Poiana – Reverse shell over TOR network using hidden services

Reverse shell over TOR network using hidden services

Poiana lets you spawn a reverse Metasploit shell over the Tor network through a hidden service. Because the connection is routed through Tor2Web, the victim does not need Tor or ncat installed: the victim reaches our hidden service through a Tor2Web gateway. It's really an interesting way to pop a reverse shell anonymously.


Features

-> Create a hidden service

-> Generate non-staged payload (python/meterpreter_reverse_http)

-> Convert the .onion URL for Tor2Web: the .ws extension is appended, so the URL becomes reachable from outside the Tor network

-> Generate batch .rc file for msfconsole

Usage

$ git clone https://github.com/CalfCrusher/Poiana/

$ cd Poiana && pip3 install -r requirements.txt

$ python3 poiana.py

NOTE: You need to edit your torrc file and insert: ControlPort 9151

I didn't want to insert this automatic 'feature' in my tool because, of course, you need to be root to edit torrc. This way, the script can run just like a normal user. Remember: do NOT run/trust scripts from others; discovering a backdoor in fancy scripts is not rare, unfortunately! Take care of the source code, always 🙂

Be careful if the script fails to delete hidden_service_data for some reason. The script won't start correctly if this dir is already present before running the tool. I'm trying to fix this behavior, also because I want to add the (optional) feature to have a persistent onion URL and maybe the option to make an ephemeral hidden service (a hidden service without touching disk).

Why this project?

Reverse Shell on hidden services through Tor is sexy

One of the weaknesses of attackers, when they exfiltrate compromised information, is that they expose part of their technological infrastructure during the process. In this sense, the Tor network offers the possibility of making services on a machine accessible as hidden services, taking advantage of the anonymity it offers and thereby preventing the location of the machine from being exposed. Using Tor2Web, the victim doesn't need to have Tor or ncat: the victim can establish a connection to our hidden service through a Tor2Web gateway. To me, it's really an interesting way to pop a reverse shell quite anonymously.

Tor2Web

Tor2web (https://www.tor2web.org) is a software project that allows Tor hidden services to be accessed from a standard browser without being connected to the Tor network. You can find a list of Tor2Web volunteer gateways here: https://www.reddit.com/r/onions/comments/bx19c6/list_of_tor2web_gateways/
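Because a Tor2Web gateway exposes an onion service under a clearnet hostname (the tool appends .ws), outbound requests to such hostnames are a useful signal for the defending side. The following is an added example, not part of Poiana or the Tor2Web project: it scans a constructed proxy log (the log format is an assumption) for hostnames of the form <onion-name>.onion.<gateway>, which generalises the .ws case to any gateway suffix (also an assumption).

```python
import re
from typing import Dict, List, Optional

# Onion service names are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
# A Tor2Web gateway exposes <name>.onion as <name>.onion.<gateway>; the page
# describes the ".ws" variant. Assumption: other gateways use the same scheme,
# so the pattern accepts any suffix after ".onion.".
TOR2WEB_HOST = re.compile(
    r"^(?P<onion>[a-z2-7]{16}|[a-z2-7]{56})\.onion\.(?P<gateway>[a-z0-9.-]+)$",
    re.IGNORECASE,
)
URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)

# Constructed sample proxy log (assumed format: time client method url status).
V3_NAME = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56]  # constructed 56-char name
SAMPLE_LOG = "\n".join([
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-01-01T10:00:07Z 10.0.0.5 GET http://abcdefghijklmnop.onion.ws/s 200",
    f"2024-01-01T10:00:09Z 10.0.0.9 POST https://{V3_NAME}.onion.ws/ 200",
    "2024-01-01T10:00:12Z 10.0.0.7 GET https://notanonion.onion.ws/ 404",
    "2024-01-01T10:00:15Z 10.0.0.7 GET https://example.onion.ws.example.com/ 200",
])


def tor2web_target(url: str) -> Optional[Dict[str, str]]:
    """Return the onion name and gateway if url points at a Tor2Web gateway."""
    host = URL_HOST.match(url)
    if not host:
        return None
    m = TOR2WEB_HOST.match(host.group(1))
    if not m:
        return None  # not a <base32>.onion.<gateway> host (e.g. plain clearnet)
    return {"onion": m.group("onion").lower() + ".onion",
            "gateway": m.group("gateway").lower()}


def find_tor2web_requests(log_text: str) -> List[Dict[str, str]]:
    """Scan proxy log lines and report requests that went through a Tor2Web gateway."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash
        time, client, method, url, status = fields[:5]
        target = tor2web_target(url)
        if target:
            hits.append({"time": time, "client": client, "method": method,
                         "status": status, **target})
    return hits
```

Only hosts whose first label is a valid 16- or 56-character base32 onion name are reported, so lookalikes such as notanonion.onion.ws or a gateway name buried in a longer domain are ignored.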

Disclaimer

The onion network is NOT 100% bulletproof: https://www.wired.com/2014/12/fbi-metasploit-tor. I made this tool for educational use only. I'm not responsible for the consequences of illegal use. Please understand also that there is no warranty for this free software. Please note also that using Tor2Web is NOT secure from the victim's point of view: the point of Tor is that users can connect without being eavesdropped on, and going through the clearnet (Tor2Web), even with HTTPS, seriously cripples the efforts made to protect users!


CREDITS: CalfCrusher