Skip to content

Releases: r00t-3xp10it/venom

venom v1.0.17.7 - Codename: shinigami (Christmas Gift)

23 Dec 21:10
Compare
Choose a tag to compare

Author: r00t-3xp10it
Version release: v1.0.17.7
Codename: shinigami (God of death)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2020

pdf1

:octocat: Framework Description

This tool uses msfvenom (metasploit) to generate shellcode in diferent formats ( c | python | ruby | dll | msi | hta-psh | docm | docx | deb | xml | ps1 | bat | exe | elf | pdf | macho | etc ) then injects the shellcode generated into one template (example: python) "the template then execute the shellcode in RAM" and uses compilers like GCC (gnu cross compiler) mingw32 or pyinstaller.py to build the executable file.
it also starts an multi-handler to receive the remote connection (shell or meterpreter). Venom toolkit will maintain old shellcode builds (that are now being detected by AV soluctions) to serve as a library of technics used, but it will incorporate a new sub-menu categorie (since version v1.0.16) named Amsi Evasion Payloads to deal with windows defender detection (or other Anti-Virus detection).

Update Description

Since the release of venom v1.0.17 that some amsi evasion agents have started to get flagged by anti virus solutions.
This update (v1.0.17.7) addresses the detection of agents in the amsi evasion category, repairs small bugs in source code
and implements five new post-exploitation modules ready to be used in our reverse tcp shell prompt (remotely).



:octocat: Version v1.0.17.7 Amsi Evasion Changelog

Categorie Agent nº Target OS Update Description
Amsi Evasion 2 Windows systems (8|8.1|10) OpenSSL reverse TCP shell (Amsi Detection Bypass)
Amsi Evasion 3 Windows systems (vista|7|8|8.1|10) PSrevStr obfuscation added (Amsi Detection Bypass)
Amsi Evasion 5 Windows systems (vista|7|8|8.1|10) CarbonCopy Pdf Trojan Binary File Signing (Amsi Bypass)
Amsi Evasion 6 Multi-Platforms (Linux|Mac|Windows) Emojify obfuscation added (Amsi Detection Bypass)
Amsi Evasion 7 Windows systems (8|8.1|10) OpenSSL FileLess reverse TCP shell (Amsi Bypass)

Remark: Dont scan samples on 'VirusTotal' or similar websites because that will shorten the payload live (flags amsi detection).



Amsi Evasion Netflix (Agent nº7) Dropper/Client execution diagram (FileLess)
Venom users require to edit 'venom\settings' file and activate 'OBFUSCATION=ON' to use this hta dropper. This dropper can execute
(user choise) in an hidden terminal or present an social engineering MsgBox pretending to be one Netflix (or any other appl) installer.
Netflix


Amsi Evasion (Agent nº 5) updated to sign the binary (dropper.exe) file with CarbonCopy (by @paranoidninja)
Venom users require to edit 'venom\settings' file and activate 'OBFUSCATION=ON' to use this amsi bypass technic.
pdf2



:octocat: Auxiliarys / Post-Exploitation Modules

FileName Description Target OS Usage
webserver cmdlet to read/browse/download files from compromised target machine (*) Windows Manual
GetBrowsers Standalone Powershell Script to Leak Installed Browsers Information. Windows Manual
CompDefault UAC bypass module OR execute one command with high privileges (Admin) Windows Manual
CredsPhish Standalone PS script that will promp the current user for a valid credential. Windows Manual
Sherlock PowerShell script to find missing software patches for local privilege escalation Windows Manual
Persistence Handlers Persistence handler scripts to store reverse tcp shells settings/Dependencies (**) Windows Auto
null CmdLine & Scripts for reverse TCP shell addicts cheat sheet (venom Wiki Pages) Windows WiKi Pages

(*) Venom v1.0.17.7 release will Auto-Upload the 'webserver' to attacker apache2 webroot.
(**) Venom Persistence Handlers are only available in 'Amsi Evasion' categorie builds.


