Wednesday, 9 October 2013

Veil - Custom Metasploit Payloads

So I was looking into customizing Metasploit payloads to bypass antivirus and host intrusion protection, but my assembly and bit-flipping skills are lacking... or non-existent...

So in steps Veil. I don't know why I only saw this recently, but it's a great tool for generating all kinds of custom Metasploit payloads. Developed in Python, Veil runs on Linux (already in the Kali sources) and Windows. It's another great way to bypass antivirus so you can use the Metasploit tools for password audits and internal pen tests.

We use it for a variety of legitimate reasons on the internal network. A good example is that we have a suite of McAfee products on a network/hosts with ePO. When we get a malware infection alert from a PC that is firewalled off and we can't access it, we get ePO to push the custom payload to the ePO agent on the box and run it to pop a shell, so we can access, analyse and clean if necessary. Quite ironic, I think (:

When running Veil you will notice the devs made the interface very similar to the Metasploit console interface. If you're familiar with that, then using Veil out of the box should be a breeze for you (:

I had some issues running Veil properly from the Kali sources (issues using Wine with the default version of Veil at the time), so I downloaded the latest release from GitHub, which now also supports 64-bit systems:

Once you have a copy from git, it's very important to run the setup script, which fetches the required files and gets it working with Wine (for automatically compiling the Python payload to an EXE).

When I run Veil, one of the options I use is "compile_to_exe", which runs Wine on Kali and compiles the custom Python payload to an EXE for me. You don't have to do it this way; you can output the Python payload to a file and compile it to an EXE later on a Windows system using the py2exe libraries.

The only thing to do now is set up a Meterpreter listener for your incoming custom payload. The compiled custom payload ran flawlessly on fully patched and up-to-date systems running McAfee AV and HIPS.

You can use Veil with Cobalt Strike's Beacon and a variety of other tools out there; its range of applications is quite wide:

For more info, videos and updates, check out:

NB: Don't upload your new custom payloads to VirusTotal or similar services to see whether they are detectable... rather, test that they run against your own servers and antivirus products to ensure the payloads stay undetected for longer.