SideStep

SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.

Additional information can be found here: https://www.codewatch.org/blog/?p=414.

Requirements

Software:
Recent release of Metasploit Framework
Ruby 2.x
Windows (tested on 7, 8, and 10)
Python 2.7.x
Visual Studio (free editions should be fine - tested on 2012, 2015, and 2017)
Windows SDK
Cygwin with strip utility (if you want to strip debug symbols)
peCloak (if you want to use it - http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/)
Ditto (if you want to use it - https://github.com/mubix/ditto)
Mono (if you want to sign the executable - http://www.mono-project.com/download/)
SigThief (if you want to add a signature from another file - https://github.com/secretsquirrel/SigThief)

For code signing, a good example can be found here: https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode

Configuration: Python and strip.exe (if using it) need to be on your PATH. Sorry, I tried to make it compile with mingw-gcc with no luck.

*** The tool should now autocompile the cryptopp library ***

Usage

Configure the settings in conf\settings.py first; then, at a minimum, provide the IP and port of the Metasploit listening handler:

  python sidestep.py --ip 192.168.1.1 --port 443

If using the defaults, then a source file will be generated in the .\source directory and the executable will be dropped in the .\exe directory.

peCloak Modifications

If you want to use peCloak in the last step of the executable creation, then you will need to install the pydasm and pefile Python modules. You will also need to download the SectionDoubleP Python module (found here: http://git.n0p.cc/?p=SectionDoubleP.git;a=blob_plain;f=SectionDoubleP.py;h=93717cdd0ac293548fb995a1c54094dbea6005d9;hb=8846697ecda15bc814f99d24f7f5cbf0e06466d0) and save it to the peCloak directory.

Next, you need to make the modifications to pefile that the author of peCloak references on his page. If pefile was installed as an egg file:

  1. Find the egg file, typically in PythonRootDir\Lib\site-packages
  2. Make a copy of the egg file and rename the extension to .zip
  3. Unzip somewhere and rename the folder to the original name, but add .egg. So if the egg file was named pefile-1.2.10_139-py2.7.egg, then make that the directory name.
  4. Make the necessary changes to pefile.py and remove pefile.pyc
  5. Copy the unzipped folder containing the modified pefile.py back to the PythonRootDir\Lib\site-packages directory and remove the .egg file.

If it is installed as an editable Python package, then just find and edit the pefile.py as shown in the peCloak demonstration.
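Steps 1 to 5 as one script, added here as an example rather than as part of SideStep or peCloak: it treats the .egg as the zip archive it is, extracts it into a directory of the same name next to the original, deletes stale .pyc bytecode (which would otherwise shadow the edited source) and removes the original egg file. The edit to pefile.py itself is still done by hand per peCloak's instructions. The demo() function builds a constructed fake egg in a temporary directory so the script can be exercised offline; the egg name and the contents are assumptions for the demo, not real pefile.

```python
import os
import shutil
import tempfile
import zipfile

def unpack_egg_for_editing(egg_path, module="pefile.py"):
    """Replace a zipped .egg with a same-named directory (steps 1-5 above) and
    return the path of the module inside it that is to be edited by hand."""
    staging = egg_path + ".unpacked"
    with zipfile.ZipFile(egg_path) as zf:          # an .egg is a plain zip archive
        zf.extractall(staging)
    os.remove(egg_path)                            # step 5: the egg file goes away
    os.rename(staging, egg_path)                   # step 3: the directory keeps the .egg name
    for root, _dirs, files in os.walk(egg_path):
        for name in files:
            if name.endswith(".pyc"):              # step 4: stale bytecode would shadow the edit
                os.remove(os.path.join(root, name))
    target = os.path.join(egg_path, module)
    if not os.path.isfile(target):
        raise FileNotFoundError("%s not found inside %s" % (module, egg_path))
    return target

def demo():
    """Build a constructed fake egg (not the real pefile) in a temp dir, unpack it,
    and report the checks a practitioner would make before editing pefile.py."""
    site = tempfile.mkdtemp(prefix="site-packages-")
    egg = os.path.join(site, "pefile-1.2.10_139-py2.7.egg")   # name taken from the README
    with zipfile.ZipFile(egg, "w") as zf:
        zf.writestr("pefile.py", "# constructed stand-in for pefile.py\n")
        zf.writestr("pefile.pyc", b"\x00stale bytecode")
        zf.writestr("EGG-INFO/PKG-INFO", "Name: pefile\n")
    edited = unpack_egg_for_editing(egg)
    result = {
        "is_dir": os.path.isdir(egg),               # the .egg path is now a directory
        "module": os.path.basename(edited),         # the file to hand-edit
        "pyc_left": any(n.endswith(".pyc") for _, _, fs in os.walk(egg) for n in fs),
        "metadata_kept": os.path.isfile(os.path.join(egg, "EGG-INFO", "PKG-INFO")),
    }
    shutil.rmtree(site)
    return result
```

Run unpack_egg_for_editing() against the real egg in PythonRootDir\Lib\site-packages, then open the returned pefile.py and apply peCloak's changes; Python will import the directory-form egg exactly as it imported the zipped one.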

Notes

SideStep generates Meterpreter shellcode, generates a random encryption key, and encrypts the shellcode with AES using that 128-bit key. All variable and function names are also randomly generated.

In addition to encrypting the shellcode and assigning random names, it generates a configurable number of random variables with values of configurable length. Surprisingly, this alone can also help evade AV (read this: https://github.com/nccgroup/metasploitavevasion).

To evade AV sandboxes, I implemented a function that checks the current time and then loops until a configurable number of seconds have passed since that time. As an additional small timing function, I have added support for generating 1024- or 2048-bit DH parameters. I chose these methods as I've read that some AV products hook sleep function calls.

SideStep can also be configured to strip debugging and other symbol information from the final executable and then randomly encode the assembly instructions using peCloak.

Future

In the future, I plan on making this more of a framework where additional algorithms can be plugged in and selected more "Metasploit / Veil" style. I would also like to set it up to randomly organize functions and variables.

At some point, I will better organize and design the system using OOP.

License

I have included the CryptoPP source and a 32bit compiled version of the library, which I believe is ok as I have included the CryptoPP license with this repository.

You are free to modify, use, change, and do whatever else you like with SideStep.

Contributors

codewatchorg