Screenshot of @webserver and Sherlock working together under venom v1.0.17.7 reverse TCP shell prompt (remote)
rasta-mouse-EOP

Screenshot of @webserver And Sherlock Searching for missing KB security patchs
keylogger2

Screenshot of @webserver capturing keytrokes (-Keylogger parameter) under venom v1.0.17.7 reverse tcp shell prompt (remote)
keyloggerVoid



:octocat: Improvements / Bug-fixes

Improvements / Issues Description Credits
venom CLI terminal displays updated venom CLI interface outputs updated (bg colors) @r00t-3xp10it
Client HTA taskbar/application icon Added taskbar/application icon to Netflix.hta dropper @r00t-3xp10it
Amsi Evasion Agent nº7 (FileLess) replaced WinHttpRequest by Msxml2.XMLHTTP @root-3xp10it
@webserver Auto-Upload Amsi Evasion modules auto-uploads webserver to apache2 webroot @r00t-3xp10it
Persistence Handlers replace xterm by gnome-terminal in persistence handlers @youhacker55
gnome-terminal implementation replace xterm by gnome-terminal in Amsi Evasion @youhacker55



:octocat: Install venom v1.0.17.7 shinigami (Christmas Gift)

git clone https://github.com/r00t-3xp10it/venom.git

Set execution permitions

cd venom
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;

Install all dependencies

cd aux && sudo ./setup.sh

Run main tool

sudo ./venom.sh



🥇 Credits & Special Thanks

Credits Description
Emojify (@chris-rands) Obfuscate your python script as emoji icons ( Obfuscation )
CarbonCopy (@paranoidninja) Sign an executable for AV evasion ( Obfuscation / Binary Signing )
Sherlock (@rasta-mouse) PowerShell script to find missing software patches for local privilege escalation vulnerabilitys.

:octocat: Suspicious-Shell-Activity© (SSA) RedTeam develop @2020 :octocat:

venom v1.0.17 - Codename: shinigami

29 Aug 21:55
Compare
Choose a tag to compare

Author: r00t-3xp10it
Version release: v1.0.17
Codename: shinigami (God of death)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2020


pdf1

Framework Description

This tool uses msfvenom (metasploit) to generate shellcode in diferent formats ( c | python | ruby | dll | msi | hta-psh | docm | docx | deb | xml | ps1 | bat | exe | elf | pdf | macho | etc ) then injects the shellcode generated into one template (example: python) "the template then execute the shellcode in RAM" and uses compilers like GCC (gnu cross compiler) mingw32 or pyinstaller.py to build the executable file.
it also starts an multi-handler to receive the remote connection (shell or meterpreter). Venom toolkit will maintain old shellcode builds (that are now being detected by AV soluctions) to serve as a library of technics used, but it will incorporate a new sub-menu categorie (since version v1.0.16) named 'Amsi Evasion Payloads' to deal with windows defender detection (and other Anti-Virus detections).


Version v1.0.17 Changelog


New Agents added

Categorie nº Target OS Agent nº Description
8 (Amsi Evasion) Windows systems (vista|7|8|8.1|10) 4 meterpeter C2 command & Control PowerShell rat (*)
8 (Amsi Evasion) Windows systems (vista|7|8|8.1|10) 5 Social Engineering - Fake PDF Trojan Horse (**)
8 (Amsi Evasion) Multi-Platforms (Linux|Mac|Windows) 6 SillyRAT multi-platform reverse TCP python shell (***)
3 (Multi-OS) Multi-Platforms (Linux|Mac|Windows) 5 SillyRAT multi-platform reverse TCP python shell (***)



Dropper/Client execution diagrams

(*) meterpeter C2 Command & Control rat its only available in venom for linux x64 bit because Microsoft does not support powershell under
linux x86 (32-bit) arch's and meterpeter rat its written using powershell language. the bellow diagram demonstrates meterpeter on x64 bit.

diagram2

(**) This Venom module will ask the attacker to insert a PDF document, creates a C program that will be compiled with the help of GCC
(mingw32 or mingw-W64) into a binary.exe where is main task its to download and run the attacker Legitimate PDF document and the
Client.exe (reverse tcp shell) from attacker's apache2 webserver. Using for that the Remote-Host PowerShell interpreter.

diagram1

(***) This venom module uses SillyRAT (python) rat to build the Client.py and to recive the connection back (server.py), venom then
Creates a standalone executable (Windows OR Linux distros) to be deliver to target user using one URL link. dropper main task its
to download and run Client.py (reverse tcp shell) from attacker's apache2 webserver to the sellected location chosen before..
Remark: Under categorie nº8 (Amsi Evasion) SillyRAT will create an dropper.bat insted of dropper.exe to evade AV detection.

