Skip to content

Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures.

License

Notifications You must be signed in to change notification settings

furkansayim/SpookFlare

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SpookFlare

SpookFlare

SpookFlare has a different perspective to bypass security measures and it gives you the opportunity to bypass the endpoint countermeasures at the client-side detection and network-side detection. SpookFlare is a loader/dropper generator for Meterpreter, Empire, Koadic etc. SpookFlare has obfuscation, encoding, run-time code compilation and character substitution features. So you can bypass the countermeasures of the target systems like a boss until they "learn" the technique and behavior of SpookFlare payloads.

  • Obfuscation
  • Encoding
  • Run-time Code Compiling
  • Character Substitution
  • Patched Meterpreter Stage Support
  • Blocked powershell.exe Bypass
     ___ ___  ___   ___  _  _____ _      _   ___ ___ 
    / __| _ \/ _ \ / _ \| |/ / __| |    /_\ | _ \ __|
    \__ \  _/ (_) | (_) | ' <| _|| |__ / _ \|   / _| 
    |___/_|  \___/ \___/|_|\_\_| |____/_/ \_\_|_\___|

            Version    : 2.0
            Author     : Halil Dalabasmaz
            WWW        : artofpwn.com, spookflare.com
            Twitter    : @hlldz
            Github     : @hlldz
            Licence    : Apache License 2.0
            Note       : Stay in shadows!

 [*] You can use "help" command for access help section.

SpookFlare > list

 ID | Payload                | Description                                                
----+------------------------+------------------------------------------------------------
 1  | meterpreter/binary     | .EXE Meterpreter Reverse HTTP and HTTPS loader             
 2  | meterpreter/powershell | PowerShell based Meterpreter Reverse HTTP and HTTPS loader 
 3  | javascript/hta         | .HTA loader with .HTML extension for specific command      
 4  | vba/macro              | Office Macro loader for specific command                   

Installation

# git clone https://github.com/hlldz/SpookFlare.git
# cd SpookFlare
# pip install -r requirements.txt

Docker Build

docker run -t spookflare .

Docker Run

docker run --rm -it -v $(pwd):/tmp/spookflare/output -p 80:80 spookflare 
docker run --rm -it -v $(pwd):/tmp/spookflare/output -p 8080:8080 spookflare
docker run --rm -it -v $(pwd):/tmp/spookflare/output -p 443:443 spookflare
docker run --rm -it -v $(pwd):/tmp/spookflare/output -p 555:555 spookflare

Docker Run Example: docker run --rm -it -v $(pwd):/tmp/spookflare/output -p 80:80 xshuden/spookflare

Technical Details

https://artofpwn.com/spookflare.html

Usage Videos and Tutorials

Note

I developed the SpookFlare and technique for use in penetration tests, red team engagements and it is purely educational. Please use with responsibility and stay in shadows!

Acknowledgements and References

Special thanks to the following projects and contributors.

About

Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Python 98.3%
  • Dockerfile 1.7%