• Stars
    star
    1,440
  • Rank 32,688 (Top 0.7 %)
  • Language
    Python
  • License
    MIT License
  • Created over 6 years ago
  • Updated over 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Pop shells like a master.

ShellPop

About

Shellpop is all about popping shells. With this tool you can generate easy and sophisticated reverse or bind shell commands to help you during penetration tests.

Don't waste more time with .txt files storing your Reverse shells!

Installation

Python 2.7 is required.

3.0+ version will not work.

Required Dependencies Install

root@kali# apt-get install python-argcomplete metasploit-framework -y
root@kali# pip install -r requirements.txt

Setup Install

root@kali# python setup.py install

PS: After installation, tab auto-complete will only work after restarting the terminal.

Index


Help Section

To quickly list all available options of this tools, use --help.

Command line examples

root@kali# shellpop --help

Screenshot


Shells List

List of shells

You can list all available shellpop shells using the --list option.

Command line example

root@kali# shellpop --list

ShellsList

Auto-Complete [NEW]

Now shellpop has auto-complete feature. To use it, you need to forget about --number and (--reverse or --bind), just stick to --payload argument. Like the image below:

Autocomplete

Basics


Copying it to clipboard

Dont waste time. This tool is all about NOT wasting time. So you can use --clip option to all your generated payloads and get them automagically copied to your clipboard.

Shell Types

There is two types of payloads in this program: Bind or Reverse.


1. Reverse shell

Reverse shells use your attacker machine to serve as the "server". In this type of payload, you need both --host and --port pointing back to your machine. A handler must be set.


2. Bind shell

Bind shells use the remote host to serve the connection. In this type of payload, all you need is the --port option with a valid port number.

Command line examples

Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443

Screenshot

Generating a Powershell TCP bind shell over port 1337

Screenshot


Obfuscation

There are currently two main methods of obfuscation available for your generated payloads:

  1. Variable renaming obfuscation

Replaces all variables in payload with randomly named ones. Applied to every payload automatically.

Screenshot

  1. IPfuscation

Obfuscate the IP addresse and port used by the payload

Coined by @vysecurity, IPfuscation is simply leveraging the little known fact that IP addresses can be converted to decimal, octal, and hexadecimal numbers, or a combination of all three, and still be used.

Port obfuscation is accomplished by replacing the port number with a mathematical expression that evaluates to the port number.

Screenshot

Here the IP address in the generated payload is a combination of different number bases. The first part in normal decimal notation, the second and third parts are 2 and 3 converted to octal with random zeros as padding, and the fourth part is 4 in hex, with some zeros as padding also. The selection of bases to use in each part of the IP address is randomized, as well as the number of zeros used as padding to hex and octal numbers.

The port is obfuscated by replacing 443 with an expression that evaluates to 443. This expression is generated randomly as well.


Size Concerns

Although IPfuscation is optional, random variable obfuscation is now automatically enforced on all payloads. If the size of the payload is a real concern, you can pass the --obfuscate-small option to have the payload be minimally increased in size by obfuscation. The variable names, IP address and port number will be significantly shorter when used with this option.

Screenshot


Encoders

Encoders are special options that you can use while generating shellpop payloads.

There are, currently, three encoding methods that can be applied singularly, or concurrently, and they are:

  1. XOR encoding

Uses a random numeric key (1-255) to obfuscate the payload and add a decryption stub to decrypt it.

  1. Base64 encoding

Simple base64 encoding in payload data and add a decryption stub to decrypt it.

  1. URL encoding

Simple URL encode over the final payload.

Command line examples

Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 but using URL-encoding, suitable to use over HTTP protocol.

Screenshot

Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 but encode it to base64 and set-up a wrapper to decode it. This helps when quotes are troublesome.

Screenshot

Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 URL-encoded and encoded to base64 ... Yes, you know the drill!

Screenshot

Generating a Powershell bind shell over port 1337 encoded in base64

Screenshot

Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 using --xor encoding.

Screenshot

Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 using ALL methods of encoding!

Screenshot


Handlers

Handler is a mechanism to "handle" the act of serving a socket to receive the incoming connection or to connect itself to a server endpoint in a way to establish your shell.

Currently there is support of the following TCP handlers:

  1. TCP PTY Handlers
  2. TCP Meta-Handlers [NEW]

This means every TCP shell can have appended to their command-line argument the --handler option. Removing the necessity of the operator to spawn the handler (probably ncat or nc) by himself.

Screenshot

Meterpreter Shells [NEW]

This feature was widely asked by people who used this tool. Now it is technically possible to upgrade all shellpop shells to meterpreter, as since 0.3.6, handler uses by default the Metasploit Framework to land shells.

Meterpreter


Stagers

Stager is a mechanism of serving your payload in STAGES. Sometimes payload complexity or size can get troublesome. In such cases, you can craft a small payload which in turn can request and execute the bigger one.

