{"id":13389848,"url":"https://github.com/0x00-0x00/ShellPop","last_synced_at":"2025-03-13T14:32:08.957Z","repository":{"id":37734710,"uuid":"124334139","full_name":"0x00-0x00/ShellPop","owner":"0x00-0x00","description":"Pop shells like a master.","archived":false,"fork":false,"pushed_at":"2019-04-02T14:53:19.000Z","size":13445,"stargazers_count":1451,"open_issues_count":5,"forks_count":236,"subscribers_count":51,"default_branch":"master","last_synced_at":"2025-03-03T11:36:27.852Z","etag":null,"topics":["bind","hacking","pentest","pop-shells","remote","reverse","shell"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0x00-0x00.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-03-08T03:58:00.000Z","updated_at":"2025-02-27T07:39:01.000Z","dependencies_parsed_at":"2022-07-10T02:00:38.411Z","dependency_job_id":null,"html_url":"https://github.com/0x00-0x00/ShellPop","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x00-0x00%2FShellPop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x00-0x00%2FShellPop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x00-0x00%2FShellPop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x00-0x00%2FShellPop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0x00-0x00","download_url":"https://codeload.github.com/0x00-0x00/ShellPop/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://g
ithub.com","kind":"github","repositories_count":243021756,"owners_count":20223068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bind","hacking","pentest","pop-shells","remote","reverse","shell"],"created_at":"2024-07-30T13:01:35.604Z","updated_at":"2025-03-13T14:32:08.910Z","avatar_url":"https://github.com/0x00-0x00.png","language":"Python","funding_links":[],"categories":["Table of Contents","Python","Python (1887)"],"sub_categories":["Penetration Testing Tools"],"readme":"# ShellPop\n## About\n\nShellpop is all about popping shells. With this tool you can\ngenerate easy and sophisticated reverse or bind shell commands\nto help you during penetration tests.\n\nDon't waste more time with .txt files storing your Reverse shells!\n-----\n## Installation\nPython 2.7 is required. 
\n\nVersions 3.0+ will not work.\n\n**Required Dependencies Install**\n```bash\nroot@kali# apt-get install python-argcomplete metasploit-framework -y\n```\n```bash\nroot@kali# pip install -r requirements.txt\n```\n**Setup Install**\n```bash\nroot@kali# python setup.py install\n```\n\n**PS**: After installation, tab auto-complete will only work after restarting the terminal.\n\n## Index\n* [Help](#help-section)\n* [List](#shells-list)\n* [Basics](#basics)\n* [Obfuscation](#obfuscation)\n* [Encoders](#encoders)\n* [Handlers](#handlers)\n* [Meterpreter Shells](#meterpreter-shells-new)\n* [Stagers](#stagers)\n* [Protocols](#protocols)\n* [Credits](#credits)\n* [Team Members](#team-members)\n* [Contributors](#contributors)\n\n-----\n### __Help Section__\nTo quickly list all available options of this tool, use --help.\n\n#### *Command line examples*\n```bash\nroot@kali# shellpop --help\n```\n\n![Screenshot](img/img-shell-help.JPG?raw=true)\n\n\n-----\n### __Shells List__\n#### *List of shells*\nYou can list all available shellpop shells using the --list option.\n\n\n#### *Command line example*\n```bash\nroot@kali# shellpop --list\n```\n\n![ShellsList](img/img-shell-list.JPG?raw=true)\n\n##### Auto-Complete [NEW]\n\nShellpop now has an auto-complete feature. To use it, forget about --number and (--reverse or --bind) and just stick to the --payload argument, as in the image below:\n\n![Autocomplete](img/img-shell-autocomplete.JPG?raw=true)\n\n### __Basics__\n-----\n#### *Copying it to clipboard*\nDon't waste time. This tool is all about NOT wasting time, so you can add the `--clip` option to any generated payload and have it automagically copied to your clipboard.\n\n#### *Shell Types*\nThere are two types of payloads in this program: Bind or Reverse.\n\n-----\n##### 1. Reverse shell\nReverse shells use your attacker machine to serve as the \"server\". In this type of payload, you need both --host and --port pointing back to your machine. 
A handler must be set.\n\n-----\n##### 2. Bind shell\nBind shells use the remote host to serve the connection. In this type of payload, all you need is the --port option with a valid port number.\n\n\n#### Command line examples\n##### Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443\n![Screenshot](img/img-shell-example-01.JPG?raw=true)\n\n##### Generating a Powershell TCP bind shell over port 1337\n![Screenshot](img/img-shell-example-02.JPG?raw=true)\n\n---\n### __Obfuscation__\nThere are currently two main methods of obfuscation available for your generated payloads:\n\n1. *Variable renaming obfuscation*\n\n__Replaces all variables in the payload with randomly named ones. Applied to every payload automatically.__\n\n![Screenshot](img/img-random-variables.JPG?raw=true)\n\n2. *IPfuscation*\n\n__Obfuscates the IP address and port used by the payload.__\n\nCoined by @vysecurity, IPfuscation simply leverages the little-known fact that IP addresses can be converted to decimal, octal, and hexadecimal numbers, or a combination of all three, and still be used.\n\nPort obfuscation is accomplished by replacing the port number with a mathematical expression that evaluates to the port number.\n\n![Screenshot](img/img-ipfuscation-example.JPG?raw=true)\n\nHere the IP address in the generated payload is a combination of different number bases. The first part is in normal decimal notation, the second and third parts are 2 and 3 converted to octal with random zeros as padding, and the fourth part is 4 in hex, also with some zeros as padding. The selection of bases to use in each part of the IP address is randomized, as is the number of zeros used to pad the hex and octal numbers.\n\nThe port is obfuscated by replacing 443 with an expression that evaluates to 443. This expression is generated randomly as well.\n\n---\n#### Size Concerns\nAlthough IPfuscation is optional, random variable obfuscation is now automatically enforced on all payloads. 
