
venom - C2 shellcode generator/compiler/handler

v1.0.17.7

3 years ago

Author: r00t-3xp10it
Version release: v1.0.17.7
Codename: shinigami (God of death)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2020


:octocat: Framework Description

This tool uses msfvenom (metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh | docm | docx | deb | xml | ps1 | bat | exe | elf | pdf | macho | etc ), then injects the generated shellcode into one template (example: python) "the template then executes the shellcode in RAM", and uses compilers like GCC (gnu cross compiler), mingw32 or pyinstaller.py to build the executable file.
It also starts a multi-handler to receive the remote connection (shell or meterpreter). The Venom toolkit will maintain old shellcode builds (that are now being detected by AV solutions) to serve as a library of techniques used, but it also incorporates a sub-menu category (since version v1.0.16) named Amsi Evasion Payloads to deal with Windows Defender detection (or other Anti-Virus detection).

Update Description

Since the release of venom v1.0.17, some Amsi Evasion agents have started to get flagged by anti-virus solutions.
This update (v1.0.17.7) addresses the detection of agents in the Amsi Evasion category, repairs small bugs in the source code
and implements five new post-exploitation modules ready to be used in our reverse TCP shell prompt (remotely).



:octocat: Version v1.0.17.7 Amsi Evasion Changelog

Categorie | Agent nº | Target OS | Update Description
--- | --- | --- | ---
Amsi Evasion | 2 | Windows systems (8/8.1/10) | OpenSSL reverse TCP shell (Amsi Detection Bypass)
Amsi Evasion | 3 | Windows systems (vista/7/8/8.1/10) | PSrevStr obfuscation added (Amsi Detection Bypass)
Amsi Evasion | 5 | Windows systems (vista/7/8/8.1/10) | CarbonCopy Pdf Trojan Binary File Signing (Amsi Bypass)
Amsi Evasion | 6 | Multi-Platforms (Linux/Mac/Windows) | Emojify obfuscation added (Amsi Detection Bypass)
Amsi Evasion | 7 | Windows systems (8/8.1/10) | OpenSSL FileLess reverse TCP shell (Amsi Bypass)

Remark: Don't scan samples on 'VirusTotal' or similar websites, because that will shorten the payload's lifetime (it gets flagged by AMSI detection).



Amsi Evasion (Agent nº 7) Netflix dropper/client execution diagram (FileLess): Venom users need to edit the 'venom\settings' file and set 'OBFUSCATION=ON' to use this HTA dropper. The dropper can execute
(user choice) in a hidden terminal or present a social-engineering MsgBox pretending to be a Netflix (or any other application) installer.


Amsi Evasion (Agent nº 5) was updated to sign the binary (dropper.exe) file with CarbonCopy (by @paranoidninja). Venom users need to edit the 'venom\settings' file and set 'OBFUSCATION=ON' to use this Amsi bypass technique.



:octocat: Auxiliarys / Post-Exploitation Modules

FileName | Description | Target OS | Usage
--- | --- | --- | ---
webserver | cmdlet to read/browse/download files from the compromised target machine (*) | Windows | Manual
GetBrowsers | Standalone PowerShell script to leak installed browsers' information | Windows | Manual
CompDefault | UAC bypass module OR execute one command with high privileges (Admin) | Windows | Manual
CredsPhish | Standalone PS script that will prompt the current user for a valid credential | Windows | Manual
Sherlock | PowerShell script to find missing software patches for local privilege escalation | Windows | Manual
Persistence Handlers | Persistence handler scripts to store reverse TCP shell settings/dependencies (**) | Windows | Auto
null | CmdLine & Scripts for reverse TCP shell addicts cheat sheet (venom Wiki Pages) | Windows | Wiki Pages

(*) The Venom v1.0.17.7 release will auto-upload the 'webserver' to the attacker's apache2 webroot. (**) Venom Persistence Handlers are only available in 'Amsi Evasion' category builds.

Screenshot: @webserver and Sherlock working together under the venom v1.0.17.7 reverse TCP shell prompt (remote).
Screenshot: @webserver and Sherlock searching for missing KB security patches.

Screenshot: @webserver capturing keystrokes (-Keylogger parameter) under the venom v1.0.17.7 reverse TCP shell prompt (remote).



:octocat: Improvements / Bug-fixes

Improvements / Issues | Description | Credits
--- | --- | ---
venom CLI terminal displays updated | venom CLI interface outputs updated (bg colors) | @r00t-3xp10it
Client HTA taskbar/application icon | Added taskbar/application icon to the Netflix.hta dropper | @r00t-3xp10it
Amsi Evasion Agent nº7 (FileLess) | Replaced WinHttpRequest by Msxml2.XMLHTTP | @r00t-3xp10it
@webserver Auto-Upload | Amsi Evasion modules auto-upload webserver to the apache2 webroot | @r00t-3xp10it
Persistence Handlers | Replace xterm by gnome-terminal in persistence handlers | @youhacker55
gnome-terminal implementation | Replace xterm by gnome-terminal in Amsi Evasion | @youhacker55



:octocat: Install venom v1.0.17.7 shinigami (Christmas Gift)

git clone https://github.com/r00t-3xp10it/venom.git

Set execution permissions

cd venom
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;

Install all dependencies

cd aux && sudo ./setup.sh

Run main tool

sudo ./venom.sh



🥇 Credits & Special Thanks

Credits | Description
--- | ---
Emojify (@chris-rands) | Obfuscate your python script as emoji icons ( Obfuscation )
CarbonCopy (@paranoidninja) | Sign an executable for AV evasion ( Obfuscation / Binary Signing )
Sherlock (@rasta-mouse) | PowerShell script to find missing software patches for local privilege escalation vulnerabilities

:octocat: Suspicious-Shell-Activity© (SSA) RedTeam develop @2020 :octocat:

v1.0.17

3 years ago

Author: r00t-3xp10it
Version release: v1.0.17
Codename: shinigami (God of death)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2020



Framework Description

This tool uses msfvenom (metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh | docm | docx | deb | xml | ps1 | bat | exe | elf | pdf | macho | etc ), then injects the generated shellcode into one template (example: python) "the template then executes the shellcode in RAM", and uses compilers like GCC (gnu cross compiler), mingw32 or pyinstaller.py to build the executable file.
It also starts a multi-handler to receive the remote connection (shell or meterpreter). The Venom toolkit will maintain old shellcode builds (that are now being detected by AV solutions) to serve as a library of techniques used, but it also incorporates a new sub-menu category (since version v1.0.16) named 'Amsi Evasion Payloads' to deal with Windows Defender detection (and other Anti-Virus detections).


Version v1.0.17 Changelog


New Agents added

Categorie nº | Target OS | Agent nº | Description
--- | --- | --- | ---
8 (Amsi Evasion) | Windows systems (vista/7/8/8.1/10) | 4 | meterpeter C2 Command & Control PowerShell rat (*)
8 (Amsi Evasion) | Windows systems (vista/7/8/8.1/10) | 5 | Social Engineering - Fake PDF Trojan Horse (**)
8 (Amsi Evasion) | Multi-Platforms (Linux/Mac/Windows) | 6 | SillyRAT multi-platform reverse TCP python shell (***)
3 (Multi-OS) | Multi-Platforms (Linux/Mac/Windows) | 5 | SillyRAT multi-platform reverse TCP python shell (***)



Dropper/Client execution diagrams

(*) The meterpeter C2 Command & Control rat is only available in venom for Linux x64, because Microsoft does not support PowerShell under
Linux x86 (32-bit) architectures and the meterpeter rat is written in PowerShell. The diagram below demonstrates meterpeter on x64.


(**) This venom module will ask the attacker to supply a PDF document, then creates a C program that is compiled with the help of GCC
(mingw32 or mingw-W64) into a binary.exe whose main task is to download and run the attacker's legitimate PDF document and the
Client.exe (reverse TCP shell) from the attacker's apache2 webserver, using the remote host's PowerShell interpreter for that.


(***) This venom module uses the SillyRAT (python) rat to build the Client.py and to receive the connection back (server.py). venom then
creates a standalone executable (Windows OR Linux distros) to be delivered to the target user using one URL link. The dropper's main task is
to download and run Client.py (reverse TCP shell) from the attacker's apache2 webserver to the location selected before.
Remark: Under category nº8 (Amsi Evasion) SillyRAT will create a dropper.bat instead of a dropper.exe to evade AV detection.




Improvements/Bug-fixes

Issue | Description | Bug Reports
--- | --- | ---
The requested URL was not found on this server | setup.sh 'venom domain name' obsolete configs | @ricko2991
review | Setup.sh source code review/improved | @r00t-3xp10it
venom CLI displays improved | venom CLI interface improved | @r00t-3xp10it



:octocat: Install venom v1.0.17 shinigami :octocat:

'Download the framework from github'. Remark: Always use git clone to download the tool, because it downloads the latest commits to the source code.
If you wish to download the stable version, then scroll to the end of this page and download the .zip or .tar.gz packages.

git clone https://github.com/r00t-3xp10it/venom.git

Set execution permissions

cd venom
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;

Install all dependencies

cd aux && sudo ./setup.sh

Run main tool

sudo ./venom.sh



Remark: The SillyRAT project under the venom framework will build droppers (Windows|Linux) that auto-install the Client.py requirements
on the target machine before downloading Client.py from the attacker's apache2 webserver and finally executing it in the background (child process).
Linux droppers will fake the installation of some package [Steam-Installer] to silently execute the Client in a child process detached from the dropper parent process. The Mac (Apple) build only creates the Client.py, which needs to be executed manually on target systems.
Finally, the Windows dropper reproduces the Linux dropper's job, but all steps are taken in background mode (no prompt is displayed). Remark: Under 'Linux' or 'Mac' systems the Client.py needs to be stopped manually because it 'beacons home' at intervals of 8 sec.
Under 'Windows' systems it is the 'dropper' process that needs to be stopped manually to abort the 'beacon home' Client function.


🥇 Credits & Special Thanks 🎉

Name | Job
--- | ---
Shanty Damayanti (my geek wife) | For having 'commissioned' me the 'Amsi Evasion PDF Trojan module'
@codings9 | For helping me debug PDF Trojan Server\Client execution on a Linux x64 system
@paranoidninja | CarbonCopy - Sign an executable for AV evasion (OBFUSCATION=ON)
@ZHacker13 | For his original work on the meterpeter reverse TCP PowerShell shell
@hash3liZer | SillyRAT multi-platform reverse TCP python shell/server

Remark: Once any of the Amsi Evasion builds (agents) starts to get flagged by AV solutions, it will be deleted from the Amsi Evasion
sub-category and copied to one of the venom main-menu categories above, to be stored as a technique used (not bypassing AV anymore).

:octocat: Suspicious-Shell-Activity© (SSA) RedTeam develop @2020 :octocat:

v1.0.16

4 years ago

Author: r00t-3xp10it
Version release: v1.0.16
Codename: aconitum_nappelus
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2019



:: Framework Description ::

This tool uses msfvenom (metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh | docm | deb | xml | ps1 | bat | exe | elf | macho | etc ), then injects the generated shellcode into one template (example: python) "the python function will execute the shellcode in RAM", and uses compilers like gcc (gnu cross compiler), mingw32 or pyinstaller.py to build the executable file. It also starts a multi-handler to receive the remote connection (shell or meterpreter).


:: Version v1.0.16 Changelog ::

New Agents added

Categorie nº | OS | Agent nº | Description
--- | --- | --- | ---
1 | Unix payloads | 4 | Linux HTOP deb Trojan
1 | Unix payloads | 5 | Linux MP4 Trojan Horse
2 | Windows payloads | 21 | Windows ICMP (ping) reverse shell
4 | Android / IOS payloads | 3 | Android PDF Trojan Msf FileFormat
8 | Amsi Evasion | 1 | Windows Reverse TCP Powershell Shell (*)
8 | Amsi Evasion | 2 | Windows Reverse OpenSSL Powershell Shell (**)
8 | Amsi Evasion | 3 | Reverse Powershell Shell Hex Obfuscated (**)

(*) This module allows us to download/execute our payload.ps1 in memory (Fileless).
IF 'OBFUSCATION=ON' is also selected, then a 'dropper' script will be written in 'VBS' to allow silent execution.
{ Special thanks to @codings9 for all the help provided in debugging the Fileless function on Windows 10 }.


(**) This module allows us to 'persist' the payload on the target system (startup folder) if selected by the attacker.
IF 'OBFUSCATION=ON' is also selected, then the 'persistence' script will be written in 'VBS' to allow silent execution.
{ Special thanks to @codings9 for all the help provided in debugging the persistence function on Windows 10 }.



New Post-exploitation modules

  • nil

Framework Improvements

  • Framework CLI interface re-designed (terminal colors displays).
  • Framework now gives you the option to obfuscate the dropper.
  • Framework now builds Android apk certificates ( categorie [4] -> agent nº [1] ) 'because Android devices do not allow installing unsigned applications (apk files)'.
  • Framework now auto-completes user inputs with default values (if the user has skipped that step).
  • Now all HTTPS (x86|x64) payloads will trigger the framework's SSL payload/handler certificate checks.
  • Amsi evasion payloads now present two different download webpages for the attacker to choose from.
  • Amsi evasion - agent nº [2|3] - persistence function added (Special thanks to @codings9 - debug).

Framework Bug-fixes

  • '@darkoperator' AutoRunScript multi_console_command bugfix (post-exploitation)
  • 'certutil.exe' droppers replaced by 'powershell' or 'WinHttpRequest' download methods.
  • categorie [2] -> agent nº [16] (wrong python libs deleted) [@ChaitanyaHaritash BugReport]
  • 'ResourceHacker | ming-w64' install bugfixes under x64-bit architectures. [@usama7628674 BugReport]
  • zenity checks added to setup.sh and venom.sh [@codings9 BugReport]



:: Download/Update/Install ::

1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git

2º - Set execution permissions
cd venom-main
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;

3º - Install all dependencies
cd aux && sudo ./setup.sh

4º - Run main tool
sudo ./venom.sh

Update venom installation (compare local version against the official github version)
sudo ./venom.sh -u


Screenshots of recent updates

Categorie [1] (Unix based payloads) -> agent nº [4] (linux htop deb trojan): This module will install/update the 'HTOP' software and execute our shellcode in the background (orphan process).

Categorie [1] (Unix based payloads) -> agent nº [5] (linux mp4 trojan): This module asks the user to input one .mp4 video file and builds a C program that is compiled to .mp4
(MITRE ATT&CK T1036). It then stores all files on apache2 and provides one 'oneliner' to be executed on the target.
That oneliner remotely downloads/executes our mp4 video and our shellcode in different processes (orphan process).

Categorie [2] (Windows OS payloads) -> agent nº [21] (Windows ICMP reverse shell): This module uses the ICMP (ping) protocol for C&C communications over LAN networks (icmpsh.exe). We can see the communications between server and client using Wireshark (filter: ICMP packets), which shows ALL commands being executed from server to client inside the ICMP packets in real time.
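As an added defensive example (not venom's code), the following Python parses raw ICMP echo packets, verifies the RFC 1071 checksum and flags payloads that are neither the default Windows nor Linux ping pattern but consist mostly of printable text, which is the shape of the command traffic the paragraph above says is visible in Wireshark. The default-pattern constants and the sample packets are assumptions/constructed data, not captures from the tool.

```python
"""Heuristic inspection of ICMP echo payloads for non-ping content.

Added defensive example, not venom's code: parses raw ICMP bytes (header +
payload, e.g. sliced from a pcap), verifies the RFC 1071 checksum and flags
echo payloads that are neither the default Windows nor Linux ping pattern but
consist of printable text, which is how shell-command traffic over ICMP looks.
"""
import string
import struct

# Assumed default echo payloads: Windows ping.exe sends 32 bytes of 'a'..'w'
# repeating; Linux iputils ping sends an 8-byte timestamp followed by the
# incrementing byte pattern 0x10, 0x11, ... (56 bytes by default).
WINDOWS_PING_PAYLOAD = (string.ascii_lowercase[:23] * 2).encode()[:32]
LINUX_PING_PAYLOAD = struct.pack("!II", 1700000000, 123456) + bytes(range(0x10, 0x40))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP packet into header fields and payload and verify its checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]   # checksum field zeroed
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "payload": packet[8:],
        "checksum_ok": icmp_checksum(zeroed) == checksum,
    }


def _is_linux_pattern(payload: bytes) -> bool:
    # Skip the 8 timestamp bytes (not checked) and compare the incrementing tail.
    body = payload[8:]
    return 0 < len(body) <= 0xF0 and body == bytes(range(0x10, 0x10 + len(body)))


def classify_payload(payload: bytes) -> str:
    """Label an echo payload: standard-ping, empty, printable-text or binary."""
    if not payload:
        return "empty"
    if payload == WINDOWS_PING_PAYLOAD or _is_linux_pattern(payload):
        return "standard-ping"
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    # Default ping payloads are fixed patterns; mostly-printable free text in an
    # echo packet is worth an analyst's look (commands, output, file content).
    return "printable-text" if printable / len(payload) >= 0.9 else "binary"


def scan(packets) -> list:
    """Return one finding per packet: header ids, payload length and a verdict."""
    findings = []
    for pkt in packets:
        info = parse_icmp(pkt)
        if not info["checksum_ok"]:
            verdict = "bad-checksum"
        elif info["type"] not in (0, 8):
            verdict = "not-echo"
        else:
            verdict = classify_payload(info["payload"])
        findings.append({"id": info["id"], "seq": info["seq"],
                         "len": len(info["payload"]), "verdict": verdict})
    return findings


# Constructed sample traffic: a Windows ping, a Linux ping, and an echo request
# whose payload carries command text (the kind of content the page says shows
# up in Wireshark for the ICMP agent).
SAMPLE_PACKETS = [
    build_echo(0x0001, 1, WINDOWS_PING_PAYLOAD),
    build_echo(0x0002, 7, LINUX_PING_PAYLOAD),
    build_echo(0x0003, 3, b"netstat -an\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PACKETS):
        print(finding)
```

The heuristic only separates fixed ping patterns from free text; a real deployment would also baseline echo request/reply volume and payload sizes per host, since encoded or encrypted tunnels will land in the "binary" bucket.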

Categorie [4] (Android | IOS payloads) -> agent nº [1] - Sign .APK applications (keytool | jarsigner | zipalign): After successfully creating the .apk file, we need to sign it with a certificate, because Android mobile devices do not allow the installation of apps without a signed certificate. This function signs our apk with an SSL cert.

Categorie [4] (Android | IOS payloads) -> agent nº [3] (Android PDF Trojan Exploit): This module uses the 'exploit/android/fileformat/adobe_reader_pdf_js_interface' Msf exploit to build the PDF.

Categorie [8] (Amsi Evasion payloads) -> agent nº [1] (Reverse TCP Powershell Shell): This module was built to evade Windows Defender (ASLR, AMSI, DEP) detection.

Categorie [8] (Amsi Evasion payloads) -> agent nº [2] (Reverse OpenSSL Powershell Shell): This module was built to evade Windows Defender (ASLR, AMSI, DEP) detection.

Categorie [8] (Amsi Evasion payloads) -> agent nº [3] (Reverse Powershell Shell Hex Obfuscated): This module will masquerade (MITRE T1036) the dropper extension by adding one extra extension to the dropper (venom random selection), counting on the target system having 'hide extensions for known file types' active.

New dropper download webpage (Cumulative Security Update) added to Amsi Evasion agents: Now framework users can choose between delivering the dropper using the Mega-Upload or the Cumulative Security Update download webpages, OR we can simply generate droppers/payloads to the venom output folder and deliver them using another method. In that case, remember that payload.ps1 must be stored in apache2 for the dropper to be able to pick it up and execute it.


Fast retrieval of target system information on a Netcat shell (execute on Netcat).




Special thanks: @hdm(metasploit) | @NickHarbour (PEScrambler.exe) @harmj0y (pyherion) | @G0tmi1k | @ctucker | @0entropy | @darkoperator @Cortesi (pyinstaller) | @MGraeber | @alor&naga (ettercap mitm+dns_spoof ) @astr0baby | @ReL1K | @nullbyte | @subTee | @enigma0x3 | @carnal0wnage @arno0x0x (meterpreter loader random bytes stager) | @ChaitanyaHaritash(SSA) @paranoidninja | @ZHacker13 | @int0x33 | @markus-oberhumer (UPX packer)


:: venom project playlist ::

https://www.youtube.com/playlist?list=PL6lei9H-Ej0LEsM8QFOGh4slBfuqwvm9z

:: References ::

https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell
https://www.virusbulletin.com/virusbulletin/2016/07/journey-evasion-enters-behavioural-phase/

Suspicious-Shell-Activity© (SSA) RedTeam develop @2019


v1.0.15

6 years ago

Version release: v1.0.15
Author: pedro ubuntu [ r00t-3xp10it ]
Codename: Pandora's box (pithos)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2018



:: Framework Description ::

This tool uses msfvenom (metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh | docm | deb | xml | ps1 | bat | exe | elf | macho | etc ), then injects the generated shellcode into one template (example: python) "the python function will execute the shellcode in RAM", and uses compilers like gcc (gnu cross compiler), mingw32 or pyinstaller.py to build the executable file. It also starts a multi-handler to receive the remote connection (shell or meterpreter).

venom also gives you the opportunity to deliver your payloads using the apache2 webserver (LAN networks), and ships with self-written post-modules that extend the metasploit framework: linux_hostrecon.rb (host info gathering), enigma_fileless_uac_bypass.rb (privilege escalation for Microsoft systems, disclosed by enigma0x3) and arno0x0x's meterpreter loader random bytes stager (improved msf meterpreter loaders).

It also implements recently disclosed 'Application Whitelisting Bypass' techniques by @subTee, @enigma0x3, @mattifestation, etc. By using signed Microsoft binaries and injecting code into them, we effectively cloak our binaries so that they can execute, even under the watchful eye of Device Guard.


[certutil.exe -urlcache module] disclosed by subTee: download/exec a remote binary using one HTA.

[MSbuild xml-exec module] disclosed by subTee: abusing M$ signed binaries to achieve RCE.





:: v1.0.15 Changelog ::

New agents added

  • @subTee - certutil remote download/execute agent (.bat|.exe)
  • @subTee - csharp shellcode.xml (MSbuild.exe - appl_whitelisting_bypass)
  • node.js reverse shell added to category: 'system built-in shells'
  • unix_exploit (agent.php uploaded/executed in target apache2)
  • linux elf agent (x86|x64 bits - double-click execution)
  • CVE-2017-11882 (Microsoft Office Word rtf) agent.rtf
  • SSL CERT connection payloads: 'windows/meterpreter/reverse_winhttps' 'linux/x86/meterpreter_reverse_https' 'linux/x64/meterpreter_reverse_https'
  • IOS devices macho payloads: 'osx/armle/shell_reverse_tcp' 'apple_ios/aarch64/meterpreter_reverse_tcp' 'osx/x64/meterpreter/reverse_tcp'

New Post-exploitation modules

  • linux_hostrecon.rb added to apache2 attack vector
  • wifi_dump_linux.rb added to apache2 attack vector

Framework Improvements

  • Abort function improved in all module builds
  • Framework CLI interface re-designed (terminal displays).
  • All builds detection ratio review (no-distribute url recent reports)
  • x64 arch support added to kimi.py (debian payload generator)
  • Executable DLL payload (.cpl) option, added to all dll agents
  • uuid (@nullbyte) obfuscation module added to some builds
  • arno0x0x meterpreter loader random bytes stager (av evasion)

Framework Bug-fixes

  • msf encoders arch bug-fixed under venom
  • support to x64 AMD chiptechs review/bug-fixes




:: v1.0.15 Update Detailed Description ::

The biggest update in version 1.0.15 can be found in its CLI interface, which now provides users with a more intuitive and polished main-menu and sub-menu terminal display. This release now groups the agents by target operating system (Unix, Microsoft, Osx, Android, etc) and displays more detailed information about each agent, like: target systems, agent execution, agent detection ratio, etc.




:: SSL CERT Connection Payloads ::

venom 1.0.15 ships with 3 new special payloads that allow users to secure the initial staged/stageless connection for Meterpreter by having it check the certificate (SSL) of the listener it is connecting to.

  • windows/meterpreter/reverse_winhttps (staged)
  • linux/x86/meterpreter_reverse_https (stageless)
  • linux/x64/meterpreter_reverse_https (stageless)

Every time venom users decide to use these payloads, the agent (client) will authenticate (SHA1) the connection to the handler (server) using venom's SSL certificate to encrypt the connection. @OJ - staged-vs-stageless handlers: http://buffered.io/posts/staged-vs-stageless-handlers/




:: Meterpreter Random Bytes Stager ::

Another big update was the implementation of: 'arno0x0x - meterpreter loader random bytes stager'. This setting forces the venom toolkit at start to back up/replace the msf meterpreter_loader.rb (x86) and its counterpart (x64), rebuild the msf database (msfdb) and reload venom's meterpreter_loaders into msf.


IF the option 'RANDOM_STAGER_BYTES=ON' is active in the venom settings file, these new loaders will add an arbitrary number of random bytes at the beginning of the stage being sent back to the stager, in an attempt to evade AV signature detection and runtime detection. If the setting is set to OFF, then venom will not copy the new meterpreter loaders to msf and uses metasploit's default ones.


REMARK: This method was not tested yet using https payloads (@arno0x0x).
REMARK: This obfuscation technique can only be used in windows/meterpreter staged payloads, because the 'obfuscation' requires a stage (dll reflection) being sent back to the agent (client).


Staged Payloads Connection Diagram:

  • agent (client) is executed on the target system
  • connects to the server (handler) to ask for the stage (dll reflection)
  • random bytes are added at the beginning of the stage <-- arno0x0x obfuscation method
  • stage is sent back to the agent (client)
  • dll reflection executed in target RAM
  • meterpreter session opened

Obfuscation Supported Payloads

  • windows/meterpreter/reverse_tcp
  • windows/meterpreter/reverse_tcp_dns
  • windows/meterpreter/reverse_http
  • windows/x64/meterpreter/reverse_tcp
  • windows/x64/meterpreter/reverse_http



:: Automate Venom's Post-Exploitation Modules ::

This version also allows users to automate venom's post-exploitation modules (resource_files.rc): "venom triggers the post-exploitation modules by using the apache2 webserver to deliver the agents". Let's look at the following example: linux_hostrecon.rb in venom runs by default only one system enumeration module, but the post-module has more advanced options that can be set manually:

  • sessions <-- the session number to run the module against
  • store_loot <-- allows users to write the session logfile into the .msf4/loot folder
  • single_command <-- allows users to execute a remote bash command
  • agressive_dump <-- uses aggressive modules to gather more info about the target
  • credentials_dump <-- dumps credentials from the target system
  • the_fapenning <-- searches the target system for hidden porn-related folders/files

Edit /venom/aux/linux_hostrecon.rc and set any of the options described above, save the file, run venom.


run post/linux/gather/linux_hostrecon SINGLE_COMMAND="netstat -atnp | grep "ESTABLISHED""

This will trigger the linux_hostrecon.rb default enumeration module and execute the supplied bash command.

REMARK: All post-exploitation modules can be found under the ../venom/aux folder, and they can also be executed from the meterpreter prompt: meterpreter > resource /root/venom/aux/[resource_name.rc]

REMARK: The new metasploit release has deleted multi_console_command.rb (by darkoperator), which allowed venom users to auto-run post-exploitation modules at session creation, but venom's resource files can still be called using: meterpreter > resource /root/venom/aux/[resource_name.rc]




:: Video Tutorials ::

linux_hostrecon(rc|rb) post-module automatization (multi-OS - agent.py) https://www.youtube.com/watch?v=xROot1-NAaI

certutil.exe -urlcache - download/execute a bat|exe remotely (Windows-OS - agent.hta)

PE shellcode cave injection - inject shellcode into legit applications (Windows-OS - agent.exe) https://www.youtube.com/watch?v=L87YvJTsucE

ELF - inject shellcode into 'Executable and Linkable Format' files (Unix-OS - agent.elf) https://www.youtube.com/watch?v=D894pMieQcM





:: Git download/install ::

1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git

2º - Set files execution permissions
cd venom
sudo chmod -R +x *.sh
sudo chmod -R +x *.py

3º - Install all dependencies
cd aux
sudo ./setup.sh

4º - Run main tool
sudo ./venom.sh





Special thanks: @arno0x0x (meterpreter loader random bytes stager) @subTee @enigma0x3 @carnal0wnage (applications_whitelisting_bypass + uac_bypass) @H4d3s(SSA) @ChaitanyaHaritash(SSA) <-- 'The guy who commissioned this job to me' :1st_place_medal:


All the hard work goes to: @HDMoore (metasploit) | @NickHarbour (PEScrambler.exe) @harmj0y (pyherion) | @G0tmi1k @ChrisTuncker @harmj0y (ruby template stager.rb) @Cortesi (pyinstaller) | @0entropy (powershell poc's) | @MGraeber (powershell poc's) @Liviu (encrypt_polarSSL) | @alor&naga (ettercap mitm+dns_spoof ) | @astr0baby (poc's) @ReL1K (set/unicorn shellcode poc's) | @nullbyte (powershell+shellcode poc's)


:: References ::

https://twitter.com/subtee/status/888122309852016641
http://carnal0wnage.attackresearch.com/2017/08/certutil-for-delivery-of-files.html
https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell
https://www.virusbulletin.com/virusbulletin/2016/07/journey-evasion-enters-behavioural-phase/
https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-mshta-exe/
https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-msbuild-exe/

Suspicious-Shell-Activity© (SSA) RedTeam develop @2018


v1.0.13

7 years ago


Version release: v1.0.13
Author: pedro ubuntu [ r00t-3xp10it ]
Codename: release the kraken (the mythological sea monster)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2017


:: Framework description ::

This tool will use msfvenom (metasploit) to generate shellcode in different formats
( c | python | ruby | dll | msi | hta-psh | docm | deb ), inject the generated shellcode
into one template (example: python) "the python function will execute the shellcode in
RAM", and use compilers like gcc (gnu cross compiler), mingw32 or pyinstaller.py to
build the executable file. It also starts a multi-handler to receive the remote connection
(shell or meterpreter session).

venom also gives you the opportunity to deliver your payloads using the apache2 webserver (LAN)
in two different ways: http://<your-ip-address> OR http://mega-upload.com (mitm+dns_spoof);
the latter can only be configured using the venom-main/aux/setup.sh conf-script.

:: Changelog ::

Some payload execution bug-fixes, many improvements in the framework's post-exploitation
abilities (resource files reviewed/new ones added), framework displays reviewed/improved,
framework internal functions improved and 5 new payload builds added to the main menu.
FUNCTION       DESCRIPTION       - [CHANGELOG VERSION 1.0.13] -      release the kraken
-------        ---------------------------------------------------------------------------
bug fix    ->  msfdb postgresql database connection bug
bug fix    ->  build 1 - shellcode unix C sourcecode fix (int main() C89)
bug fix    ->  build 2 - C to dll sourcecode fix (#include <winsock2.h>)
bug fix    ->  build 16 - payload.php execution fixed (new php syntax)
bug fix    ->  build 17 - python.py trigger execution fixed (multi_OS)
bug fix    ->  build 19 - python.py trigger execution fixed (multi_OS)

improved   ->  venom framework terminal displays review
improved   ->  venom framework GPLv3 personal license review
improved   ->  venom domain name attack vector (http://mega-upload.com)
improved   ->  build 1 - shellcode unix C post-exploitation function added
improved   ->  build 23 - exploit/windows/fileformat/office_word_macro (deprecated)
                          exploit/multi/fileformat/office_word_macro (upgraded)

added      ->  'settings' config framework internal settings
added      ->  'office.ppsx' python_word_doc_payload (windows systems)
added      ->  'kimi.py' Malicious_Debian_Packet_Creator (linux systems)
added      ->  'astrobaby.docm' word_macro_trojan_horse (multi_OS systems)
added      ->  'system built-in-shells' -> perl_reverse_shell (pentestmonkey)
added      ->  'exploit_suggester.rc' multi_post_exploits_suggester (multi_OS)
added      ->  'post_linux.rc' linux gather information module (post-exploitation)
added      ->  'post_multi.rc' multi system gather information module (post-exploitation)
added      ->  'privilege_escalation.rc' windows privilege escalation (post-exploitation)
added      ->  'enigma_fileless_uac_bypass.rb' windows privilege escalation (post-exploitation)

:: Detail description ::

One of the major updates in this release was the introduction of 'venom-main/settings',
which allows users to configure framework internal settings like: check/rebuild the msf database
(msfdb) and update it (msfupdate) automatically at framework startup with recent exploits.


Another useful function is the implementation of framework logfile creation, which allows
users to record session activity (spool command) in venom-main/output/report.log. All the user
needs to do is activate 'MSF_LOGFILES=ON' in 'venom-main/settings' to start recording logfiles.


Another major improvement can be found in post-exploitation with the implementation
of 'exploit_suggester.rc', which allows users to further search for entry points.


Another improvement is the implementation of the 'privilege_escalation.rc' post-module for
Windows systems, using the 'enigma_fileless_uac_bypass' msf module to upload our payload
to the target system and execute it with elevated privileges (administrator).


WARNING: To revert the changes made by enigma_fileless_uac_bypass you need to (manually):
1º - use post/windows/escalate/enigma_fileless_uac_bypass
2º - unset all
3º - set [session number]
4º - set DEL_REGKEY true
5º - exploit

Other major improvements can be found in the 'venom domain name attack vector' function
(http://mega-upload.com), such as 'phishing_webpage' and 'mitm+dns' small bug fixes.
"The mitm+dns_spoof payload delivery method can be turned on/off in venom-main/aux/setup.sh"



REMARK: All venom framework 'resource files' can be called from the meterpreter prompt by simply executing: meterpreter > resource /root/venom-main/aux/[resource-name.rc], except persistence.rc, persistence2.rc and privilege_escalation.rc (they need venom configurations).



:: Git download/install ::

1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git

2º - Set file execution permissions
cd venom-main
sudo chmod -R +x *.sh
sudo chmod -R +x *.py

3º - Install all dependencies - turn on/off mega-upload.com domain
cd aux
sudo ./setup.sh

4º - Run main tool
sudo ./venom.sh


Special thanks: @ChaitanyaHaritash (MDPC-kimi.py debian agent) | @0xyx3n (hta-to-javascript-obfuscator) | @suriya (VBS-crypter.exe obfuscator)

All the hard work goes to: @HDMoore (metasploit) | @NickHarbour (PEScrambler.exe) @harmj0y (pyherion) | @G0tmi1k @ChrisTuncker @harmj0y (ruby template stager.rb) @Cortesi (pyinstaller) | @0entropy (powershell poc's) | @MGraeber (powershell poc's) @Liviu (encrypt_polarSSL) | @alor&naga (ettercap mitm+dns_spoof ) | @astr0baby (poc's) @ReL1K (set/unicorn shellcode poc's) | @nullbyte (powershell+shellcode poc's)

Suspicious-Shell-Activity© (SSA) RedTeam develop @2017

v1.0.12-beta

7 years ago


:: CHANGELOG ::

Major changes:
Better KALI2 rolling release integration, source code fixes, misspelling fixes,
external encoders and crypters added, nse and msf private auxiliary modules added.

improved  ->  'persistence' post-exploitation module added to most windows payloads
improved  ->  'timestomp' added to persistence.rc to change the target payload MACE values
improved  ->  no more need to write the extension (.exe .bat etc) in payload output name

added     ->  x64 arch payloads added to 'available payloads list'
added     ->  dalvik android meterpreter payload [payload.apk]
added     ->  payload.vbs [powershell base64 enc] exec.vbs template
added     ->  exe-service payload [windows service control manager (SCM)]
added     ->  payload.exe [powershell base64 enc] c template compiled to stand-alone exec
added     ->  payload.jar [powershell base64 enc] exec.jar template added to [option 17]
added     ->  payload.pdf [powershell+base64 OR C+random_xor] PDF trojan horse builds
added     ->  'system built-in shells' -> simple powershell shell
added     ->  'system built-in shells' -> simple php reverse shell
added     ->  'system built-in shells' -> simple reverse python shell2
added     ->  'system built-in shells' -> simple ruby Reverse_bash_shell
added     ->  'system built-in shells' -> simple ruby Reverse_bash_shell2

added     ->  'MSI_privilege_escalation' msf post-module to elevate MSI privs
added     ->  'CleanTracks.rb' msf module to clear tracks in target (post-exploitation)
added     ->  'deploy_service_payload.rb' msf module to deploy a service payload (windows)
added     ->  'reverse_engineering_venom.pdf' shows custom techniques used by venom tool
added     ->  'hta-to-javascript.html' further encrypt hta payloads (thanks to 0xyg3n)
added     ->  'VBS-crypter.exe' further encrypt vbs payloads (thanks to suriya)
added     ->  'crypter_vbs_1.0_by_the_dark_side' further encrypt your vbs payloads

Special thanks: Shubham Singh | Chaitanya Haritash | Suriya Prakash "For all the help provided in debugging this tool on different operating systems"

Please read my main page for further information

:: Suspicious shell Activity :: RedTeam 2016 ::