Creating Remote Shells that Bypass Anti-Virus with “Veil”

Many people think that if they are running an Anti-Virus and a firewall, they are generally safe from hacker attacks. But the truth is far from that. Meet “Veil”, a remote shell payload generator that can bypass most current Anti-Virus programs.

Many Anti-Virus programs work by pattern or signature matching. If a program looks like malware that the AV has been programmed to look for, the AV catches it. If the malicious file has a signature that the AV has not seen before, many will dutifully say that the file is clean and not a threat.

If you can change or mask the signature of malware, or a remote shell in this case, then most likely AV will allow it to run and the attacker gets a remote connection to the system.

Veil, a new payload generator created by security expert and Blackhat USA class instructor Chris Truncer, does just that. It takes a standard Metasploit payload and, through a menu-driven program, allows you to create 21 different payloads that most likely will bypass anti-virus.

But how well does it work?

Following the directions on Chris’s page, I downloaded and installed Veil on my Kali (Backtrack) system.

Simply pick what payload you want:

Veil Payload Generator Menu

Then you can choose to use Metasploit’s standard msfvenom shellcode or choose your own. I just chose the default, msfvenom:

Veil Options

Next choose the type of payload; I just chose reverse TCP. Then enter the IP address of the Kali system and the port you want to use:

Veil setting remote address

Veil will then create the payload and present you with two options. You can feed the payload into Pyinstaller or Py2Exe to create a Windows executable file.

This is where I got a bit stuck. For some reason Pyinstaller did not want to co-operate on my Kali machine. Fussed with it for a while, then just followed Chris’s instructions for creating the .exe file on a Windows machine and it worked without a hitch.

Basically install Python, Py2exe, and PyCrypto on Windows (all in the same directory). Then just copy over your created payload.py file, the RunMe.bat file and setup.py (found in your Kali Veil directory), into your Windows Python Directory.

Run the Bat file and sit back and watch the magic. When it is done you will have a payload.exe file. Any Windows system that runs it will try to connect out to the Kali system.

Finally start a Metasploit payload handler on your Kali system so the remote shell can connect to you. In Kali at a terminal prompt, type “msfconsole” and then:

Veil Running

Make sure you use the same IP address as LHOST and port as LPORT that you used in creating the payload.

Now, when a Windows system runs the payload.exe file we get this:

Veil Session

A remote session.

Then if we type “shell”:

Veil Shell

This was a fully updated Windows 7 system with a very good Anti-Virus installed and updated with an intrusion detection system running. It didn’t see a thing.

This should prove that you cannot trust in your Firewall and AV alone to protect you from online threats. Unfortunately, many times your network security depends on your users and what they allow to run. Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.
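File-type blocking is more reliable when it looks at content rather than the file name. The following is an added example, not part of the original post: it flags Windows executables by their MZ header, including renamed ones and ones inside zip archives. The policy values, function names and sample attachments are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed gateway policy for this example: block Windows executables by content.
BLOCKED_MAGIC = {b"MZ": "Windows executable (MZ header)"}
MAX_DEPTH = 3                    # refuse archives nested deeper than this
MAX_MEMBER = 20 * 1024 * 1024    # do not inflate members declared larger than this

def scan_attachment(name, data, depth=0):
    """Return (path, reason) findings for one attachment, looking inside zips."""
    for magic, reason in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return [(name, reason)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    if depth >= MAX_DEPTH:
        return [(name, "archive nested too deeply to inspect")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:          # encrypted member: content is opaque
                findings.append((path, "encrypted member, cannot inspect"))
            elif info.file_size > MAX_MEMBER:
                findings.append((path, "member too large to inspect"))
            else:
                findings += scan_attachment(path, zf.read(info), depth + 1)
    return findings

def make_zip(members):
    """Build an in-memory zip from {filename: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()

# Constructed samples: FAKE_EXE is only an MZ stub, not a real program.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "report.txt": b"quarterly numbers",
    "invoice.pdf": FAKE_EXE,  # executable renamed to look like a document
    "photos.zip": make_zip({"a.jpg": b"\xff\xd8\xff",
                            "inner.zip": make_zip({"b.jpg": FAKE_EXE})}),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, scan_attachment(fname, blob) or "allowed")
```

Anything the filter cannot open (encrypted or over-nested archives) is reported rather than passed, so the gateway can quarantine it instead of delivering it uninspected.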

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.

For more information on Veil, and other pentesting topics, check out Chris’s training session at Blackhat USA 2013!

Java Releases Zero-Day Patch – Why you Need to Install it Now

Java Setup

Java released an out-of-band patch yesterday to remedy two Zero-Day exploits. If you haven’t done so, update now. The Java exploit code has been added to several underground crimeware kits, rapidly accelerating its spread on the internet. The patch stops a remote exploit that would allow an attacker to run code on a system that does nothing more than browse to a malicious page. This could include a full remote shell, which we will demonstrate below.

The exploit code has been publicly available for a while now and has been added to the ever popular security testing suite Metasploit. We will demonstrate the exploit using Backtrack 5 and the Social Engineering Toolkit.

Simply choose the “Java Applet JMX Remote Code Execution” template from the SET Browser Exploitation menu.

SET Java 0-Day

Then choose the type of shell you want to use. We just selected the Reverse Meterpreter Shell and chose the defaults for everything else.

Once SET is ready, it will execute Meterpreter and wait for an incoming connection. Now we just need to surf to the attacker machine from Windows:

Surf to page

It doesn’t seem that anything happens. No warnings or pop-ups.

But as you can see below, our Backtrack system has already sent the exploit code and created a remote session with the system:

SET Session Created

We can now view any sessions that were created. As you see below we have one active session by Fred using a computer called Freds-PC using IP Address 192.168.0.114.

We simply connect to the session with the “sessions -i” command and run “shell” to open a full remote DOS shell:

SET Windows 7 Shell

In the example above all the user did was browse to a malicious webpage. With no warning at all a full remote shell was opened on the visiting system by an attacker.

Now, let’s go to the Java Download page and download the latest update (update 11):

Java Update

Then let it install:

Java Setup Complete

Finally, let’s try surfing to the same malicious site again from our Windows 7 system and see what happens.

The webpage opens and acts like it did on the victim’s side. So far no change.

But if we look at the attacker side, we get an error message and more importantly no remote shell is opened:

After Update No Shell

That’s it! One Java update takes care of one of the nastiest Java exploits I have seen in a while.

Java seems to be a favorite target of hackers, and you never know when another Zero-Day might be discovered. If you haven’t done so already, I highly recommend downloading and using a script blocking program like NoScript to give you some extra security and control over what scripts are allowed to run.

Second Issue of Exploit Mag is out!

The second free issue of Exploit Magazine has been released!

This month’s issue highlights three articles written by, well… yours truly!

(Guys we really need more contributors. Help the security community out and share your knowledge! Contact me at cyberarms (at) Live.com for more info.)

Included are updated versions of my Pentesting with Metasploitable 2 article series, Security Testing with Powershell and Powerpoint, and a short article on Listening to VoIP calls with WireShark:

Practice Pentesting with Metasploitable 2

You have been learning some mad hacking skills, but how do you test them? Wouldn’t it be great if there was a system that came with vulnerabilities that you could try to exploit? Well, there is: meet Metasploitable 2!

In this article we will take a look at the purposefully vulnerable Linux system and learn how to exploit it. We will cover scanning a system, using a remote exploit to get root access, cracking the passwords, and then using the passwords to exploit all the systems on the network.

Security Testing with PowerShell and PowerPoint

Many times hackers think “Out-of-the-Box” and manipulate common services and programs to exploit a system. In this article we will look at gaining remote shells with PowerShell through the Social Engineering Toolkit and how to get remote user credentials via PowerPoint.

Listening to VoIP Calls from Packet Captures

In this article we will look at recovering and playing voice calls from nothing more than a network packet capture that includes VoIP traffic.

How difficult would it be to scan a packet capture, find the calls out of the thousands of available packets and be able to somehow listen to the call? Well, come to find out, it is not hard at all. The feature is built into Wireshark!

Check it out!