Hide a Hacker's Reverse Shell in ONE Command

John Hammond · Intermediate ·🔐 Cybersecurity ·3y ago

Key Takeaways

The video demonstrates how to hide a hacker's reverse shell in one command using various tools and techniques, including Windows registry manipulation, hoax shell, and SQL database connector. It also covers low-binning techniques, living off the land, and persistence mechanisms.

Full Transcript

this might be one of my new favorite low bins or living off the land techniques because if you stage it right it can blend in so well take a look you add a registry key to the hkey local machine Hive under system current control set control terminal servers under utilities for the query command and you can stage your own operation or little sub command to run that can be literally anything all that needs to be ran to execute it is the command query and then whatever name you decided for your sub procedure as always credit where credit is due this is another gem coming from gregora's torque or OG tweet over on Twitter forgive me I know I always get your name wrong my friend but man he's always pumping out some super cool low bin techniques or just strange idiosyncrasy stuff that can come from a whole lot of the built-in native Windows applications and programs this came out on December 27th or at least that's when he tweeted about this way back in 2022 but I think it's gold not gonna lie if you take a look at the Microsoft documentation for the remote desktop Services terminal Services command line tools reference to or whatever it kind of just briefly mentions these but doesn't actually dig into detail as to how you could actually play with them and manipulate them within the Windows registry they list off all these commands all the different things that you might be able to do related to RDP or terminal services or a lot of these remote desktop utilities and they're actually listing out hey query term server query user yada yada yada and if you go take a look at all of the commands that come under query as the utility that you can run it just tells you look it displays information about the processes sessions and remote desktop session host servers and that's kind of it it gives you some of the arguments that you can run but I haven't found a reference or at least a note that look this is modified and configurable within the Windows registry you can take a look at query process or any of the other articles specific to each of the sub commands but they just tell you kind of what that one does but not exactly where it's coming from or how it's all put together I don't exactly know they showcase some examples and other related links but like that's it that's the end of the article same thing for session same thing for term server same thing for user all they showcase is the use message of the command but not a whole lot more of how it's all coming together in the background so anyway let's go ahead and play with this I'm going to fire up a terminal I am inside of my Kali Lumix virtual machine for the moment but I've gone ahead and staged this registry command so that we can work with it take a look this was the syntax just using the old school reg.exe dos command and you add into this registry key setting the value for the new key to lobin but you could set this to really whatever you want the type should be reg multi-string SZ thing and that looks like they're using like escaped zeros which I believe is one of the representations for a no-byte which I just think is kind of interesting to put this in as a lot of the Stacked values inside of the registry or that might just be the representation for some of their new lines because if we take a look at it within the registry let me hop over to a Windows Virtual Machine where I can open up the registry editor and we'll go ahead and move into that location yep hklm system current control set control terminal server utilities look at these entries because app server is present here process session user winsta and looks like it's running a subcon and like qprocess.exe can I do this on my own here let me fire it up I will go ahead and run just query and you'll see the syntax that we need to supply are any of these sub commands that you can pass as parameters query user and it just lists out okay whatever active users here but that was just simply trying to run Q user.exe can I just run quser.exe and it's the exact same thing all the arguments that you pass to query will still funnel down and go through the little sub command or executable train underneath it but if I double click on cue user here one of the entries look all of these uh have the sort of new lines denoting these and I don't know if that backslash zero kind of Associates with that and I'm just dumb hey so in previous videos where we showcased a lot of these low Bend or living off the land techniques whether it's for persistence mechanisms or what have you we've just used a simple innocent benign payload like popping open a calculator application and that's what we saw OG tweet do in his Twitter response but it would be very cool to do something a little bit more realistic like try to Stage something whether it's a reverse shell whether it's another implant some other Beacon whatever so in this video I am going to go use hoax shell one of the other cool uh applications that we can use to try to put together a reverse shell on Windows but however this is now detected by amsi or the anti-malware scan interface or amsi on Modern versions of Windows I need to supply AI my IP address which is 192.168.11166 now I can run hoax shell with that as The Listener and it just spits out a whole lot of Powershell syntax encoded base64 while it's waiting for a connection I can go ahead and copy this whole thing but back on my Windows Virtual Machine obviously if I try to open up a terminal go ahead and paste this in to run this reverse shell we get an error because look this contains malicious content and it's been blocked by your antivirus software of course Windows Defender is on doing its thing if I actually take a look at the virus and throat protection Center look at this we do have oh even an alert for it okay just run away here but if I scroll down into virus and threat protection oh whatever Cloud delivered protection is off but that's fine real-time protection is still doing its thing we could try to break amsi or MZ using flankvix website and toolmz.fail if we were to generate a payload it'll try to give us oh Matt graber's reflection method or some of roster Mouse's different methods to see if we could