{"id":961,"date":"2018-10-19T18:55:13","date_gmt":"2018-10-19T18:55:13","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/?p=961"},"modified":"2018-10-22T23:49:40","modified_gmt":"2018-10-22T23:49:40","slug":"antivirus-evasion-bypassing-av-with-veil","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/19\/antivirus-evasion-bypassing-av-with-veil\/","title":{"rendered":"Antivirus Evasion : Bypassing AV with Veil"},"content":{"rendered":"

In real life pentesting scenarios, the antivirus is an added layer of security, which we have conveniently ignored so far. However, in this tutorial we will see how we can encrypt the payload and make it harder for the AV(antivirus) to detect it.<\/p>\n

Prerequisites<\/h3>\n

You should know how the basics of generating payloads using metasploit, i.e. have a basic idea about pentesting. I have covered these already, and won’t do so again.<\/p>\n

If you haven’t got the prerequisites covered, I’d suggesting you start by hacking into an unpatched Windows XP machine<\/a>.<\/p>\n

Install Veil-evasion<\/h3>\n

This is one the rare moments when you actually have to install a hacking tool in Kali Linux. That said, the process is incredibly simple, and a simple apt-get will work.<\/p>\n

 <\/p>\n

sudo apt-get update<\/p><\/blockquote>\n

sudo apt-get install veil-evasion<\/p><\/blockquote>\n

 <\/p>\n

Type veil-evasion in the terminal and you’ll be asked if you want to continue with the installation.<\/p>\n

<\/a>
\nType y. Wait for the installation to finish. It could take a while. The installation would ask you to install Python & Ruby (don’t change installation directories even if it says that Python is already installed), which is just a matter of clicking next <\/i>and finish.<\/i><\/p>\n

Veil Evasion – Creating a simple payload<\/h2>\n

Type veil-evasion <\/i>on the terminal to start it.<\/p>\n

<\/a>
\n1) Type list to see available payloads.<\/p>\n

 <\/p>\n

list<\/p><\/blockquote>\n

2) Use any payload you want to. I’m using python\/shellcode_inject\/flat. Type<\/p>\n

use python\/shellcode_inject\/flat<\/p><\/blockquote>\n

<\/a>
\n3) You can use set option to change any values you want to change. We don’t need that right now. Type info to see the settings you can change.<\/p>\n

info<\/p><\/blockquote>\n

4) Type generate<\/p>\n

generate<\/p><\/blockquote>\n

<\/a>
\n5) Choose option 1
\n<\/a>
\n6) Press enter, or if you want to use some other exploit, then type it’s name.
\n7) Enter LHOST (listener IP, i.e. your IP from ifconfig) and LPORT (any unused port works), enter any extra msfoptions you want to enter (not required here). Enter any name you want.
\n<\/a>
\n8) Give your payload a name. Then choose 1 or 2 for Payload creation method. I chose 1.<\/p>\n

<\/a><\/p>\n

Your payload will get generated in a bit. Don’t upload it to online scanners, since they distribute it to different AV companies and the detection rate increases.<\/p>\n

PS: If you are having issues, scroll down to the troubleshooting section below.<\/p>\n

Veil Evasion – Creating An encrypted payload<\/h2>\n

Let’s try to create an encypted payload, one which will be undetectable by most AVs.<\/p>\n

We’ll use AES encryption to encrypt the payload. This is a pretty strong algorithm and should provide pretty low detection rate.<\/p>\n

1) Select the payload (this step is the only difference between the encrypted payload and simple payload)<\/p>\n

 <\/p>\n

use python\/shellcode_inject\/aes_encrypt<\/b><\/p><\/blockquote>\n\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Don’t be confused by the directory at which I currently am in (\/Veil-Evasion\/Setup)
\nin all the screenshots.
\nI created a troubleshooting section below for which I was in this directory, and never
\nswitched back to home directory. This doesn’t change anything.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

2) Look at the parameters\/options that we can choose<\/p>\n

info<\/p><\/blockquote>\n

<\/a>
\n3) Change anything you want to change. I’m not changing anything and using all the default options.
\n4) Generate the encrypted payload.<\/p>\n

generate<\/p><\/blockquote>\n

5) Choose option 1, press enter for default payload. Follow the same procedure as the previous case. Choose the LHOST, LPORT.
\n<\/a>
\n6) Give your payload a name. I call it veiled.<\/p>\n

