This week I got started with Veil. By using this software together with other techniques from the course, I could open backdoors to target devices in short order. There are two clever aspects to the approaches used. First, I was forcing the client device to connect to my Kali VM to execute the attack, rather than me connecting to the target directly. This approach sidesteps the typical defences in regular firewalls and routers. Second, the payload delivery was made to spoof the download of genuine updates, with redirects to the appropriate “Update successful!” pages once the download was complete. Alternatively, the payload could be set to be delivered together with any other download of an executable file. It could also be combined with the use of your own web server, which comes conveniently included with Kali.
I haven’t yet played around with all the things that can actually be done once this backdoor is open, but ultimately, it looks like all that is required for me to get complete access to another device are fairly innocuous things – using a WiFi hotspot I set up, or clicking a link, or attempting to update their own software. Even more striking was the demonstration that the Veil software payloads were considered “clean” by all antivirus software.
Much like “Defense against the dark arts” classes, the sequence of lectures on attack methods and vectors ended with a lecture on how to defend oneself against these sorts of attacks. Worryingly, these again boiled down to:
- Always make sure you’re using HTTPS
- Don’t use networks you don’t control and/or trust completely
- Verify checksums of all your downloads
These measures are all more active than convenient. “I think the base consideration of one’s security is insufficiently paranoid unless one is optimistic enough about their fellow humans to not believe that anyone will go to the effort of trying to steal their data.”
There might be a point there, though. Why bother stealing data when most people give it to Google, Apple, and Facebook for free?