oh just stage out a patch for the amsi scan buffer function now all of these used to work for me in the past but I do think that even these still now get flagged and if I try to paste this in it will still trigger and tell me look hey you can't do this uh the script contains malicious content and it's been blocked by AV every single one I've tried even generating an encoded rendition will just still get the same error I don't believe I can get a whole lot of luck out of amsi.fail to try and break amsi right now so let's not use this vanilla Windows 11 virtual machine for our low bin testing let's go ahead and use a separate virtual machine where I can still stage the same sort of process but just for showcase sake if I were to go ahead and add a I don't know like what's the thing that blends in with a query Command right on the command line uh let me just try to take the syntax from one of these others and then rename it to use the SQL database connector I think that will blend in just fine uh and we'll just pop open calc.exe right so let's save that and now from my terminal I'll open up another one here as a low privilege user I can query SQL database connector and then there's the boring Dumbo calculator.exe opens us for us nice now you can of course stage this to like some second order persistence mechanism maybe hide it inside of a Powershell script or a batch script that just gets ran automatically from other scheduled task or service or whatever oh and hey by the way if you're using a whole lot of these living off the land techniques for your red team engagements or for your penetration tests and you probably don't want to have to deal with writing the report after the fact you should probably check out our sponsor hey please allow me to give some love and support to today's sponsor of this video Plex track when you're performing a penetration test you're in the zone you're hacking away and you're having fun Gathering findings beating up vulnerabilities and earning domain admin but you might be dreading the work that comes after you have to write a report but writing a pen test report doesn't have to be dull and boring and long and tedious in fact it can be a breeze you don't even have to worry about your report because Plex track can handle it for you if you aren't familiar Plex track is the Premier cyber security reporting and collaboration platform that makes penetration testers red teamers and cyber security teams more efficient effective and proactive Plex track removes the pain of reporting and lets you collaborate between both red and blue teams for Effective purple teaming and faster remediation the Plex track platform lets you easily aggregate findings pull in reusable content from write-up databases and content libraries and track and measure engagement progress in real time import assets from CSV files or nmap or nessus and so many others of your favorite tools with over 25 Integrations you can streamline your reporting and collaboration process right into your existing workflow you can do even faster testing with plextract run books and show the impact to managers in leadership with Plex tracks analytics and visual realizations within minutes you can have your pen test report done and dusted all with your team's logo and details and then sent off to the client spend more time hacking and less time reporting learn how you can boost your team's efficiency by 30 percent and cut reporting Time by up to 65 percent with Plex track seriously check out Plex track I have great colleagues and peers that use Plex track every day for reporting get started with my link below in the video description and let you and your team get back to hacking huge thanks to Plex track for sponsoring this video but let's get some real fireworks here and let's use this in a different virtual machine that has another antivirus product set up and stage with it it is not using Windows Defender currently it is going to end up using this antivirus where our hope show payload it just flies right onto the radar and runs without an issue so let me go ahead and grab this syntax here I'll change this low bin to use like again another SQL database connector something that will fit in with the word query so at this point I'd love to give this to you for your own exploration or maybe an exercise for the reader or Watcher I don't know if you could stage this without any arguments kind of in the mix or if you can supply those arguments one way or the other maybe you could pull this down for a remote resource maybe iwr invoke web request pipe to IEX uh you could pull it from a file system you can get super creative if you want it I guess see Windows tasks is normally a world writable folder we can call this service and paste in our Powershell syntax just for the sake of showcase here and let me uh save this as really a DOT bad extension so we can run oh I missed a backslash there that should be corrected okay stage again done yes overwrite try to run let's check hope shell do it did it it did it it finally did it okay now I have my uh reverse shell prompt and there we go with the stupid little antivirus that is not detecting this thing a little AV bypass we can do whatever we want granted it is just a reverse shell that's faked uh you can still want anything that you did and then do maliciously with whatever tradecraft we just worry about your AV in the meantime but if we could do some private SK if we can turn that thing off if we can disable the security protections then we're in business and maybe you could stage that query command to hide inside of a system administrator script something that looks like I don't know it's going to work with the database you can have it camouflage you could have it blend in you could set up persistence mechanisms and some sort of second order thing where you still have some cheesy cutesy foothold but then your real Detonator is masked behind this living off the land technique I don't know about you I thought it was kind of cool I hope you enjoyed something like this all credit kudos to ogtweed he's always putting out incredible stuff hey thanks so much for watching hope you learned something and enjoyed this video if you did please do all those YouTube algorithm things like comment subscribe and if you'd be willing to if you feeling super duper generous there are links to patreon down below if you want to become a member of the channel That super duper helps support and keep the channel grown and me I don't know able to keep doing stuff like this thanks again everyone I'll see you in the next video

