Antivirus Evasion Framework: Veil Framework
The Veil-Framework is a collection of red team security tools that implement various attack methods focused on evading detection. It currently consists of:
Veil-Evasion: a tool to generate antivirus-evading payloads using a variety of techniques and languages
Veil-Catapult: a psexec-style payload delivery system that integrates Veil-Evasion
Veil-Pillage: a modular post-exploitation framework that integrates Veil-Evasion
Veil-PowerView: a powershell tool to gain network situational awareness on Windows domains
Software Requirements:
Linux
Use Kali (x86) and all dependencies are pre-installed
or
Install Python 2.7
Install PyCrypto >= 2.3
Windows (for Py2Exe compilation)
Python (tested with x86 – http://www.python.org/download/releases/2.7/)
Py2Exe (http://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/)
PyCrypto (http://www.voidspace.org.uk/python/modules.shtml)
PyWin32 (http://sourceforge.net/projects/pywin32/files/pywin32/Build%20218/pywin32-218.win32-py2.7.exe/download)
Setup (tl;dr)
NOTE: Installation must be done with superuser privileges. If you are not using Kali Linux, prepend each command with sudo or change to the root user before beginning.
Run setup.sh -c on Kali x86.
Install Python 2.7, Py2Exe, PyCrypto, and PyWin32 on a Windows computer (for Py2Exe).
Quick Install
apt-get -y install git
git clone https://github.com/Veil-Framework/Veil-Evasion.git
cd Veil-Evasion/
cd setup
setup.sh -c
Regenerating Config
NOTE: This must be done with superuser privileges. If you are not using Kali Linux, prepend each command with sudoor change to the root user before beginning.
Most of the time the config file at /etc/veil/settings.py will not need to be rebuilt but in some cases you might be prompted to do so. The file is generated by config/update.py.
It is important that you are in the config/ directory before executing update.py. If you are not, settings.py will be incorrect and when you launch Veil-Evasion you will see the following.
Main Menu
0 payloads loaded
Don’t panic. Enter the config/ dir and re-run update.py.
Veil-Evasion was designed to run on Kali Linux, but should function on any system capable of executing python scripts. Simply call Veil-Evasion from the command line, and follow the menu to generate a payload. Upon creating the payload, Veil-Evasion will ask if you would like the payload file to be converted into an executable by Pyinstaller or Py2Exe.
If using Pyinstaller, Veil-Evasion will convert your payload into an executable within Kali.
If using Py2Exe, Veil-Evasion will create three files:
payload.py – The payload file
setup.py – Required file for Py2Exe
runme.bat – Batch script for compiling the payload into a Windows executable
Move all three files onto your Windows machine with Python installed. All three files should be placed in the root of the directory Python was installed to (likely C:\Python27). Run the batch script to convert the Python script into an executable format.
Place the executable file on your target machine through any means necessary and don’t get caught!
RPC Server
On the listener side, run:
./Veil-Evasion --rpc
This will start a listener on port 4242.
On the client side, you will need to run a client program. This can be a custom script or can be as simple as Netcat. The RPC server implements JSON-RPC. This is a good reference for interpreting requests and responses for JSON-RPC: http://json-rpc.org/wiki/specification
The RPC request format is as follows:
method="version" - return the current Veil-Evasion version number
method="payloads" - return all the currently loaded payloads
method="payload_options"
params="payload_name" - return the options for the specified payload
method="generate"
params=["payload=X",
"outputbase=Y"
"overwrite=Z",
"msfvenom=...",
"LHOST=blah] - generate the specified payload with the given options and returns the path of the generated executable\
Download