Undetectable C C Reverse Shells


Isidora Herline

Dec 21, 2023, 12:21:02 PM
to codename-taurus

In this post, we will be walking through a simple C/C++ based reverse CMD shell over TCP. Remember that this is not fully undetectable. In the next post, I will publish on how to write enterprise-grade malware which is totally undetectable by offline antiviruses, and how we can code in C/C++ to use HTTP instead of TCP over a proxy, using hostnames instead of IP addresses for C2 servers and evading firewall detection. And in the final part, I will be writing on evading antiviruses which use machine learning to detect anomalous behaviour of executables.

Download https://t.co/AfsHDFJqQV



Our main aim will be to evade everything and at the same time keep our executable size as low as possible. As we code and use encryption over time, the size of the executable will increase, so we need to keep a tab on which external libraries we are using and how we compile the code, whether statically or dynamically. If you are using g++ to compile the below executable, the size should be around 21Kb; for the mingw cross compilers, which I am using in Linux, the size of the malware is 13Kb; and for cl, i.e. the Microsoft compiler, the size goes to around 87Kb since it does a lot of code optimization. Also, you can either use netcat, or build a Python server to handle multiple communications for the reverse shells. As for me, I have built a C2 server in Cython which uses multiprocessing to handle multiple bots simultaneously. I have named it Prometheus as you can see above.

When using the windows/local/ask exploit, it seems you do not need to set a payload with it. In the windows/local/ask exploit you can set a reference to the undetectabletrojan.exe, which will then be executed with elevated privileges through UAC. However, as pointed out by @SilverlightFox, the ask exploit always uses a self-generated payload which is easily detected by AV. To counter this, some changes in the /usr/share/metasploit-framework/lib/msf/core/post/windows/runas.rb are required.

A backdoor is used to bypass security mechanisms, often secretly and mostly undetectably. Using MSFvenom, the combination of msfpayload and msfencode, it's possible to create a backdoor that connects back to the attacker by using reverse shell TCP. In order to develop a backdoor, you need to change the signature of your malware to evade any antivirus software. Complete this project on a pair of computers that you have permission to access, and in the process, you'll learn more about computer security and how this kind of backdoor works.

The "hoaxshell" reverse shell implementation is a Python script that listens to a pre-defined port. This can not be considered malicious activity by any means; this behavior is typical for many legitimate software and IT tools. Therefore, behavioral coverage can not be provided to prevent the execution of this reverse shell, since the connection itself is not malicious. In Cortex XDR, when a malicious activity is executed through this shell, it is prevented by our behavioral coverage modules.

The study mainly set out to identify an "ultimate crypto miner" that offers unlimited access to computational resources, while simultaneously requiring little-to-no maintenance, is cost-free, and undetectable.

"We highly recommend that organizations educate themselves about the methods and flows malicious actors may use to create undetectable resources and proactively monitor for code execution indicative of such behavior."

This is not original work, I found it here on Github. Interesting idea with a somewhat limited use... in my opinion. The description states: "c# reverse shell poc that also does TLS". I keep reading that CSharp is the new PowerShell but as far as I can tell, CSharp payloads are getting detected so maybe that ship has passed. I will say that this shell goes undetected but it does require the arguments so it's not something you can get a user to click on.

One final thought -- you only need Program.cs which can be compiled in the .NET folder.

A few months ago I hit a unique set of circumstances on a different engagement, where we had an outdated version of WebLogic with a known RCE exploit. The network was set up to deny any and all reverse connections back. So a reverse shell was not an option. Add into the mix that *every* node on the network had endpoint protection software and some form of in-line traffic inspection, and you should understand they had done so many of the basics perfectly.

We fell down trying to get bind shells. Starting with the venerable post from pentestmonkey [2] about reverse shells in various languages, I converted them all into bind shells (a post about that soon) and watched as none of them worked on that target.

There is an obvious quick win if you can get a reverse connection back from your victim. You simply deliver your payload over HTTP and you never touch disk. Obviously in my narrative here I could not use HTTP so I needed to find another solution.

What you can do is establish bind and reverse TCP shells in a new language where the payloads are pretty universal. You can re-implement some of the amazing PowerShell libraries in Java and have another option which might go undetected.

In this article, we will create a simple but powerful and undetectable SSH backdoor written in Python with some built-in features like SFTP. At the final stage we will export this backdoor as a standalone and test it against online virus scanners as well as inside a simulated secure environment in VirtualBox.

Inside this secure channel, we will transfer arbitrary commands to our victim and make it send the execution result back to us. Encryption is a great way to evade IDS/IPS sensors since they will be completely blind about the traffic type that passed on. Making a 'reverse shell' is also a well-known method to bypass FW rules, as it is most likely blocking all incoming connections, but you can't block all outbound connections since they are mandatory for business needs.

Paramiko is not designed to be used for penetration testing; the author, as others do, supposed that the client will execute commands on the server, and this occurs via the 'chan.exec_command(command)' function. However, it's reversed in our scenario, since the server (hacker) is the one who will execute commands remotely on the client (victim). To overcome this, we will initiate a subprocess on the client side, and based on commands we receive from the server via chan.recv(), our client will send the output back via chan.send().

Doesn't everyone love new tools to lab with? Today, we are throwing hoaxshell in my lab environment to see what it's all about and if it's really undetectable on a fully patched Windows 10 Pro machine with Defender running.

I came across a Tweet by 0dayCTF sharing hoaxshell which is an encrypted reverse shell that is currently undetected by Windows Defender. After using it for a little bit in a few CTFs, I wanted to test it out in my lab environment to see what it's all about to see if it can slide past Defender. Let's do this!

As this is a reverse shell, you can run any command as you would in something like a Meterpreter or netcat shell as long as whatever you run doesn't spawn an interactive shell. So for example, don't try running powershell.exe or cmd.exe. The limitations are documented in the README file should you want to check it out.

In backdoors a reverse connection is created, i.e. when the target person double-clicks the script, their computer will start the initiation of the backdoor. So it becomes undetectable by many antivirus software because there is no external machine requesting to connect. I also used port 8080, which is a common port used to connect to websites, so nothing would seem suspicious to the antivirus software.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.[1][2][3]

PCR cloning using the A-overhangs left by Taq DNA Polymerase and an appropriately T-tailed vector (e.g., pGEM-T Easy Vector) is not a technique that will retain orientation. The orientation can be rapidly assessed with colony PCR using vector-specific primers and insert-specific primers. For example, this technique was used for screening the orientation of a 1.8kb insert into the pGEM-T Easy Vector. Colony PCR was performed with the T7 Promoter Primer and either the insert-specific forward or reverse PCR primer. Eight white colonies were chosen from the cloning experiment for analysis. Clones with the T7 orientation will only produce a fragment with the T7 primer and reverse PCR primer, and clones in the opposite (SP6) orientation will only produce a fragment with the forward PCR primer as illustrated below.

Promoted as fully undetectable malware on YouTube and Telegram, the price for EXFILTRATE-22 ranges from $1,000 for a monthly subscription to $5,000 for lifetime access. The buyer will also receive a login panel to access the EXFILTRATE-22 server, which allows threat actors to remotely control the malware.