Original Description

https://jh.live/plextrac || Save time and effort on pentest reports with PlexTrac's premiere reporting & collaborative platform: https://jh.live/plextrac 😎 🔥 YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe! 🙏 SUPPORT THE CHANNEL ➡ https://jh.live/patreon 🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor 🌎 FOLLOW ME EVERYWHERE ➡ https://jh.live/discord ↔ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/instagram ↔ https://jh.live/tiktok 💥 SEND ME MALWARE ➡ https://jh.live/malware
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from John Hammond · John Hammond · 0 of 60

← Previous Next →
1 Code Commentaries? PHP to JavaScript in Bash and PHP!
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
2 Tutorials? MySQL connection with PHP and Bash!
Tutorials? MySQL connection with PHP and Bash!
John Hammond
3 Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
4 JavaScript Splits The URL!
JavaScript Splits The URL!
John Hammond
5 HTML Tables in Python!
HTML Tables in Python!
John Hammond
6 HTML, Net Shares, GML!
HTML, Net Shares, GML!
John Hammond
7 Python 08 Programming Style and Comments
Python 08 Programming Style and Comments
John Hammond
8 Python 26 Object Oriented Programming
Python 26 Object Oriented Programming
John Hammond
9 75 Python Tutorials, Out Now!
75 Python Tutorials, Out Now!
John Hammond
10 Batch 14 Mathematical Expressions
Batch 14 Mathematical Expressions
John Hammond
11 Batch 85 Array Append
Batch 85 Array Append
John Hammond
12 Batch 86 Array Count
Batch 86 Array Count
John Hammond
13 Batch 87 Array Index
Batch 87 Array Index
John Hammond
14 Batch 88 Array Insert
Batch 88 Array Insert
John Hammond
15 Batch 89 Array Remove
Batch 89 Array Remove
John Hammond
16 Batch 90 Array Reverse
Batch 90 Array Reverse
John Hammond
17 Python [colorama] 00 Installing on Linux
Python [colorama] 00 Installing on Linux
John Hammond
18 Python [colorama] 09 Cursor Position
Python [colorama] 09 Cursor Position
John Hammond
19 Python [hashlib] 02 Algorithms
Python [hashlib] 02 Algorithms
John Hammond
20 Python 00 Installing IDLE on Linux
Python 00 Installing IDLE on Linux
John Hammond
21 Python [pygame] 11 Rectangular Collision Detection
Python [pygame] 11 Rectangular Collision Detection
John Hammond
22 Python [pygame] 12 Platforming Rectangular Collision Resolution
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
23 Python [XML-RPC] 01 Research
Python [XML-RPC] 01 Research
John Hammond
24 Python [pyenchant] 03 Personal Word Lists
Python [pyenchant] 03 Personal Word Lists
John Hammond
25 FancyURLopener Authentication and User-Agent [urllib] 03
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
26 Python 04: PEP8 Coding
Python 04: PEP8 Coding
John Hammond
27 Python Challenge! 17 COOKIES
Python Challenge! 17 COOKIES
John Hammond
28 Google CTF 2016: Ernst Echidna
Google CTF 2016: Ernst Echidna
John Hammond
29 Google CTF 2016: Spotted Quoll
Google CTF 2016: Spotted Quoll
John Hammond
30 Google CTF 2016: Can you Repo It?
Google CTF 2016: Can you Repo It?
John Hammond
31 Google CTF 2016: No Big Deal
Google CTF 2016: No Big Deal
John Hammond
32 Google CTF 2016: In Recorded Conversation
Google CTF 2016: In Recorded Conversation
John Hammond
33 Homemade CTF Challenge: 01 "Orchestra"
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
34 Homemade CTF Challenge: 02 "Bae's Base"
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
35 Homemade CTF Challenge: 03 "Web Hunt"
