Payloads overview

Now that Veil is installed, we can take a look at its commands. The commands are straightforward: exit allows us to exit the program, and info provides us with information about a specific tool. list will list the available tools, update will update Veil, and finally, use enables the use of any tool, as shown in the following screenshot:

The list command displays Veil's main commands, which are as follows:

  1. Evasion: This generates undetectable backdoors
  2. Ordnance: This generates the payloads used by Evasion; this is more of a secondary tool

A payload is a part of the code, or of the backdoor, that does what we want it to. In this case, it gives us a reverse connection and downloads and executes something on a target computer.

When Veil-Evasion has loaded, you should see something similar to the following screenshot:

As you can see, Veil gives us a list of commands that can run on this tool. What we want here is to list all of the available payloads, of which there are 41. Each payload is divided into three parts, as shown in the following screenshot. We've highlighted the payload we'll be using, 15) go/meterpreter/rev_https.py:

The first part of the payload's name, such as cs or go, refers to the programming language the payload will be wrapped in. As you can see in the preceding screenshot, languages used include Go, C, C#, Python, PowerShell, and Ruby.

The second part of any payload is really important, as this is the type of payload; in other words, the type of code that's going to be executed on the target computer.

In this example, we're using Meterpreter, which is a payload designed by Metasploit. Metasploit is a huge framework sometimes used for hacking. Meterpreter runs in memory, so is difficult to detect and doesn't leave a large footprint. Using Meterpreter, we can gain full control over a target computer, allowing us to navigate through the filesystem, turn on the webcam, install or download files, and much more.

The third part of a payload's name is the method that's going to be used to establish its connection. In our example, that's rev_https: rev stands for reverse, and https is the protocol that will be used to establish the connection. There are also a few examples of rev_tcp in the preceding screenshot, which creates a reverse TCP connection.

A reverse connection is one where the target computer connects to the attacker's computer via a backdoor. This method bypasses antivirus programs because the connection is not directed at the target computer, but rather at the attacker. In our case, we are going to use a port that many websites use, 80 or 8080, so the connection will appear as a harmless website connection. Reverse connections also work on hidden computers, making them one of the most practical methods of gaining access to a machine.

Some payloads don't follow the conventional naming pattern, such as shellcode_inject. This instead creates a normal payload that injects our other payload.