Sillypic



Improvements/Bug-fixes

Issue Description Bug Reports
The requested URL was not found on this server setup.sh 'venom domain name' obsolect configs @ricko2991
review Setup.sh sourcecode review/Improved @r00t-3xp10it
venom CLI displays improved venom CLI interface improved @r00t-3xp10it



:octocat: Install venom v1.0.17 shinigami :octocat:
'Download the framework from github'
Remark: Allways use git clone to download the tool because it downloads the lastest commits to sourcecode.
If you wish to download the stable version then scrool until the end of this page and download the .zip or .tar.gz packages.

git clone https://github.com/r00t-3xp10it/venom.git

Set execution permitions

cd venom
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;

Install all dependencies

cd aux && sudo ./setup.sh

Run main tool

sudo ./venom.sh



Remark: SillyRAT project under venom framework will build droppers (Windows|Linux) to auto-Install Client.py requirements
on target machine before download the Client.py from attacker apache2 webserver and finally executes it in background (child).
Linux droppers will fake the installation of some package [Steam-Installer] to silent execute the Client in a child process detach from dropper parent process. And Mac (Apple) build only creates the Client.py that requires to be manual executed on target systems.
Finally the Windows dropper will reproduce Linux dropper job, but all steps are taken in Background mode (none prompt displays).
bannersilly
Remark: Under 'Linux' or 'Mac' systems the Client.py needs to be manual stoped because it 'beacons home' in intervals of 8 sec.
Under 'Windows' systems its the 'dropper' process that requires to be manual stoped to abort the 'beacon home' Client function.


🥇 Credits & Special Thanks 🎉

Name Job
Shanty Damayanti (my geek wife) For having 'commissioned' me the 'Amsi Evasion PDF Trojan module'
@codings9 for helping me debug PDF Trojan Server\Client execution on linux x64 system
@paranoidninja CarbonCopy - Sign an executable for AV evasion (OBFUSCATION=ON)
@ZHacker13 For is original work in meterpeter reverse tcp powershell shell
@hash3liZer SillyRAT multi-platform reverse TCP python shell/server

Remark: Once any of the Amsi Evasion builds (agent's) starts to get flagged by AV solluctions, it will be deleted from amsi evasion
sub-categorie and copy to any of the venom main-menu above categories to be stored has a technic used (not bypassing AV anymore).

:octocat: Suspicious-Shell-Activity© (SSA) RedTeam develop @2020 :octocat:

venom v1.0.16 - codename: aconitum_nappelus

26 Dec 00:29
Compare
Choose a tag to compare

Author: r00t-3xp10it
Version release: v1.0.16
Codename: aconitum_nappelus
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2019


banner

:: Framework Description ::

This tool uses msfvenom (metasploit) to generate shellcode in diferent formats ( c | python | ruby | dll |
msi | hta-psh | docm | deb | xml | ps1 | bat | exe | elf | macho | etc ) then injects the shellcode generated
into one template (example: python) "the python funtion will execute the shellcode in RAM" and uses
compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller.py to build the executable file, it also
starts an multi-handler to receive the remote connection (shell or meterpreter).


:: Version v1.0.16 Changelog ::

New Agents added

Categorie nº OS Agent nº Description
1 Unix payloads 4 Linux HTOP deb Trojan
1 Unix payloads 5 Linux MP4 Trojan Horse
2 Windows payloads 21 Windows ICMP (ping) reverse shell
4 Android ; IOS payloads 3 Android PDF Trojan Msf FileFormat
8 Amsi Evasion 1 Windows Reverse TCP Powershell Shell (*)
8 Amsi Evasion 2 Windows Reverse OpenSSL Powershell Shell (**)
8 Amsi Evasion 3 Reverse Powershell Shell Hex Obfuscated (**)
(*) This module allow us to Download/Execute in-memory (Fileless) our payload.ps1
IF also sellected 'OBFUSCATION=ON' then a 'dropper' script will be written in 'VBS' to allow silent execution.
{ Special Thanks to @codings9 for all the help provided in debugging the Fileless function on Windows10 }.

Fileless2

(**) This module allow us to 'persiste' the payload on target system (startup folder) if sellected by attacker.
IF also sellected 'OBFUSCATION=ON' then the 'persistence' script will be written in 'VBS' to allow silent execution.
{ Special Thanks to @codings9 for all the help provided in debugging the persistence function on Windows10 }.

