
venom v1.0.16 - codename: aconitum_nappelus

@r00t-3xp10it r00t-3xp10it released this 26 Dec 00:29

Author: r00t-3xp10it
Version release: v1.0.16
Codename: aconitum_nappelus
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2019



:: Framework Description ::

This tool uses msfvenom (Metasploit) to generate shellcode in different formats ( c | python | ruby | dll |
msi | hta-psh | docm | deb | xml | ps1 | bat | exe | elf | macho | etc ), then injects the generated shellcode
into one template (example: python, where "the python function will execute the shellcode in RAM") and uses
compilers like gcc (gnu cross compiler), mingw32 or pyinstaller.py to build the executable file. It also
starts a multi-handler to receive the remote connection (shell or meterpreter).


:: Version v1.0.16 Changelog ::

New Agents added

Category nº | OS                     | Agent nº | Description
1           | Unix payloads          | 4        | Linux HTOP deb Trojan
1           | Unix payloads          | 5        | Linux MP4 Trojan Horse
2           | Windows payloads       | 21       | Windows ICMP (ping) reverse shell
4           | Android ; IOS payloads | 3        | Android PDF Trojan Msf FileFormat
8           | Amsi Evasion           | 1        | Windows Reverse TCP Powershell Shell (*)
8           | Amsi Evasion           | 2        | Windows Reverse OpenSSL Powershell Shell (**)
8           | Amsi Evasion           | 3        | Reverse Powershell Shell Hex Obfuscated (**)
(*) This module allows us to download and execute our payload.ps1 in memory (fileless).
If 'OBFUSCATION=ON' is also selected, a 'dropper' script is written in VBS to allow silent execution.
{ Special thanks to @codings9 for all the help provided in debugging the fileless function on Windows 10 }.


(**) This module allows us to persist the payload on the target system (startup folder) if selected by the attacker.
If 'OBFUSCATION=ON' is also selected, the 'persistence' script is written in VBS to allow silent execution.
{ Special thanks to @codings9 for all the help provided in debugging the persistence function on Windows 10 }.



New Post-exploitation modules

  • nil

Framework Improvements

  • Framework CLI interface redesigned (terminal colour displays).
  • Framework now gives you the option to obfuscate the dropper.
  • Framework now builds Android APK certificates ( category [4] -> agent nº [1] ),
    'because Android phones do not allow installing unsigned applications (apk files)'.
  • Framework now auto-completes user inputs with default values (if the user has skipped that step).
  • Now all HTTPS (x86|x64) payloads trigger the framework's SSL payload/handler certificate checks.
  • AMSI evasion payloads now offer two different download webpages for the attacker to choose from.
  • AMSI evasion - agent nº [2|3] - persistence function added (special thanks to @codings9 - debug).

Framework Bug-fixes

  • '@darkoperator' AutoRunScript multi_console_command bugfix (post-exploitation).
  • 'certutil.exe' droppers replaced by 'powershell' or 'WinHttpRequest' download methods.
  • category [2] -> agent nº [16] (wrong python libs deleted) [@ChaitanyaHaritash BugReport].
  • 'ResourceHacker | ming-w64' install bugfixes under x64-bit architectures [@usama7628674 BugReport].
  • zenity checks added to setup.sh and venom.sh [@codings9 BugReport].



:: Download/Update/Install ::

1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git

2º - Set execution permissions
cd venom-main
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;

3º - Install all dependencies
cd aux && sudo ./setup.sh

4º - Run main tool
sudo ./venom.sh

Update the venom installation (compares the local version against the official GitHub version)
sudo ./venom.sh -u


Screenshots of recent updates

Category [1] (Unix based payloads) -> agent nº [4] (linux htop deb trojan)
This module installs/updates the 'HTOP' software and executes our shellcode in the background (orphan process).

Category [1] (Unix based payloads) -> agent nº [5] (linux mp4 trojan)
This module asks the user to input one .mp4 video file and builds a C program that is compiled to .mp4
(MITRE ATT&CK T1036). It then stores all files on apache2 and provides one 'oneliner' to be executed on the target.
That oneliner remotely downloads/executes our mp4 video and our shellcode in different processes (orphan process).

Category [2] (Windows OS payloads) -> agent nº [21] (Windows ICMP reverse shell)
This module uses the ICMP (ping) protocol for C&C communications over LAN networks (icmpsh.exe).
We can see the communications between server and client using Wireshark (filter: ICMP packets). This lets us see ALL commands being executed from server to client inside the ICMP packets in real time.
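A defender-side check for the ICMP channel described above, added here as an example and not part of venom or this release: it parses constructed ICMP echo messages (the eight-byte echo header plus payload, IP header stripped) and flags exchanges whose reply does not mirror the request payload, or whose payload is oversized or readable text. The sample packets, the 64-byte size threshold and the whitelisted Windows ping pattern are assumptions.

```python
import string
import struct

# 8-byte ICMP echo header: type, code, checksum, identifier, sequence number.
ECHO_HDR = "!BBHHH"
ECHO_REQUEST, ECHO_REPLY = 8, 0
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping.exe default, benign text
PRINTABLE = set(string.printable.encode())


def build_echo(icmp_type, ident, seq, payload):
    """Construct a raw ICMP echo message for the sample below (checksum left as 0)."""
    return struct.pack(ECHO_HDR, icmp_type, 0, 0, ident, seq) + payload


def payload_reasons(payload, max_normal=64):
    """Single-packet heuristics: oversized or human-readable echo payloads."""
    reasons = []
    if payload == WINDOWS_PING_PAYLOAD:
        return reasons
    if len(payload) > max_normal:
        reasons.append("oversized payload (%d bytes)" % len(payload))
    if payload and sum(b in PRINTABLE for b in payload) / len(payload) > 0.9:
        reasons.append("payload is mostly printable text")
    return reasons


def detect_icmp_tunnel(pkts):
    """Return (id, seq, reasons) for echo exchanges that do not look like plain ping.
    A compliant reply mirrors the request payload byte for byte; a reply whose payload
    differs from its request is the strongest sign of a command channel."""
    reqs, reps, findings = {}, {}, []
    for raw in pkts:
        icmp_type, _code, _csum, ident, seq = struct.unpack(ECHO_HDR, raw[:8])
        (reqs if icmp_type == ECHO_REQUEST else reps)[(ident, seq)] = raw[8:]
    for key, req_payload in reqs.items():
        reasons = payload_reasons(req_payload)
        rep_payload = reps.get(key)
        if rep_payload is not None and rep_payload != req_payload:
            reasons.append("reply payload differs from request payload")
        if reasons:
            findings.append((key[0], key[1], reasons))
    return findings


# Constructed sample traffic: one ordinary Linux-style ping pair (56-byte ramp payload)
# and one pair where the client posts a prompt and the server answers with a command.
SAMPLE = [
    build_echo(ECHO_REQUEST, 0x1234, 1, bytes(range(0x10, 0x48))),
    build_echo(ECHO_REPLY, 0x1234, 1, bytes(range(0x10, 0x48))),
    build_echo(ECHO_REQUEST, 0x0BAD, 7, b"C:\\Users\\user>"),
    build_echo(ECHO_REPLY, 0x0BAD, 7, b"whoami\r\n"),
]
```

To apply it to a real capture, feed the function the ICMP portion of each packet exported from Wireshark; the request/reply mismatch rule is the one least likely to be fooled by padding or encoding.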

Category [4] (Android | IOS payloads) -> agent nº [1] - Sign .APK applications (keytool | jarsigner | zipalign).
After successfully creating the .apk file, we need to sign it with a certificate, because Android mobile devices do not allow installing apps without a signed certificate. This function signs our apk with an SSL cert.

Category [4] (Android | IOS payloads) -> agent nº [3] (Android PDF Trojan Exploit)
This module uses 'exploit/android/fileformat/adobe_reader_pdf_js_interface' Msf exploit to build the PDF.

Category [8] (Amsi Evasion payloads) -> agent nº [1] (Reverse TCP Powershell Shell)
This module was built to evade Windows Defender (ASLR, AMSI, DEP) detection.

Category [8] (Amsi Evasion payloads) -> agent nº [2] (Reverse OpenSSL Powershell Shell)
This module was built to evade Windows Defender (ASLR, AMSI, DEP) detection.

Category [8] (Amsi Evasion payloads) -> agent nº [3] (Reverse Powershell Shell Hex Obfuscated)
This module masquerades (MITRE T1036) the dropper extension by adding one extra extension to the dropper (venom random selection), counting on the target system having 'hide extensions for known file types' active.
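A small audit script that covers the two dropper behaviours described in this changelog: the VBS persistence script placed in the Startup folder (agents [2|3]) and the double-extension masquerade above. It is an added example, not venom code; the extension lists are an assumed audit baseline, and the sample folder it builds is constructed in a temp directory so the check runs anywhere.

```python
import os
import tempfile

# Extensions that run as script or code when opened on Windows (assumed audit list).
EXEC_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".exe", ".scr"}
# Extensions a user expects to open as a document or media file.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".mp4"}


def classify(name):
    """Return reasons a file name is suspicious: executable type and/or a document
    extension in front of it (what Explorer shows when known extensions are hidden)."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return []
    outer = "." + parts[-1]
    reasons = []
    if outer in EXEC_EXTS:
        reasons.append("executable type " + outer)
        if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
            shown = name[: -len(outer)]  # name as displayed with extensions hidden
            reasons.append("double extension, displays as '%s'" % shown)
    return reasons


def default_startup_dirs():
    """Per-user and all-users Startup folders on Windows, for the env vars that exist."""
    tail = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    return [os.path.join(os.environ[v], tail) for v in ("APPDATA", "PROGRAMDATA") if v in os.environ]


def audit_startup_dir(path):
    """Walk one Startup folder and return sorted (relative path, reasons) findings."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for f in files:
            reasons = classify(f)
            if reasons:
                findings.append((os.path.relpath(os.path.join(root, f), path), reasons))
    return sorted(findings)


def build_sample_dir():
    """Constructed Startup folder with benign and suspicious entries (empty files)."""
    d = tempfile.mkdtemp()
    for n in ["desktop.ini", "OneDrive.lnk", "Invoice.pdf.vbs", "update.ps1"]:
        open(os.path.join(d, n), "w").close()
    return d


if __name__ == "__main__":
    for d in default_startup_dirs() or [build_sample_dir()]:
        print(d, audit_startup_dir(d))
```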

New dropper download webpage (Cumulative Security Update) added to the AMSI evasion agents
Now framework users can choose between delivering the dropper using the Mega-Upload or Cumulative Security Update download webpages, or we can simply generate droppers/payloads to the venom output folder and deliver them using another method. In that case, remember that payload.ps1 must be stored in apache2 for the dropper to be able to pick it up and execute it.


Fast retrieval of target system information on a netcat shell (execute on netcat)




Special thanks: @hdm(metasploit) | @NickHarbour (PEScrambler.exe)
@HarmJ0y (pyherion) | @g0tmi1k | @ctucker | @0Entropy | @darkoperator
@cortesi (pyinstaller) | @mgraeber | @alor&naga (ettercap mitm+dns_spoof )
@astr0baby | @Rel1k | @nullbyte | @subTee | @enigma0x3 | @carnal0wnage
@Arno0x0x (meterpreter loader random bytes stager) | @ChaitanyaHaritash(SSA)
@paranoidninja | @ZHacker13 | @int0x33 | @markus-oberhumer (UPX packer)


:: venom project playlist ::

https://www.youtube.com/playlist?list=PL6lei9H-Ej0LEsM8QFOGh4slBfuqwvm9z

:: References ::

https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell
https://www.virusbulletin.com/virusbulletin/2016/07/journey-evasion-enters-behavioural-phase/
