Home

Awesome

<div align="center"> <img src="images/0.png">
HRShell: An advanced HTTP(S) Reverse Shell built with Flask

GPLv3 license version Known Vulnerabilities


<img src="images/preview.svg" width="80%"> </div> <br>

HRShell is an HTTPS/HTTP reverse shell built with flask and is compatible with python 3.x. The client.py has been successfully tested on:

while the server.py is compatible with Unix systems (Windows support comming soon...)

Features

<sub>*For version changes check-out CHANGELOG.</sub>

Details


Stealthy :shipit:

HRShell is stealthy since it uses the HTTP(S) protocol as the communication method between client and server. In addition when TLS is in use the traffic is also encrypted. Also if the CERT is not hand coded on client-side (which is a feasible option) and the upload command is not used, then client.py doesn't touches the disk at all.

TLS πŸ”‘

Server-side: Unless --http option is specified, by default server.py is HTTPS using on-the-fly certificates, since on-the-fly certificates are a built-in flask-feature. But if -s tornado option is specified in order to make the server use TLS, a --cert and a --key option must be specified like so:

python server.py -s tornado --cert /path/cert.pem --key /path/key.pem

Either "real" certificates can be used or another way to generate a cert/key pair is e.g. either using mkcert or openssl directly like so:

openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

A cert/key pair can also be used with the flask-server:

python server.py --cert /path/cert.pem --key /path/key.pem

⚠️ If the server is using TLS, then by design the client can't use http://... to connect to the server, but must explicitly use https instead.

Client-side: By default client's SSL verification is disabled, unless:

⚠️ That the SSL verification is disabled by default on client doesn't mean in any case that the TLS is disabled too, TLS will be enabled if the server uses it - so TLS depends completely on the server. The --cert option on client is there just as an alternative way for the server-client to have an encrypted session and that's all.

Shellcode injection πŸ’‰

There are two "modes" of shellcode injection using the two following commands respectively:

  1. migrate <PID>: Using this command we can inject shellcode into the memory space of another process by specifying its PID. For now this command can only be applied at Windows x86/x64 platforms!
<img src="images/1.png">
  1. inject shellcode: Using this command a new thread (or spawned process on unix systems) of our current process is created and the shellcode injection occurs in its memory space. As a result our HTTP(S) shell is not affected by the injection. The platforms where this command can be applied are: Unix x86/x64, Windows x86 platforms!
<img src="images/2.png">
Notes

Set/Modify shellcode

There are two ways you can specify/set what type of shellcode you want the client to execute:

<img src="images/3.png" width="60%">

The first way is pretty straight forward. However in order to use the second and more convenient way (since you can also modify an already specified shellcode) you have to set shellcodes/utils.py script such that it contains the shellcode(s) of your choise. The script contains an example of how you can do that.

πŸ’‘ You can modify/update shellcodes/utils.py script even after you've launched server.py as many times as you want, since server.py will dynamically use the most updated/recent version. In this way you can set & modify shellcodes on the go...

Available commands:

Special commands:

<img src="images/4.png" width="70%">

Any other command is supported if it's not interactive like e.g. gdb, top etc... Also by typing python server.py -h or python client.py -h you can get information the server and client available arguments.

Note: If a client is connected with the server and we want to terminate the server, before press <kbd>CTRL</kbd>+<kbd>C</kbd>, we have to close the connection using the exit command.

Creating custom commands

Client-side:

In order to create a custom command, generally:

Server-side:

If the command demands the existence of a new-endpoint on server-side, then:

Script-Arguments

Both scripts (server.py and client.py) can be customized through arguments:

server.py

$ python server.py -h
usage: server.py [-h] [-s] [-c] [--host] [-p] [--http] [--cert] [--key]

server.py: An HTTP(S) reverse-shell server with advanced features.

arguments:
  -h, --help      show this help message and exit
  -s , --server   Specify the HTTP(S) server to use (default: flask).
  -c , --client   Accept connections only from the specified client/IP.
  --host          Specify the IP to use (default: 0.0.0.0).
  -p , --port     Specify a port to use (default: 5000).
  --http          Disable TLS and use HTTP instead.
  --cert          Specify a certificate to use (default: None).
  --key           Specify the corresponding private key to use (default: None).

client.py

$ python client.py -h
usage: client.py [-h] [-s] [-c] [-p]

client.py: An HTTP(S) client with advanced features.

arguments:
  -h, --help      show this help message and exit
  -s , --server   Specify an HTTP(S) server to connect to.
  -c , --cert     Specify a certificate to use.
  -p , --proxy    Specify a proxy to use [form: host:port]

πŸ“¦ Requirements:

To install the server-requirements:

pip install -r requirements.txt --upgrade --user

:pushpin: TODO

:thought_balloon: Contributions & Feedback

Feedback and contributions are welcome. If you find any bug or have a feature request feel free to open an issue, and as soon as I review it I'll try to fix it.

Disclaimer

This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software in general.

Credits & References

License

This project is licensed under the GPLv3 License - see the LICENSE file for details.