The Veil-Framework
@HarmJ0y
@ChrisTruncer
@VeilFramework
Who Are We?
- Will Schroeder (@harmj0y)
  - Former national research lab keyboard monkey
- Chris Truncer (@ChrisTruncer)
  - Florida State Graduate – Go Noles!
- Veris Group pentesters by day, offensive security researchers by night
- And we're hiring!
Overview
- The Initial Problem
- Public Reaction and Ethical Considerations
- The Veil-Framework
  - Evading AV: Veil-Evasion
  - Payload Delivery: Veil-Catapult
  - Situational Awareness: Veil-PowerView
- Demos Throughout
The Initial Problem
- Antivirus doesn't catch malware but (sometimes) catches pentesters
Our Initial Solution
- A way to get around antivirus as easily as professional malware
- Don't want to roll our own backdoor each time
- Find a way to execute existing shellcode in an AV-evading way
The Veil-Framework
- A toolset aiming to bridge the gap between pentesting and red teaming capabilities
- We started with Veil-Evasion, and began to branch out to payload delivery and PowerShell exploitation
- Nothing revolutionary here, but we want to bring together existing techniques and incremental research to try to push things forward
Ethical Considerations
- The disclosure debate is not new…
- Pentesters are 5+ years behind the professional malware community
- This is already a problem the bad guys have solved
HD Moore's Take
- "The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won."
- https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information
Public Reaction
- "surely this will just result in 21 new signatures for all major AVs and then we're back to square one?"
- "Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?"
- "The other point here is that anything that helps to expose how ineffective AV really is at stopping even a minimally sophisticated attacker is a good thing."
- http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/
Twitter Reaction
Evading AV
Veil-Evasion
Veil-Evasion's Approach
- Aggregation of various shellcode injection techniques across multiple languages
  - These have been known and documented in other tools
- Focused on automation, usability, and developing a true framework
- Some shellcodeless Meterpreter stagers and "auxiliary" modules as well
Veil-Evasion Features
- Can use Metasploit-generated or custom shellcode
- MSF payloads/options dynamically loaded
  - In the process of porting msfvenom
- Third party tools can be easily integrated
  - Hyperion, PEScrambler, BackDoor Factory, etc.
- Command line switches to allow scriptability
Native Compilation
- Python: pyinstaller/py2exe
- C#: mono for .NET
- C: mingw32
Module Development
- Implement your own obfuscation methods!
- Lots of reusable functionality
- Shellcode generation is abstracted and can be invoked as needed
- https://www.veil-framework.com/tutorial-veil-payload-development/
Shellcode Injection
- Void pointer casting
  - no guarantee the memory region is executable
- VirtualAlloc
  - allocate memory as RWX, copy code in and create a thread
- HeapAlloc
  - create a heap object and manually allocate memory
Pyinstaller and DEP
- Pyinstaller-produced .exe's are DEP enabled by default
  - this ruins some shellcode injection methods
- Luckily Pyinstaller is open source
  - we can recompile to turn off the DEP opt-in
- https://www.veil-evasion.com/dep-pyinstaller/
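The DEP opt-in the slide talks about is a single linker flag in the PE optional header (IMAGE_DLLCHARACTERISTICS_NX_COMPAT). As an added example, not Veil or Pyinstaller code, here is a small Python check an analyst can run over a dropped .exe to see whether that flag was cleared; the PE headers it tests against are constructed inline and are not real binaries.

```python
import struct

# Well-known DllCharacteristics bits from the PE specification.
NX_COMPAT = 0x0100     # DEP opt-in; Pyinstaller sets it by default
DYNAMIC_BASE = 0x0040  # ASLR opt-in, reported alongside DEP for context


def pe_dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20          # skip PE signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    return struct.unpack_from("<H", pe, opt + 70)[0]


def dep_enabled(pe: bytes) -> bool:
    """True when the image opts into DEP (NX_COMPAT set)."""
    return bool(pe_dll_characteristics(pe) & NX_COMPAT)


def build_sample_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (headers only, no sections) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)  # i386, EXE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                 # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, flags in (("default Pyinstaller build", NX_COMPAT | DYNAMIC_BASE),
                         ("DEP opt-in removed", DYNAMIC_BASE)):
        print(f"{label}: DEP {'on' if dep_enabled(build_sample_pe(flags)) else 'off'}")
```

Replace the constructed header with the bytes of a real file (`open(path, "rb").read()`) to check a suspect loader.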
Pwnstaller
- A generator for obfuscated Pyinstaller loaders
  - BSides Boston '14 – Pwnstaller 1.0
- Dynamically generates and compiles a new Pyinstaller loader on the fly
- http://www.harmj0y.net/blog/python/pwnstaller-1-0/
Payload Releases
#VDay
VDay
- Since 9/15/2013, we've released at least one new payload on the 15th of every month
- 32 currently published payloads
- 20+ additional payloads have been developed so far
  - we're going to be releasing for a while :)
Native Stagers
- Stage 1 Meterpreter loaders don't have to be implemented in shellcode
- Meterpreter stagers can be written in higher-level languages
- https://github.com/rsmudge/metasploit-loader
Veil-Evasion Stagers
- The following are the stagers currently available in the framework (as of 5/15/14):

Language   Stager
Python     meterpreter/rev_tcp
Python     meterpreter/rev_http
Python     meterpreter/rev_http_contained
Python     meterpreter/rev_https
Python     meterpreter/rev_https_contained
C#         meterpreter/rev_tcp
C#         meterpreter/rev_http
C#         meterpreter/rev_https
C          meterpreter/rev_tcp
C          meterpreter/rev_tcp_service
C          meterpreter/rev_http
C          meterpreter/rev_http_service
How Stagers Work
1) a tcp connection is opened to the handler
2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll
3) the socket number for this tcp connection is pushed into the edi register
4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)
- reverse_http stagers skip steps 2 and 3
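Step 2 of that exchange seen from the wire: an added Python example (not Veil or Metasploit code) that inspects a captured handler reply and decides whether it looks like a stage delivery, which is the part of the handshake a network sensor can check. It assumes the 4-byte size is little-endian and that the stage, being a DLL, begins with the MZ signature; the sample streams are constructed inline.

```python
import struct

# Assumed wire format of the handler's reply: 4-byte little-endian length,
# then exactly that many bytes of DLL. A DLL image starts with "MZ".
LEN_PREFIX = struct.Struct("<I")


def parse_stage_delivery(stream: bytes) -> dict:
    """Classify a captured handler->stager reply.

    Returns a dict with "complete" (enough bytes to judge), "is_stage"
    (length prefix matches the body and the body starts with MZ) and a
    short "reason". Short or truncated captures are reported as incomplete
    rather than silently classified either way."""
    if len(stream) < LEN_PREFIX.size:
        return {"complete": False, "is_stage": False, "reason": "short read"}
    declared = LEN_PREFIX.unpack_from(stream, 0)[0]
    body = stream[LEN_PREFIX.size:]
    if len(body) < declared:
        return {"complete": False, "is_stage": False,
                "declared_size": declared, "received": len(body),
                "reason": "truncated"}
    is_stage = declared > 0 and body[:2] == b"MZ"
    return {"complete": True, "is_stage": is_stage,
            "declared_size": declared, "received": len(body),
            "reason": "ok" if is_stage else "no MZ header"}


def build_sample_reply(stage: bytes) -> bytes:
    """Constructed handler reply: length prefix followed by the stage bytes."""
    return LEN_PREFIX.pack(len(stage)) + stage


if __name__ == "__main__":
    # Constructed stand-in for a reflective DLL: MZ signature plus filler.
    fake_stage = b"MZ" + b"\x90" * 1022
    print(parse_stage_delivery(build_sample_reply(fake_stage)))        # full stage
    print(parse_stage_delivery(build_sample_reply(fake_stage)[:300]))  # cut capture
    print(parse_stage_delivery(build_sample_reply(b"HTTP/1.1 200 OK")))  # not a stage
```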
Veil-Evasion Demo
Payload Delivery
Veil-Catapult
- After payload generation, our focus shifted to delivery
- Features nice integration with Veil-Evasion for on-the-fly payload generation
- Cleanup scripts generated for payload killing and deletion
- Command line flags for every option
- https://www.veil-framework.com/catapult/
.EXE Delivery
- Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe
- Payloads are delivered in one of two ways:
  - upload/execute using Impacket and pth-toolkit
  - host/execute UNC path to the attacker's box
- UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
Standalone Payloads
- PowerShell: shellcode injector, bye bye disk writes
  - http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
- Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide)
- Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
Barebones Python
- Uploads a minimal python .zip installation and 7zip binary
- Python environment unzipped, shellcode invoked using "-c …"
- The only files that touch disk are trusted python libraries and a python interpreter
- Gets right by some reputation filters and antivirus!
- https://www.veil-framework.com/barebones-python-injection/
Veil-Catapult Demo
Situational Awareness
Veil-PowerView
Situational Awareness: redux
- Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration
- Old schoolz:
  - net group /domain
  - net group "domain admins" /domain
  - net users /domain
  - net user "jsmith" /domain
  - net view \\hostname
  - netsess.exe
  - custom tools utilizing WinAPI calls
  - blah blah blah
Veil-PowerView
- A pure PowerShell situational awareness tool
- https://www.veil-framework.com/veil-powerview/
- Arose partially because a client banned "net" commands on domain machines
  - annoying, but only a minor roadblock
- Otherwise initially inspired by Rob Fuller's netview.exe tool
- Wanted something a bit more flexible that also didn't drop a binary to disk
- Started to explore and expand functionality
Get-Net*
- Full-featured replacements for almost all "net *" commands, utilizing PowerShell AD hooks and various API calls
- Get-NetUsers, Get-NetGroup, Get-NetServers, Get-NetSessions, Get-NetLoggedon, etc.
- See README.md for the complete list, and function descriptions for usage options
Meta-Functions
- Invoke-Netview: full-featured netview.exe replacement, plus more:
  - hostlists, jitter/delay, check share access, etc.
- Invoke-ShareFinder: finds open shares on the network and checks if you have read access
- Invoke-FindLocalAdminAccess: port of the local_admin_search_enum.rb Metasploit module
  - finds machines the current user has admin access to
- Invoke-FindVulnSystems: queries AD for machines likely vulnerable to MS08-067
User Hunting
- Goal: find which domain machines specific users are logged into
- Invoke-UserHunter: finds where target users or group members are logged into on the network, optionally checking if you have admin access on targets with found users!
  - Utilizes Get-NetSessions and Get-NetLoggedon
- Invoke-StealthUserHunter: extracts user.HomeDirectories from AD, and runs Get-NetSessions on file servers to hunt for targets
  - Significantly less traffic than Invoke-UserHunter
Veil-PowerView Demo
Get the Veil-Framework
- Github: https://github.com/Veil-Framework/
- Read more: https://www.veil-framework.com
- Now in Kali: apt-get install veil
Questions?
- harmj0y@veil-framework.com
- @harmj0y
- chris@veil-framework.com
- @ChrisTruncer
- #veil on freenode
- forums at https://veil-framework.com/forums/
