I made certain assumptions regarding Veil-Evasion’s payload naming scheme, and how Veil-Ordnance works, only to discover that understanding these tool variations is not as intuitive as I thought. This post aims to help provide more clarity regarding Veil-Evasion and Veil-Ordnance.
Veil-Evasion has different payloads which are organized by different attributes. The best way to think about how these payloads are organized is by three attributes:
- Payload Language
- Payload Goal
- Payload Obfuscation
We can see each of these attributes in the following screenshots:
The yellow box is relatively self-explanatory: it surrounds the language that the payload is written in. In the above case with payloads 23 and 24, the language is PowerShell.
The second part of the payload name is the “goal” of the payload, which is contained in the red box. There are two different “goals” that are used by Veil payloads:
- Meterpreter – Meterpreter payloads are payloads that do not contain any shellcode. Rather than injecting shellcode into memory and running it, these payloads use the language they are written in to connect back to your Metasploit handler and load Meterpreter, or Cobalt Strike listener and load Beacon. These payloads are static in the sense that they can only be used to load Beacon or Meterpreter, as opposed to loading arbitrary shellcode with the shellcode inject payloads.
- Shellcode Inject – The shellcode inject payloads are designed to load shellcode into memory and execute it. Generally, this is used to load Meterpreter or Beacon, but these payloads give you the ability to write your own custom shellcode and run it. You can use these payloads to automatically create a user account on the system, spawn calc.exe, or anything you want via the shellcode you write or use.
It’s likely easier to visually see the differences between the payload goals. A sample “Meterpreter” payload (shellcode-less) can be seen below:
A “shellcode_inject” payload, which uses shellcode, looks similar to the following:
Finally, the last part of the payload name (surrounded by the green boxes) describes the level of obfuscation associated with a payload if using a “shellcode_inject” payload, or the type of connection that the payload will use if using a “Meterpreter” payload. The different types of obfuscation can include:
- Flat – this means there is no obfuscation at all
- letter_substitution – letters are swapped out to make valid shellcode
- *_encrypt – the shellcode is encrypted using the selected encryption algorithm
The Meterpreter payloads are simply you specifying if your listener or handler is expecting a reverse tcp, reverse http, or reverse https connection.
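To make the three-part scheme concrete, the following Python is an added example (not Veil’s own code) that parses a payload name into its language, goal, and either obfuscation type or connection type, and tallies an inventory of names. It assumes the slash-separated “language/goal/variant” layout, and the sample names are constructed to match the categories the post lists; a reviewer reading an engagement report can use the same split to tell at a glance which artifacts carried shellcode and whether it sat in the file unobfuscated.

```python
"""Parse Veil-Evasion payload names into the three attributes the post
describes: language, goal, and either obfuscation (shellcode_inject) or
connection type (meterpreter).

Added example, not Veil's own code. The slash-separated "language/goal/variant"
layout and the sample names below are assumptions consistent with the post.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

GOALS = {"meterpreter", "shellcode_inject"}
CONNECTIONS = {"rev_tcp", "rev_http", "rev_https"}


@dataclass(frozen=True)
class PayloadName:
    language: str
    goal: str
    obfuscation: Optional[str]  # set only for shellcode_inject payloads
    connection: Optional[str]   # set only for meterpreter payloads

    @property
    def carries_shellcode(self) -> bool:
        """Meterpreter payloads contain no shellcode; shellcode_inject ones do."""
        return self.goal == "shellcode_inject"


def obfuscation_kind(token: str) -> str:
    """Map the third component of a shellcode_inject name to the categories
    the post lists: flat, letter_substitution, *_encrypt."""
    if token == "flat":
        return "none"
    if token.endswith("_encrypt"):
        return "encryption"
    if token.endswith("_substitution"):
        return "substitution"
    return "other"


def parse_payload_name(name: str) -> PayloadName:
    """Split 'language/goal/variant' and validate the variant against the goal."""
    parts = name.strip().split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected language/goal/variant, got {name!r}")
    language, goal, variant = parts
    if goal not in GOALS:
        raise ValueError(f"unknown goal {goal!r} in {name!r}")
    if goal == "meterpreter":
        # For shellcode-less payloads the third part names the listener type.
        if variant not in CONNECTIONS:
            raise ValueError(
                f"meterpreter payload needs rev_tcp/rev_http/rev_https, got {variant!r}"
            )
        return PayloadName(language, goal, None, variant)
    # For shellcode_inject payloads the third part names the obfuscation.
    return PayloadName(language, goal, variant, None)


def summarize(names: Iterable[str]) -> Dict[str, int]:
    """Count goals and, for shellcode-carrying payloads, obfuscation kinds.
    Handy when reviewing a report that lists the payload names used."""
    counts: Counter = Counter()
    for name in names:
        p = parse_payload_name(name)
        counts[p.goal] += 1
        if p.carries_shellcode:
            counts[obfuscation_kind(p.obfuscation)] += 1
    return dict(counts)


# Constructed sample inventory, in the three-part form the post describes.
SAMPLE_NAMES = [
    "powershell/meterpreter/rev_https",
    "python/meterpreter/rev_tcp",
    "python/shellcode_inject/flat",
    "python/shellcode_inject/letter_substitution",
    "python/shellcode_inject/aes_encrypt",
    "c/shellcode_inject/flat",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", parse_payload_name(n))
    print(summarize(SAMPLE_NAMES))
```

Running the script prints each parsed name and a count such as two meterpreter names, four shellcode_inject names, of which two are flat (shellcode present unobfuscated in the artifact), one substitution and one encryption. A name whose variant does not fit its goal, for example a meterpreter name ending in “flat”, is rejected rather than silently misclassified.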
After you have selected your payload, the next step, if using a shellcode_inject payload, is to generate the shellcode you will use. Most people may use msfvenom to generate the payload within Veil; however, another option is to use Veil-Ordnance. Veil-Evasion can directly invoke Veil-Ordnance to generate shellcode and pass it into your payload. You can choose this option when you’re prompted to generate or supply shellcode. Rather than choosing msfvenom, choose option one to use Ordnance.
This will drop you into the normal Ordnance menu. Just select a payload like normal (use rev_http), fill out the different options such as LHOST and LPORT, and generate your shellcode.
At this point, you should be seamlessly dropped back into Veil-Evasion when it asks you for a payload name, and execution will continue like normal.
Hopefully this post helps to explain the naming scheme of Veil-Evasion payloads and has provided you with another option to generate shellcode with Veil-Ordnance. If you have any questions, please don’t hesitate to contact us at FortyNorth Security.