SPOOKFLARE TOOL: USE, HACK AND SECURITY
SpookFlare takes a different perspective on bypassing security measures and gives you the opportunity to get around endpoint countermeasures at both client-side detection and network-side detection. SpookFlare is a loader generator for Meterpreter Reverse HTTP and HTTPS stages. SpookFlare has a custom encrypter with string obfuscation and run-time code compiling features, so you can bypass the countermeasures of target systems for as long as they have not yet "learned" the technique and behaviour of SpookFlare payloads.
TECHNICAL DETAIL
Windows is still the most popular end-user operating system, and security products are mostly installed on Windows. The desktop operating system market share graph below is taken from the NetMarketShare report for August 2017. If an operating system has the highest usage rate on end-user systems, it will be the attackers' target for the same reason. This means security products will be deployed on that operating system, and those products will have to improve day by day against attacks.
Since Windows is the most commonly used operating system, the target systems in penetration tests usually run Windows. If you intend to compromise a Windows system, Meterpreter is usually used as the RAT in penetration tests because it is fully integrated with Metasploit. Also, my favourite RAT is Meterpreter. :) Although Meterpreter has great features, it can be used for illegal as well as legal purposes, which means Meterpreter can be classified as malicious by security products. This leads to the need to bypass the security products on the target system in penetration tests. OK, we know what we need: "We want to use Meterpreter and bypass the security countermeasures taken at the target." So how do security products work, and how will SpookFlare help us?
We can evaluate the security countermeasures deployed in an operating system in three stages. The first is signature-based detection, the second is behavioural detection and the third is reputation-based detection. The textbook way to bypass signature-based detection is obfuscation. Second, you must change the behaviour of the malware to bypass behavioural detection. So if you have been detected using Mimikatz to get the hashes of local users on the target system, you can use the procdump tool from Sysinternals instead; it can bypass behavioural detection because procdump is signed by the vendor and is generally used for legitimate purposes. The last is reputation-based detection, and things get complicated at this point, because the opinions of security products differ. Sometimes the properties of your application are classified as malicious by some security products, and the reputation-based detection algorithm changes completely from one security product to another. At this point, your experience fully comes into play in order to bypass the security product. At the end of the day, security products can detect and prevent attack vectors if they "know" them. I mean, if you have an unknown technique or method, you can bypass the countermeasures of the target system.
There are many ways to bypass security products. SpookFlare's approach, as summarised above, is a loader generator for Meterpreter Reverse HTTP and HTTPS stages with a custom encrypter, string obfuscation and run-time code compiling, aimed at both client-side and network-side detection, and it works until the security products "learn" the technique and behaviour of SpookFlare payloads.
Obfuscation
In software development, obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand. SpookFlare uses obfuscation for string names, so it is very hard to develop a signature on a particular string (or strings). Writing a signature for a particular string is common practice among malware analysts and security product developers. When a malware analyst carefully studies a sample, or a dynamic analysis system does, and the sample is decided to be malware, a signature of the file is extracted and added to the signature database of the AV or endpoint security product. A hash-based signature of the file will change if you change any byte in the file; a pattern-based signature only changes if the matched bytes change. If you change the right bytes, you can bypass signature-based detection. SpookFlare uses string obfuscation so that each generated payload is as unique as possible.
Source Code Encryption
So far we have seen that we can use string-based obfuscation and compile the code at run time. However, while doing all of this we also need to encrypt the actual loader, because the loader code being delivered is at a disadvantage against signature-based detection when it is defined in clear text. So SpookFlare encrypts the original loader's code using the RijndaelManaged class; when executed, it decrypts the loader code and then hands it to the compiler. It acts like a crypter, and finally it runs the compiled code.
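The three detection layers the text describes, as an added toy model that is not SpookFlare's code or the original post's: a hash signature on a known sample, a behavioural rule on the decrypt-compile-execute API combination, and a reputation lookup on constructed telemetry. The samples are constructed pseudo-source, and CSharpCodeProvider is assumed as the .NET run-time compiler API, which the page does not name.

```python
"""Toy model of the three detection layers described above (signature, behaviour,
reputation), run over constructed samples. Added example, not SpookFlare code."""
import hashlib
import re

# Constructed pseudo-source of a loader that decrypts a blob and compiles it at run time.
# CSharpCodeProvider is assumed here as the .NET run-time compiler API; the page only
# says "run-time compiling". The second sample is the same loader with its identifiers
# renamed, which is what string obfuscation does; the third is a benign tool.
KNOWN_LOADER = b"class Loader { RijndaelManaged aes; CSharpCodeProvider cc; Invoke(); }"
RENAMED_LOADER = b"class xQ9 { RijndaelManaged zzA; CSharpCodeProvider q1; Invoke(); }"
BENIGN_TOOL = b"class Backup { RijndaelManaged aes; File.WriteAllBytes(); }"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Layer 1: signature database keyed by the exact hash of a known-bad file.
# Any single changed byte produces a different hash, as the text notes.
SIGNATURE_DB = {sha256(KNOWN_LOADER)}

def signature_hit(sample: bytes) -> bool:
    return sha256(sample) in SIGNATURE_DB

# Layer 2: behavioural rule keyed on the API combination, not on identifier names:
# symmetric decryption + run-time compilation + invocation of the result.
BEHAVIOUR_RULE = (rb"RijndaelManaged", rb"CSharpCodeProvider", rb"Invoke\(")

def behaviour_hit(sample: bytes) -> bool:
    return all(re.search(pattern, sample) for pattern in BEHAVIOUR_RULE)

# Layer 3: reputation = constructed telemetry (prevalence, code signing) per hash.
REPUTATION = {sha256(BENIGN_TOOL): {"prevalence": 120_000, "signed": True}}

def reputation_verdict(sample: bytes) -> str:
    info = REPUTATION.get(sha256(sample))
    if info is None:
        return "unknown"  # never seen before: what every freshly generated payload looks like
    if info["signed"] and info["prevalence"] >= 1_000:
        return "trusted"
    return "suspicious"

def classify(sample: bytes) -> dict:
    return {
        "signature": signature_hit(sample),
        "behaviour": behaviour_hit(sample),
        "reputation": reputation_verdict(sample),
    }
```

Renaming identifiers, as string obfuscation does, defeats the hash signature but not the behavioural rule, and a freshly generated file always lands in the reputation layer's "unknown" bucket.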
Original link: technical detail
GitHub link
Watch the video here