shepard-in-progress-persistent-download-upload-execution-tool-using-windows-bits

This is an IN PROGRESS persistance tool using Windows Background Intelligent Transfer Service (BITS).

Functionality: File Download, File Exfiltration, File Download + Persistent Executionhttps://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4429384950262667&output=html&h=280&adk=2137497429&adf=1462405177&pi=t.aa~a.3337566754~i.6~rp.4&w=1118&fwrn=4&fwrnh=100&lmt=1623163052&num_ads=1&rafmt=1&armr=3&sem=mc&pwprc=6189846884&psa=1&ad_type=text_image&format=1118×280&url=https%3A%2F%2Fwww.cybeseclabs.com%2F2021%2F06%2F05%2Fshepard-in-progress-persistent-download-upload-execution-tool-using-windows-bits%2F&flash=32.0.0&fwr=0&pra=3&rh=200&rw=1118&rpe=1&resp_fmts=3&wgl=1&fa=27&adsid=ChAI8Kr8hQYQueHGxqj0_a0TEi8A9cGHIpeYgJUZL8pzNbdupLJh8P8_qSXjb-R391KtlAKYZgavJ4PHSRB_gUEI9w&dt=1623163052882&bpp=4&bdt=2106&idt=-M&shv=r20210603&cbv=%2Fr20190131&ptt=9&saldr=aa&abxe=1&cookie=ID%3Dbb772ddf47e5c9d5-221aba1c44c900ee%3AT%3D1623159438%3ART%3D1623159438%3AS%3DALNI_MZ81ZRodJg1UBpJxL_bHS1zcfcziQ&prev_fmts=0x0%2C728x90&nras=2&correlator=4822696923899&frm=20&pv=1&ga_vid=1081803457.1623163051&ga_sid=1623163051&ga_hid=2076492524&ga_fc=0&u_tz=330&u_his=5&u_java=1&u_h=900&u_w=1440&u_ah=807&u_aw=1440&u_cd=24&u_nplug=2&u_nmime=5&adx=226&ady=1738&biw=1440&bih=742&scr_x=0&scr_y=0&oid=3&pvsid=4107041835134553&pem=606&ref=https%3A%2F%2Fwww.cybeseclabs.com%2F&eae=0&fc=1408&brdim=0%2C23%2C0%2C23%2C1440%2C23%2C1440%2C805%2C1440%2C742&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=128&bc=31&jar=2021-06-08-13&ifi=4&uci=a!4&btvi=1&fsb=1&xpc=yfgtUncDqO&p=https%3A//www.cybeseclabs.com&dtd=36

Usage: run shepard.exe as Administrator with the following command line argumentshttps://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4429384950262667&output=html&h=280&adk=2137497429&adf=3124963973&pi=t.aa~a.3337566754~i.8~rp.4&w=1118&fwrn=4&fwrnh=100&lmt=1623163052&num_ads=1&rafmt=1&armr=3&sem=mc&pwprc=6189846884&psa=1&ad_type=text_image&format=1118×280&url=https%3A%2F%2Fwww.cybeseclabs.com%2F2021%2F06%2F05%2Fshepard-in-progress-persistent-download-upload-execution-tool-using-windows-bits%2F&flash=32.0.0&fwr=0&pra=3&rh=200&rw=1118&rpe=1&resp_fmts=3&wgl=1&fa=27&adsid=ChAI8Kr8hQYQueHGxqj0_a0TEi8A9cGHIpeYgJUZL8pzNbdupLJh8P8_qSXjb-R391KtlAKYZgavJ4PHSRB_gUEI9w&dt=1623163052882&bpp=4&bdt=2106&idt=-M&shv=r20210603&cbv=%2Fr20190131&ptt=9&saldr=aa&abxe=1&cookie=ID%3Dbb772ddf47e5c9d5-221aba1c44c900ee%3AT%3D1623159438%3ART%3D1623159438%3AS%3DALNI_MZ81ZRodJg1UBpJxL_bHS1zcfcziQ&prev_fmts=0x0%2C728x90%2C1118x280&nras=3&correlator=4822696923899&frm=20&pv=1&ga_vid=1081803457.1623163051&ga_sid=1623163051&ga_hid=2076492524&ga_fc=0&u_tz=330&u_his=5&u_java=1&u_h=900&u_w=1440&u_ah=807&u_aw=1440&u_cd=24&u_nplug=2&u_nmime=5&adx=226&ady=2060&biw=1440&bih=742&scr_x=0&scr_y=0&oid=3&pvsid=4107041835134553&pem=606&ref=https%3A%2F%2Fwww.cybeseclabs.com%2F&eae=0&fc=1408&brdim=0%2C23%2C0%2C23%2C1440%2C23%2C1440%2C805%2C1440%2C742&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=128&bc=31&jar=2021-06-08-13&ifi=5&uci=a!5&btvi=2&fsb=1&xpc=Bf8f9I2SKM&p=https%3A//www.cybeseclabs.com&dtd=57

-d remoteLocation, writePath: regular file download to a local path of your choice

-e remoteLocation, localPath: regular file upload from a local path of your choice (only sends to IIS server, this is a limitation with BITS)

-dr remoteLocation, writePath, [optionalFileArgs]: file download to a path of your choice, and will attempt to maintain persitance. The downloaded file will attempt to run with optionalFileArgs and BITS will check back every 30 seconds to make sure the file is still running on the compromised system.

Running this executable with no arguments or an incorrect amount of arguments will cause shepard to exit cleanly.
BINDSHELL

The server (victim) is written using C#. It listens on port 6006.

Usage: run shepardsbind_serv.exe with no arguments.

The client (attacker) is written using Python and takes one argument: the IP address of the victim’s machine. Usage: run shepardsbind_recv.py with one argument: <victim’s IP>

Running shepardsbind_recv.py with no arguments will return an error. The prompt will look like: %SBS%
Using them in conjunction

The only executable that must be on the victim’s machine is shepard.exe. Host the download bindshell executable to a publicly accessible place. Shepard will download and run the bindshell executable, and the user can now use the python reciever. If the shell is found and killed, it will restart after 30 seconds. Last steps in progress: finding out how to rerun shepard.exe to redownload in case the shell executable is deleted. Most likely will use a service

Download Shepard

+————————————————-

This is only an educational purposes only I am not responsible for further activities

Join my forum and learn more ethical hacking and penetration testing

https://t.me/whiteHatHacks

Get me at

alex14324.blogspot.com

https://t.me/alex14324

https://github.com/alex14324

https://www.instagram.com/alex_14324

https://discord.gg/6NPtGxZ

——————————————————-+

Leave a Reply

Your email address will not be published. Required fields are marked *