Shulou(Shulou.com)05/31 Report--

This article mainly introduces the meaning of Http-Asynchronous-Reverse-Shell, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand.

Currently, there are many ways to create a reverse Shell and try to bypass the firewall to successfully control the remote device. But in fact, outgoing connections are not necessarily filtered.

However, with the development of technology, security software and hardware (intrusion prevention system IPS, intrusion detection system IDS, agents, anti-virus products and EDR, etc.) become stronger and stronger, and they have the ability to detect these attacks. In most cases, the connection to the reverse Shell is established through a TCP or UDP tunnel.

Therefore, we need to hide these communication channels, and the best way is to disguise them as legitimate connections. The most frequently used by standard users is the HTTP protocol, and this type of traffic is hardly filtered out to avoid affecting users' site browsing and visits.

Working mechanism

1. The client App needs to be executed on the target device first.

2. The client establishes the initial connection with the server

3. The server accepts the connection establishment request

Next:

After the client receives the instruction, it sends a query request to the server

The attacker provides instructions to the server

When the command is defined, the client executes the command and returns the execution result

Then continue to perform the above process until the attacker ends the session connection.

Function introduction

The current version of the tool implements the following functions:

1. Fake HTTP traffic to bing.com search traffic

2. The command is encoded in Base64 in the HTML response

3. The result of command execution will be encoded in Base64 in the client cookie.

4. [optional] SSL support. Forged bing.com certificate is used by default.

5. Set a random delay between each client call request to avoid triggering IDS

6. Every response of the server uses a random template.

7. Reuse the same PowerShell process to avoid triggering EDR

8. Support all CMD and PowerShell commands

9. [optional] the client can display fake error messages at startup

10. The client is not visible in the task manager

11. [optional] the client can run as an administrator

Anti-virus product detection

We used 69 antivirus products to detect our clients, and only three of them detected them as malicious programs without using any AV avoidance or obfuscation techniques.

Tool configuration client: C Sharp

1. Open the HARS.sln file in Visual Studio.

Config.cs

This file contains the running parameters of the tool, and we need to configure the value of each parameter according to the specific situation:

Class Config {/ * Behavior * / / Display a fake error msg at startup public static bool DisplayErrorMsg = true; / / Title of fake error msg public static string ErrorMsgTitle = "This application could not be started."; / / Description of fake error msg public static string ErrorMsgDesc = "Unhandled exception has occured in your application. \ r\ r Object {0} is not valid. "; / / Min delay between the client calls public static int MinDelay = 2; / / Max delay between the client calls public static int MaxDelay = 5; / / Fake uri requested-Warning: it must begin with" search "(or need a change on server side) public static string Url =" search?q=search+something&qs=n&form=QBRE&cvid= " / * Listener * / / Hostname/IP of Cellular server public static string Server = "https://127.0.0.1"; / / Listening port of ClearC server public static string Port =" 443 "; / / Allow self-signed or" unsecure "certificates-Warning: often needed in corporate environment using proxy public static bool AllowInsecureCertificate = true;}

HARS.manifest

Modify the parameters according to the following command, and the tool will run with special permissions by default:

Project attribute

In the following interface, you can customize the configuration compilation information and file icons:

Note: the target .NET Framework version is set to come with this version of the framework by default in v4.6 and Windows 10. If it is Windows 7, you can choose .NET v3.5.

Code construction

You need to build the project source code in Visual Studio, and the generated client programs will be stored in the Http Asynchronous Reverse Shell\ HARS_Client\ HARS\ bin\ Release directory.

Server side: Python

The HARS_Server.py file is located in the Http Asynchronous Reverse Shell\ HARS_Server\ www directory. If you need to modify the port or certificate location, you can directly modify the corresponding parameters in the configuration file:

# ConfigPORT = 443CERT_FILE ='.. / server.pem' tool runs other python HARS_Server.py configurations

1. HTTP log files are stored in the Http Asynchronous Reverse Shell\ HARS_Server\ logs directory.

2. You can add your own template (any HTML page file) in the Http Asynchronous Reverse Shell\ HARS_Server\ templates directory.

Tool demo client

Server side

Statement

This tool is only used as a proof-of-concept demonstration tool for authorized security testing, please do not use it for malicious purposes.

Thank you for reading this article carefully. I hope the article "what is the meaning of Http-Asynchronous-Reverse-Shell" shared by the editor will be helpful to everyone? at the same time, I also hope that you will support and pay attention to the industry information channel, and more related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.