venom v1.0.17 - Codename: shinigami
Author: r00t-3xp10it
Version release: v1.0.17
Codename: shinigami (God of death)
Distros Supported: Linux Ubuntu, Kali, Debian, BackBox, Parrot OS
Suspicious-Shell-Activity© (SSA) RedTeam develop @2020
Framework Description
This tool uses msfvenom (metasploit) to generate shellcode in different formats ( c | python | ruby | dll | msi | hta-psh | docm | docx | deb | xml | ps1 | bat | exe | elf | pdf | macho | etc ), then injects the generated shellcode into one template (example: python) "the template then executes the shellcode in RAM" and uses compilers like GCC (gnu cross compiler), mingw32 or pyinstaller.py to build the executable file.
It also starts a multi-handler to receive the remote connection (shell or meterpreter). The venom toolkit will keep old shellcode builds (that are now being detected by AV solutions) to serve as a library of the techniques used, but it incorporates a new sub-menu category (since version v1.0.16) named 'Amsi Evasion Payloads' to deal with Windows Defender detection (and other Anti-Virus detections).
Version v1.0.17 Changelog
New Agents added
Category nº | Target OS | Agent nº | Description
---|---|---|---
8 (Amsi Evasion) | Windows systems (Vista/7/8/8.1/10) | 4 | meterpeter C2 Command & Control PowerShell RAT (*)
8 (Amsi Evasion) | Windows systems (Vista/7/8/8.1/10) | 5 | Social Engineering - Fake PDF Trojan Horse (**)
8 (Amsi Evasion) | Multi-Platform (Linux/Mac/Windows) | 6 | SillyRAT multi-platform reverse TCP python shell (***)
3 (Multi-OS) | Multi-Platform (Linux/Mac/Windows) | 5 | SillyRAT multi-platform reverse TCP python shell (***)
Dropper/Client execution diagrams
(*) The meterpeter C2 Command & Control RAT is only available in venom for Linux x64, because Microsoft does not support PowerShell on Linux x86 (32-bit) architectures and the meterpeter RAT is written in the PowerShell language. The diagram below demonstrates meterpeter on x64.
(**) This venom module asks the attacker to supply a PDF document, then creates a C program that is compiled with the help of GCC (mingw32 or mingw-w64) into a binary .exe whose main task is to download and run the attacker's legitimate PDF document and the Client.exe (reverse TCP shell) from the attacker's apache2 web server, using the remote host's PowerShell interpreter for that.
(***) This venom module uses the SillyRAT (python) RAT to build Client.py and to receive the connection back (server.py); venom then creates a standalone executable (Windows or Linux distros) to be delivered to the target user through one URL link. The dropper's main task is to download and run Client.py (reverse TCP shell) from the attacker's apache2 web server to the location selected earlier.
Remark: Under category nº8 (Amsi Evasion) SillyRAT will create a dropper.bat instead of dropper.exe to evade AV detection.
Improvements/Bug-fixes
Issue | Description | Bug Reports
---|---|---
The requested URL was not found on this server | setup.sh 'venom domain name' obsolete configs | @ricko2991
review Setup.sh | source code reviewed/improved | @r00t-3xp10it
venom CLI displays improved | venom CLI interface improved | @r00t-3xp10it
Install venom v1.0.17 shinigami
Download the framework from github
Remark: Always use git clone to download the tool, because it fetches the latest commits to the source code.
If you wish to download the stable version then scroll to the end of this page and download the .zip or .tar.gz packages.
git clone https://github.com/r00t-3xp10it/venom.git
Set execution permissions
cd venom
sudo find ./ -name "*.sh" -exec chmod +x {} \;
sudo find ./ -name "*.py" -exec chmod +x {} \;
Install all dependencies
cd aux && sudo ./setup.sh
Run main tool
sudo ./venom.sh
Remark: The SillyRAT project under the venom framework will build droppers (Windows|Linux) that auto-install the Client.py requirements
on the target machine before downloading Client.py from the attacker's apache2 web server and finally executing it in the background (child process).
Linux droppers fake the installation of some package [Steam-Installer] to silently execute the Client in a child process detached from the dropper's parent process. The Mac (Apple) build only creates Client.py, which must be executed manually on the target system.
Finally, the Windows dropper reproduces the Linux dropper's job, but all steps are taken in background mode (no prompt is displayed).
Remark: On 'Linux' or 'Mac' systems Client.py needs to be stopped manually because it 'beacons home' at intervals of 8 seconds.
On 'Windows' systems it is the 'dropper' process that must be stopped manually to abort the Client's 'beacon home' function.
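The fixed 8-second 'beacon home' interval described above is also what makes this kind of client visible on the wire. The following script is an added illustration written from the defender's side; it is not part of venom or SillyRAT. It groups outbound connections by (source, destination, port), measures the gaps between consecutive connections and flags flows whose gaps are short and almost constant. The log line format, the sample entries and the threshold values (`min_connections`, `max_period`, `max_jitter`) are all constructed for this example and would need to be adapted to a real log source.

```python
"""Beacon-interval detector (added illustration, not venom/SillyRAT code).

Groups outbound connections per (src, dst, port), computes the gaps between
consecutive connections and flags flows whose gaps are short and nearly
constant, as a client that phones home every N seconds produces.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src> -> <dst>:<port>" per line.
# First flow mimics an 8-second beacon; second flow is irregular browsing.
SAMPLE_LOG = """\
2020-01-01T10:00:00 10.0.0.5 -> 203.0.113.7:4444
2020-01-01T10:00:08 10.0.0.5 -> 203.0.113.7:4444
2020-01-01T10:00:16 10.0.0.5 -> 203.0.113.7:4444
2020-01-01T10:00:24 10.0.0.5 -> 203.0.113.7:4444
2020-01-01T10:00:32 10.0.0.5 -> 203.0.113.7:4444
2020-01-01T10:00:03 10.0.0.9 -> 198.51.100.2:443
2020-01-01T10:02:41 10.0.0.9 -> 198.51.100.2:443
2020-01-01T10:05:10 10.0.0.9 -> 198.51.100.2:443
2020-01-01T10:17:55 10.0.0.9 -> 198.51.100.2:443
"""


def parse_log(text):
    """Return {(src, dst, port): sorted [datetime, ...]} from the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dest = line.split()
        dst, port = dest.rsplit(":", 1)
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return flows


def intervals(timestamps):
    """Seconds between each pair of consecutive timestamps."""
    return [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]


def find_beacons(flows, min_connections=4, max_period=60.0, max_jitter=0.15):
    """Return {flow: mean_period_seconds} for flows that look like beacons.

    A flow qualifies when it has at least min_connections events, its mean
    gap is at most max_period seconds, and the coefficient of variation of
    the gaps (pstdev / mean) is at most max_jitter. Thresholds are assumed
    values for this illustration, not tuned for any real environment.
    """
    hits = {}
    for key, ts in flows.items():
        if len(ts) < min_connections:
            continue
        gaps = intervals(ts)
        period = mean(gaps)
        if period == 0 or period > max_period:
            continue
        if pstdev(gaps) / period <= max_jitter:
            hits[key] = round(period, 1)
    return hits


if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s")
```

On the sample data only the 10.0.0.5 flow is reported (period 8.0 s); the irregular 443 flow is discarded by the period and jitter checks. Real beacons often add random sleep jitter, so `max_jitter` is the knob to widen when hunting for less regular clients.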
🥇 Credits & Special Thanks 🎉
Remark: Once any of the Amsi Evasion builds (agents) starts to get flagged by AV solutions, it will be deleted from the Amsi Evasion
sub-category and copied to one of the venom main-menu categories above, to be stored as a technique used (no longer bypassing AV).