xor-function
Posted October 28, 2015 (edited)

Fathomless has been a project I have been working on and includes some new tools. Running environment is Ubuntu 14.04 LTS. Updated the description below to include recent changes.

Async Shell Handler: Provides a prototype C&C web server along with an asynchronous PowerShell client, and a basic command interface. The server is hosted on a lighttpd server using HTTPS with a self-signed certificate. Since the C&C is a CGI hosted on a lighttpd server, you can edit the included lighttpd.conf to only allow connections from the expected IP range. The async client performs basic key fingerprint comparison for the self-signed cert and basic authentication to the C&C. These values are randomly generated upon installation. All requests and responses from the client are performed via HTTPS GET requests with URL-safe base64 encoded strings. The client initially operates in memory, so if it exits or the system reboots the process will be terminated and flushed from memory. Limited persistence has been added via the shortcut-inject function available in the async and tcp PowerShell clients. The tcp reverse shell version of the client does not require the C&C component, just an open tcp port with netcat, ex: nc -lvvp 443

Available functions from the client:

* get-info: Displays a summary of the current host.
* exec-script "name-of-script": Executes a script hosted server side in /var/async-shell/ps-scripts by IEX. Requires the name of the script filename as a parameter.
* obfuscate "name of text file / script": Uses a polyalphabetic obfuscation method on base64 strings, writes the obfuscated string to a file and provides a de-obfuscation key.
* de-obfuscate "(name of text file / script), (key)": Performs the inverse of the obfuscation function. Requires the text file with the obfuscated base64 data and the de-obfuscation key as parameters.
* gen-key: Generates a random alphabetic string for use with the obfuscate-base64 function.
* obfuscate-base64 "(action: hide or clear), (key: obfuscation or de-obfuscation), (base64-string)": The function that contains the obfuscation engine; it works only with clear base64 data.
* byte-encode (binary-to-obfuscate, key): Performs byte-encoding prior to converting to obfuscated base64 and provides a de-obfuscation key.
* byte-decode (file-containing-obfu-base64, key): Performs the reverse of byte-encode. Requires the de-obfuscation key.
* askfor-creds: Performs some social engineering in order to acquire plain-text credentials. This is done by generating an authentication popup which seems to reconnect to a network share.
* gen-enccmd "your command string": Generates a PowerShell formatted encoded command. Ensure you quote your command string. ex: gen-enccmd "cmd /c ipconfig /all"
* shortcut-inject "name-of-lnk" "Url-hosting-script": Modifies the specified shortcut to run the original program and also execute a download and execute command string. Ex: "Google Chrome.lnk" "full url to powershell script". Requires the http:// or https:// in the URL.
* gen-obfuscated: Enables execution of a command string on systems while evading countermeasures, specifically AV signature based detection. This is accomplished by focusing on obfuscating command strings that typically download a short script involved in first-stage/initial access.

boot2own: Live OS that dumps hashes and uses them with winexe to execute commands on remote systems. I haven't updated it yet since I have been waiting for UEFI support to mature (shim & preloader). Once that happens I will invest time in it.

Find it on github (.) com/xor-function/fathomless

Let me know if you run into issues.

Edited January 25, 2016 by xor-function
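Added example, not part of xor-function's post or of the fathomless code: the Python below reproduces the two string encodings the function list depends on, so they can be inspected outside the PowerShell client. gen_enccmd does what any "gen-enccmd" must do, because powershell.exe -EncodedCommand only accepts base64 of the UTF-16LE script text; decode_enccmd is the inverse a SOC analyst runs on the blob found in a process-creation log. The polyalphabetic part is an assumption: the post says only "polyalphabetic obfuscation method on base64 strings" with an alphabetic key, so a Vigenère-style shift over the 64-character base64 alphabet is used here as one plausible instance, and the function names (obfuscate_b64, deobfuscate_b64, to_urlsafe, from_urlsafe) are this example's, not the project's.

```python
import base64
import secrets
import string

# Standard RFC 4648 base64 alphabet, index 0..63.
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def gen_enccmd(command: str) -> str:
    """Build the argument for 'powershell -EncodedCommand <blob>'.

    PowerShell decodes the blob as base64 and then reads it as UTF-16LE, so
    the command text must be widened to UTF-16LE before base64 encoding.
    """
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_enccmd(blob: str) -> str:
    """Inverse of gen_enccmd: recover the script from an -EncodedCommand blob."""
    return base64.b64decode(blob).decode("utf-16-le")


def gen_key(length: int = 16) -> str:
    """Random alphabetic key, like the post's gen-key; letters only."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))


def _shift_b64(text: str, key: str, direction: int) -> str:
    # Assumed scheme (not necessarily fathomless's): each base64 character is
    # shifted by the alphabet index of the corresponding key character, mod 64.
    # '=' padding is copied through unchanged and does not advance the key, so
    # the output has the same length and the same padding as the input.
    if not key or any(k not in B64_ALPHABET for k in key):
        raise ValueError("key must be a non-empty string of base64-alphabet characters")
    out = []
    key_pos = 0
    for ch in text:
        if ch == "=":
            out.append(ch)
            continue
        if ch not in B64_ALPHABET:
            raise ValueError(f"not a base64 character: {ch!r}")
        shift = B64_ALPHABET.index(key[key_pos % len(key)])
        out.append(B64_ALPHABET[(B64_ALPHABET.index(ch) + direction * shift) % 64])
        key_pos += 1
    return "".join(out)


def obfuscate_b64(b64_text: str, key: str) -> str:
    """Polyalphabetic shift of a clear base64 string (post's 'hide' action)."""
    return _shift_b64(b64_text, key, +1)


def deobfuscate_b64(obf_text: str, key: str) -> str:
    """Undo obfuscate_b64 with the same key (post's 'clear' action)."""
    return _shift_b64(obf_text, key, -1)


def to_urlsafe(b64_text: str) -> str:
    """Character-level swap to the URL-safe alphabet so the blob survives a GET query string."""
    return b64_text.translate(str.maketrans("+/", "-_"))


def from_urlsafe(urlsafe_text: str) -> str:
    """Inverse of to_urlsafe."""
    return urlsafe_text.translate(str.maketrans("-_", "+/"))


if __name__ == "__main__":
    # Walk a command through the same stages the client would: encode for
    # PowerShell, obfuscate, make URL-safe for transport, then reverse it all.
    cmd = "cmd /c ipconfig /all"
    enc = gen_enccmd(cmd)
    key = gen_key()
    on_the_wire = to_urlsafe(obfuscate_b64(enc, key))
    print("encoded command :", enc)
    print("key             :", key)
    print("on the wire     :", on_the_wire)
    print("recovered       :", decode_enccmd(deobfuscate_b64(from_urlsafe(on_the_wire), key)))
```

Two things worth noting from running it. The shift changes every character of the base64 blob, so a static signature written against the clear -EncodedCommand string will not match the obfuscated form, which is the evasion the post describes for gen-obfuscated; but the key has to be present wherever the string is decoded, so this is obfuscation and not encryption, and anyone who captures the client script can reverse it with deobfuscate_b64. Separately, the stage that actually reaches powershell.exe is still a plain -EncodedCommand, so decode_enccmd applied to command-line arguments in process-creation telemetry recovers the script regardless of how it was delivered.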