Batch


New Post-exploitation modules

  • nil

Framework Improvements

  • Framework CLI interface re-designed (terminal colors displays).
  • Framework now gives you the option to Obfuscate the dropper
  • Framework now builds android apk certificates ( categorie [4] -> agent nº [1] )
    'because android mobiles does not allow installing not signed applications (apk files)'
  • Framework now auto-compleat's User Inputs with default values (if user have skiped that step)
  • Now all HTTPS (x86|x64) payloads will trigger framework SSL payload/handler certificate checks.
  • Amsi evasion payloads presents now, two diferent download webpages for attacker to chose from.
  • Amsi evasion - agent nº [2|3] - persistence function added (Special thanks to @codings9 - debug)

Framework Bug-fixes

  • '@darkoperator' AutoRunScript multi_console_command bugfix (post-exploitation)
  • 'certutil.exe' droppers replaced by 'powershell' or 'WinHttpRequest' download methods.
  • categorie [2] -> agent nº [16] (wrong python libs deleted) [@ChaitanyaHaritash BugReport]
  • 'ResourceHacker | ming-w64' install's under x64 bites arch's bugfix's. [@usama7628674 BugReport]
  • zenity checks added to setup.sh and venom.sh [@codings9 BugReport]



:: Download/Update/Install ::

1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git

2º - Set execution permitions
cd venom-main
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;

3º - Install all dependencies
cd aux && sudo ./setup.sh

4º - Run main tool
sudo ./venom.sh

Update venom instalation (compare local version againts github oficial version)
sudo ./venom.sh -u


Screenshots of recent updates

Categorie [1] (Unix based payloads) -> agent nº [4] (linux htop deb trojan)
This Module will install/update 'HTOP' software and executes our shellcode in background (orphan process).
htop
htop2

Categorie [1] (Unix based payloads) -> agent nº [5] (linux mp4 trojan)
This module asks user to input one .mp4 video file, builds a C program thats going to be compiled to .mp4
(MITRE ATT&CK T1036) Then stores all files on apache2 and provides one 'oneliner' to be executed on target.
That oneliner remote download/exec our mp4 video and our shellcode in diferent processes (orphan process).
mp4

Categorie [2] (Windows OS payloads) -> agent nº [21] (Windows ICMP reverse shell)
This module uses ICMP (ping) protocol for C&C comunications over LAN networks (icmpsh.exe).
new2
We can see the Communications between server and client using wireshark (filter: ICMP packets) That allow us to see ALL commands beeing executed from server to client inside the ICMP packets in real-time.
pfik

Categorie [4] (Android | IOS payloads) -> agent nº [1] - Sign .APK applications (keytool | jarsigner | zipalign).
After Successfully created the .apk file, we need to sign an certificate to it, because Android mobile devices are not allowing the installing of apps without the signed certificate. This function sign's our apk with an SSL cert.
signed

categorie [4] (Android | IOS payloads) -> agent nº [3] (Android PDF Trojan Exploit)
This module uses 'exploit/android/fileformat/adobe_reader_pdf_js_interface' Msf exploit to build the PDF.
PDF

Categorie [8] (Amsi Evasion payloads) -> agent nº [1] (Reverse TCP Powershell Shell)
This Module was build to evade Windows Defender (ASLR,AMSI,DEP) detection.
1

Categorie [8] (Amsi Evasion payloads) -> agent nº [2] (Reverse OpenSSL Powershell Shell)
This Module was build to evade Windows Defender (ASLR,AMSI,DEP) detection.
2

Categorie [8] (Amsi Evasion payloads) -> agent nº [3] (Reverse Powershell Shell Hex Obfuscated)
This module will Masquerade (MITRE T1036) the dropper extension by adding one extra extension to dropper (venom random sellection). Conting that target system was the 'hidde extensions for know file types' active.
3

New dropper Download WebPage (Cumulative Security Update) added to amsi evasion agents
Now framework users can chose between deliver the dropper using Mega-Upload or Cumulative Security Update download webpages, OR we can simple generate droppers/payloads to venom output folder and deliver them using another diferent method. In that case, remmenber that payload.ps1 must be stored in apache2 for the dropper to be abble to pick it up and execute it.
4


Fast Retrieval Of Target System Information on Netcat Shell (Execute On Netcat)
gft




Special thanks: @hdm(metasploit) | @NickHarbour (PEScrambler.exe)
@HarmJ0y (pyherion) | @g0tmi1k | @ctucker | @0Entropy | @darkoperator
@cortesi (pyinstaller) | @mgraeber | @alor&naga (ettercap mitm+dns_spoof )
@astr0baby | @Rel1k | @nullbyte | @subTee | @enigma0x3 | @carnal0wnage
@Arno0x0x (meterpreter loader random bytes stager) | @ChaitanyaHaritash(SSA)
@paranoidninja | @ZHacker13 | @int0x33 | @markus-oberhumer (UPX packer)


