1
00:00:00,420 --> 00:00:03,630
Now, let's see the Veil framework in action.

2
00:00:05,490 --> 00:00:09,450
Go to the Veil folder and run the Veil.py script.

3
00:00:15,670 --> 00:00:18,610
Use the list command to list the available tools.

4
00:00:19,590 --> 00:00:24,660
We would like to use the evasion tool, so print use 1 and hit Enter.

5
00:00:25,880 --> 00:00:27,790
Veil Evasion menu is opened.

6
00:00:28,310 --> 00:00:31,670
Use the list command to see all available payloads.

7
00:00:32,270 --> 00:00:34,310
There are more than 40 different payloads.

8
00:00:34,460 --> 00:00:39,740
Let's use the Meterpreter payload, which is using a reverse HTTPS connection.

9
00:00:40,520 --> 00:00:42,590
Copy the file name of the full path.

10
00:00:42,800 --> 00:00:44,240
We'll use it on the next step.

11
00:00:45,300 --> 00:00:50,130
Print use 27 to use the payload we selected and hit Enter.

12
00:00:51,620 --> 00:00:58,760
The options of the payload are listed. Change as many options as possible to make the payload more customized.

13
00:00:59,740 --> 00:01:07,000
The most important options here are the address and port number of the listener machine: LHOST and

14
00:01:07,000 --> 00:01:11,980
LPORT options. Again, listener would be our Kali machine.

15
00:01:12,250 --> 00:01:19,900
So assign the IP address of Kali as LHOST, let the LPORT remain as 4444.

16
00:01:21,410 --> 00:01:26,630
To keep the example simple, I'm not going to change any other option at this point.

17
00:01:27,410 --> 00:01:29,240
Now we're ready to generate the payload.

18
00:01:30,680 --> 00:01:33,250
Use the generate command for this purpose.

19
00:01:35,000 --> 00:01:38,810
Give the base name for the output files to be more meaningful.

20
00:01:39,200 --> 00:01:48,260
I'd like to use connection type (reverse), protocol (HTTPS) and the port number that it uses (4444) in the

21
00:01:48,260 --> 00:01:48,920
file name.

22
00:01:50,490 --> 00:01:57,630
And last, it's asking for the method to create the executable file from the script code. Choose the first

23
00:01:57,630 --> 00:01:57,930
one.

24
00:02:10,800 --> 00:02:19,020
Malware is ready as a code and as an executable file, plus an RC file, which is used to start an appropriate

25
00:02:19,020 --> 00:02:23,400
handler that uses the same options with the malware, is prepared.

26
00:02:25,290 --> 00:02:30,180
Let's transfer the malware to our victim machine using the WinSCP tool.

27
00:02:30,720 --> 00:02:34,830
First, I copy the malware to the home folder of the SSH user.

28
00:02:48,280 --> 00:02:52,270
You can examine the generated file using the Linux file command.

29
00:02:58,020 --> 00:02:59,760
Yes, it's a Windows executable.

30
00:03:01,610 --> 00:03:09,920
Now go to the victim machine, run WinSCP and connect to the Kali machine with the SSH user.

31
00:03:23,160 --> 00:03:29,430
Before copying the malware generated by Veil, let's turn on Windows Defender.

32
00:03:38,460 --> 00:03:43,770
Now, while Windows Defender is running, copy the malware to the victim machine.

33
00:03:44,460 --> 00:03:48,480
No, Windows Defender cannot recognize the malware.

34
00:03:49,200 --> 00:03:53,790
We successfully copied the malware into the Windows 8 system.

35
00:03:54,870 --> 00:04:01,560
Now, at this point, as the attacker, we need to have a listener because the payload of the malware

36
00:04:01,560 --> 00:04:03,480
uses a reverse connection.

37
00:04:04,140 --> 00:04:13,880
So go to Kali, use the Metasploit RC file, which is generated by Veil, to create a listener. Print msfconsole

38
00:04:13,890 --> 00:04:19,830
-r and add the RC file name with its full path, then hit Enter.

39
00:04:33,300 --> 00:04:41,610
An HTTPS reverse handler starts on our Kali machine's 4444 port as a background job.

40
00:04:41,790 --> 00:04:44,580
Now go to the Windows machine and run the malware.

41
00:04:46,650 --> 00:04:47,910
Our session is opened.

42
00:04:50,670 --> 00:04:58,320
Use the sessions -l command to see the open sessions and the sessions -i 1 to enter the

43
00:04:58,320 --> 00:04:59,190
open session.

44
00:05:00,250 --> 00:05:07,600
Now we have a Meterpreter session on the victim machine, even though the victim machine has a security

45
00:05:07,600 --> 00:05:08,380
solution.

46
00:05:08,650 --> 00:05:11,740
Windows Defender. Enjoy.