If the size of the payload is a real concern, you can pass the `--obfuscate-small` option so that obfuscation increases the payload size as little as possible. The variable names, IP address and port number will be significantly shorter when this option is used.\n\n![Screenshot](img/img-small-obfuscation.JPG?raw=true)\n\n-----\n### __Encoders__\nEncoders are special options that you can use while generating shellpop payloads.\n\nThere are currently three encoding methods, which can be applied individually or together:\n\n1. *XOR encoding*\n\n __Uses a random numeric key (1-255) to obfuscate the payload and adds a decryption stub to decrypt it.__\n\n2. *Base64 encoding*\n\n __Applies simple base64 encoding to the payload data and adds a stub to decode it.__\n\n3. *URL encoding*\n\n __Applies simple URL encoding to the final payload.__\n\n\n#### *Command line examples*\n##### Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 but using URL-encoding, suitable for use over the HTTP protocol.\n![Screenshot](img/img-shell-example-03.JPG?raw=true)\n\n##### Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 but encoding it to base64 and setting up a wrapper to decode it. This helps when quotes are troublesome.\n![Screenshot](img/img-shell-example-04.JPG?raw=true)\n\n##### Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 URL-encoded and encoded to base64 ... 
Yes, you know the drill!\n![Screenshot](img/img-shell-example-05.JPG?raw=true)\n\n##### Generating a Powershell bind shell over port 1337 encoded in base64\n![Screenshot](img/img-shell-example-06.JPG?raw=true)\n\n##### Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 using --xor encoding.\n![Screenshot](img/img-shell-example-07.JPG?raw=true)\n\n##### Generating a Python TCP reverse shell to IP 1.2.3.4 at port 443 using ALL methods of encoding!\n![Screenshot](img/img-shell-example-08.JPG?raw=true)\n\n-----\n### __Handlers__\nA handler is a mechanism that \"handles\" either serving a socket to receive the incoming connection or connecting to a server endpoint in order to establish your shell.\n\nThe following TCP handlers are currently supported:\n1. TCP PTY Handlers\n2. TCP Meta-Handlers [NEW]\n\nThis means every TCP shell command line can take the `--handler` option, which removes the need for the operator to spawn the handler (probably ncat or nc) manually.\n\n![Screenshot](img/handler.gif?raw=true)\n\n### __Meterpreter Shells__ [NEW]\nThis feature was widely requested by people who use this tool. It is now technically possible to upgrade all shellpop shells to meterpreter because, since 0.3.6, the handler uses the Metasploit Framework by default to land shells.\n\n![Meterpreter](img/handler-meterpreter.gif?raw=true)\n\n-----\n### __Stagers__\nA stager is a mechanism for serving your payload in STAGES. Sometimes payload complexity or size can get troublesome. In such cases, you can craft a small payload which in turn can request and execute the bigger one.\n\nThe following stager protocols are currently supported:\n1. HTTP\n\n\n#### HTTP Stagers\nShellPop has the following set of HTTP stagers to fit any scenario you might want:\n1. Linux Stagers (Python, Perl, Wget and cURL)\n2. 
Windows Stagers (Powershell, CertUtil, BitsAdmin and Cscript)\n\nTo use HTTP staging, append `--stager http` to your command line. Optionally, to specify the HTTP server port, use the `--http-port` flag, which puts your port number in front of the pre-defined ones.\n\n![Screenshot](img/stager.gif?raw=true)\n\n-----\n### __Protocols__\nCurrently there is support for two protocols to land your shells:\n\n1. TCP\n2. UDP\n3. ICMP (Nishang ICMP shell)\n\n#### *Command line examples*\n##### TCP is blocked but UDP is not? Let there be shell!\n![Screenshot](img/img-shell-example-09.JPG?raw=true)\n\n-----\n### __Credits__\n\nThis code is authored by Andre Marques (@zc00l) and this project's contributors.\n\nIt was made open to the public the moment it was released on GitHub.\n\nNo contributor, including the author, is responsible for any damage caused by this tool.\n\n-----\n### __Team Members__\n+ Andre Marques ([zc00l](https://github.com/0x00-0x00))\n+ Touhid M.Shaikh ([touhidshaikh](https://github.com/touhidshaikh))\n+ Rοbеrt Εѕрі ([lowfuel](https://github.com/SouAquele))\n-----\n### __Contributors__\nWe really appreciate all Contributors.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x00-0x00%2FShellPop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0x00-0x00%2FShellPop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x00-0x00%2FShellPop/lists"}