Hoaxshell

Features

C2 Beaconing Protocols - Implements an HTTP beaconing protocol where victim clients periodically poll a handler to receive and execute instructions.

PowerShell Language Mode Bypasses - Implements specialized PowerShell payload construction to bypass Constrained Language Mode restrictions on hardened Windows systems.

HTTP Beaconing C2 Systems - Provides a command and control system where victims periodically poll a handler over HTTP to receive instructions.

Constrained Language Mode Payloads - Constructs PowerShell commands using specific syntax and alternative cmdlets to execute in restricted language mode environments.

Constrained Mode Payloads - Generates specific payload variants that remain functional even when PowerShell is in constrained language mode.

PowerShell Payloads - Generates encoded single-line PowerShell payloads for remote command execution.

C2 Beacon Generators - Provides the core capability to generate PowerShell payloads that establish HTTP beaconing sessions with a C2 handler.

C2 HTTPS Listeners - Ships a secure listener that uses TLS certificates to encrypt shell traffic and supports routing through public tunnels.

HTTP Beaconing Protocols - Implements an HTTP beaconing protocol for persistent remote command execution and control.

C2 Session Identifiers - Uses unique identifiers embedded in HTTP headers to associate incoming requests with specific persistent shell sessions.

Shell Session Persistence - Maintains session metadata allowing disconnected victims to reattach to their existing shell upon reconnection.

Remote Command Execution Tools - Establishes persistent remote access to Windows systems using encoded PowerShell or cURL payloads.

Reverse Shell Listeners - Provides a standalone HTTP/HTTPS listener to manage multiple incoming reverse shell connections via session IDs.

Reverse Shells - Generates and manages PowerShell or CMD payloads that establish remote command execution over HTTP or HTTPS.

PowerShell Reverse Shell Frameworks - Generates and manages Windows reverse shell payloads that communicate over HTTP or HTTPS for remote command execution.

Reverse Shell Payloads - Creates operational reverse shell command strings that connect the target system to a remote handler.

Payload Traffic Encryptions - Secures remote shell traffic using SSL certificates and custom HTTP headers to evade network detection.

Session Identifiers - Uses unique session identifiers in HTTP headers to associate incoming requests with specific shell sessions.

C2 Session Recovery - Reestablishes control over active remote payloads after a handler crash or network disconnection using session identifiers.

Network Tunneling - Routes reverse shell traffic through services like Ngrok or LocalTunnel to bypass firewalls and NAT restrictions.

Encrypted Shells - Secures C2 traffic using TLS certificates to create encrypted HTTPS shells and evade network detection.

Session Restoration - Re-establishes connectivity to a running remote payload following a handler disconnection or system crash.

Header Obfuscation - Disguises session traffic by using custom HTTP header names to bypass antivirus traffic analysis.

NAT Traversal Routings - Routes reverse shell connections through public tunnel services to reach targets located behind NAT.

Traffic Tunneling - Directs reverse shell traffic through public tunnel services to operate without a static IP address.

Tunnel-Agnostic Listeners - Binds the local listener to a port that accepts forwarded traffic from external tunneling services like Ngrok.

C2 Session Recovery - Enables recovery of control over active remote payloads by starting a new handler instance.

Listener Certificate Injection - Embeds custom SSL certificates and private keys into the listener to encrypt traffic and evade network detection.

cURL-Based Shell Payloads - Provides reverse shell capabilities using Windows Command Prompt and cURL to bypass PowerShell-specific security restrictions.

cURL Reverse Shells - Provides an alternative delivery mechanism using Windows CMD and cURL for environments where PowerShell is restricted.

Session ID Capturers - Provides a session grab mode to reconnect to running payloads by capturing existing session IDs after a restart.

Stateful Session Persistence - Maintains session state on the handler to allow disconnected victims to reattach using their session ID.

Payload Obfuscators - Randomizes session IDs, URLs, and headers to obfuscate payload signatures and evade antivirus detection.

Command and Control - Generates and handles Windows reverse shell payloads over HTTP.

Hoaxshell is a command and control system for Windows remote command execution. It provides a framework for generating and managing reverse shell payloads that utilize an HTTP beaconing protocol, where victim clients periodically poll a handler to receive and execute instructions.

The project distinguishes itself through its ability to bypass PowerShell Constrained Language Mode using specialized payload generation. It supports encrypted command and control via TLS certificate injection and provides mechanisms for remote session recovery, allowing a handler to reestablish control over active payloads after a disconnection or system crash.

The system covers a broad range of capabilities including the generation of both PowerShell and cURL-based payloads, the use of custom HTTP headers to obfuscate traffic, and the integration of public tunnel routing to bypass NAT and firewall restrictions.

The tool is implemented in Python.

Features