:: venom project playlist ::

https://www.youtube.com/playlist?list=PL6lei9H-Ej0LEsM8QFOGh4slBfuqwvm9z

:: Referencies ::

https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell
https://www.virusbulletin.com/virusbulletin/2016/07/journey-evasion-enters-behavioural-phase/

Suspicious-Shell-Activity© (SSA) RedTeam develop @2019


venom v1.0.15 :: Pandora's box (pithos)

25 Feb 22:10
Compare
Choose a tag to compare

Version release: v1.0.15
Author: pedro ubuntu [ r00t-3xp10it ]
Codename: Pandora's box (pithos)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2018


release-the-kraken.png

:: Framework Description ::

This tool uses msfvenom (metasploit) to generate shellcode in diferent formats ( c | python | ruby | dll |
msi | hta-psh | docm | deb | xml | ps1 | bat | exe | elf | macho | etc ) then injects the shellcode generated
into one template (example: python) "the python funtion will execute the shellcode in RAM" and uses
compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller.py to build the executable file, it also
starts an multi-handler to recibe the remote connection (shell or meterpreter).

venom also gives you the oportunity to deliver your payloads using apache2 webserver (LAN networks),
and ships with self-writen post-modules that enchants metasploit framework: linux_hostrecon.rb (host
info gather) or enigma_fileless_uac_bypass.rb (privilege escalation for microsoft systems disclosed by
enigma0x3) or arno0x0x - meterpreter loader random bytes stager (msf meterpreter improved loaders).

It also implements recent disclosed vulnerabilitys in 'Applications Whitelisting Bypasses' by: @subTee
@enigma0x3 | @mattifestation, etc .. By using signed Microsoft binaries, and injecting code into them,
we effectively cloak our binaries so that they can execute, even under the watchful eye of Device Guard.


[certutil.exe -urlcache module] disclosed by subTee, download/exec remote binary using one HTA
release-the-kraken.png

[MSbuild xml-exec module] disclosed by subTee, abusing M$ signed binarys to achieve RCE
release-the-kraken.png





:: v1.0.15 Changelog ::

New agents added

  • @subTee - certutil remote download/execute agent(.bat|.exe)
  • @subTee - csharp shellcode.xml (MSbuild.exe - appl_whitelisting_bypass)
  • node.js reverse shell added to categorie: 'system built-in shells'
  • unix_exploit (agent.php uploaded/executed in target apache2)
  • linux elf agent (x86|x64 bits - doubleclick execution)
  • CVE-2017-11882 (Microsoft office word rtf) agent.rft
  • SSL CERT connection payloads: 'windows/meterpreter/reverse_winhttps'
    'linux/x86/meterpreter_reverse_https' 'linux/x64/meterpreter_reverse_https'
  • IOS devices macho payloads: 'osx/armle/shell_reverse_tcp'
    'apple_ios/aarch64/meterpreter_reverse_tcp'
    'osx/x64/meterpreter/reverse_tcp'

New Post-exploitation modules

  • linux_hostrecon.rb added to apache2 attack vector
  • wifi_dump_linux.rb added to apache2 attack vector

Framework Improvements

  • Abort funtion improved in all module builds
  • Framework CLI interface re-designed (terminal displays).
  • All builds detection ratio review (no-distribute url recent reports)
  • x64 arch support added to kimi.py (debian payload generator)
  • Executable DLL payload (.cpl) option, added to all dll agents
  • uuid (@nullbyte) obfuscation module added to some builds
  • arno0x0x meterpreter loader random bytes stager (av evasion)

Framework Bug-fixes

  • msf encoders arch bug-fixed under venom
  • support to x64 AMD chiptechs review/bug-fixes




:: v1.0.15 Update Detailed Description ::

The biggest update in version 1.0.15 can be found on its CLI interface, which now provides users with
a more intuitive/polish main-menu and sub-menus terminal displays, This new release now packs the
agents based on target operative system (Unix, Microsoft, Osx, Android, etc) and displays a more
detailed information about the agents like: target systems, agent execution, agent detection ratio,etc ..
venom shellcode v1.0.13




:: SSL CERT Connection Payloads ::

venom 1.0.15 ships with 3 new special payloads that allows users to secure your initial staged/stageless
connection for Meterpreter by having it check the certificate (SSL) of the listener it is connecting to.

