ThunderShell v3.1.2 Releases: Fully encrypted powershell RAT

by do son · Published · Updated

ThunderShell

ThunderShell

ThunderShell is a C# RAT that communicates via HTTP requests. All the network traffic is encrypted using a second layer of RC4 to avoid SSL interception and defeat network detection on the target system. RC4 is a weak cipher and is employed here to help obfuscate the traffic. HTTPS options should be used to provide integrity and strong encryption.

Advantage against detection

The “core” RAT doesn’t require a second stage to be injected/loaded in memory.

Features

Payload delivery

Currently, it only supports C# wrapped in PowerShell.

A future release will include:

  • C# as cs
  • powershell as ps
  • C# exe as exe
  • msbuild as msbuild

Multi-users interface

ThunderShell can be used through the CLI and the web interface (under development) and supports several users at the same time on both the web interface and the CLI.

Logging capabilities

The tool provides typical web traffic and error logs. Commands for every active session are saved on disk for future reference. The log folder structure contains each shell output sorted by date.

Multithreading

ThunderShell client supports threading, meaning you can execute several commands in parallel on your target. ThunderShell is handling this for you on both the client and the server.

Network traffic formatting

(under development) ThunderShell allows you to configure the network request performed by the client by setting arbitrary headers and changing the format of the data sent to the server.

Example configuration file profile.json:

{

        "headers": {

                                "X-Powered-By": "ASP.NET",

                                "X-AspNet-Version": "4.0.30319",

                                "Set-Cookie": "ASP.NET_SessionId={{random}}[32];"

                },



        "autocommands": ["whoami", "cmd /c set"],

        "auto-interact": "on"

}

 

The {{random}}[size] syntax can be used to set arbitrary values at runtime.

The profile is loaded by the main configuration file shown below

ThunderShell client features

The client is using a C# unmanaged approach to execute powershell code. This allows the user to execute arbitrary powershell commands directly on the shell, without invoking powershell.exe.

Installation

apt install python
apt install redis-server
apt install mysql-server
apt install mono-dmcs
apt install python-redis
apt install python-mysqldb
apt install python-tabulate

git clone https://github.com/Mr-Un1k0d3r/ThunderShell

Use

Copyright (C) 2016 Mr.Un1k0d3r

Source: https://github.com/Mr-Un1k0d3r/

Tags: powershellThunderShell