Hey everyone, I'm mado. This is my first post in the community, though I've been digesting material here for years, and now I'm happy I can start creating it. The first few paragraphs will just be a general overview of the software; feel free to skip f you want to get straight to the installation and usage.
Today, I'll be teaching you how to create a "fully-undetectable" reverse shell backdoor for any Windows system written entirely in C++, with no metasploit-framework needed. The only software we'll be using is my madwin shell script. All you'll need for this is a Debian-based Linux system (which includes Kali, Ubuntu, Parrot, Mint, etc.) and a working internet connection. You could install it anywhere else with a shell script interpreter, but keep in mind it uses APT for dependency installation.
To begin, let me explain how exactly this reverse shell works. It's based off (and by that, I mean the code, so it's essentially an overdeveloped fork) of TheLinuxChoice's GetWin project, so if you're familiar with that you'll be familiar with this:
The shell, when spawned, connects to a serveo.net server, effectively routing it's traffic across the internet. Using just a basis of php and ssh, your attacking machine connects to the serveo.net session and retrieves the interactive shell. This is good for a few reasons; you don't leave behind a local IP, so forensics may assume you've patched in externally if discovered, and you can spawn a reverse shell heading to an address over the internet leading to less suspicion of traffic-detecting antivirus solutions, like Norton 360.
Beyond that basic functionality, I've added a few new tweaks to lower the detection ratio and improve functionality:
- The script code has been simplified and organized for easier modifictation
- The padder's (the function that obfuscates the source code, from TheFatRat's powerfull.sh) been augmented with a more extensive charset
- The padder's been implemented more times in source code creation
- GNU/Strip is installed and executed to strip the .exe of object symbols, lowering the detection ratio
- UPX-Compressor is downloaded and executed to compress the .exe, further masking it's functionality and making it more compact
*Please note*, "fully undetectable" is hard to come by nowadays. This program will always be FUD so long as it's limited to a basic hash-checking algorithm, but nowadays many AVs have heuristic analysis functions, making it extremely hard to bypass a sweep. Sufficed to say, this program will bypass Windows Defender every time, at least to my testing. Without further ado, let's get one with madwin!
Step 1: Clone the Repository and Set Up Dependencies
First off, you'll need git. Run in your terminal:
sudo apt update && sudo apt install git
Then, clone my repository:
git clone github.com/mado-95/madwin.git
Finally, after the clone finishes. run the script:
cd madwin && bash madwin.sh
Assuming all goes well, you'll be greeted with the thematic ASCII startup screen.
Note, if you've never ran the script before, it'll quickly check for the necessary packages on your system (strip, mingw-w64, gcc, binutils, netcat php, ssh) and install them if need be. After it finishes, it'll create the file "install" in /usr/share/madwin, to let the script know it doesn't have to run through the package check.
Step 2: Configure Your Options
As with any other malware generating framework, you'll be prompted with a few options, like port number (equivalent to LPORT), output name, and the icon, or the thumbnail of the executable. There's a few options included in the "icon" folder, but feel free to use your own if you like. Once you input all the options, the script will go ahead and generate the source code, obfuscate it, compile it, strip, and compress the executable. It'll also output useful pointers about the compression of the executable.
Step 3: Start Your Listener and Exploit!
After compilation, your server will start up.
When that happens, getting your shell is as simple as executing the exe on the target machine.
Whether you do so by means of an RCE exploit, social engineering, or physical access, it's up to you.
And that's it! You're, erm, "hacked in," free to do whatever nefarious things you can think of.
Remember, only attack targets you have permission to attack!
That about sums up my tutorial. I hope everyone enjoyed!
I'll try to keep maintaining and adding to Madwin.
Feel free to leave me questions or comments.
2 Responses
Hello!
It's good!
I got a shell without privileges. How do I elevate privileges from windows cmd?
The git repo has been removed, can you update it please?
Share Your Thoughts