  • windows/meterpreter/reverse_winhttps (staged)
  • linux/x86/meterpreter_reverse_https (stageless)
  • linux/x64/meterpreter_reverse_https (stageless)

Every time venom users decide to use this payloads, the agent (client) will authenticate (SHA1)
the connection to the handler (server) using venom's SSL certificate to encrypt the connection.
venom shellcode v1.0.13
@OJ - staged-vs-stageless handlers: http://buffered.io/posts/staged-vs-stageless-handlers/




:: Meterpreter Random Bytes Stager ::

Another big update was the implemention of: 'arno0x0x - meterpreter loader random bytes stager'.
This setting forces venom toolkit at start to backup/replace the msf meterpreter_loader.rb (x86) and
is counterpart (x64), rebuild msf database (msfdb) and reload venom's meterpreter_loaders into msf.
venom shellcode v1.0.13


IF the option 'RANDOM_STAGER_BYTES=ON' its active in venom settings file. This new loaders will
add an arbitrary number of random bytes at the beginning of the stage being sent back to the stager
in an attempt to evade AV signature detection and runtime detection. If the setting its set to OFF then
venom will not copy the new meterpreter loaders to msf, using metasploit default ones to work .
venom shellcode v1.0.13


REMARK: This method was not tested yet using https payloads (@Arno0x0x) ..
venom shellcode v1.0.13
REMARK: This obfuscation technic can only be used in windows/meterpreter staged payloads,
because the 'obfuscation' it requires a stage (dll reflection) being sent back to the agent (client) ..


Staged Payloads Connection Diagram:

  • agent (client) its executed in target system
  • connects to server (handler) to ask for stage (dll reflection)
  • random bytes are added in the beggining of the stage <-- arno0x0x obfuscation method
  • stage its send back to agent (client)
  • dll reflection executed in target ram
  • meterpreter session open

Obfuscation Supported Payloads

  • windows/meterpreter/reverse_tcp
  • windows/meterpreter/reverse_tcp_dns
  • windows/meterpreter/reverse_http
  • windows/x64/meterpreter/reverse_tcp
  • windows/x64/meterpreter/reverse_http



:: Automate Venom's Post-Exploitation Modules ::

This version also allows users to automate venom's post-exploitation modules (resource_files.rc)
"venom triggers the post-exploitation modules by using apache2 webserver to deliver the agents".
Lets look at the follow example: linux_hostecon.rb in venom runs by default only one system
enumeration module, but the post-module was more advanced options that can be manually set:

  • sessions <-- the session number to run the module againts
  • store_loot <-- allow users to write session logfile into .msf4/loot folder
  • single_command <-- allow users to execute a remote bash command
  • agressive_dump <-- uses agressive modules to gather more info about target
  • credentials_dump <-- dumps credentials from target system
  • the_fapenning <-- searchs in target system for hidden porn related folders/files

Edit /venom/aux/linux_hostrecon.rc and set any of the above described options, save file, run venom.
venom shellcode v1.0.13


run post/linux/gather/linux_hostrecon SINGLE_COMMAND="netstat -atnp | grep "ESTABLISHED""
This will trigger linux_hostrecon.rb default enumeration module and execute the inputed bash command.
venom shellcode v1.0.13

REMARK: All post-exploitation modules can be found under ../venom/aux folder and they can also
be executed using meterpreter prompt: meterpreter > resource /root/venom/aux/[resource_name.rc]

REMARK: New metasploit release has deleted multi_console_command.rb (by darkoperator)
that allows venom users to auto-run post-exploitation modules at session creation, but venom's
resource files can yet be called using: meterpreter > resource /root/venom/aux/[resource_name.rc]




:: Video Tutorials ::

linux_hostrecon(rc|rb) post-module automatization (multi-OS - agent.py)
https://www.youtube.com/watch?v=xROot1-NAaI

certutil.exe -urlcache - download/execute an bat|exe remotelly (Windows-OS - agent.hta)

PE shellcode cave injection - inject shellcode into legit applications (Windows-OS - agent.exe)
https://www.youtube.com/watch?v=L87YvJTsucE

ELF - inject shellcode into 'Executable and Linkable Format' files (Unix-OS - agent.elf)
https://www.youtube.com/watch?v=D894pMieQcM





:: Git download/install ::

1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git

2º - Set files execution permitions
cd venom
sudo chmod -R +x *.sh
sudo chmod -R +x *.py

3º - Install all dependencies
cd aux
sudo ./setup.sh

4º - Run main tool
sudo ./venom.sh





Special thanks: @Arno0x0x (meterpreter loader random bytes stager)
@subTee @enigma0x3 @carnal0wnage (applications_whitelisting_bypass + uac_bypass)
@H4D3S(SSA) @ChaitanyaHaritash(SSA) <-- 'The guy who encomended this job to me' 🥇


All the hard work goes to: @HDMoore (metasploit) | @NickHarbour (PEScrambler.exe)
@HarmJ0y (pyherion) | @g0tmi1k @ChrisTuncker @HarmJ0y (ruby template stager.rb)
@cortesi (pyinstaller) | @0Entropy (powershell poc's) | @mgraeber (powershell ...