7) Choose 1 (pyinstaller).<\/p>\n

<\/a><\/p>\n

Generated executable can be seen here-
\n\/usr\/share\/veil-output\/compiled\/veiled.exe<\/p>\n\n\n\n\n
<\/a><\/td>\n<\/tr>\n
This is the second payload I created with the name veiled so it got changed to
\nveiled1.exe<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

That’s it, you now have a payload that can bypass a lot of AVs easily.<\/p>\n

Troubleshooting<\/h2>\n

If you’re getting this error<\/p>\n

ERROR: Can’t find python.exe in \/root\/.config\/wine\/veil\/drive_c\/Python27\/<\/p>\n

Then it means apt-get failed you, and there are some uninstalled\/mis-configured dependencies<\/p>\n

Try this solution-<\/p>\n

git clone https:\/\/github.com\/Veil-Framework\/Veil-Evasion.git<\/p><\/blockquote>\n

It’s going to be approximately a 300 MB download.<\/p>\n

then<\/p>\n

 <\/p>\n

cd Veil-Evasion\/setup\/<\/p><\/blockquote>\n

then<\/p>\n

.\/setup.sh -c<\/p><\/blockquote>\n\n\n\n\n
<\/a><\/td>\n<\/tr>\n
This step may take some time. You’ll have to wait.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n
<\/a><\/td>\n<\/tr>\n
You’ll have to install a lot of stuff including python, ruby, etc. with Wine<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

then<\/p>\n

cd ..\/setup\/<\/p><\/blockquote>\n

then<\/p>\n

python update.py<\/p><\/blockquote>\n

This should fix the issues.<\/p>\n

Tinkering<\/h2>\n

I just generated an encrypted payload without a lot of tinkering. You can play with the options, try out everything that veil offers, and get a much more ‘veiled’ payload. As far as bypassing antiviruses is concerned, experimentation is key. Keep trying out different options till one generates a payload that your target AV won’t detect.<\/p>\n

 <\/p>\n

What to expect<\/h2>\n

Imagine your created payload is FUD (fully undetectable). Let’s reiterate the steps you performed-<\/p>\n

    \n
  1. Figured out how to use Kali (live USB, dual boot, VM, doesn’t matter).<\/li>\n
  2. Completed the steps given in a very easy to follow tutorial (I hope it was easy to follow).<\/li>\n<\/ol>\n

    Now ask yourself how hard it was to do the above steps, and how many people would be able to do it. Let’s say 1 in every 100 persons who tries to do the steps 1 and 2 succeeds. This would mean, one in every 100 persons who wants to write a virus\/payload\/trojan that cannot be detected by any antivirus, would succeed. Would you want to live in a world where there are viruses which can’t be detected by AVs, and these can be created by anyone with a bit of brain, internet access, and odds (1 against 100) in his favor?<\/p>\n

    Obviously not. The antivirus companies constantly keep evolving their algos, and the good ones would detect veil payloads. If you are clever, you can make the payload such that it’s detected only by very few AVs, but making a completely undetectable payload is hard, as it should be. There are crypters available, which are not free of cost, which encrypt your payloads, and then they are FUD for a short while at least. However, just like searching google for hack facebook and typing the username on a bogus website doesn’t give you the password of a facebook account, simple stuff like this won’t make an invincible payload. However, since you did do a lot of genuine work, the payload can certainly bypass a lot of common AVs, and with a bit of effort, you can probably make it almost FUD.<\/p>\n

    So no, your payload won’t be perfect, and yes, it’s a good thing.<\/p>\n

    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    In real life pentesting scenarios, the antivirus is an added layer of security, which we have conveniently ignored so far. However, in this tutorial we will see how we can encrypt the payload and make it harder for the AV(antivirus) to detect it. Prerequisites You should know how the basics of generating payloads using metasploit, … <\/p>\n

    Continue reading “Antivirus Evasion : Bypassing AV with Veil”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-961","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=961"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/961\/revisions"}],"predecessor-version":[{"id":1253,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/961\/revisions\/1253"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}