Creating Remote Shells that Bypass Anti-Virus with “Veil”

Many people think that if they are running an Anti-Virus and a firewall, they are generally safe from hacker attacks. The truth is far from that. Meet “Veil”, a remote shell payload generator that can bypass most current Anti-Virus programs.

Many Anti-Virus programs work by pattern or signature matching. If a program looks like malware the AV has been programmed to look for, it catches it. If the malicious file has a signature that the AV has not seen before, many will dutifully say that the file is clean and not a threat.

If you can change or mask the signature of malware, or of a remote shell in this case, then most likely the AV will allow it to run and the attacker gets a remote connection to the system.

Veil, a new payload generator created by security expert and Blackhat USA class instructor Chris Truncer, does just that. It takes a standard Metasploit payload and, through a menu driven program, allows you to create 21 different payloads that will most likely bypass anti-virus.

But how well does it work?

Following the directions on Chris’s page, I downloaded and installed Veil on my Kali (Backtrack) system.

Simply pick what payload you want:

[Screenshot: Veil Payload Generator Menu]

Then you can choose to use Metasploit’s standard msfvenom shellcode or supply your own. I just chose the default, msfvenom:

[Screenshot: Veil Options]

Next choose the type of payload; I just chose reverse TCP. Then enter the IP address of the Kali system and the port you want to use:

[Screenshot: Veil setting remote address]

Veil will then create the payload and present you with two options: you can feed the payload into Pyinstaller or Py2Exe to create a Windows executable file.

This is where I got a bit stuck. For some reason Pyinstaller did not want to co-operate on my Kali machine. I fussed with it for a while, then just followed Chris’s instructions for creating the .exe file on a Windows machine, and it worked without a hitch.

Basically, install Python, Py2Exe, and PyCrypto on Windows (all in the same directory). Then just copy your created payload.py file, the RunMe.bat file and setup.py (found in your Kali Veil directory) into your Windows Python directory.

Run the .bat file and sit back and watch the magic. When it is done you will have a payload.exe file. Any Windows system that runs it will try to connect out to the Kali system.

Finally start a Metasploit payload handler on your Kali system so the remote shell can connect to you. In Kali at a terminal prompt, type “msfconsole” and then:

[Screenshot: Veil Running]

Make sure you use the same IP address as LHOST and port as LPORT that you used in creating the payload.

Now, when a Windows system runs the payload.exe file we get this:

[Screenshot: Veil Session]

A remote session.

Then if we type “shell”:

[Screenshot: Veil Shell]

This was a fully updated Windows 7 system with a very good, up-to-date Anti-Virus installed and an intrusion detection system running. It didn’t see a thing.

This should prove that you cannot trust your firewall and AV alone to protect you from online threats. Unfortunately, your network security often depends on your users and what they allow to run. Instruct your users never to run any programs or open any files that they receive in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.
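The reverse TCP session shown above is exactly what network security monitoring can catch when AV is blind: the infected workstation itself dials out to LHOST:LPORT and keeps that session open while commands are typed. As an added example (not code from Veil, Metasploit or this post), here is a small Python check over constructed Zeek-style conn.log lines that flags long-lived outbound TCP sessions from workstations to external hosts on unexpected ports; the 10.10.0.0/16 workstation range, the expected-port list and the 10-minute threshold are assumptions to tune for your own network.

```python
"""Flag reverse-shell style callbacks in Zeek-style conn.log records.
Added example, not Veil code; log lines, subnets and thresholds are constructed."""
import ipaddress

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "duration", "orig_bytes", "resp_bytes", "conn_state"]
# Assumed site layout: RFC 1918 space is internal, workstations live in 10.10/16.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
EXPECTED_PORTS = {25, 53, 80, 443, 587, 993}  # normal outbound services
LONG_LIVED_SECONDS = 600                       # an interactive shell stays open

def parse_conn_line(line):
    """Parse one tab-separated record; None for '#' headers and bad rows."""
    values = line.rstrip("\n").split("\t")
    if line.startswith("#") or len(values) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, values))
    rec["resp_p"] = int(rec["resp_p"])
    rec["duration"] = float(rec["duration"])
    return rec

def is_callback(rec):
    """Workstation -> external host on an unexpected port, held open a long time."""
    src = ipaddress.ip_address(rec["orig_h"])
    dst = ipaddress.ip_address(rec["resp_h"])
    external = not any(dst in net for net in INTERNAL)
    return (rec["proto"] == "tcp" and src in WORKSTATIONS and external
            and rec["resp_p"] not in EXPECTED_PORTS
            and rec["duration"] >= LONG_LIVED_SECONDS)

def find_callbacks(lines):
    """Return (orig_h, resp_h, resp_p) for every flagged connection."""
    return [(r["orig_h"], r["resp_h"], r["resp_p"])
            for r in map(parse_conn_line, lines) if r and is_callback(r)]

# Constructed sample: HTTPS browsing, a DNS lookup, one workstation parked on
# port 4444 (Metasploit's default LPORT) for 40 minutes, and a refused attempt.
SAMPLE_LOG = """\
1372600000.1\t10.10.5.23\t51234\t203.0.113.10\t443\ttcp\t12.5\t2048\t60000\tSF
1372600001.4\t10.10.5.23\t51235\t10.10.0.2\t53\tudp\t0.02\t64\t128\tSF
1372600010.9\t10.10.5.23\t51236\t198.51.100.7\t4444\ttcp\t2400.0\t9100\t31000\tS1
1372600020.0\t10.10.7.8\t51300\t198.51.100.7\t4444\ttcp\t1.2\t0\t0\tREJ
"""

if __name__ == "__main__":
    for host, peer, port in find_callbacks(SAMPLE_LOG.splitlines(True)):
        print(f"possible reverse shell: {host} -> {peer}:{port}")
```

The same rule generalizes to any port: a real payload can be told to call back on 443, so pair this check with egress filtering and look at session duration and byte ratios rather than trusting the port number alone.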

For more information on Veil, and other pentesting topics, check out Chris’s training session at Blackhat USA 2013!

Hacking PLC SCADA Systems Easy as Pushing a Button

Interesting news yesterday from Digital Bond and Rapid 7: PLC exploits have been added to the Metasploit security testing platform. HD Moore, developer of the Metasploit project, had this to say on Twitter:

According to the Rapid 7 blog, the following exploits that target General Electric’s D20 PLCs have been added to Metasploit:

  • d20pass : This module leverages a pretty major information disclosure for the device — turns out, anyone who connects to the TFTP server on the D20 can snag the complete configuration for the device, which includes plaintext usernames and passwords. This module does just that — downloads the configuration file, parses out the credentials, and stores them in Metasploit’s database for reuse.
  • d20tftpdb : This module demonstrates an asynchronous backdoor functionality in the D20 via the TFTP interface. Again, in an unauthenticated way, anyone can connect to the TFTP server, and issue commands by writing to a special location on the filesystem. Also again, this is a pretty big deal. Note that this module is currently still in the unstable Metasploit branch pending a little more QA work on getting this (pretty unique) command and channel all nice and automated. As is, though, it works just fine for demonstration purposes, and if you have some of these PLCs in your environment, you are encouraged to investigate this more (and send patches!).

With the media hype of “CyberWar” and the news of hacker attacks against critical infrastructure systems, this is a shocking move by the Metasploit team. But maybe that is what they intended.

Metasploit is used for network security and penetration testing, and it is very good. There are automated options in Metasploit that will try numerous exploits against a system and give you a remote shell if one of them works. Taking this technology and adding in PLC exploits is truly scary, or should I say, push button easy.

Just last month the FBI released the news that infrastructure systems of three US cities were hacked:

“We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city.” And, “Essentially it was an ego trip for the hacker because he had control of that city’s system and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things.”

The problem is, even though people who run PLC devices in a SCADA environment have had years of warnings, many systems are still woefully unprotected, some even using default passwords. And many of these systems can be found using simple online search tools.

Most likely the thinking behind publicly releasing a tool to automate PLC exploits is that it will force companies to lock down their SCADA systems, as Dale Peterson, founder of Digital Bond, states:

“We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results. These attacks have existed in theory for a while, but were difficult to demonstrate to a Plant Manager. By creating exploit modules for the most widely used exploit framework – Metasploit – we hope that security professionals in critical infrastructure companies, consultants, and penetration testers will prod vendors to add basic security measures to PLCs after decades of neglect.”

Hopefully this tactic works and the good guys are the ones using the tools.