Currently there is support of the following Stagers protocols:

  1. HTTP

HTTP Stagers

ShellPop has the following set of HTTP stagers to fit in any scenario you would want:

  1. Linux Stagers (Python, Perl, Wget and cURL)
  2. Windows Stagers (Powershell, CertUtil, BitsAdmin and Cscript)

To use HTTP staging, append to your command line --stager http and, optionally, if you want to specify the HTTP server port, the --http-port flag will put your port number in front of the pre-defined ones.

Screenshot


Protocols

Currently there is support of two protocols to land your shells:

  1. TCP
  2. UDP
  3. ICMP (Nishang ICMP shell)

Command line examples

TCP is blocked but UDP is not? Let there be shell!

Screenshot


Credits

This code is authored by Andre Marques (@zc00l) and this project's contributors.

It is made open to public the moment it was released in this github.

Any damage caused by this tool don't make any contributor, including the author, of responsibility.


Team Members


Contributors

We really appreciate all Contributors.

More Repositories

1

FakePip

Pip install exploit package
Python
150
star
2

CVE-2019-0841-BYPASS

A fully automatic CVE-2019-0841 bypass targeting all versions of Edge in Windows 10.
C++
60
star
3

CVE-2018-1000001

glibc getcwd() local privilege escalation compiled binaries
C
32
star
4

Shellkiller

A killer reverse-shell script that is able to use a lot of techniques to ensure your shell will pop back to you.
Shell
27
star
5

NamedPipes

Bind shell that uses Named Pipes as transport and execute PowerShell code through Runspaces.
C#
16
star
6

CVE-2016-2098

Ruby On Rails unrestricted render() exploit
Go
16
star
7

-CVE-2017-9805

Exploit script for Apache Struts2 REST Plugin XStream RCE (β€ŽCVE-2017-9805)
Python
15
star
8

CVE-2019-1064

CVE-2019-1064 Local Privilege Escalation Vulnerability
C#
12
star
9

TelePreter

Telegram-based PowerShell Runspace Host
C#
11
star
10

CVE-2018-12613

PHPMyAdmin v4.8.0 and v.4.8.1 LFI exploit
PowerShell
10
star
11

CVE-2016-10033

PHPMailer < 5.2.18 Remote Code Execution Exploit
Go
7
star
12

XXE

My own repository used for testing XXE vulnerabilities in a more automated way.
Python
6
star
13

CVE-2017-5638

Struts02 s2-045 exploit program
Go
5
star
14

CVE-2018-10517

CMS Made Simple 2.2.7 RCE exploit
PowerShell
4
star
15

shemutils

Pythonic multi-task library of encryption, database, logging and checksum.
Python
3
star
16

0x00-0x00.github.io

Ruby
3
star
17

ctf_tools

Tools we (Watchers) use for CTF wargames.
C
3
star
18

CVE-2015-3224

Modification of Metasploit module for RCE in Ruby-On-Rails Console CVE-2015-3224
Ruby
2
star
19

CVE-2014-6271

Shellshock exploitation script that is able to upload and RCE using any vector due to its versatility.
Python
2
star
20

CVE-2018-10949

Zimbra Collaboration Suite Username Enumeration
Python
2
star
21

gadreel-bot

Telegram bot to help with task management and CTF wargames
Python
2
star
22

router_attack

wireless security audit repository
Python
2
star
23

decryptor

A substitution cipher decryptor that uses the operator (user) to decrypt the cipher on-the-fly.
Python
1
star
24

asyncspider

A URL brute-forcer to find hidden files from a target URL. AsyncIO.
Python
1
star
25

CTF_SecurityWeekend

Data for FATEC's 1st SecurityWeekend CTF
1
star
26

hashfind

A simple program to request to decrypthash.com to decrypt the hash given by the user.
Python
1
star
27

crypt

Crypt is a cryptography tool to protect all kinds of data using AES-256 and RSA-4096 algorithms.
Python
1
star
28

shredder

C program to erase files securely overwritting data with random patterns.
C
1
star
29

CVE-2018-7422

Wordpress plugin Site-Editor v1.1.1 LFI exploit
PowerShell
1
star
30

nichide

NicHide is a pure-C program to hide your NIC hardware address.
C
1
star
31

autobackup

C program to handle rsync and SimplePush notifications easily for my own servers.
C
1
star
32

shell_scripts

My own shell scripts used for management.
Shell
1
star
33

ReverseEngineerPractice

Reverse Engineering Tutorial Files from Lena Course
HTML
1
star
34

proxypwn

ProxyPwn is a scanner and tunneler for open proxies.
Python
1
star
35

netcracker

WiFi auditing tool to monitor, capture and crack WPA handshakes.
Python
1
star
36

CVE-2018-15131

Zimbra Collaboration Suite Username Enumeration
Python
1
star
37

pybackdoor

poc backdoor using python and threading
C++
1
star
38

netwatch

NetWatch is a tool to monitor network hosts TCP ports, uptime and visualize scan logs.
Shell
1
star