Veil-Pillage

Another powerful tool found within the Veil Framework is called Veil-Pillage. What is Veil-Pillage and how does it work? Veil-Pillage is a post-exploitation framework consisting of multiple modules. It was released at DEF CON 2014 and has since attracted a lot of praise for its effectiveness. In the following screenshot you can see some of the modules found within Veil-Pillage:

Veil-Pillage's commands and interface are similar to those of the Metasploit msfconsole, which makes it easier to learn.

To bring up Veil-Evasion, follow these steps:

  1. Type ls and then cd Veil-Evasion.
  2. Next, type ls and then ./Veil-Evasion.py. In order for Veil-Evasion to start you must change directories to the Veil-Evasion folder and execute the tool from there:
  3. After starting Veil-Evasion you will see a menu screen, which will give you a number of options. From these options, we will select list:

The list option will bring up a list of 50 payloads that can be used.

  4. For this lab, we will select the payload ruby/meterpreter/rev_tcp, which is number 48 on the list.
  5. To use the payload, type use 48. After the payload has been selected we need to set the LHOST and LPORT:

This is the same process that we used in Chapter 4, Creating a RAT Using Msfvenom, using msfvenom. The LHOST will be the IP of the attacker and the LPORT is the port the payload will communicate on. If you need to find your IP, type ifconfig. Once you have your IP we can begin to compile the payload into an executable.

  6. After you set the LHOST and LPORT you can generate the payload. The option to compile the payload into an executable is set to Y (for yes) by default:
  7. Next, we will be asked to name the executable we just created. For this lab, I named it ethicalhaks (you can name it anything you want). The executable we created can be found in /usr/share/veil-output/compiled/ethicalhaks.exe. The file path for the handler will also be displayed; it is found in /usr/share/veil-output/handlers/ethicalhaks_handler.rc:
  8. Now we will create an encrypted payload to evade antivirus protection. For this lab, we will be selecting a different payload. Open Veil-Evasion and type list again, as we did earlier.
  9. From the list, we will select python/shellcode_inject/aes_encrypt. This payload will be number 35 on the list. We can also get information about the payload we selected by typing info 35. As you can see from the following screenshot, we get basic information about the payload:

Notice that our payload has a rating of excellent. This means the payload will most likely be effective when executed on a victim device. This payload combines VirtualAlloc injection with AES encryption; the AES encryption is what hides the payload from antivirus protection.

  10. After we type use 35 we will be brought to a menu to set the options of the payload. For this lab, we will keep the default settings of the payload in place. Now we will type generate.
  11. The next menu will ask what type of shellcode we want to use. We will select number 1 for the default msfvenom shellcode.
  12. Now we will select a second payload by pressing Enter and using the default payload, windows/meterpreter/reverse_tcp. We then must set the LHOST. This menu gives you the option of pressing Tab to acquire the IP of the device you are using as the LHOST.
  13. Next, we set the LPORT to 4444. For this lab, we will not be setting any additional msfvenom options. Press Enter and the shellcode will start to generate:
  14. After the payload is generated we will be asked to name it. For this lab, I will name it ethicalhaks2 (you can name it whatever you like).
  15. Next, we will select how to compile the payload into an executable. We will select number 1 for PyInstaller, which is the default option. Our payload has been compiled into an .exe and is ready to use.

The executable we generated, with Meterpreter embedded within it, will get past most antivirus protection.
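From the defender's side, the PyInstaller packaging chosen in the last step is itself a triage signal: PyInstaller writes a fixed-format "cookie" (starting with the magic bytes MEI\014\013\012\013\016) at the tail of every bundle, and that marker survives whatever encryption the embedded Python script applies to its shellcode. The script below, an added example that is not code from the book or from the Veil project, scans a binary for that cookie and reports the archive fields it finds. The cookie layouts, the sample "bundle" and the names find_pyinstaller_cookie/triage_sample are mine; the sample data is constructed in the block and contains no real payload.

```python
import struct
from typing import Optional

# PyInstaller CArchive cookie magic, "MEI\014\013\012\013\016" in octal escapes.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layouts (network byte order): magic, package length, TOC offset,
# TOC length, Python version field, and (PyInstaller 2.1+) a 64-byte
# Python library name. Field meanings are assumed from PyInstaller's loader.
COOKIE_FMT_NEW = "!8sIIii64s"
COOKIE_FMT_OLD = "!8sIIii"


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed PyInstaller cookie found in `data`, or None.

    The cookie sits at the end of the bundle (after the PE image and the
    embedded archive), so we search for the last occurrence of the magic and
    decode the fields that follow it. The magic is the authoritative signal;
    the numeric fields are hints for the analyst, not proof of anything.
    """
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx == -1:
        return None
    tail = data[idx:]
    for fmt in (COOKIE_FMT_NEW, COOKIE_FMT_OLD):
        size = struct.calcsize(fmt)
        if len(tail) < size:
            continue
        fields = struct.unpack(fmt, tail[:size])
        info = {
            "offset": idx,
            "package_length": fields[1],
            "toc_offset": fields[2],
            "toc_length": fields[3],
            # Encoding of this field differs across PyInstaller releases,
            # so it is reported raw rather than interpreted.
            "python_version_field": fields[4],
        }
        if fmt == COOKIE_FMT_NEW:
            info["python_lib"] = fields[5].rstrip(b"\x00").decode("ascii", "replace")
        return info
    return None


def triage_sample(name: str, data: bytes) -> str:
    """One-line verdict suitable for a triage log."""
    cookie = find_pyinstaller_cookie(data)
    if cookie is None:
        return f"{name}: no PyInstaller cookie"
    return (f"{name}: PyInstaller bundle (cookie at offset {cookie['offset']}, "
            f"package {cookie['package_length']} bytes, "
            f"pylib {cookie.get('python_lib', '?')})")


def build_constructed_bundle(body: bytes, pylib: bytes = b"python27.dll") -> bytes:
    """Constructed test data: a fake MZ header, an opaque archive body and a
    hand-built cookie appended the way PyInstaller appends its own."""
    cookie_size = struct.calcsize(COOKIE_FMT_NEW)
    cookie = struct.pack(COOKIE_FMT_NEW, PYINSTALLER_MAGIC,
                         len(body) + cookie_size,   # package length incl. cookie
                         len(body) - 16, 16,        # TOC offset and length (dummy)
                         27,                        # version field (dummy)
                         pylib.ljust(64, b"\x00"))
    return b"MZ" + b"\x00" * 62 + body + cookie


# Constructed samples: one bundled, one plain. Neither contains real code.
CONSTRUCTED_BUNDLE = build_constructed_bundle(b"\x11" * 256)
CONSTRUCTED_PLAIN = b"MZ" + b"\x00" * 62 + b"\x22" * 256

if __name__ == "__main__":
    for label, blob in (("bundle.exe", CONSTRUCTED_BUNDLE), ("plain.exe", CONSTRUCTED_PLAIN)):
        print(triage_sample(label, blob))
```

A hit only tells you the file is a PyInstaller bundle, which plenty of legitimate software also is; the value is that a bundle can be unpacked to the embedded Python script (PyInstaller ships pyi-archive_viewer for this), and a script that decrypts a blob and hands it to VirtualAlloc is far easier to judge than the compiled wrapper around it.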
