fathomless

[xor-function]

Fathomless has been a project I have been working on and includes some new tools.

Running environment is Ubuntu 14.04 LTS

Updated the description below to include recent changes.

Async Shell Handler:

Provides a prototype C&C web server along with an asynchronous powershell

client, and a basic command interface. The server is hosted on an lighttpd server

using HTTPS with a self-signed certificate. Since the C&C is a cgi hosted on a

lighttpd server you can edit the included lighttpd.conf to only allow connections

from the expected IP range.

The async client performs basic key fingerprint comparison for the self-signed

cert and basic authentication to the C&C. These values are randomly generated

upon installation. All requests and responses from the client are performed

via HTTPS GET requests with url safe base64 encoded strings.

The client initially operates in memory so if it exits or the system reboots

the process will be terminated and flushed from memory.

Limited persistence has been added via the shortcut-inject function avaliable

in the async and tcp powershell clients.

The tcp reverse shell version of the client does not require the C&C component

just an open tcp port with netcat

ex: nc -lvvp 443

Available functions from the client:

* get-info

Displays a summary of current host

* exec-script "name-of-script"

Executes script hosted server side in /var/async-shell/ps-scripts by IEX

requires the name of the script filename as a parameter.

* obfuscate "name of text file / script"

Uses a polyalphabetic obfuscation method on base64 strings

writes obfuscated string to file and provides a de-obfuscation key.

* de-obfuscate "(name of text file / script), (key)"

Performs the inverse of the obfuscation function requires

the text file with the obfuscated base64 data and

de-obfuscation key as parameters.

* gen-key

generates a random alphabetic string for use with the

obfuscate-base64 function.

* obfuscate-base64 "(action:hide or clear ), (key: obfuscation or de-ofuscation), (base64-string)"

The function that contains the obfuscation engine, it works only with clear base64 data.

* byte-encode ( binary-to-obfuscate, key )

Performs byte-encoding prior to converting to obfuscated

base64 provide key de-obfuscation.

* byte-decode ( file-containing-obfu-base64, key )

performs the reverse of byte-encode, requires the de-obfuscation key.

* askfor-creds

Performs some social engineering in order to acquire plain-text credentials. This is done

by generating a authentication popup which seems to reconnect to a network share.

* gen-enccmd "your command string"

Generates a PowerShell formatted encoded command. Insure to quote your command

string.

ex: gen-enccmd "cmd /c ipconfig /all"

* shortcut-inject "name-of-lnk" "Url-hosting-script"

Modifies the specified shortcut to run the original program and also execute a download

and execute command string. Ex: "Google Chrome.lnk" "full url to powershell script"

Requires the http:// or https:// in the URL.

gen-obfuscated

Enables execution of a command string on systems while evading countermeasures,

specifically AV signature based detection. This is accomplished by focusing on

obfuscating command strings that typically download a short script

involved in first-stage/initial access.

boot2own:

Live OS that dumps hashes and uses them with winexe to execute commands on remote systems.

I haven't updated it yet since I have been waiting for UEFI support to mature (shim & preloader).

Once that happens I will invest time in it.

Find it on github (.) com/xor-function/fathomless

Let me know if you run into issues.

Edited January 25, 2016 by xor-function