark communication: [image]

Following an HTTP or TCP stream: [image]

jinafaz commented 5 years ago

In the above scenario I use multi-handler as a handler/listener object to handle my sessions. So far I have just "borrowed" the agent generation idea from PyIris. That of course required providing a new reverse_http_base and amending the code here and there. I am personally interested in developing my project using covertutils, as it seems the most expandable. I am planning to add reverse ICMP, DNS and UDP, as the framework already comes with provided examples. @Dharshan2004 Have you had any experience with covertutils as well?

Dharshan2004 commented 5 years ago

@jinafaz I have some experience with covertutils.

not-sekiun commented 5 years ago

@jinafaz it's fine, the pyiris-covertutils PoC looks great! However, I was hoping the HTTP thing could be a component. In the generator there are windows/bases/(module_name) and linux/bases/(module_name); my idea was to allow you to load these base modules to control the network protocol used when sending and receiving data. So far I only have windows/base/bind_tcp_base and windows/base/reverse_tcp_base, which handle connections through bind or reverse TCP (the bind one is still a work in progress; I'm trying to make a better UX for it). The idea would be to have a sort of windows/bases/http_base component. The base components just act as data handlers: they determine how data is sent and received, through reverse or bind TCP for example. And maybe I could create an HTTP-specific listener, so in the menu of the listener generator you could select whether the listener is reverse TCP, bind TCP or HTTP, and they would only connect to those specific types of scouts.

Sorry for the wall of text. tl;dr: we should make the HTTP-based scout have an HTTP base component to communicate over HTTP, and add HTTP-specific listeners through covertutils.

[screenshot]

ghost commented 5 years ago

@angus-y [nick similarities are completely accidental] (just writing from a different account)

No need to say sorry, any insight from a fellow backdoor engineer :) is helpful. Talking about an HTTP base as a component: yeah, of course there is that way as well. I just had not noticed it when I modified the code. Silly me. But it is there :) [image]

Choosing the bases through "show options" seemed quicker to me. However, I do need to add my listeners/handlers independently of PyIris, which I do not really mind at the moment.

Although in my case the progress is slow, I am getting somewhere. I like the idea of the backdoor being in Python. Huge extensibility for sure, and an ability to run a lot of stuff from memory (shellcode; sending over a simple piece of code, e.g. wget.py, when the usual Windows binaries are blocked or when there is no access to cmd.exe due to AppLocker restrictions; or pointing subprocess.Popen to a custom cmd.exe and executing commands through that).

Does your module number 10 rely on PowerShell being accessible?

I am wondering what else we could come up with :)

PS. I have noticed that if you compile the Python file on Windows it won't be detected by AV, but it will be if you do it on Linux ;/

ghost commented 5 years ago

One more trick for the collection: hey, if you want to make your backdoor immune to AppLocker bypass restrictions on cmd.exe and powershell.exe (specifically), point your command:

```python
result = Popen('powershell.exe ' + execute, shell=True, stdout=PIPE, stderr=PIPE, stdin=PIPE)
```

to this project executable: https://github.com/p3nt4/PowerShdll

Of course that first requires uploading the generated PowerShdll.exe to the victim and executing through that, but if you know of an in-memory execution method, I am all ears. Just a thought.

not-sekiun commented 5 years ago

@angusonmacgyver Nice name, but yes, PowerShell has to be allowed for the windows/control/execute_command_powershell function to work. It's an interesting idea to use PowerShdll to bypass PowerShell restrictions, but I would like, as much as possible, to keep all of the scout's operations in memory to reduce hard drive footprints. I'm not very experienced with in-memory execution, so I can't really do much :(. For the AV detection of scouts on Linux, I may have to work on better obfuscators to change scout file signatures. Right now I only have a base64 encoder, but I'm planning on adding AES, XOR and other encoders that can be stacked on top of each other. For example: AES encoded on top of XOR on top of XOR again, all base64 encoded, just to really mix up the signature (won't help against decoder stub detection though ;-;). You can check my CHANGE_LOG.md file; at around update entry 0.7.2 I added a roadmap for other features I would like PyIris to have before I can say it's out of the alpha stage.

ghost commented 5 years ago

Code obfuscation is great if you want to give somebody a hard time looking inside the executable to see what it is doing. Defender AV detection is primarily an issue of using wine pyinstaller. Even the simple `print("hello")` Python code will be detected as bad. Compiling the agent/scout on Windows with the Python 2.7 installer does not give this warning. (That was at least my experience.) Maybe I am missing something.

Should we want to compile the thing on Linux, we would have to see if the AV behavior is the same when you compile the code with nuitka or py2exe. I will test those two and report my findings soon.

I checked your CHANGE_LOG; wow, recording all the work you have done over the year really makes me think that building a project like that is like having a mistress :). Merry Christmas, and I am looking forward to June!

not-sekiun commented 5 years ago

Wow, I haven't used wine pyinstaller myself, so I never noticed that. I guess the only alternative is to compile on Windows ;-;. I may have to add support for another compiler like nuitka/py2exe, as you mentioned, in the hope that their compilers' exes do not get falsely flagged. I'll just pin that to the roadmap :>

ghost commented 5 years ago

Hey there, fellow anguson. I had a bit of a breakthrough this morning. I have found a way of creating a small, undetectable (at least by recent AV Defender) agent (or scout, as you prefer) on Linux that will spit out a *.exe ready to be executed on Windows. The size of the file is much, much smaller than when using pyinstaller. I have tested the functions of my agent and everything seems to work fine so far.

So here it goes: create a *.py scout and feed it to Cython on Wine. Here is a little script I have found that will automate the whole process. Put all of the commands into build.bat. You just need to set up a project name; it should be easy to automate further:

```bat
set PROJECT_NAME=test
set PYTHON_DIR=C:\Python27
%PYTHON_DIR%\python -m cython --embed -o %PROJECT_NAME%.c %PROJECT_NAME%.py
```

test.py should be present in the current directory from which you are executing the batch script.

```bat
gcc -Os -I %PYTHON_DIR%\include -o %PROJECT_NAME%.exe %PROJECT_NAME%.c -lpython27 -lm -L %PYTHON_DIR%\libs
```

Execute: `wine cmd /c build.bat`. Profit!

EDIT: Facepalm. That will create just an *.exe; the dependencies need to be installed on the target machine. More research needed.