Yet another AV evasion tool

SideStep

SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.

Additional information can be found here: https://www.codewatch.org/blog/?p=414.

Requirements

Software:
Recent release of Metasploit Framework
Ruby 2.x
Windows (tested on 7, 8, and 10)
Python 2.7.x
Visual Studio (free editions should be fine - tested on 2012, 2015, and 2017)
Windows SDK
Cygwin with strip utility (if you want to strip debug symbols)
peCloak (if you want to use it - http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/)
Ditto (if you want to use it - https://github.com/mubix/ditto)
Mono (if you want to sign the executable - http://www.mono-project.com/download/)
SigThief (if you want to add a signature from another file - https://github.com/secretsquirrel/SigThief)

For code signing, a good example can be found here: https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode

Configuration: Python and strip.exe (if using it) need to be in your PATH. Sorry, I tried to make it compile with mingw-gcc with no luck.

*** The tool should now autocompile the CryptoPP library ***

Usage

Configure the settings in conf\settings.py; then, at a minimum, provide the IP and port of the Metasploit listening handler:

  python sidestep.py --ip 192.168.1.1 --port 443

With the default settings, the generated source file is written to the .\source directory and the compiled executable is dropped in the .\exe directory.

peCloak Modifications

If you want to use peCloak in the last step of the executable creation, then you will need to install the pydasm and pefile Python modules. You will also need to download the SectionDoubleP Python module (found here: http://git.n0p.cc/?p=SectionDoubleP.git;a=blob_plain;f=SectionDoubleP.py;h=93717cdd0ac293548fb995a1c54094dbea6005d9;hb=8846697ecda15bc814f99d24f7f5cbf0e06466d0) and save it to the peCloak directory.

Next, you need to make the modifications to pefile that the author of peCloak references on his page. If pefile was installed as an egg file:

  1. Find the egg file, typically in PythonRootDir\Lib\site-packages
  2. Make a copy of the egg file and rename the extension to .zip
  3. Unzip somewhere and rename the folder to the original name, but add .egg. So if the egg file was named pefile-1.2.10_139-py2.7.egg, then make that the directory name.
  4. Make the necessary changes to pefile.py and remove pefile.pyc
  5. Copy the unzipped folder containing the modified pefile.py back to the PythonRootDir\Lib\site-packages directory and remove the .egg file.

If it is installed as an editable Python package, then just find and edit the pefile.py as shown in the peCloak demonstration.

Notes

SideStep generates Meterpreter shellcode, randomly generates an encryption key, and then encrypts the shellcode with AES-128 using that random key. All variable and function names are also randomly generated.

In addition to encrypting the shellcode and assigning random names, it also generates a configurable number of random variables with configurable value lengths. Surprisingly, this can also help evade AV (read this: https://github.com/nccgroup/metasploitavevasion).

To evade AV sandboxes, I implemented a function that checks the current time and then loops until a configurable number of seconds have passed since that time. As an added small time-consuming function, I have added support for generating 1024- or 2048-bit DH parameters. I chose these methods as I've read that some AV products hook sleep function calls.

SideStep can also be configured to strip debugging and other symbol information from the final executable and then randomly encode the assembly instructions using peCloak.

Future

In the future, I plan on making this more of a framework where additional algorithms can be plugged in and selected more "Metasploit / Veil" style. I would also like to set it up to randomly organize functions and variables.

At some point, I will better organize and design the system using OOP.

License

I have included the CryptoPP source and a 32-bit compiled version of the library, which I believe is OK as I have included the CryptoPP license with this repository.

SideStep is free to modify, use, change, and do whatever else to.
