Explaining Veil Payloads and Invoking Veil-Ordnance

In order to effectively use cyber security tools we need to know, in detail, how they work. Only then we are able to leverage them to the best of their capabilities. In this post we will dive into Veil-Evasion and learn its payload naming scheme, different payload variations, and how to invoke Veil-Ordnance to generate shellcode for your payload. If you want to sharpen your knowledge and gain more clarity regarding Veil-Evasion and Veil-Ordnance, this post is for you.

Veil Payloads Naming Scheme

Veil-Evasion has different payloads which are organized by different attributes. The best way to think about how these payloads are organized is by keeping in mind these attributes: Payload Language, Payload Goal, and Payload Obfuscation.

We can see each of these attributes in the following screenshots:

Veil Payload Options
  • Payload Language – the yellow box is relatively self-explanatory, it surrounds the language that the payload is written in. In the above case with payloads 23 and 24, the language is PowerShell.
  • Payload Goal – the red boxes contain the “goal” of the payload.
  • Payload Obfuscation – the green boxes contain the level of obfuscation.

Now, let’s take a more detailed look at Payload Goal and Payload Obfuscation.

Veil Payloads Goals

There are two different “goals” that are used by Veil payloads:

  • Meterpreter – Meterpreter payloads are payloads that do not contain any shellcode. Rather than injecting shellcode into memory and running it, these payloads use the language they are written in to connect back to your Metasploit handler and load Meterpreter, or Cobalt Strike listener and load Beacon. These payloads are static in the sense that they can only be used to load Beacon or Meterpreter, as opposed to loading arbitrary shellcode with the shellcode inject payloads.
  • Shellcode Inject – The shellcode inject payloads are designed to load shellcode into memory and execute it. Generally, this is used to load Meterpreter or Beacon, but these payloads give you the ability to write your own custom shellcode and run it. You can use these payloads to automatically create a user account on the system, spawn calc.exe, or anything you want via the shellcode you write or use.

It’s likely easier to visually see the differences between the payload goals. A sample”Meterpreter” payload (shellcode-less), written in Python, can be seen below:

Shellcode-less Payload

A “shellcode_inject” payload, which uses shellcode, looks similar to the following:

Payload with Shellcode

Veil Payloads Obfuscation

Finally, if using a “shellcode_inject” payload, the last part of the payload describes the level of obfuscation associated with that payload. The different types of obfuscation can include:

  • Flat – this means there is no obfuscation at all
  • letter_substitution – letters are swapped out to make valid shellcode
  • *_encrypt – the shellcode is encrypted using the selected encryption algorithm
  • etc.

However, if using a “Meterpreter” payload,  this last part describes the type of connection that the payload will uses. In other words, the Meterpreter payloads are simply you specifying if your listener or handler is expecting a reverse tcp, reverse http, or reverse https connection.

Invoking Veil-Ordnance

If using a shellcode_inject payload, the next step after selecting your payload, is to generate the shellcode you will use. Most people may use msfvenom to generate the payload within Veil. However another option is to use Veil-Ordnance: Veil-Evasion can directly invoke Veil-Ordnance to generate shellcode and pass it into your payload. You can choose this option when you’re prompted to generate or supply shellcode. As shown in the picture below, rather than choosing “2 – MSFVenom”, choose “1 – Ordnance”.

Using Ordnance

This will drop you into the normal Ordnance. Just select a payload like normal (use rev_http), fill out the different options such as LHOST and LPORT, and generate your shellcode.

Selecting Payload Type
Setting Payload Options

At this point, you should be seamlessly dropped back into Veil-Evasion when it asks you for a payload name, and execution will continue like normal.

Hopefully this post helps to explain the naming scheme with Veil-Evasion payloads and provides you with another option to generate shellcode with Veil-Ordnance. If you have any questions, please don’t hesitate to contact us at FortyNorth Security.