Simple TCP reverse shell written in Go. It uses TLS to secure the communications, and provide a certificate public key fingerprint pinning feature, preventing from traffic interception.

Supported OS are:

  • Windows
  • Linux
  • Mac OS
  • FreeBSD and derivatives

Why ?

Although meterpreter payloads are great, they are sometimes spotted by AV products. The goal of this project is to get a simple reverse shell, which can work on multiple systems,

How ?

Since it’s written in Go, you can cross compile the source for the desired architecture.

Building the Payload

To simplify things, you can use the provided Makefile. You can set the following environment variables:

  • GOOS : the target OS
  • GOARCH : the target architecture
  • LHOST : the attacker IP or domain name
  • LPORT : the listener port

For the GOOS and GOARCH variables, you can get the allowed values here.

However, some helper targets are available in the Makefile:

  • depends : generate the server certificate (required for the reverse shell)
  • windows32 : builds a windows 32 bits executable (PE 32 bits)
  • windows64 : builds a windows 64 bits executable (PE 64 bits)
  • linux32 : builds a linux 32 bits executable (ELF 32 bits)
  • linux64 : builds a linux 64 bits executable (ELF 64 bits)
  • macos : builds a mac os 64 bits executable (Mach-O)

For those targets, you just need to set the LHOST and LPORT environment variables.

Using the shell

Once executed, you will be provided with a remote shell. This custom interactive shell will allow you to execute system commands through cmd.exe on Windows, or /bin/sh on UNIX machines.

The following special commands are supported:

  • run_shell : drops you an system shell (allowing you, for example, to change directories)
  • inject <base64 shellcode> : injects a shellcode (base64 encoded) in the same process memory, and executes it (Windows only at the moment)
  • meterpreter IP:PORT : connects to a multi/handler to get a stage2 reverse tcp meterpreter from metasploit, and execute the shellcode in memory (Windows only at the moment)
  • exit : exit gracefully

Examples

First of all, you will need to generate a valid certificate:

For windows

For Linux

For Mac OS X

Listeners

On the server side, you can use the openssl integrated TLS server:

Or even better, use socat with its readline module, which gives you a handy history feature:

Or, and this is great, use a metasploit handler:

Credits

Ronan Kervella <r.kervella -at- sysdream -dot- com>

Download Hershell