Read more

venom v1.0.13 :: release the kraken

17 Mar 22:51
Compare
Choose a tag to compare

release-the-kraken.png

Version release: v1.0.13
Author: pedro ubuntu [ r00t-3xp10it ]
Codename: release the kraken (the mitologic sea monster)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2017


:: Framework description ::

This tool will use msfvenom (metasploit) to generate shellcode in diferent formats
( c | python | ruby | dll | msi | hta-psh | docm | deb) injects the shellcode generated
into one template (example: python) "the python funtion will execute the shellcode into
RAM" and uses compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller.py to
build the executable file, it also starts an multi-handler to recibe the remote connection
(shell or meterpreter session).

venom also gives you the oportunity to deliver your payloads using apache2 webserver(LAN)
in two diferent ways: http://<your-ip-address> OR http://mega-upload.com (mitm+dns_spoof)
this last one can only be configurated using: venom-main/aux/setup.sh conf-script..

:: Changelog ::

Some payloads execution bug-fixes, Many improvements in framework post-exploitation
abilitys (resource files review/new ones added), Framework displays review/improved
framework internal funtions improved and 5 new payload builds added to main menu ..
FUNTION        DESCRIPTION       - [CHANGELOG VERSION 1.0.13] -      release the kraken
-------        ---------------------------------------------------------------------------
bug fix    ->  msfdb postgresql datatase connection bug
bug fix    ->  build 1 - shellcode unix C sourcecode fix (int main() C89)
bug fix    ->  build 2 - C to dll sourcecode fix (#include <winsock2.h>)
bug fix    ->  build 16 - payload.php execution fixed (new php syntax)
bug fix    ->  build 17 - python.py trigger execution fixed (multi_OS)
bug fix    ->  build 19 - python.py trigger execution fixed (multi_OS)

improved   ->  venom framework terminal displays review
improved   ->  venom framework GPLv3 personal license review
improved   ->  venom domain name attack vector (http://mega-upload.com)
improved   ->  build 1 - shellcode unix C post-exploitation funtion added
improved   ->  build 23 - exploit/windows/fileformat/office_word_macro (deprecate)
                          exploit/multi/fileformat/office_word_macro (upgraded)

added ->  'settings' config framework internal settings
added ->  'office.ppsx' python_word_doc_payload (windows systems) 
added ->  'kimi.py' Malicious_Debian_Packet_Creator (linux systems)
added ->  'astrobaby.docm' word_macro_trojan_horse (multi_OS systems)
added ->  'system built-in-shells' -> perl_reverse_shell (pentestmonkey)
added ->  'exploit_suggester.rc' multi_post_exploits_suggester (multi_OS)
added ->  'post_linux.rc' linux gather information module (post-exploitation)
added ->  'post_multi.rc' multi system gather information module (post-exploitation)
added ->  'privilege_escalation.rc' windows privilege escalation (post-exploitation)
added ->  'enigma_fileless_uac_bypass.rb' windows privilege escalation (post-exploitation)

:: Detail description ::

One of the major updates in this release was the introduction of: 'venom-main/settings'
that allow users to config framework internal setting like: check/rebuild msf database
(msfdb) and update it (msfupdate) automatic at framework startup with recent exploits ..

venom shellcode v1.0.13
venom shellcode v1.0.13

Another usefull funtion its the implementation of framework logfiles creation, that allow
users to record session activity (spool command) in: venom-main/output/report.log All user
needs its to activate 'MSF_LOGFILES=ON' in: 'venom-main/settings' to start record logfiles

venom shellcode v1.0.13
venom shellcode v1.0.13

Another major improvement can be found in post-exploitation with the implementation
of: 'exploit_suggester.rc', that allow users to further search for entry points ..

venom shellcode v1.0.13
venom shellcode v1.0.13

Other improvement its the implementation of: 'privilege_escalation.rc' post-module to
windows systems using 'enigma_fileless_uac_bypass' msf module to upload our payload
to target system and execute it with elevated privileges (admnistrator) ..

