Veil AV Bypass on Kali

One of the common hurdles for security and penetration testers is bypassing anti-virus on target systems. Veil uses a Metasploit-like interface to create a remote shell program that will bypass most anti-virus programs.

A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

Veil wasn’t originally included in Kali, but has recently been added to the repositories. In this article we will discuss how to install and run Veil on Kali Linux.

Installing Veil

Veil was recently added to Kali; if typing “veil” at a terminal prompt does not start it, it may not be installed yet.

  • To install, just type “apt-get update && apt-get install veil”.
  • Then to run the program, open a terminal and just type “veil”.

And this will bring you to the main menu:

Veil Kali 1

Using Veil

The first thing to do is to list the available payloads using the “list” command:

Veil Kali 2
The payloads are rated by their success rate, so let’s try one of the PowerShell ones.

So just type the “use” command and the number of the payload. We will use the “powershell/VirtualAlloc” payload.

  • Type, “use 9”.

This will select the payload and present us with the following screen:

Veil Kali 3

  • We will just use the default values, so just type, “generate”.

Then you can choose to use Metasploit’s standard msfvenom shellcode or supply your own. We will just choose the default, msfvenom.

  • Type “1” and enter:

Veil Kali 4

Next choose the type of shell; we will just use the default, which is reverse_TCP. This means that the target’s computer will connect back to us.

  • Just press “enter” to accept default shell payload:

Veil Kali 5

  • Next Veil will ask for the IP address of the host machine that you are using. Enter the IP address of your Kali machine and press enter.

Veil Kali 6

  • Then enter the Local port that you will be using. I chose to use port 4000:

Veil Kali 7

  • You will then be asked to enter any msfvenom options that you want to use. We won’t be using any, so just press enter to skip them.

And that is it! Veil will then generate our shellcode with the options that we chose.

  • Now we need to give our created file a name. I chose “CutePuppy”.

Okay, “Cutepuppy” sounds a little odd, but remember, you want the target to open the file that you are sending them, so a bit of Social Engineering is required.

If you know they like cute puppies, then our chosen file name is perfect. But you could also name it “2013 Business Report”, or “New Job Requirements”. Whatever you think would be the best.

Veil now has all that it needs and creates our booby-trapped file.

Veil Kali 9

Our file will be stored in the “/usr/share/veil/output/source/” directory.

Just take the created .bat file and send it to our target. When it is run, it will try to connect out to our machine.

We will now need to start a handler listener to accept the connection.

Getting a Remote Shell

To create the remote handler, we will be using Metasploit.

  • Start the Metasploit Framework from the menu or terminal (msfconsole).
  • Now set up the multi/handler using the following screen:

Veil Kali 10

Be sure to put in the IP address for your machine and the port that you entered into Veil. They must match exactly.

Metasploit will then start the handler and wait for a connection:

Veil Kali 11

Now we just need the victim to run the file that we sent them.

Veil Kali 12

On the Windows 7 machine, if the file is executed, we will see this on our Kali system:

Veil Kali 13

A reverse shell session!

Then if we type “shell”, we see that we do in fact have a complete remote shell:

Veil Kali 14

Conclusion

This should help prove that you cannot trust your firewall and anti-virus alone to protect you from online threats. Unfortunately, many times your network security depends on your users and what they allow to run.

Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.
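As an added defensive example (not part of the original post and not Veil’s own code), here is a small triage script for batch files like the one generated above. It assumes the .bat launches PowerShell with a hidden window and an -EncodedCommand argument (an assumption about the delivered file, not something the post states), decodes that argument, and reports memory-injection API names such as VirtualAlloc found in the script, the kind of check a mail gateway or help desk could apply before a user is allowed to run an attachment.

```python
import base64
import re
from typing import Optional

# Memory-injection API names an analyst would watch for in a decoded loader
# (assumption: a small illustrative watchlist, not an exhaustive signature).
SUSPICIOUS_APIS = ("VirtualAlloc", "CreateThread", "WriteProcessMemory")

LAUNCH_RE = re.compile(r"powershell(?:\.exe)?\s+(?P<args>.*)", re.IGNORECASE)
ENC_FLAG_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def decode_encoded_command(line: str) -> Optional[str]:
    """Return the decoded script if `line` is an encoded PowerShell launch."""
    launch = LAUNCH_RE.search(line)
    if not launch:
        return None
    flag = ENC_FLAG_RE.search(launch.group("args"))
    if not flag:
        return None
    try:
        # -EncodedCommand carries base64 of the UTF-16LE script text.
        return base64.b64decode(flag.group("b64"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_batch(text: str) -> dict:
    """Report the first encoded PowerShell launch found in batch-file text."""
    for line in text.splitlines():
        script = decode_encoded_command(line)
        if script is None:
            continue
        return {
            "encoded_powershell": True,
            "hidden_window": bool(HIDDEN_RE.search(line)),
            "apis": [api for api in SUSPICIOUS_APIS if api in script],
        }
    return {"encoded_powershell": False, "hidden_window": False, "apis": []}


def _encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: a harmless script that merely mentions VirtualAlloc,
# wrapped the way a hidden-window encoded launch looks in a .bat file.
SAMPLE_BAT = ("@echo off\r\npowershell -NoProfile -WindowStyle hidden -EncodedCommand "
              + _encode("$api = 'VirtualAlloc'; Write-Host 'constructed sample'") + "\r\n")
```

Running `triage_batch(SAMPLE_BAT)` flags the encoded launch, the hidden window and the VirtualAlloc reference; a plain batch file with no PowerShell launch returns all-clear.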

~ by D. Dieterle on October 12, 2013.

One Response to “Veil AV Bypass on Kali”

  1. Just a quick note

    > apt-get update && apt-get install veil

    might cause serious issues, such as veil being outdated or not running at all.

    Recommended installation method is apparently to clone the github repo and simply run the python file inside. It will install all dependencies by itself.
