Veil AV Bypass on Kali
One of the common hurdles for security and penetration testers is bypassing anti-virus on target systems. Veil uses a Metasploit-like interface to create a remote shell program that will bypass most anti-virus programs.
A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.
Veil wasn’t originally included in Kali, but has recently been added to the repositories. In this article we will discuss how to install and run Veil on Kali Linux.
Because Veil was only recently added to Kali, if typing “veil” at a terminal prompt does not start it, it may not be installed yet.
- To install it, just type “apt-get update && apt-get install veil”:
- Then to run the program, open a terminal and just type “veil”:
And this will bring you to the main menu:
The first thing to do is to list the available payloads using the “list” command:
So just type the “use” command and the number of the payload. We will use the “powershell/VirtualAlloc” payload.
- Type, “use 9”.
This will select the payload and present us with the following screen:
- We will just use the default values, so just type, “generate”.
Then you can choose to use Metasploit’s standard msfvenom shellcode or supply your own. We will just choose the default, msfvenom.
- Type “1” and press enter:
Next choose the type of shell; we will just use the default, which is reverse_tcp. This means that the target’s computer will connect back to us.
- Just press “enter” to accept default shell payload:
- Next Veil will ask for the IP address of the host machine that you are using. Enter the IP address of your Kali machine and press enter.
- Then enter the local port that you will be using. I chose to use port 4000:
- You will then be asked to enter any msfvenom options that you want to use. We won’t be using any, so just press enter to skip them.
And that is it! Veil will then generate our shellcode with the options that we chose.
- Now we need to give our created file a name. I chose “CutePuppy”.
Okay, “CutePuppy” sounds a little odd, but remember, you want the target to open the file that you are sending them, so a bit of social engineering is required.
If you know they like cute puppies, then our chosen file name is perfect. But you could also name it “2013 Business Report”, or “New Job Requirements”. Whatever you think would be the best.
Veil now has all that it needs and creates our booby-trapped file.
Our file will be stored in the “/usr/share/veil/output/source/” directory.
Just take the created .bat file and send it to the target. When it is run, it will try to connect out to our machine.
We will now need to start a handler listener to accept the connection.
Getting a Remote Shell
To create the remote handler, we will be using Metasploit.
- Start the Metasploit Framework from the menu or from a terminal (msfconsole).
- Now set up the multi/handler using the following screen:
Be sure to put in the IP address for your machine and the port that you entered into Veil. They must match exactly.
Metasploit will then start the handler and wait for a connection:
Now we just need the victim to run the file that we sent them.
On the Windows 7 machine, if the file is executed, we will see this on our Kali system:
A reverse shell session!
Then if we type “shell”, we see that we do in fact have a complete remote shell:
This should help prove that you cannot rely on your firewall and anti-virus alone to protect you from online threats. Unfortunately, many times your network security depends on your users and what they allow to run.
Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.
Blocking certain file types from entering or leaving your network is also a good idea.
And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.
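As an added defensive example (not part of the original article, and not Veil or Metasploit code), here is a small Python check of the kind a network security monitoring system would run over connection records: it flags a workstation opening a long-lived outbound session to an external host on an unusual port, which is exactly what the reverse_tcp payload above does when it calls back to the handler on port 4000. The log format, IP addresses, port list and thresholds are all constructed assumptions for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed sample connection records (assumed format, not from the article):
# timestamp, source IP, source port, destination IP, destination port, protocol, duration (s)
SAMPLE_CONN_LOG = """\
2013-11-02T09:14:01 10.0.0.23 49152 198.51.100.10 443 tcp 0.8
2013-11-02T09:14:05 10.0.0.23 49153 10.0.0.5 445 tcp 12.4
2013-11-02T09:15:10 10.0.0.23 49154 203.0.113.7 4000 tcp 1840.2
2013-11-02T09:15:12 10.0.0.40 49155 203.0.113.53 53 udp 0.1
"""

# Egress ports a workstation is normally allowed to reach directly (assumed policy).
ALLOWED_EGRESS_PORTS = {53, 80, 443}
# A single outbound session this long looks interactive, like a shell, not a web request.
LONG_SESSION_SECONDS = 600

Conn = namedtuple("Conn", "ts src sport dst dport proto duration")


def parse_conn_log(text):
    """Parse whitespace-separated connection records into Conn tuples."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, dur = line.split()
        conns.append(Conn(ts, ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), proto, float(dur)))
    return conns


def find_suspicious_egress(conns, internal_nets=("10.0.0.0/8",)):
    """Return (conn, reasons) for internal -> external sessions that break egress expectations."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for c in conns:
        src_internal = any(c.src in n for n in nets)
        dst_internal = any(c.dst in n for n in nets)
        if not src_internal or dst_internal:
            continue  # only outbound traffic leaving the network is of interest here
        reasons = []
        if c.dport not in ALLOWED_EGRESS_PORTS:
            reasons.append("unusual egress port %d" % c.dport)
        if c.duration >= LONG_SESSION_SECONDS:
            reasons.append("long-lived session (%.0fs)" % c.duration)
        if reasons:
            hits.append((c, reasons))
    return hits


if __name__ == "__main__":
    for conn, reasons in find_suspicious_egress(parse_conn_log(SAMPLE_CONN_LOG)):
        print("%s %s -> %s:%d  %s" % (conn.ts, conn.src, conn.dst, conn.dport, "; ".join(reasons)))
```

Such a rule does not stop the shell, but it gives the incident responder the timestamp, the workstation and the external handler address to start from.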