Veil - A Payload Generator to Bypass Antivirus | Christopher Truncer's W...

https://www.christophertruncer.com/veil-a-payload-generator-to-bypass-a...

Veil - A Payload Generator to Bypass Antivirus


Posted by Christopher Truncer on May 30, 2013 in Featured Category, IT Security | 117 comments

NOTE: Please, be kind, and don't submit any payloads to ANY online virus scanner!

On nearly every assessment, pen testers have to fight a battle against antivirus solutions. The level of effort that goes into each battle relies on the AV solution, its definitions, etc. Researching methods to bypass antivirus solutions has been an interest of mine on and off for the past 6 months. About two months ago I started to take a more serious look at how I could take my recent research and turn it into something that was more usable and useful. I set out with a couple of goals:

- Bypass common AV solutions that I/we routinely encounter in most network environments
- Utilize payloads that are compatible with the Metasploit framework, and expand upon these in future releases
- Attempt to make each payload file as random as possible

With these goals in mind, I continued researching methods of bypassing AV. Since I wanted to maintain Metasploit compatibility, I chose to use shellcode generated by the Metasploit framework, specifically msfvenom. To accomplish this, I began looking into other available research, which is where I discovered a number of interesting techniques that a variety of people, such as Dave Kennedy and Debasish Mandal, had already begun to develop. From their research, I learned about really interesting ways to inject shellcode into memory through Python. These methods were the foundation of the rest of my research.

Since the majority of our assessments are against predominantly Windows environments, it was important that the tool worked reliably against these systems. Since I chose to write the tool in Python, I had to figure out how to package the Python output files containing the obfuscated shellcode to execute on Windows without requiring Python to be installed on the target machine. One of the solutions I looked into was using Py2Exe. I knew other software used this method to convert their Python-based scripts or tools into an executable that could run on Windows and figured I could do the same. I began testing Py2Exe with the payload files I developed and was successful running the executables on various versions of Windows, so I stuck with that solution. The final part was for me to develop a tool that automated the payload generation process, and I'm happy to release Veil.

Note: Please be sure to check out https://www.veil-evasion.com, Veil's website, for the latest tutorials, updates, and repo location.

10/30/2013 12:44 AM

Veil is currently capable of using 7 different methods to make 21 different payloads, all of which result in meterpreter connections. Veil provides the user with the option of using either Pyinstaller or Py2Exe to convert their Python payload into an executable. With Pyinstaller, Veil users can have their file converted into an executable all within Kali, without requiring the use of a second VM/machine. When using Py2Exe, Veil will generate three files which are required to create the final executable: a payload file (in Python), a file with runtime instructions for Py2Exe, and a batch script which handles converting the payload file into an executable. To generate the final payload, copy the three output files to a Windows host with Python, Py2Exe, and PyCrypto installed and execute the batch script. This will build the final executable that is uploaded to the target. The executable file can be dropped anywhere, on any Windows system, as all required libraries are stored within the exe file. Once dropped on a system and executed, the payload will result in a meterpreter callback that is undetected by AV.
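From the defender's side, bundling the Python runtime and libraries into a single exe leaves recognisable structure in the file. The triage sketch below is an added example, not code from Veil or from the original post: it flags Windows executables that look like PyInstaller or py2exe output. The marker values (PyInstaller archive cookie, py2exe PYTHONSCRIPT resource name, pythonNN.dll string) and all function names are assumptions based on how those packagers commonly lay out their output, and the sample files are constructed in-line.

```python
import re
import struct

# Heuristic markers (assumptions, not taken from the post).
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"       # magic of the archive PyInstaller appends
PY2EXE_RESOURCE = "PYTHONSCRIPT".encode("utf-16-le")  # resource name read by the py2exe stub
PYTHON_DLL = re.compile(rb"python\d\d\.dll", re.IGNORECASE)


def pe_header_offset(data):
    """Return the offset of the 'PE\\0\\0' signature, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def overlay_offset(data, pe_off):
    """Return the end of the last section's raw data; anything after it is overlay."""
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size            # section table follows the optional header
    end = table + 40 * n_sections             # each section header is 40 bytes
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_ptr:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def classify(data):
    """Return a list of findings suggesting the file is a packaged Python program."""
    findings = []
    pe_off = pe_header_offset(data)
    if pe_off is None:
        return findings
    try:
        ov = overlay_offset(data, pe_off)
    except struct.error:
        return ["malformed-pe"]
    # PyInstaller one-file builds append their archive after the last PE section,
    # so the cookie is only meaningful when it sits in the overlay.
    if PYINSTALLER_COOKIE in data[ov:]:
        findings.append("pyinstaller-archive-in-overlay")
    # py2exe keeps the script as a named resource inside the image itself.
    if PY2EXE_RESOURCE in data[:ov]:
        findings.append("py2exe-script-resource")
    match = PYTHON_DLL.search(data)
    if match:
        findings.append("embeds-" + match.group(0).decode("ascii").lower())
    return findings


def build_sample_pe(section_body=b"", overlay=b""):
    """Construct a minimal one-section PE image for testing (constructed sample, not real output)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # 1 section, no optional header
    raw_ptr = 0x40 + 4 + 20 + 40                                  # section data starts after headers
    section = struct.pack("<8sIIIIIIHHI", b".rsrc", len(section_body), 0x1000,
                          len(section_body), raw_ptr, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\x00\x00" + coff + section + section_body + overlay


if __name__ == "__main__":
    samples = {
        "pyinstaller-like": build_sample_pe(overlay=b"\x00" * 16 + PYINSTALLER_COOKIE + b"\x00" * 64),
        "py2exe-like": build_sample_pe(section_body=PY2EXE_RESOURCE + b"\x00PYTHON27.DLL"),
        "plain": build_sample_pe(section_body=b"ordinary data"),
    }
    for name, blob in samples.items():
        print(name, classify(blob))
```

A hit only says the file is packaged Python, which plenty of legitimate software is; it is a reason to unpack and inspect the embedded script, not a verdict.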

I've tested the packaged executable against multiple AV solutions (MSE, Kaspersky, AVG, Symantec, and McAfee), on both test systems and in the wild, and have a very high success rate, bypassing detection in almost every circumstance. I hope that, by releasing this tool, I can enable others in the community to provide more effective assessments by allowing them to focus their efforts on security risks and spend less time bypassing ineffective security measures that wouldn't deter an actual adversary.

Setup:

For Kali:
1. Run the setup script (setup.sh) and follow the installation process.
2. Once the setup script has completed, delete the setup script.

For Windows (when using Py2Exe):
1. Install Python 2.7 - (tested with x86 http://www.python.org/download/releases/2.7/)
2. Install Py2Exe - (http://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/)
3. Install PyCrypto - (http://www.voidspace.org.uk/python/modules.shtml)

Instructions for Use:
1. Run Veil from Kali and generate your payload.
2. If using Pyinstaller, your payload will be converted into an executable and is available for immediate use.
3. If using Py2Exe:
   - Move the payload.py along with its two accompanying files onto your Windows machine (that already has Python and the other dependencies from above installed).
   - All three files should be placed in the root of the directory Python was installed to (likely C:\Python27).
   - Run the batch script to convert the Python payload into an executable format.
4. Place the payload file on your target machine through any means necessary!

Future Direction:
- Research new methods of encrypting or obfuscating the payload.
- Research other languages with direct access to the Windows API for delivering the payload.

Want to play with Veil? Feel free to do so. Download, clone, do anything you'd like with it. You can download Veil here - https://github.com/veilevasion/Veil. I hope that it can help others on their tests just as it has helped me. Please, if anyone has additional functionality they would like to add, I'd love to have input from the community!

To learn how to effectively use Veil on assessments, and other Red Team techniques, check out our class at Blackhat USA 2013! And check out our Pen Testing class as well!

References:
Dave Kennedy - http://www.trustedsec.com/files/BSIDESLV_Secret_Pentesting_Techniques.pdf
Debasish Mandal - http://www.debasish.in/2012/04/execute-shellcode-using-python.html
117 Responses to Veil - A Payload Generator to Bypass Antivirus

1.

DoesNotMatter says: May 30, 2013 at 9:52 am
I've been using this technique in my custom code for quite some time. One recommendation: create template files, rather than creating it with all the Payloadfile.write(). You could replace the strings in the template files real easy. It also allows for others to easily just modify the template. This will also make your code cleaner and more maintainable ==== and extensible, as others would be happy to add to it. All the best!

CTruncer says: May 30, 2013 at 10:06 pm
Thanks, appreciate the recommendations. We're definitely looking to do both suggestions shortly. After a lot of testing, we were happy where we are at for an initial release, but do plan on trying to turn this into a usable framework to allow contribution from the community.

2.

Derek Mischler says: May 30, 2013 at 1:13 pm
I think you spelled your name wrong in the by, looks like you may have just dropped an r. Excited to give this a shot and dig your use of the Polished theme!

CTruncer says: May 30, 2013 at 3:40 pm
haha, good catch. That was a fail. Just updated. Thanks for letting me know!

3.

Alexandros Iliopoulos says: May 30, 2013 at 5:04 pm
One question. When I choose Pyinstaller, where is the payload saved?

CTruncer says: May 30, 2013 at 10:12 pm
Like @selsroger mentioned below, the payload.exe file will be in the same directory that you launched Veil from.

4.

Vinícius K-Max (@viniciuskmax) says: May 30, 2013 at 5:14 pm
Er... my payload.exe crashes over and over again, don't matter my encode choices: http://i.imgur.com/UIXrvTO.png
Windows XP SP 2 x86
Suggestions?

CTruncer says: May 30, 2013 at 10:09 pm
Could you let me know exactly what you installed for py2exe? We've done extensive testing and haven't encountered any issues yet, but if you could let us know exactly what you installed, we could try to re-create the issue and then determine how to fix it.

5.

@SelsRoger says: May 30, 2013 at 7:23 pm
@Alexandros Iliopoulos: in the directory from which you have launched veil. You can see this easily. Launch veil but don't choose between 1 & 2, pyInstaller or py2Exe, so it just sits there waiting for input. Payload.py will have been built and be sitting in the cwd (just ls).

Actually Chris, on 64-bit kali, wine isn't installed. Launching the setup script will get a helper wine64 package ask to setup multiarchs and install the 32-bit wine. After doing this, on my system, Python wasn't installed under wine. So when using Veil, obviously pyInstaller does not succeed in creating the payload. So this never works:

    # Else, used pyinstaller (used by default)
    else:
        print
        os.system('wine /root/.wine/drive_c/Python27/python.exe /root/pyinstaller-2.0/pyinstaller.py --noconsole --onefile payload.py')
        os.system('mv dist/payload.exe .')

and later the temp payload.py is cleaned up.

@Alexandros Iliopoulos: unzip Veil.py a second time and launch setup.py again and make sure to install Python under wine (if this was your problem). If not, I hope I at least solved someone's problem.

CTruncer says: May 30, 2013 at 10:11 pm
Yeah, you're absolutely right. We initially tested on and developed for x86 Kali, but supporting x64 Kali is important to us as well. Looks like you helped to save us some time in supporting this, so thanks! We'll be adding this capability to the tool shortly.

Bhavin says: August 27, 2013 at 5:51 am
Hi Chris, Thanks for the great tool in advance. But the solution above doesn't work for me as well. No payload is generated using pyinstaller.py. I have changed the supportfiles.py by following the post mentioned here http://www.infosecisland.com/blogview/23359-Sewing-Patches-in-the-Veil-AV-Evasion-Framework.html But that also does not work. Have checked the location for my pyinstaller.py file which is here /usr/share/pyinstaller/pyinstaller.py The payload.py file gets created under the source directory. Don't know what I am doing wrong. I have Kali Linux. If you need more info, will be glad to help. Kind Regards, Bhavin

CTruncer says: August 27, 2013 at 6:29 am
Hi, We don't recommend making that change which is in the article as it can break Veil. You need to give us a little more info to help. What version of Kali are you using? Did you run the setup script? Please reach out to us on twitter and/or Freenode irc channel #veil and we can give live support. Thanks

Bhavin says: August 27, 2013 at 8:52 am
Hi Chris, Version of Kali is 1.0. Firstly I installed veil from add/remove softwares and then it downloaded a lot of supported software. Kali did run and had no errors with that at all, except no .exe file was being generated. Then I downloaded the files from git and ran the setup.sh file. Same results, no .exe file. Am I missing anything? Kind Regards, Bhavin

CTruncer says: August 27, 2013 at 8:57 am
Hey, We posted that there is currently an issue with installing Veil via apt. The offsec guys (they're an awesome team) are currently looking into fixing the veil package, unfortunately it happens considering Veil requires a wide variety of dependencies for the payloads that it generates. And unfortunately, if you try installing via apt, it causes issues when installing via git too. Easiest way would be to go back to a snapshot before you installed veil via apt, and instead install it via git. It'll work for you then.

Bhavin says: August 27, 2013 at 9:25 am
Hi, Is there a tutorial somewhere where I can follow it, and you mentioned snapshot in Kali, how do I go about doing that? But the link will be great. Kind Regards, Bhavin

CTruncer says: August 27, 2013 at 9:31 am
You would have needed to have taken a snapshot with VMware (or your virtualization software of choice). There isn't a tutorial for installing Veil because all you need to do is run the setup script and it handles everything. If you're having issues, honestly the best bet is to try with a clean system. You are potentially going to have issues when trying to install from git after a failed apt install.

Bhavin says: August 27, 2013 at 9:41 am
hmm... okay, thanks Chris. I think the best thing to do is to do a clean install... but first I am trying the git way... let's see... fingers crossed. Kind Regards, Bhavin

CTruncer says: August 27, 2013 at 10:28 am
Yeah, sorry, might not have been what you were looking for, but git, as of right now, is the way to install due to a bug in the veil package. I'm 100% certain if you have a clean Kali and install/setup veil from git, it will work for you.

6.

@SelsRoger says: May 30, 2013 at 7:33 pm
For completeness sake: dpkg --add-architecture i386 && apt-get update && apt-get install wine-bin:i386 are what should be executed on kali 64bit before launching the setup.sh script.

7.

MARCELO CARVALHO (@mfcarva) says: May 30, 2013 at 8:00 pm
good job.

CTruncer says: May 30, 2013 at 10:11 pm
Thanks, much appreciated

8.

alex says: May 30, 2013 at 11:47 pm
This is absolutely amazing !!!!

9.

rootless says: May 31, 2013 at 8:00 am
man, this is an awesome work!

10.

James W says: May 31, 2013 at 8:18 am
Thanks for the post. I am able to get a meterpreter connection. However, when I try to run a command, I get unknown command. I just type ? at the meterpreter prompt, nothing is returned. Any suggestions? Thanks

CTruncer says: May 31, 2013 at 9:39 am
What sort of machine are you running it on?

James W says: May 31, 2013 at 9:47 am
I have tried from a windows 7 machine and kali (both with no firewall). The victim machine is a windows 2003 sp2.

CTruncer says: June 1, 2013 at 12:25 am
Which wrapper are you using? py2exe or pyinstaller? Can you try both?

James W says: June 3, 2013 at 7:41 am
I've been using py2exe. I will try pyinstaller and let you know what happens.

James W says: June 3, 2013 at 9:12 am
Just tried it with pyinstaller and getting the same results. Getting the meterpreter prompt, but nothing is loaded.

CTruncer says: June 3, 2013 at 10:18 am
What's your environment that you are using it in? Also, might be easier to hit myself (@ChrisTruncer), @themightyshiv, or @the_grayhound up on twitter, and provide us a pastebin of everything you've been doing.

James W says: June 3, 2013 at 10:45 am
Just tried this on a winxp machine and everything worked great. Wonder why the win2003 machine is giving me problems. Going to try and get more info about the system.

James W says: June 11, 2013 at 11:22 am
This is the error that I am getting: Failed to load extension: No response was received to the core_loadlib request.

CTruncer says: June 12, 2013 at 2:00 pm
Can you check, are you using the latest version of Veil?

James W says: June 12, 2013 at 4:24 pm
I am running the latest version. Thanks for your help

CTruncer says: June 12, 2013 at 8:43 pm
You should hit all three of us up on twitter. Give us all the tech specs of what you are running on your systems, and pastebin the entire thing so we can see what you're doing. @ChrisTruncer @TheMightyShiv @the_grayhound

11.

Apos says: May 31, 2013 at 11:37 am
I haven't tried the tool yet, but just out of curiosity, I would like to ask something. When someone generates a meterpreter based payload with metasploit into an exe template, then metasploit will put there the 1st stage which will then get the rest of the necessary modules upon connection with the evil machine. So, does that tool basically try to hide that 1st stage? Thanks for your time. Apos

CTruncer says: June 1, 2013 at 12:26 am
Pretty much. This is kind of a wrapper for meterpreter's stage 1.

12.

rw says: May 31, 2013 at 11:40 am
well done, it's working great so far. any plans to offer x64 msf payloads eventually? also, you mention it works on almost all AV products; can you disclose which ones caught it?

alex says: May 31, 2013 at 5:44 pm
just ran it thru virustotal and only 2/47 detected it. it passed with flying colors as no major AV caught it :). btw i used this on a windows 7 machine 64bit. some AV called antiy-AVL and TheHacker caught it. hope i helped :)

rw says: May 31, 2013 at 8:01 pm
Ugh. Best not to upload stuff like this to VT as AV vendors have been known to use VT's signatures, thus making things easier to detect.

mj says: June 1, 2013 at 12:28 am
Yea, the longer this stays out of VT, longer it's likely to stay undetected and remain useful.

SuperNova says: June 11, 2013 at 5:22 am
Read the line: Please, be kind, and don't submit any payloads to VirusTotal

CTruncer says: June 1, 2013 at 12:28 am
We can definitely look into adding x64 meterpreter, that wouldn't be hard to do. We just wanted to start with the x32 bit versions first. We mentioned almost all AV products because we just simply haven't tested EVERY single AV solution out there. Of the ones we've tested, it's bypassed every one of them. However, just due to not having tested all solutions, we just didn't think it was fair to say we bypass them all.

13.

Hugo Sanchez says: June 1, 2013 at 12:02 pm
Well done alex !! IOMG, it is a common rule and everybody knows NOT to upload samples to VT for checking since there'll be signatures soon in the AV products for your sample !

14.

xmatt says: June 3, 2013 at 3:21 pm
Chris, firstly congrats, brilliant tool. Could I suggest that perhaps you put an explanation at the top by your comment about not uploading to VT? I think Hugo Sanchez said it quite well, so words to that effect. It would be nice if there was an efficient way to communicate this kind of tool to the community without the risks of the general masses getting their hands on it and it shortly being smashed through VT regardless. Maybe there is a need for a reputation-trust based social network type website maintained by the community that is quite well guarded? just a thought

CTruncer says: June 6, 2013 at 11:27 pm
Thanks for the kind words, appreciate it. As for Virus total, I would have thought that that was common sense, but looks like a disclaimer wouldn't hurt

Epidome says: August 22, 2013 at 5:57 pm
Well, isn't it counter productive not to? I mean, are these methods developed for the good or bad?

CTruncer says: August 22, 2013 at 6:02 pm
No, we don't want to submit them because we would like the payloads to avoid AV.

Epidome says: August 22, 2013 at 7:14 pm
Ah ok. I thought the idea was to have the Av protect from people using this method to do evil.

CTruncer says: August 22, 2013 at 8:55 pm
There's a lot of legitimate reasons to release a tool like this. While that is one, it isn't our goal. Primarily we released this to help pen testers and red teamers during their assessments.

Epidome says: August 23, 2013 at 6:52 am
Ok. Well, I just think I have a hard time seeing how this industry works.

CTruncer says: August 23, 2013 at 8:00 am
What exactly? We already know that malicious actors can perform the same task quite easily. Shouldn't we allow the white hats to perform the same capability?

15.

bON says: June 7, 2013 at 4:01 am
Sorry, but I can not download setup/requiredfiles.zip because this file is big! :( Can you help me???

CTruncer says: June 8, 2013 at 10:37 pm
Those are all the files required for setup, so it might be useful to have.

16.

bON says: June 7, 2013 at 4:09 am
Dear Chris! Can you create a tutorial video, where you show how to install and exploit Veil! Please!

17.

someinterestedguy says: June 7, 2013 at 10:08 am
can you port Veil to mac (no wine)? thanks.

CTruncer says: June 7, 2013 at 8:37 pm
We do have a goal to make Veil not rely on any underlying OS, but purely on Python, but as of now it is reliant on Linux. It does work best on Kali, and as of now we recommend using it on Kali.

18.

Coldfire says: June 7, 2013 at 3:27 pm
How can i use Veil to create a payload On external IP ??? When i try to Create a payload thrs no option to create payload for External IP.. May b thrs another method i dnt knw.. your help is much appreciated..

CTruncer says: June 8, 2013 at 10:37 pm
Could you elaborate on that? You provide the IP address that the callback goes to, so it can be for any IP.

Coldfire says: June 10, 2013 at 7:25 am
When i try to create a payload It says Enter ur local IP. Dats what i worried lil bit as u said anyIp .. can we put our Public IP when it says Enter ur local IP ?? If yes than i will try to test it via External network, Not on my same Network, On Internet i mean ?? I forwarded Port also and while generating payload i will put that Port which i forwarded on my Modem. After all this Can i get a meterpreter Shell On External IP ??? Srry Noob Question Again thnx

CTruncer says: June 12, 2013 at 1:59 pm
Yes, you can use your external IP address, or any IP address.

Coldfire says: June 15, 2013 at 3:07 pm
Sir 1 major prob plz help me .. i tried Veil on Ubuntu 13. Its all running ok But when in last i tryied to make Binary .exe it show error

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================
 [Error]: Can't find python.exe in /root/.wine/drive_c/Python27/. Make sure the python.exe binary exists before using PyInstaller.
root@nomno:~/Desktop/Veil-master/Veil-master#

I knw bcoz Python27 is not thr. But when i try to install through wine in Ubuntu It installed in my home/machinename/.wine/drive_c/Python27. How can i change the script to Take Python27 frm another location??? and which script shld i change. Help !! plzzz

CTruncer says: July 1, 2013 at 12:24 pm
We just pushed out an update where it should allow for use on non-kali linux. That looks to be your problem

19.

anonymous says: June 8, 2013 at 4:30 pm
Hello there Chris, Just dropping by to say thank you and that you did a brilliant job. I appreciate the effort. Thank you mate. P.S. I promise never to use it on virustotal lol. James

CTruncer says: June 8, 2013 at 10:36 pm
Haha, Thanks for both accounts, we all appreciate it.

20.

Ali says: June 8, 2013 at 8:52 pm
maybe a little stupid question? but there are too many files on your github link? how do i get all modules etc? cause it will take me ages to download all files? Thanks and sorry for a noob question. By the seem nice. all the best for upcoming updates.

CTruncer says: June 8, 2013 at 10:35 pm
Hey, No, there aren't too many. The reason it is semi-large is because we have all the required setup files included within the git repo. We included them because we've tested with those specifically and they are known to be working.

21.

iso (@watiso0) says: June 10, 2013 at 12:59 pm
good job

CTruncer says: June 12, 2013 at 1:59 pm
thanks, we appreciate it

22.

dimi says: June 12, 2013 at 11:48 am
Hello Chris, sorry for the bad english!! The Payload crashes when I try to run it, the machines are windows xp (italian) x86. I've installed the requirement that you have indicated. thanks

CTruncer says: June 12, 2013 at 1:58 pm
Hi there, we need a bit more information. Are you running the latest version of Veil on Kali? Have you updated it? How are you generating your payload files? Might be easy to talk to us on twitter. Look up our accounts: @ChrisTruncer @TheMightyShiv @the_grayhound

dimi says: June 13, 2013 at 2:33 am
yes, I'm running the latest version of veil on windows xp, I've downloaded veil yesterday from github, so I think to have the latest version. I'll create a twitter account soon. Thanks.

CTruncer says: June 13, 2013 at 8:05 am
The readme and this blog post say to run Veil on Kali.

Matt B says: June 16, 2013 at 5:16 am
Hi, it works fine when used on my local network but when others open the .exe from a different wifi connection, nothing happens. Any ideas?

CTruncer says: June 16, 2013 at 4:51 pm
You might need to check into your port forwarding.

23.

Bernie says: June 16, 2013 at 2:06 am
Would be great if you could specify hostname for reverse_https instead of just IP address. Other than that, great job!

CTruncer says: June 16, 2013 at 4:50 pm
Good request. We're working on the error checking logic to make this happen. Thanks for the feedback

24.

Lolantha Peiris says: June 19, 2013 at 11:11 am
I get this error. Do you have any idea about it? Any help would be much appreciated.
[Error]: Can't find python.exe in /root/.wine/drive_c/Python27/. Make sure the python.exe binary exists before using PyInstaller.

CTruncer says: June 19, 2013 at 12:39 pm
Did you run the setup script? Are you using Kali x86? Do you have python installed within wine?

25.

Phobos69 says: June 20, 2013 at 4:22 pm
Thanks a lot for this tool. It works perfectly. Just a little question, has somebody tried to convert the payload.exe, obtained with veil, with exe2vba of metasploit to obtain a macro for MSOffice? I tried, but sometimes it works and sometimes I receive an error when opening Word. Can somebody help me? Thanks in advance.

CTruncer says: June 20, 2013 at 5:15 pm
We haven't tested the capability of that. So as of right now, we'd have no idea if that worked or not.

26.

Carl Campbell says: June 22, 2013 at 3:31 am
Hi. Just picked up Veil today and been playing with it this afternoon. Excellent job. I've been having a bit of bad luck with some of the resulting *.EXEs, 3 of them got picked up by Norton (Argh!). However, all of the powershell payloads I created work like a charm!!! Great job, Christopher. Keep up the good work!

CTruncer says: June 22, 2013 at 9:06 am
What version of Norton were you going against? What payloads did you use? What was the message that Norton had detected the exes with?

Carl Campbell says: June 27, 2013 at 11:29 pm
This is how my test went:
1. I used 3 PCs, all of them brand new.
2. They all had a version of Norton Internet Security pre-installed.
3. The attacking machine was a remote VM.
4. The payload was created using python/DESVirtualAlloc and compiled with pyinstaller.
5. No additional msfvenom parameters were used.
Norton identified the file as Metasploit, correctly identified the destination and port. It was just a test; I didn't bother to encode the payload.

27.

k says: June 26, 2013 at 3:33 pm
i can't run it on kali, it gives me that error
./Veil.py
bash: ./Veil.py: No existe el fichero o el directorio

Carl Campbell says: June 27, 2013 at 11:34 pm
You have to be in the folder where you unpacked Veil. Supposing that you installed on your home folder, type:
# cd ~/Veil-master (or whatever you called the dir)
# ./Veil.py

k says: June 30, 2013 at 7:28 am
i managed to open it with /root/Veil/Veil.py, now it gives me that error
[?] How would you like to create your payload executable?
1 Pyinstaller (default)
2 Py2Exe
[>] Please enter the number of your choice: 1
C:\Python27\python.exe: can't open file /root/pyinstaller-2.0/pyinstaller.py: [Errno 2] No such file or directory
mv: no se puede efectuar `stat sobre dist/payload1.exe: No existe el fichero o el directorio
rm: no se puede borrar *.spec: No existe el fichero o el directorio
rm: no se puede borrar logdict*.*: No existe el fichero o el directorio
i think i made a great mess : )

CTruncer says: July 1, 2013 at 12:27 pm
This is because you are running it on Windows. Please use Kali

28.

bonich7@rambler.ru says: July 3, 2013 at 10:37 am Dear, Chris! When i use Py2Exe, Veil no creat file in output/compiled/ ! Can you help me, please! reply

CTruncer says: July 3, 2013 at 10:42 am Py2Exe requires python and other dependencies installed on windows. Review the Veil readme file, it details exactly what you need. When using py2exe, you move the files from the source folder into your windows machine and convert into an executable there. reply

bonich7@rambler.ru says: July 3, 2013 at 10:47 am I was mistaken! When i use Pyinstaller!!

17 of 23

10/30/2013 12:44 AM

Veil - A Payload Generator to Bypass Antivirus | Christopher Truncer's W...

https://www.christophertruncer.com/veil-a-payload-generator-to-bypass-a...

reply

CTruncer says: July 3, 2013 at 10:48 am If you need support, which it sounds like you might need help. The best place is to talk the three of us developers on twitter, or in #veil on freenode. reply

bonich7@rambler.ru says: July 3, 2013 at 10:49 am When i use Pyinstaller!! Veil no creat file in output/compiled/ ! reply

CTruncer says: July 3, 2013 at 10:50 am
Please contact us on Twitter, or even better, within #veil on freenode. We can help you there.

29. Dimo says: July 17, 2013 at 11:43 pm
I have one question: when I use custom shellcode (all in one line and no quotes) the Veil console flickers up and down for maybe 2 min, and then returns to the beginning. Is this a bug, or is my shellcode too big?

CTruncer says: July 18, 2013 at 9:15 am
Sounds like it might be a bug. Can you pastebin us everything you are doing, and send it to us via twitter/e-mail/github? Info is on https://www.veil-evasion.com

30. Anumod says: July 26, 2013 at 5:07 am
I have tried to install on Linux x86 using setup.sh but in the end I receive the following errors:
    ./setup.sh: line 55: cd: ../config: No such file or directory
    python: can't open file update.py: [Errno 2] No such file or directory

CTruncer says: July 26, 2013 at 12:27 pm
Are you using the latest version from github?


Anumod says: July 27, 2013 at 5:34 am
Thank you Christopher.. I got it.

31. Moises says: July 26, 2013 at 6:55 am
Hello and thank you for the tool. I have tried it a few times, looks great. I really hope you will continue developing it. I am new to Kali and security in general. Is there an option in Veil to merge the payload.exe generated with another custom executable, let's say an ftp.exe? If not, do you know of any tool in Kali which will give me the option to do so? Thank you.

32. Steve says: July 26, 2013 at 4:37 pm
Thanks for posting this! It looks amazing, but I'm having trouble getting it installed. Google-fu didn't help me, so I'm posting here. Sorry if it's a retarded question, but if the boot fits... I downloaded the setup.sh to Kali. I attempted to run it and got:
    root@kali:~# sh ./setup.sh
    ./setup.sh: 5: ./setup.sh: Syntax error: newline unexpected
How to do? :\

Steve says: July 26, 2013 at 5:02 pm
Fixed myself. Working great! <3 Thank you so much for posting this.

CTruncer says: July 26, 2013 at 5:03 pm
What was the issue? Does it need a patch?

33. Robert says: July 30, 2013 at 5:27 am
Is it possible to add msfvenom options such as -x for template name? At one point it says: "Enter extra msfvenom options in OPTION=value syntax". If I want to add a custom template, how do I go with this one? Tried a few methods but no luck. I think this one was asked in one of the above posts too.

CTruncer says: August 12, 2013 at 8:59 am
Yeah, you can add extra options exactly in that OPTION=value section of Veil, but the only one that won't work is the -x. That's because you're not cloning an existing template when using Veil, it's making its own template.


Robert says: August 26, 2013 at 6:20 am
Do you consider this as a future addition to Veil? It would be great if we had the option to inject the new Veil exe into, let's say, putty so it runs when you open putty.

CTruncer says: August 26, 2013 at 7:59 am
Veil doesn't work in that way, it makes its own executable (and by extension, its own template). To use another template, you can just use msfvenom.

34. Bhavin says: August 28, 2013 at 1:01 am
Hey Chris, I installed Kali again and downloaded the latest Veil version from git. Errors below after I run as sudo sh ./setup.sh:
    ./setup.sh: 4: [: root: unexpected operator
    ./setup.sh: 13: [: 1: unexpected operator
    [ERROR]: Either run this setup script as root or install sudo.
Is there anything wrong I am doing? Kind Regards, Bhavin

Bhavin says: August 28, 2013 at 3:22 am
Hi Chris, Finally got it working: used bash ./setup.sh instead and that did the trick. Although not the first time. Had the error "Can't find python.exe in /root/.wine/drive_c/Python27/". So followed the post above by Alexandros Iliopoulos to unzip the package again and start the install process. Went through the python setup and voila... works like a charm. Thanks for your prompt replies. Kind Regards, Bhavin

35. bukovinai says: September 5, 2013 at 8:50 am
Hi Christopher, I created a python style payload (with pyinstaller) but when I run this payload on my machine the program quits after some seconds. How can I debug what the problem is? (I would like to create a reverse meterpreter shell.) My environment: win7 x64 + SCEP 2012. The AV didn't alert me. (I created a crypted payload with hyperion crypter and that works fine for me.) So, I don't know why this doesn't work for me.

CTruncer says: September 5, 2013 at 1:02 pm
Can you send us a message on twitter, and give us a pastebin of everything you've run? Thanks

bukovinaikovinai says: September 6, 2013 at 3:26 am
Sorry. It was my mistake (the handler was aborted somehow). I restarted the handler and the payload works nicely now. But I have another problem. I have 2 machines. One laptop is at home and another desktop is in my office. In my office everything works fine (python install in wine, etc.). Everything is very nice, but on my laptop python can't install under wine. I don't understand what the problem is (and what the difference is between the two machines). Both computers are running Linux Kali (in VirtualBox). How can I compare the 2 systems? I don't know what is different (all software versions are the same: wine, python.msi, veil, etc). What should I do? Please help me. (After I tried to install python 2.7 in wine, python.exe doesn't exist in the .wine/drive_c/Python dir? The installation was unsuccessful.) PS: Veil is excellent. Great work man!

CTruncer says: September 6, 2013 at 12:09 pm
For the one with issues, how did you install wine? Did you do it from apt or from cloning the git repo? I just need a little bit more info to be able to help you troubleshoot this?

bukovinaikovinai says: September 6, 2013 at 2:57 pm
Hi! Problem solved. I installed wine with apt-get install (version of wine is 1.4.1). The solution: extract python-2.7.5.msi (with uniextractor) in Windows, copy -r all of the python files to .wine/drive_c/Python27, then add to registry:
    pico pyreg.reg:
    [HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7]
    [HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7\InstallPath]
    @="C:\\python27"
    [HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7\PythonPath]
    @="C:\\python27;C:\\python27\\Lib\\;C:\\python27\\DLLs\\"

    wine regedit pyreg.reg
then install all of the components in wine (pywin32, py2exe, pycrypto), then everything works (I used the Pyinstaller method in Veil).

This method is a workaround for the "err:msi:ACTION_InstallFiles Failed to extract cabinet: blablabla" error.

CTruncer says: September 6, 2013 at 6:45 pm
Awesome, thanks for posting a solution in case anyone else has that same problem!

36. gizmo1 says: October 20, 2013 at 5:32 am
Hello sir, I have used your program and it is very nice, but when I create the .exe file and send it to the target computer on which Kaspersky Internet Security is installed, it detects the infected .exe file. Please help me out to hide the file from antivirus and get access to the target computer. I did AES encrypted.

Christopher Truncer says: October 20, 2013 at 9:34 am
I believe Kaspersky may be catching it sometimes based off of heuristics. Currently, Veil-Evasion is designed to evade disk based detection. One thing you could try is a powershell based payload, or signing the payload. Also, you could try to modify the source code, and re-wrap it into an executable and try to evade it. If you create something that does it, you should certainly let us know or submit a pull request for a new payload, we'd love to see it.
