[ Linux Machine ] Session status gets in "undefined" state after closing the terminal in victim machine where the payload was executed

t3l3machus / Villain

Villain is a high level stage 0/1 C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities) and share them among connected sibling servers (Villain instances running on different machines).

Other

3.72k stars 598 forks source link

[ Linux Machine ] Session status gets in "undefined" state after closing the terminal in victim machine where the payload was executed #61

Closed yaseerkhan closed 2 weeks ago

yaseerkhan commented 1 year ago

I am not sure if it's only me or if others encountered this issue as well.

When I use "shell {session ID}" and run commands I observed behavior in the victim machine terminal where I pasted the payload.
After closing the terminal where I pasted the payload, the status of the session becomes undefined and it doesn't work anymore.

stevenhay commented 1 year ago

Also happening on Windows, payload runs correctly, session gets generated but then the powershell instance quits and the session sits on "Undefined" and no commands work

yaseerkhan commented 1 year ago

Also happening on Windows, payload runs correctly, session gets generated but then the powershell instance quits and the session sits on "Undefined" and no commands work

have you tried turning off real time protection in firewall settings?

SolsticeSpectrum commented 1 year ago

I am not sure if it's only me or if others encountered this issue as well.

1. When I use "shell {session ID}" and run commands I observed behavior in the victim machine terminal where I pasted the payload.

2. After closing the terminal where I pasted the payload, the status of the session becomes undefined and it doesn't work anymore.

I can confirm this behaviour

t3l3machus commented 1 year ago

The shells you can grab with Villain at the moment are not fully functional ptys. If you run commands that start interactive sessions (e.g., nano, cat > file.txt, sh/zsh/bash, vim) your shell will hang. The commands you issue must always return. Maybe its because of that?

SolsticeSpectrum commented 1 year ago

Probably yes, how about creating a service? And running it as a service? That would also mean that it will stay hidden from htop.

yaseerkhan commented 1 year ago

The shells you can grab with Villain at the moment are not fully functional ptys. If you run commands that start interactive sessions (e.g., nano, cat > file.txt, sh/zsh/bash, vim) your shell will hang. The commands you issue must always return. Maybe its because of that?

No that is understandable, but here sessions were the main concern as they get into undefined state after closing the terminal where the payload is executed! let me try to explain it with an example.

I generated a payload for Windows and executed that payload in the Powershell but now when I close that instance of PowerShell the session status changes to undefined state and that specific session is not usable any further

I hope this example helps you get an idea of what i was talking about initially!!

t3l3machus commented 2 weeks ago

I'm checking out old issues again lately. This does not appear reproducible

yaseerkhan commented 2 weeks ago

I'm checking out issued again lately. This does not appear reproducible

I will check and let you know.

SolsticeSpectrum commented 2 weeks ago

@t3l3machus the problem is that the terminal instance has the reverse shell as it's child, if you kill the parent, you kill the session. Unless you changed something to spawn as a separate process or you added persistence either through injection or services

t3l3machus commented 2 weeks ago

there are some payloads that use nohup and disown to survive a user logout / closing a terminal, but not all of them work in that manner