venom shellcode v1.0.13
venom shellcode v1.0.13

WARNING: To revert changes made by enigma_fileless_uac_bypass you need to (manually):
1º - use post/windows/escalate/enigma_fileless_uac_bypass
2º - unset all
3º - set [session number]
4º - set DEL_REGKEY true
5º - exploit
Other major improvement can be found in 'venom domain name attack vector' funtion
(http://mega-upload.com) sutch as: 'phishing_webpage' and 'mitm+dns' small-bug-fixes ..
"mitm+dns_spoof payload delivery method can be turn on/off in venom-main/aux/setup.sh"

venom shellcode v1.0.13


REMARK: All venom framework 'resource files' can be called in meterpreter prompt
by simple executing: meterpreter > resource /root/venom-main/aux/[resource-name.rc]
except: persistence.rc - persistence2.rc - privilege_escalation.rc (they need venom configurations)


:: Usefull links ::

venom - GPLv3 license
venom - project main page
venom - project bug reports
venom - youtube videos

:: Git download/install ::

1º - Download framework from github
git clone https://github.com/r00t-3xp10it/venom.git

2º - Set files execution permitions
cd venom-main
sudo chmod -R +x *.sh
sudo chmod -R +x *.py

3º - Install all dependencies - turn on/off mega-upload.com domain
cd aux
sudo ./setup.sh

4º - Run main tool
sudo ./venom.sh

venom shellcode v1.0.13

Special thanks: @ChaitanyaHaritash (MDPC-kimi.py debian agent)
@0xyx3n (hta-to-javascript-obfuscator) | @suriya (VBS-crypter.exe obfuscator)

All the hard work goes to: @HDMoore (metasploit) | @NickHarbour (PEScrambler.exe)
@HarmJ0y (pyherion) | @g0tmi1k @ChrisTuncker @HarmJ0y (ruby template stager.rb)
@cortesi (pyinstaller) | @0Entropy (powershell poc's) | @mgraeber (powershell poc's)
@liviu (encrypt_polarSSL) | @alor&naga (ettercap mitm+dns_spoof ) | @astr0baby (poc's)
@Rel1k (set/unicorn shellcode poc's) | @nullbyte (powershell+shellcode poc's)

Suspicious-Shell-Activity© (SSA) RedTeam develop @2017

Venom v1.0.12-Stable :: Black Mamba

16 Nov 13:28
Compare
Choose a tag to compare

venom shellcode v1.0.12

:: CHANGELOG ::

Major changes:
Better KALI2 rolling release intergration, sourcecode fixes, misspeling fixes
external encoders,crypters added, nse and msf private auxiliary modules added.

improved  ->  'persistence' post-exploitation module added to most windows payloads
improved  ->  'timestomp' added to persistence.rc to change target payload mace values 
improved  ->  no more need to write the extension (.exe .bat etc) in payload output name

added     ->  x64 arch payloads added to 'availabe payloads list'
added     ->  dalvik android meterpreter payload [payload.apk]
added     ->  payload.vbs [powershell base64 enc] exec.vbs template
added     ->  exe-service payload [windows service control manager (SCM)]
added     ->  payload.exe [powershell base64 enc] c template compiled to stand-alone exec
added     ->  payload.jar [poweshell base64 enc] exec.jar template added to [option 17]
added     ->  payload.pdf [powershell+base64 OR C+random_xor] PDF trojan horse builds
added     ->  'system built-in shells' -> simple powershell shell
added     ->  'system built-in shells' -> simple php reverse shell
added     ->  'system built-in shells' -> simple reverse python shell2
added     ->  'system built-in shells' -> simple ruby Reverse_bash_shell
added     ->  'system built-in shells' -> simple ruby Reverse_bash_shell2

added     ->  'MSI_privilege_escalation' msf post-module to elevate MSI privs
added     ->  'CleanTracks.rb' msf module to clear tracks in target (post-exploitation)
added     ->  'deploy_service_payload.rb' msf module to deploy a service payload (windows)
added     ->  'reverse_engineering_venom.pdf' shows custom technics used by venom tool
added     ->  'hta-to-javascript.html' further encrypt hta payloads (thanks to 0xyg3n)
added     ->  'VBS-crypter.exe' further encrypt vbs payloads (thanks to suriya)
added     ->  'crypter_vbs_1.0_by_the_dark_side' further encrypt your vbs payloads

Special thanks: Shubham Singh | Chaitanya Haritash | Suriya Prakash
"For all the help provided in debuging this tool in diferent operative systems"

Please read my main page for further information

:: Suspicious shell Activity :: RedTeam 2016 ::