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
36 Homemade CTF Challenge: 04 "UPX"
Homemade CTF Challenge: 04 "UPX"
John Hammond
37 Homemade CTF Challenge: 05 "The Assumption Song"
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
38 Homemade CTF Challenge: 06 "A Brisk Stroll"
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
39 Homemade CTF Challenge: 06 "I lost my password!"
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
40 web25 :: Mr. Robot : EKOPARTY CTF 2016
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
41 web50 : RFC 7230 :: EKOPARTY CTF 2016
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
42 misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
43 Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
44 Hack The Vote 2016 CTF Warpspeed [forensics150]
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
45 Juniors CTF 2016 :: Black Suprematic Square
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
46 Juniors CTF 2016 :: Six Strange Tales
Juniors CTF 2016 :: Six Strange Tales
John Hammond
47 Juniors CTF 2016 :: Lost Code
Juniors CTF 2016 :: Lost Code
John Hammond
48 Juniors CTF 2016 :: Here Goes!
Juniors CTF 2016 :: Here Goes!
John Hammond
49 Juniors CTF 2016 :: Southern Cross
Juniors CTF 2016 :: Southern Cross
John Hammond
50 Juniors CTF 2016 :: Clone Attack
Juniors CTF 2016 :: Clone Attack
John Hammond
51 Juniors CTF 2016 :: Dirty Repo
Juniors CTF 2016 :: Dirty Repo
John Hammond
52 Juniors CTF 2016 :: Hackers Blog
Juniors CTF 2016 :: Hackers Blog
John Hammond
53 Juniors CTF 2016 :: Voting!!!
Juniors CTF 2016 :: Voting!!!
John Hammond
54 Juniors CTF 2016 :: The Good, The Bad and The Junkman
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
55 Juniors CTF 2016 :: Stop Thief!
Juniors CTF 2016 :: Stop Thief!
John Hammond
56 Juniors CTF 2016 :: ROFL
Juniors CTF 2016 :: ROFL
John Hammond
57 Juniors CTF 2016 :: Restriced Area
Juniors CTF 2016 :: Restriced Area
John Hammond
58 Juniors CTF 2016 :: Oh SSH!
Juniors CTF 2016 :: Oh SSH!
John Hammond
59 HackCon CTF 2017 TRIVIA and BONUS Challenges
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
60 HackCon CTF 2017 "Bacche" Challenges
HackCon CTF 2017 "Bacche" Challenges
John Hammond

This video teaches how to hide a hacker's reverse shell in one command using various tools and techniques, and how to use living off the land techniques for persistence. It also covers how to bypass antivirus detection and create a second-order foothold for further exploitation.

Key Takeaways
  1. Stage a registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Utilities
  2. Use the query command with a subcommand to run a custom operation
  3. Run hoax shell with a listener
  4. Copy the Powershell syntax encoded in base64
  5. Paste the syntax into a terminal to run the reverse shell
  6. Try to break AMSI using flankvix and toolmz.fail
  7. Generate a payload to stage a patch for the AMSI scan buffer function
  8. Stage the reverse shell in a Powershell script or batch script
  9. Invoke a web request to pull the reverse shell from a remote resource or file system
  10. Use Windows Task Scheduler to run the reverse shell
💡 The video demonstrates how to use living off the land techniques to hide a reverse shell in one command and bypass antivirus detection, highlighting the importance of defensive AI in preventing such attacks.

Related Reads

Up next
Why Cyber security is important for your SEO
Menerva Digital
Watch →